1、SAN证书生成
SAN(Subject Alternative Name)
是 SSL 标准 x509 中定义的一个扩展。使用了 SAN 字段的 SSL 证书,可以扩
展此证书支持的域名,使得一个证书可以支持多个不同域名的解析。接下来我们重新利用配置文件生成CA证书,
再利用ca相关去生成服务端的证书。
1.1 CA根证书生成
新建工作目录:
[root@zsx cert]# pwd
/home/zhangshixing/cert
新建一个配置文件ca.conf
,文件内容如下:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
localityName_default = Chengdu
organizationName = Organization Name (eg, company)
organizationName_default = Step
commonName = CommonName (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = tonghua
依次执行下面的命令,执行过程中遇到的填写国家之类的直接Enter跳过,选择配置文件中默认的,从而生成CA私
钥(ca.key
)、签名请求(ca.csr
)和签名证书(ca.pem
)。
[root@zsx cert]# ll
total 4
-rw-r--r--. 1 root root 635 Feb 16 19:53 ca.conf
[root@zsx cert]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
...................................+++
......................+++
e is 65537 (0x10001)[root@zsx cert]# ls
ca.conf ca.key
[root@zsx cert]# openssl req -new -sha256 -out ca.csr -key ca.key -config ca.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:[root@zsx cert]# ls
ca.conf ca.csr ca.key
[root@zsx cert]# openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.pem
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting Private key[root@zsx cert]# ls
ca.conf ca.csr ca.key ca.pem
1.2 签发服务端证书
接下来创建服务端配置文件server.conf
,文件内容如下:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
localityName_default = Chengdu
organizationName = Organization Name (eg, company)
organizationName_default = Step
commonName = CommonName (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = tonghua
[ req_ext ]
# 添加subjectAltName
subjectAltName = @alt_names
# www.example.cn代表允许的ServerName
[alt_names]
DNS.1 = www.example.cn
IP = 127.0.0.1
同样,使用上面得到的CA根证书(ca.pem
)签发服务端证书,依次执行下面命令生成服务端的密钥、签名请求和签
名证书:
# 服务端私钥
[root@zsx cert]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................................................+++
................................................+++
e is 65537 (0x10001)[root@zsx cert]# ls
ca.conf ca.csr ca.key ca.pem server.conf server.key
# 服务端签名请求
[root@zsx cert]# openssl req -new -sha256 -out server.csr -key server.key -config server.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:[root@zsx cert]# ls
ca.conf ca.csr ca.key ca.pem server.conf server.csr server.key
# 用根证书签发服务端证书server.pem
[root@zsx cert]# openssl x509 -req -days 3650 -CA ca.pem -CAkey ca.key -CAcreateserial -in server.csr -out server.pem -extensions req_ext -extfile server.conf
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting CA Private Key[root@zsx cert]# ls
ca.conf ca.csr ca.key ca.pem ca.srl server.conf server.csr server.key server.pem
1.3 签发客户端证书
建立配置文件client.conf
:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
localityName_default = Chengdu
organizationName = Organization Name (eg, company)
organizationName_default = Step
commonName = CommonName (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = tonghua
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.cn
IP = 127.0.0.1
执行下面命令生成客户端密钥、证书等:
[root@zsx cert]# openssl ecparam -genkey -name secp384r1 -out client.key[root@zsx cert]# ls
ca.conf ca.key ca.srl client.key server.csr server.pem
ca.csr ca.pem client.conf server.conf server.key
[root@zsx cert]# openssl req -new -sha256 -out client.csr -key client.key -config client.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:[root@zsx cert]# ls
ca.conf ca.key ca.srl client.csr server.conf server.key
ca.csr ca.pem client.conf client.key server.csr server.pem
[root@zsx cert]# openssl x509 -req -days 3650 -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr -out client.pem -extensions req_ext -extfile client.conf
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting CA Private Key[root@zsx cert]# ls
ca.conf ca.key ca.srl client.csr client.pem server.csr server.pem
ca.csr ca.pem client.conf client.key server.conf server.key
1.4 双向认证
1.4.1 proto编写和编译
syntax = "proto3";
package proto;
option go_package = "./base;base";service BaseService {rpc GetTime (TimeRequest) returns (TimeResponse) {}
}message TimeRequest {}message TimeResponse {string time = 1;
}
protoc --go_out=plugins=grpc:. base.proto
1.4.2 服务端
package mainimport ("context""crypto/tls""crypto/x509"pb "demo/base""google.golang.org/grpc""google.golang.org/grpc/credentials""io/ioutil""log""net""time"
