gRPC之SAN证书生成
2023-12-13 04:59:44
1、SAN证书生成
SAN(Subject Alternative Name)是 SSL 标准 x509 中定义的一个扩展。使用了 SAN 字段的 SSL 证书,可以扩
展此证书支持的域名,使得一个证书可以支持多个不同域名的解析。接下来我们重新利用配置文件生成CA证书,
再利用ca相关去生成服务端的证书。
1.1 CA根证书生成
新建工作目录:
[root@zsx cert]# pwd
/home/zhangshixing/cert
新建一个配置文件ca.conf,文件内容如下:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
localityName_default = Chengdu
organizationName = Organization Name (eg, company)
organizationName_default = Step
commonName = CommonName (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = tonghua
依次执行下面的命令,执行过程中遇到的填写国家之类的直接Enter跳过,选择配置文件中默认的,从而生成CA私
钥(ca.key)、签名请求(ca.csr)和签名证书(ca.pem)。
[root@zsx cert]# ll
total 4
-rw-r--r--. 1 root root 635 Feb 16 19:53 ca.conf
[root@zsx cert]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
...................................+++
......................+++
e is 65537 (0x10001)
[root@zsx cert]# ls
ca.conf ca.key
[root@zsx cert]# openssl req -new -sha256 -out ca.csr -key ca.key -config ca.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:
[root@zsx cert]# ls
ca.conf ca.csr ca.key
[root@zsx cert]# openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.pem
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting Private key
[root@zsx cert]# ls
ca.conf ca.csr ca.key ca.pem
1.2 签发服务端证书
接下来创建服务端配置文件server.conf,文件内容如下:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
localityName_default = Chengdu
organizationName = Organization Name (eg, company)
organizationName_default = Step
commonName = CommonName (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = tonghua
[ req_ext ]
# 添加subjectAltName
subjectAltName = @alt_names
# www.example.cn代表允许的ServerName
[alt_names]
DNS.1 = www.example.cn
IP = 127.0.0.1
同样,使用上面得到的CA根证书(ca.pem)签发服务端证书,依次执行下面命令生成服务端的密钥、签名请求和签
名证书:
# 服务端私钥
[root@zsx cert]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................................................+++
................................................+++
e is 65537 (0x10001)
[root@zsx cert]# ls
ca.conf ca.csr ca.key ca.pem server.conf server.key
# 服务端签名请求
[root@zsx cert]# openssl req -new -sha256 -out server.csr -key server.key -config server.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:
[root@zsx cert]# ls
ca.conf ca.csr ca.key ca.pem server.conf server.csr server.key
# 用根证书签发服务端证书server.pem
[root@zsx cert]# openssl x509 -req -days 3650 -CA ca.pem -CAkey ca.key -CAcreateserial -in server.csr -out server.pem -extensions req_ext -extfile server.conf
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting CA Private Key
[root@zsx cert]# ls
ca.conf ca.csr ca.key ca.pem ca.srl server.conf server.csr server.key server.pem
1.3 签发客户端证书
建立配置文件client.conf:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
localityName_default = Chengdu
organizationName = Organization Name (eg, company)
organizationName_default = Step
commonName = CommonName (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = tonghua
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.cn
IP = 127.0.0.1
执行下面命令生成客户端密钥、证书等:
[root@zsx cert]# openssl ecparam -genkey -name secp384r1 -out client.key
[root@zsx cert]# ls
ca.conf ca.key ca.srl client.key server.csr server.pem
ca.csr ca.pem client.conf server.conf server.key
[root@zsx cert]# openssl req -new -sha256 -out client.csr -key client.key -config client.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:
[root@zsx cert]# ls
ca.conf ca.key ca.srl client.csr server.conf server.key
ca.csr ca.pem client.conf client.key server.csr server.pem
[root@zsx cert]# openssl x509 -req -days 3650 -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr -out client.pem -extensions req_ext -extfile client.conf
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting CA Private Key
[root@zsx cert]# ls
ca.conf ca.key ca.srl client.csr client.pem server.csr server.pem
ca.csr ca.pem client.conf client.key server.conf server.key
1.4 双向认证
1.4.1 proto编写和编译
syntax = "proto3";
package proto;
option go_package = "./base;base";
service BaseService {
rpc GetTime (TimeRequest) returns (TimeResponse) {}
}
message TimeRequest {}
message TimeResponse {
string time = 1;
}
protoc --go_out=plugins=grpc:. base.proto
1.4.2 服务端
package main
import (
"context"
"crypto/tls"
"crypto/x509"
pb "demo/base"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"io/ioutil"
"log"
"net"
"time"
)
const (
// Address gRPC服务地址
Address = "127.0.0.1:8888"
)
type service struct {
pb.UnimplementedBaseServiceServer
}
func main() {
// TLS认证
// 从证书相关文件中读取和解析信息,得到证书公钥、密钥对
