TLS/SSL concepts

TLS/SSL is a public/private key infrastructure (PKI). For most common cases, each client and server must have a private key.

Private keys can be generated in multiple ways. The example below illustrates use of the OpenSSL command-line interface to generate a 2048-bit RSA private key:

openssl genrsa -out ryans-key.pem 2048

With TLS/SSL, all servers (and some clients) must have a certificate. Certificates are public keys that correspond to a private key, and that are digitally signed either by a Certificate Authority or by the owner of the private key (such certificates are referred to as "self-signed"). The first step to obtaining a certificate is to create a Certificate Signing Request (CSR) file.

The OpenSSL command-line interface can be used to generate a CSR for a private key:

openssl req -new -sha256 -key ryans-key.pem -out ryans-csr.pem

Once the CSR file is generated, it can either be sent to a Certificate Authority for signing or used to generate a self-signed certificate.

Creating a self-signed certificate using the OpenSSL command-line interface is illustrated in the example below:

openssl x509 -req -in ryans-csr.pem -signkey ryans-key.pem -out ryans-cert.pem

Once the certificate is generated, it can be used to generate a .pfx or .p12 file:

openssl pkcs12 -export -in ryans-cert.pem -inkey ryans-key.pem \
      -certfile ca-cert.pem -out ryans.pfx

Where:

  • in: is the signed certificate
  • inkey: is the associated private key
  • certfile: is a concatenation of all Certificate Authority (CA) certs into a single file, e.g. cat ca1-cert.pem ca2-cert.pem > ca-cert.pem
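The commands above are one procedure: key, CSR, self-signed certificate, PKCS#12 bundle. The script below is an added example (not part of the Node.js documentation) that runs the same OpenSSL steps non-interactively in a scratch directory and then checks the resulting files against each other, which is what you would want to confirm before deploying them. File names follow the page (ryans-key.pem, ryans-csr.pem, ryans-cert.pem, ryans.pfx, ca-cert.pem); the subject name, the minimal req config, the 365-day validity, the export password and the function names are constructed for this example. Because the certificate is self-signed, the ca-cert.pem "concatenation" here is just the certificate itself.

```shell
#!/bin/sh
# Added example, not from the Node.js docs: the page's OpenSSL steps run
# unattended, followed by consistency checks on the generated files.
set -eu

# make_tls_artifacts DIR
#   DIR/ryans-key.pem   2048-bit RSA private key
#   DIR/ryans-csr.pem   certificate signing request
#   DIR/ryans-cert.pem  self-signed certificate (the page's x509 -req
#                       command gives no -days, so OpenSSL defaults to 30)
#   DIR/ryans.pfx       PKCS#12 bundle with key, cert and the CA file
make_tls_artifacts() {
    dir=$1
    mkdir -p "$dir"
    openssl genrsa -out "$dir/ryans-key.pem" 2048 2>/dev/null
    # A minimal req config plus -subj avoids the interactive DN prompts;
    # the CN is a constructed example value.
    printf '[req]\ndistinguished_name = req_dn\n[req_dn]\n' > "$dir/req.cnf"
    openssl req -new -sha256 -config "$dir/req.cnf" -key "$dir/ryans-key.pem" \
        -subj "/CN=ryans.example/O=Example" -out "$dir/ryans-csr.pem"
    openssl x509 -req -days 365 -in "$dir/ryans-csr.pem" \
        -signkey "$dir/ryans-key.pem" -out "$dir/ryans-cert.pem" 2>/dev/null
    # The page builds ca-cert.pem by concatenating CA certs; a self-signed
    # cert is its own issuer, so the "CA file" is the certificate itself.
    cat "$dir/ryans-cert.pem" > "$dir/ca-cert.pem"
    # -passout makes the export unattended; "changeit" is a placeholder.
    openssl pkcs12 -export -in "$dir/ryans-cert.pem" -inkey "$dir/ryans-key.pem" \
        -certfile "$dir/ca-cert.pem" -out "$dir/ryans.pfx" -passout pass:changeit
}

# check_tls_artifacts DIR
# Returns 0 only if all three deployment checks hold:
#   1. the certificate's public key is the one derived from the private key
#   2. the certificate verifies against the CA file (its own self-signature)
#   3. the PKCS#12 file opens with the password and carries the same cert
check_tls_artifacts() {
    dir=$1
    key_pub=$(openssl pkey -in "$dir/ryans-key.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$dir/ryans-cert.pem" -pubkey -noout)
    [ "$key_pub" = "$cert_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
    openssl verify -CAfile "$dir/ca-cert.pem" "$dir/ryans-cert.pem" >/dev/null 2>&1 \
        || { echo "certificate does not verify against ca-cert.pem" >&2; return 1; }
    pfx_fp=$(openssl pkcs12 -in "$dir/ryans.pfx" -passin pass:changeit \
                 -nokeys -clcerts 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    pem_fp=$(openssl x509 -in "$dir/ryans-cert.pem" -noout -fingerprint -sha256)
    [ "$pfx_fp" = "$pem_fp" ] || { echo "pfx does not hold ryans-cert.pem" >&2; return 1; }
    return 0
}

# csr_subject DIR
# Prints the subject recorded in the CSR, so the request can be inspected
# before it is sent to a Certificate Authority.
csr_subject() {
    openssl req -in "$1/ryans-csr.pem" -noout -subject
}

# Stand-alone usage: sh this-script.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_tls_artifacts "$d"
    csr_subject "$d"
    check_tls_artifacts "$d" && echo "artifacts consistent in $d"
fi
```

The key/cert comparison works because `openssl pkey -pubout` and `openssl x509 -pubkey` both emit the SubjectPublicKeyInfo in PEM, so a plain string compare is enough; the fingerprint comparison catches the common mistake of packaging a stale certificate into the .pfx.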