Public/private key generation


Reference answer A

Step 1: Install the Win64OpenSSL software on a Windows operating system.
Step 2: Open Win64OpenSSL and first generate the private key; the command is: ecparam -genkey -name SM2 -out priv.key

Step 3: Then generate the public key from the private key; the command is: ec -in priv.key -pubout -out pub.key

Verifying the generated SM2 key pair
Step 1: First create a file named file.txt (in this example it is placed in the same directory as the keys).

Step 2: Open Win64OpenSSL and first generate a signature with the private key; the command is: dgst -sign priv.key -sha1 -out sha1_sm2_file.sign file.txt

Step 3: Then verify the generated signature with the public key. If the public and private keys match each other, the SM2 key pair was generated successfully; the command is: dgst -verify pub.key -sha1 -signature sha1_sm2_file.sign file.txt

The file paths need to be adjusted. In the example above the files were placed directly on the D: drive, with the extension .key or .pem.

Download (GmSSL-master.zip), uncompress it and go to the source code folder. On Linux and OS X, run the following commands:

After installation, running gmssl version gives an error:

Add two symbolic links:

Generate the private key

Generate the public key

Reference: https://github.com/guanzhi/GmSSL

None of the key pairs generated above can be used with gmssl sm2; encryption and decryption run, but the results are wrong.

Because the keys provided are in base64 format, they have to be transcoded.

4. Converting between other formats

A string cannot be converted to base64 directly; it must first be converted to bytes.

Key pair and CA certificate generation

Key pair and certificate generation

This article uses a Linux system as the example to simulate a CA issuing an authentication certificate for an HTTP server.

Operations on the HTTP server

1. Generate the private key

Use the OpenSSL tool to generate the server's private key (.key) file:

[nginx@nginx-node01 ~]$ openssl genrsa 1024 >> $HOSTNAME.key  
Generating RSA private key, 1024 bit long modulus
.................++++++
...........................++++++
e is 65537 (0x10001)
[nginx@nginx-node01 ~]$ ls
nginx-node01.key

2. Generate the certificate signing request (csr) file

[nginx@nginx-node01 ~]$ openssl req -new -key $HOSTNAME.key -out $HOSTNAME.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:kov
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:www.kov.com
Email Address []:sys@kov.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[nginx@nginx-node01 ~]$ ls
nginx-node01.csr  nginx-node01.key

Operations on the CA server

1. Create the required files

touch /etc/pki/CA/index.txt    creates the certificate index database file
echo 01 > /etc/pki/CA/serial   sets the serial number of the first certificate to be issued

2. Generate the CA private key

[root@ca ~]# hostname
ca
[root@ca ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048

3. The CA generates a self-signed certificate

[root@ca private]# openssl req -new -x509 -key cakey.pem -out /etc/pki/CA/cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:kov
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:xx.kov.com
Email Address []:xx@kov.com

4. The CA signs the certificate

Send the HTTP server's csr file to the CA; the CA signs the server's request and the result is the final certificate (crt) file. (With the default policy, the country, state/province and organization name fields must match the CA's.)

[root@ca private]# openssl ca -in /root/nginx-node01.csr -out /etc/pki/CA/certs/nginx-node01.crt -days 365    
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 13 15:31:40 2020 GMT
            Not After : Jul 13 15:31:40 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = kov
            organizationalUnitName    = Dev
            commonName                = www.kov.com
            emailAddress              = sys@kov.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:DB:3C:4E:6D:0E:BD:5A:78:2D:F2:86:62:CD:B3:03:45:F1:AB:F3
            X509v3 Authority Key Identifier: 
                keyid:DF:B4:69:95:C5:71:44:EE:0B:9C:2E:CB:1C:CD:37:E3:0E:FD:AC:E8

Certificate is to be certified until Jul 13 15:31:40 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca private]# 

5. Verify that the private key and certificate match

Check whether the CA-signed HTTP server certificate nginx-node01.crt matches the HTTP server's private key nginx-node01.key; the two hashes must be identical:

openssl rsa  -noout -modulus -in nginx-node01.key |openssl md5
openssl x509 -noout -modulus -in nginx-node01.crt |openssl md5
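The five steps above can be run end to end without the interactive prompts or the /etc/pki/CA database. The script below is an added example written for this page, not the article's own commands: it carries its own minimal openssl.cnf, passes the DN with -subj, signs the request with x509 -req instead of openssl ca (so no index.txt or serial file is needed), and wraps the step-5 modulus comparison in a function. The subjects, the hostname www.example.test, the 2048-bit key size (the article's 1024 bits is below current minimums) and the function names are this example's own assumptions. It also adds two things the article does not show and a practitioner would want: a subjectAltName on the server certificate, since browsers ignore the CN, and an openssl verify call confirming that the issued certificate actually chains to the CA.

```shell
#!/bin/sh
# Added example, not code from the original article. Runs the same five steps
# (server key, CSR, CA key, self-signed CA, signing, modulus check) without
# prompts in a scratch directory. Subjects, hostname and file names are
# constructed placeholders, not the article's kov.com values.
set -eu

WORK="$(mktemp -d)"
SERVER_CN="www.example.test"    # placeholder server hostname

# Minimal config so the run does not depend on /etc/pki/tls/openssl.cnf.
# The empty [req_dn] section is enough because -subj supplies the DN.
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = req_dn
x509_extensions    = v3_ca
[req_dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$SERVER_CN
EOF

# HTTP server, steps 1 and 2: private key and CSR (2048 bits, not the article's 1024).
make_server_key_and_csr() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$WORK/openssl.cnf" -key "$WORK/server.key" \
    -out "$WORK/server.csr" -subj "/C=CN/ST=henan/O=example/OU=Dev/CN=$SERVER_CN" 2>/dev/null
}

# CA, steps 2 and 3: CA key and self-signed root. -x509 makes req emit a
# certificate instead of a request; 7300 days as in the article.
make_ca() {
  openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -config "$WORK/openssl.cnf" -key "$WORK/cakey.pem" \
    -out "$WORK/cacert.pem" -days 7300 \
    -subj "/C=CN/ST=henan/O=example/OU=Dev/CN=Example Root CA" 2>/dev/null
}

# CA, step 4: sign the CSR with x509 -req instead of `openssl ca`, so no
# index.txt/serial database is needed; -CAcreateserial creates the serial file.
# The v3_server extensions add the SAN that browsers require (CN alone is ignored).
sign_server_csr() {
  openssl x509 -req -sha256 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
    -extfile "$WORK/openssl.cnf" -extensions v3_server -out "$WORK/server.crt" 2>/dev/null
}

# Step 5, the article's check as a function: the RSA modulus inside the key
# and inside the certificate must hash to the same value.
key_matches_cert() {             # $1 = private key, $2 = certificate -> match|mismatch
  k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
  if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Additional check the article does not show: the server certificate must
# chain to the CA that is about to be trusted.
cert_chains_to_ca() {            # $1 = CA certificate, $2 = server certificate -> ok|fail
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

run_all() {                      # full workflow -> prints the step-5 result
  make_server_key_and_csr
  make_ca
  sign_server_csr
  key_matches_cert "$WORK/server.key" "$WORK/server.crt"
}

run_all
```

Running the script prints "match"; pointing key_matches_cert at any other key prints "mismatch", which is the situation the article's two md5 lines are meant to expose before the certificate and key are deployed to nginx. The chain check is the one to keep in a deployment script, because a certificate whose modulus matches the key can still have been signed by the wrong CA.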

Verifying HTTPS with nginx