cert, err := tls.LoadX509KeyPair("./cert/server.pem", "./cert/server.key")
if err != nil {
log.Fatalln("cert err: ", err)
}
// 初始化一个CertPool
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile("./cert/ca.pem")
if err != nil {
log.Fatalln("ca err: ", err)
}
// 解析传入的证书,解析成功会将其加到池子中
certPool.AppendCertsFromPEM(ca)
// 构建基于TLS的TransportCredentials选项
creds := credentials.NewTLS(&tls.Config{
// 服务端证书链,可以有多个
Certificates: []tls.Certificate{cert},
// 要求必须验证客户端证书
ClientAuth: tls.RequireAndVerifyClientCert,
// 设置根证书的集合,校验方式使用 ClientAuth 中设定的模式
ClientCAs: certPool,
})
// 实例化grpc Server
rpcServer := grpc.NewServer(grpc.Creds(creds))
// 创建带ca证书验证的服务端
pb.RegisterBaseServiceServer(rpcServer, &service{})
// 设置传输协议和监听地址
listen, err := net.Listen("tcp", Address)
if err != nil {
log.Fatalln("listen err: ", err)
}
log.Println("Listen on " + Address + " with TLS")
rpcServer.Serve(listen)
}
// 实现接口
func (s *service) GetTime(ctx context.Context, in *pb.TimeRequest) (*pb.TimeResponse, error) {
now := time.Now().Format("2006-01-02 15:04:05")
return &pb.TimeResponse{Time: now}, nil
}
[root@zsx demo]# go run server.go
2023/02/16 20:53:13 Listen on 127.0.0.1:8888 with TLS
1.4.3 客户端
package main
import (
"context"
"crypto/tls"
"crypto/x509"
pb "demo/base"
"fmt"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"io/ioutil"
"log"
)
const (
// Address gRPC服务地址
Address = "127.0.0.1:8888"
)
func main() {
// TLS连接
// 从证书相关文件中读取和解析信息,得到证书公钥、密钥对
cert, err := tls.LoadX509KeyPair("./cert/client.pem", "./cert/client.key")
if err != nil {
log.Fatalln("cert err: ", err)
}
certPool := x509.NewCertPool()
ca, err := ioutil.ReadFile("./cert/ca.pem")
if err != nil {
log.Fatalln("ca err: ", err)
}
certPool.AppendCertsFromPEM(ca)
creds := credentials.NewTLS(&tls.Config{
//客户端证书
Certificates: []tls.Certificate{cert},
//注意这里的参数为配置文件中所允许的ServerName,也就是其中配置的DNS
ServerName: "www.example.cn",
RootCAs: certPool,
})
// 连接服务端
conn, err := grpc.Dial(Address, grpc.WithTransportCredentials(creds))
if err != nil {
log.Fatal(err)
}
defer conn.Close()
client := pb.NewBaseServiceClient(conn)
reps, err := client.GetTime(context.Background(), &pb.TimeRequest{})
// 初始化客户端
if err != nil {
log.Fatal(err)
}
fmt.Printf("grpcClient response is %s\n", reps.Time)
}
[root@zsx demo]# go run client.go
grpcClient response is 2023-02-16 20:53:30
1.5 单向认证
1.5.1 服务端
package main
import (
"context"
pb "demo/base"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"log"
"net"
"time"
)
type service struct {
pb.UnimplementedBaseServiceServer
}
func main() {
creds, err := credentials.NewServerTLSFromFile("./cert/server.pem", "./cert/server.key")
if err != nil {
log.Fatal(err)
}
Address := "127.0.0.1:8888"
//创建带ca证书验证的服务端
rpcServer := grpc.NewServer(grpc.Creds(creds))
pb.RegisterBaseServiceServer(rpcServer, &service{})
listen, _ := net.Listen("tcp", Address)
log.Println("Listen on " + Address + " with TLS")
rpcServer.Serve(listen)
}
// 实现接口
func (s *service) GetTime(ctx context.Context, in *pb.TimeRequest) (*pb.TimeResponse, error) {
now := time.Now().Format("2006-01-02 15:04:05")
return &pb.TimeResponse{Time: now}, nil
}
[root@zsx demo]# go run server1.go
2023/02/16 20:53:55 Listen on 127.0.0.1:8888 with TLS
1.5.2 客户端
package main
import (
"context"
pb "demo/base"
"fmt"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"log"
)
func main() {
creds, err := credentials.NewClientTLSFromFile("./cert/server.pem", "www.example.cn")
if err != nil {
log.Fatal(err)
}
conn, err := grpc.Dial("127.0.0.1:8888", grpc.WithTransportCredentials(creds))
if err != nil {
log.Fatal(err)
}
defer conn.Close()
client := pb.NewBaseServiceClient(conn)
resp, err := client.GetTime(context.Background(), &pb.TimeRequest{})
if err != nil {
log.Fatal(err)
}
fmt.Printf("grpcClient response is %s\n", resp.Time)
}
[root@zsx demo]# go run client1.go
grpcClient response is 2023-02-16 20:54:14
# 项目结构
$ tree demo/
demo/
├── base
│ └── base.pb.go
├── base.proto
├── cert
│ ├── ca.conf
│ ├── ca.csr
│ ├── ca.key
│ ├── ca.pem
│ ├── ca.srl
│ ├── client.conf
│ ├── client.csr
│ ├── client.key
│ ├── client.pem
│ ├── server.conf
│ ├── server.csr
│ ├── server.key
│ └── server.pem
├── client1.go
├── client.go
├── go.mod
├── go.sum
├── server1.go
└── server.go
文章来源:https://blog.csdn.net/qq_30614345/article/details/134484950
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。 如若内容造成侵权/违法违规/事实不符,请联系我的编程经验分享网邮箱:veading@qq.com进行投诉反馈,一经查实,立即删除!
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。 如若内容造成侵权/违法违规/事实不符,请联系我的编程经验分享网邮箱:veading@qq.com进行投诉反馈,一经查实,立即删除!