X.509 certificate

簡單講一下 certificate

  • X.509 是公鑰憑證(public key certificate) 的一套標準,用在很多網路通訊協定 (包含 TLS/SSL)

  • certificate 包含公鑰及識別資訊(hostname, organization, …等資訊)

  • certificate 是由 certificate authority(CA) 簽署,或是自簽(Self-signed)

  • 使用 browser 連入 https server時,會檢查 server 的 certificate 是否有效,確定這個 server 真的是合法的 site

  • 在 elastic stack 上,如果有多個 elasticsearch server node 彼此連線,由於 node 彼此是 client 也是 server

    • 使用 self-signed CA 產出來的 certificate,連入時會檢查使用的 certificate 是否由同一組 CA 簽署
    • server 使用 certificate,確定連入 server 的 client 都帶有正確的私鑰與 public certificate,是 authenticated user

附帶說明,X.509 有多種檔案格式

  • .pem
  • .cer, .crt, .der
  • .p12
  • .p7b, .p7c

另外檔案格式可以有其他用途,也就是說裡面裝的不一定是 X.509 憑證

CA

$ openssl pkcs12 -in /etc/elasticsearch/config/elastic-stack-ca.p12 -info -nokeys

MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Bag Attributes
    friendlyName: ca
    localKeyID:
subject=CN = Elastic Certificate Tool Autogenerated CA

issuer=CN = Elastic Certificate Tool Autogenerated CA

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

issuer command name 為 Elastic autogen CA subject command name 為 Elastic autogen CA

https://shazi.info/openssl-%E6%AA%A2%E6%B8%AC-ssl-%E7%9A%84%E6%86%91%E8%AD%89%E4%B8%B2%E9%8D%8A-certificate-chain/

openssl s_client -connect google.com

https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce

openssl verify -CAfile client-ca.cer client.cer

openssl verify -show_chain -CAfile client-ca.cer client.cer

Certificate

用 openssl 工具看一下內容,如果有密碼這邊要用密碼解鎖

$ openssl pkcs12 -in /etc/elasticsearch/config/elastic-certificates.p12 -info -nokeys

MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Bag Attributes
    friendlyName: elk.asia-east1-b.c.machi-x.internal
    localKeyID:
subject=CN = elk.asia-east1-b.c.machi-x.internal

issuer=CN = Elastic Certificate Tool Autogenerated CA

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: ca
    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=CN = Elastic Certificate Tool Autogenerated CA

issuer=CN = Elastic Certificate Tool Autogenerated CA

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
張哲嘉
張哲嘉
Site Reliability Engineer

我的研究領域包括網站可靠性工程、DevOps、Container和Kubernetes。