)const (// Address gRPC服务地址Address = "127.0.0.1:8888"
)type service struct {pb.UnimplementedBaseServiceServer
}func main() {// TLS认证// 从证书相关文件中读取和解析信息,得到证书公钥、密钥对cert, err := tls.LoadX509KeyPair("./cert/server.pem", "./cert/server.key")if err != nil {log.Fatalln("cert err: ", err)}// 初始化一个CertPoolcertPool := x509.NewCertPool()ca, err := ioutil.ReadFile("./cert/ca.pem")if err != nil {log.Fatalln("ca err: ", err)}// 解析传入的证书,解析成功会将其加到池子中certPool.AppendCertsFromPEM(ca)// 构建基于TLS的TransportCredentials选项creds := credentials.NewTLS(&tls.Config{// 服务端证书链,可以有多个Certificates: []tls.Certificate{cert},// 要求必须验证客户端证书ClientAuth: tls.RequireAndVerifyClientCert,// 设置根证书的集合,校验方式使用 ClientAuth 中设定的模式ClientCAs: certPool,})// 实例化grpc ServerrpcServer := grpc.NewServer(grpc.Creds(creds))// 创建带ca证书验证的服务端pb.RegisterBaseServiceServer(rpcServer, &service{})// 设置传输协议和监听地址listen, err := net.Listen("tcp", Address)if err != nil {log.Fatalln("listen err: ", err)}log.Println("Listen on " + Address + " with TLS")rpcServer.Serve(listen)
}// 实现接口
func (s *service) GetTime(ctx context.Context, in *pb.TimeRequest) (*pb.TimeResponse, error) {now := time.Now().Format("2006-01-02 15:04:05")return &pb.TimeResponse{Time: now}, nil
}
[root@zsx demo]# go run server.go
2023/02/16 20:53:13 Listen on 127.0.0.1:8888 with TLS
1.4.3 客户端
package mainimport ("context""crypto/tls""crypto/x509"pb "demo/base""fmt""google.golang.org/grpc""google.golang.org/grpc/credentials""io/ioutil""log"
)const (// Address gRPC服务地址Address = "127.0.0.1:8888"
)func main() {// TLS连接// 从证书相关文件中读取和解析信息,得到证书公钥、密钥对cert, err := tls.LoadX509KeyPair("./cert/client.pem", "./cert/client.key")if err != nil {log.Fatalln("cert err: ", err)}certPool := x509.NewCertPool()ca, err := ioutil.ReadFile("./cert/ca.pem")if err != nil {log.Fatalln("ca err: ", err)}certPool.AppendCertsFromPEM(ca)creds := credentials.NewTLS(&tls.Config{//客户端证书Certificates: []tls.Certificate{cert},//注意这里的参数为配置文件中所允许的ServerName,也就是其中配置的DNSServerName: "www.example.cn",RootCAs: certPool,})// 连接服务端conn, err := grpc.Dial(Address, grpc.WithTransportCredentials(creds))if err != nil {log.Fatal(err)}defer conn.Close()client := pb.NewBaseServiceClient(conn)reps, err := client.GetTime(context.Background(), &pb.TimeRequest{})// 初始化客户端if err != nil {log.Fatal(err)}fmt.Printf("grpcClient response is %s\n", reps.Time)
}
[root@zsx demo]# go run client.go
grpcClient response is 2023-02-16 20:53:30
1.5 单向认证
1.5.1 服务端
package mainimport ("context"pb "demo/base""google.golang.org/grpc""google.golang.org/grpc/credentials""log""net""time"
)type service struct {pb.UnimplementedBaseServiceServer
}func main() {creds, err := credentials.NewServerTLSFromFile("./cert/server.pem", "./cert/server.key")if err != nil {log.Fatal(err)}Address := "127.0.0.1:8888"//创建带ca证书验证的服务端rpcServer := grpc.NewServer(grpc.Creds(creds))pb.RegisterBaseServiceServer(rpcServer, &service{})listen, _ := net.Listen("tcp", Address)log.Println("Listen on " + Address + " with TLS")rpcServer.Serve(listen)
}// 实现接口
func (s *service) GetTime(ctx context.Context, in *pb.TimeRequest) (*pb.TimeResponse, error) {now := time.Now().Format("2006-01-02 15:04:05")return &pb.TimeResponse{Time: now}, nil
}
[root@zsx demo]# go run server1.go
2023/02/16 20:53:55 Listen on 127.0.0.1:8888 with TLS
1.5.2 客户端
package mainimport ("context"pb "demo/base""fmt""google.golang.org/grpc""google.golang.org/grpc/credentials""log"
)func main() {creds, err := credentials.NewClientTLSFromFile("./cert/server.pem", "www.example.cn")if err != nil {log.Fatal(err)}conn, err := grpc.Dial("127.0.0.1:8888", grpc.WithTransportCredentials(creds))if err != nil {log.Fatal(err)}defer conn.Close()client := pb.NewBaseServiceClient(conn)resp, err := client.GetTime(context.Background(), &pb.TimeRequest{})if err != nil {log.Fatal(err)}fmt.Printf("grpcClient response is %s\n", resp.Time)
}
[root@zsx demo]# go run client1.go
grpcClient response is 2023-02-16 20:54:14
# 项目结构
$ tree demo/
demo/
├── base
│ └── base.pb.go
├── base.proto
├── cert
│ ├── ca.conf
│ ├── ca.csr
│ ├── ca.key
│ ├── ca.pem
│ ├── ca.srl
│ ├── client.conf
│ ├── client.csr
│ ├── client.key
│ ├── client.pem
│ ├── server.conf
│ ├── server.csr
│ ├── server.key
│ └── server.pem
├── client1.go
├── client.go
├── go.mod
├── go.sum
├── server1.go
└── server.go