X.509 certificate


A quick rundown of certificates

  • X.509 is the standard for public key certificates; it is used by many network protocols, including TLS/SSL.

  • A certificate binds a public key to identity information (hostname, organization, and so on), together with a validity period and extensions that state what the key may be used for.

  • A certificate is either signed by a certificate authority (CA) or self-signed (subject and issuer are the same entity).

  • When a browser connects to an HTTPS server it validates the server's certificate: the signature chain must end at a CA the browser trusts, the certificate must be within its validity period, and the name in it must match the host being contacted. Only then is the server taken to be the legitimate site.

  • In the Elastic Stack, when several Elasticsearch nodes connect to each other, every node is both a client and a server, so both sides authenticate each other (mutual TLS):

    • With certificates issued by a self-signed CA, each side checks on connection that the certificate presented by the peer was signed by that same CA; the CA certificate is the trust anchor, and a certificate from any other CA is rejected.
    • The server side also requires the client to present its certificate and to prove possession of the matching private key during the handshake, so only holders of a key pair issued by the CA are treated as authenticated peers.

As a side note, X.509 certificates come in several file formats:

  • .pem: Base64 text between -----BEGIN ...----- and -----END ...----- markers; one file may hold a whole chain
  • .cer, .crt, .der: a single certificate, either binary DER or PEM text (the extension does not tell you which)
  • .p12: a PKCS#12 container, normally a private key together with its certificate chain, protected by a password
  • .p7b, .p7c: PKCS#7 bundles of certificates (and optionally CRLs), without private keys

Note also that these containers are not specific to certificates: a .pem may hold a private key, a CSR or a CRL, a .p12 may hold only keys, and so on. Look at the PEM label or dump the file with openssl rather than trusting the extension.
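As an added example (not part of the original notes), the script below creates one throw-away self-signed certificate for a hypothetical host, writes it out as PEM, DER and PKCS#12, and shows that the three files carry the same certificate by comparing SHA-256 fingerprints. It also reads the PEM label to tell a certificate from a private key that happens to share the .pem container. It assumes the openssl CLI is installed; the host name, file names and the password changeit are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: one X.509 certificate in three
# containers (PEM, DER, PKCS#12), plus a check of what a PEM file really holds.
# Needs the openssl CLI. Host name, file names and the password are made up.

WORK=$(mktemp -d)
P12_PASS=changeit   # demo password for the PKCS#12 bundle

# Sample input: a throw-away self-signed certificate for a hypothetical host.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-node.example.internal" \
    -keyout "$WORK/demo.key" -out "$WORK/demo.pem" 2>/dev/null
}

# Re-encode the same certificate: binary DER, and a PKCS#12 bundle that also
# carries the private key (which is why .p12 files are password protected).
convert_formats() {
  openssl x509 -in "$WORK/demo.pem" -outform DER -out "$WORK/demo.der"
  openssl pkcs12 -export -in "$WORK/demo.pem" -inkey "$WORK/demo.key" \
    -name demo -out "$WORK/demo.p12" -passout "pass:$P12_PASS"
}

# SHA-256 fingerprint of the certificate inside a file, whatever the container.
# Equal fingerprints prove the files hold the very same certificate.
fingerprint() {  # $1 = file, $2 = pem | der | p12
  case "$2" in
    pem) openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 ;;
    der) openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 ;;
    p12) openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 ;;
  esac | sed 's/^.*=//'
}

# The extension is not the payload: read the PEM label to see what is inside
# (CERTIFICATE, PRIVATE KEY, CERTIFICATE REQUEST, X509 CRL, ...).
pem_payload() {  # $1 = PEM file
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Walk through the whole thing when the script is run directly.
demo() {
  make_sample_cert
  convert_formats
  for f in pem der p12; do
    printf '%s: %s\n' "$f" "$(fingerprint "$WORK/demo.$f" "$f")"
  done
  printf 'demo.pem holds a %s, demo.key holds a %s\n' \
    "$(pem_payload "$WORK/demo.pem")" "$(pem_payload "$WORK/demo.key")"
}

demo
```

The three fingerprint lines print the same value, which is the point: PEM, DER and PKCS#12 are packaging, not different certificates. The PKCS#12 step needs the password both to export and to read, because the bundle contains the private key.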

CA

$ openssl pkcs12 -in /etc/elasticsearch/config/elastic-stack-ca.p12 -info -nokeys

MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Bag Attributes
    friendlyName: ca
    localKeyID:
subject=CN = Elastic Certificate Tool Autogenerated CA

issuer=CN = Elastic Certificate Tool Autogenerated CA

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Both the issuer common name (CN) and the subject CN are "Elastic Certificate Tool Autogenerated CA". Issuer equal to subject is the mark of a self-signed root: this CA certificate vouches for itself, and every node certificate in the cluster has to chain back to it.

https://shazi.info/openssl-%E6%AA%A2%E6%B8%AC-ssl-%E7%9A%84%E6%86%91%E8%AD%89%E4%B8%B2%E9%8D%8A-certificate-chain/

openssl s_client -connect google.com:443 -showcerts </dev/null

(-connect takes host:port, so the port is required; -showcerts prints every certificate the server sends, not just the leaf, and </dev/null ends the session once the handshake has completed.)

https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce

openssl verify -CAfile client-ca.cer client.cer

openssl verify -show_chain -CAfile client-ca.cer client.cer

The first command prints "client.cer: OK" only if client.cer chains to the CA in client-ca.cer; -show_chain (OpenSSL 1.1.0 and later) additionally lists the certificates that made up the chain, which is the quickest way to see which trust anchor actually matched.
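As an added example (not from the original notes or from Elastic's certutil), the script below builds a private CA, issues a node certificate with it, and then runs the same check a cluster node applies to a peer: does the presented certificate chain to the CA we trust, and does its name match the host we expected? A second, unrelated CA issues a perfectly valid certificate that must still be rejected. It serves both the mutual-TLS description above and the openssl verify commands just shown. It assumes the openssl CLI is installed; the CA names, host names and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes or from Elastic's tooling: build a
# private CA, issue a node certificate, and verify which CA a certificate chains
# to, plus whether its name matches the peer we dialled. Needs the openssl CLI.
# CA names, host names and file names are made up for the demo.

WORK=$(mktemp -d)

# A self-signed CA: subject and issuer are the same DN, and it signs itself.
make_ca() {  # $1 = file prefix, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a node certificate: the node keeps its private key and sends a CSR,
# the CA signs it. The identity (CN) is whatever the CA attests to.
issue_node_cert() {  # $1 = CA prefix, $2 = node prefix, $3 = node host name
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

# The trust-anchor check: does the presented certificate chain to the CA we
# trust? Prints ok or fail so callers can branch on it.
verify_against_ca() {  # $1 = trusted CA prefix, $2 = presented cert prefix
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Full peer check: chain to our CA AND the certificate must be for the host
# we connected to (no SAN here, so openssl falls back to matching the CN).
verify_peer() {  # $1 = trusted CA prefix, $2 = cert prefix, $3 = expected host
  if openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" \
       "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# A certificate is self-signed when its subject DN equals its issuer DN
# (what the CA dump above shows); leaf certificates name the CA as issuer.
is_self_signed() {  # $1 = cert prefix
  subj=$(openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$WORK/$1.crt" -noout -issuer | sed 's/^issuer=//')
  if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# Scenario: our cluster CA, one legitimate node, and a node whose certificate
# was issued by some other CA (valid X.509, wrong trust anchor).
setup_scenario() {
  make_ca cluster-ca "Demo Cluster CA"
  make_ca foreign-ca "Some Other CA"
  issue_node_cert cluster-ca node1 es-node-1.demo.internal
  issue_node_cert foreign-ca intruder es-node-9.demo.internal
}

demo() {
  setup_scenario
  echo "node1 vs cluster CA:     $(verify_against_ca cluster-ca node1)"
  echo "intruder vs cluster CA:  $(verify_against_ca cluster-ca intruder)"
  echo "node1 as es-node-1:      $(verify_peer cluster-ca node1 es-node-1.demo.internal)"
  echo "node1 as es-node-2:      $(verify_peer cluster-ca node1 es-node-2.demo.internal)"
  echo "cluster-ca self-signed:  $(is_self_signed cluster-ca), node1: $(is_self_signed node1)"
  # The same check with the chain printed, as in the verify commands above.
  openssl verify -show_chain -CAfile "$WORK/cluster-ca.crt" "$WORK/node1.crt"
}

demo
```

The intruder certificate is well formed and correctly signed, just by a CA the cluster does not trust, which is exactly why the trust store on each node should contain only the cluster CA and not a general-purpose bundle. The hostname step matters as much as the chain step: a certificate issued by the right CA for a different node must still fail.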

Certificate

Use openssl to look at the contents. The bundle is password protected, so openssl prompts for the import password (or take it from -passin). Note that this file is protected with the legacy pbeWithSHA1And40BitRC2-CBC and 3DES algorithms shown in the dump; OpenSSL 3.x needs the -legacy option to read it.

$ openssl pkcs12 -in /etc/elasticsearch/config/elastic-certificates.p12 -info -nokeys

MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Bag Attributes
    friendlyName: elk.asia-east1-b.c.machi-x.internal
    localKeyID:
subject=CN = elk.asia-east1-b.c.machi-x.internal

issuer=CN = Elastic Certificate Tool Autogenerated CA

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: ca
    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=CN = Elastic Certificate Tool Autogenerated CA

issuer=CN = Elastic Certificate Tool Autogenerated CA

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The bundle holds two certificates: the node certificate (subject CN elk.asia-east1-b.c.machi-x.internal, issued by the autogenerated CA) and the CA certificate itself (subject equal to issuer), so a peer only needs to trust that CA to verify this node. The -nokeys option hides the contents of the Shrouded Keybag, but the node's private key lives in this same file, which is why it must stay readable only by the elasticsearch process. The attribute 2.16.840.1.113894.746875.1.1 is the Oracle/Java marker for a trusted-certificate entry in a Java PKCS#12 keystore; openssl does not know it and prints <Unsupported tag 6>.