1. Generating SAN certificates

SAN (Subject Alternative Name) is an extension defined in X.509, the certificate standard used by SSL. A certificate that uses the SAN field can extend the set of domain names it covers, so that a single certificate can serve several different domain names. Below we use configuration files to generate the CA certificate, and then use the CA to issue the server certificate.

1.1 Generating the CA root certificate

Create a working directory:

```
[root@zsx cert]# pwd
/home/zhangshixing/cert
```

Create a configuration file ca.conf with the following content:

```
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
localityName_default = Chengdu
organizationName = Organization Name (eg, company)
organizationName_default = Step
commonName = CommonName (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = tonghua
```

Run the following commands in order. When prompted for the country and similar fields, just press Enter to accept the defaults from the configuration file. This produces the CA private key (ca.key), the signing request (ca.csr) and the signed certificate (ca.pem).

```
[root@zsx cert]# ll
total 4
-rw-r--r--. 1 root root 635 Feb 16 19:53 ca.conf

[root@zsx cert]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
...................................
......................
e is 65537 (0x10001)

[root@zsx cert]# ls
ca.conf  ca.key

[root@zsx cert]# openssl req -new -sha256 -out ca.csr -key ca.key -config ca.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:

[root@zsx cert]# ls
ca.conf  ca.csr  ca.key

[root@zsx cert]# openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.pem
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting Private key

[root@zsx cert]# ls
ca.conf  ca.csr  ca.key  ca.pem
```

1.2 Issuing the server certificate

Next, create the server configuration file server.conf with the following content:

```
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
localityName_default = Chengdu
organizationName = Organization Name (eg, company)
organizationName_default = Step
commonName = CommonName (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = tonghua

[ req_ext ]
# Add subjectAltName
subjectAltName = @alt_names

# www.example.cn is the ServerName that will be accepted
[alt_names]
DNS.1 = www.example.cn
IP = 127.0.0.1
```

Use the CA root certificate obtained above (ca.pem) to issue the server certificate. Run the following commands in order to generate the server key, signing request and signed certificate:

```
# Server private key
[root@zsx cert]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................................................
................................................
e is 65537 (0x10001)

[root@zsx cert]# ls
ca.conf  ca.csr  ca.key  ca.pem  server.conf  server.key

# Server signing request
[root@zsx cert]# openssl req -new -sha256 -out server.csr -key server.key -config server.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:

[root@zsx cert]# ls
ca.conf  ca.csr  ca.key  ca.pem  server.conf  server.csr  server.key

# Issue the server certificate server.pem with the root certificate
[root@zsx cert]# openssl x509 -req -days 3650 -CA ca.pem -CAkey ca.key -CAcreateserial -in server.csr -out server.pem -extensions req_ext -extfile server.conf
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting CA Private Key

[root@zsx cert]# ls
ca.conf  ca.csr  ca.key  ca.pem  ca.srl  server.conf  server.csr  server.key  server.pem
```

1.3 Issuing the client certificate

Create the configuration file client.conf:

```
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
localityName_default = Chengdu
organizationName = Organization Name (eg, company)
organizationName_default = Step
commonName = CommonName (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = tonghua

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.example.cn
IP = 127.0.0.1
```

Run the following commands to generate the client key, certificate and related files:

```
[root@zsx cert]# openssl ecparam -genkey -name secp384r1 -out client.key

[root@zsx cert]# ls
ca.conf  ca.key  ca.srl       client.key   server.csr  server.pem
ca.csr   ca.pem  client.conf  server.conf  server.key

[root@zsx cert]# openssl req -new -sha256 -out client.csr -key client.key -config client.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:

[root@zsx cert]# ls
ca.conf  ca.key  ca.srl       client.csr  server.conf  server.key
ca.csr   ca.pem  client.conf  client.key  server.csr   server.pem

[root@zsx cert]# openssl x509 -req -days 3650 -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr -out client.pem -extensions req_ext -extfile client.conf
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting CA Private Key

[root@zsx cert]# ls
ca.conf  ca.key  ca.srl       client.csr  client.pem   server.csr  server.pem
ca.csr   ca.pem  client.conf  client.key  server.conf  server.key
```

1.4 Mutual authentication

1.4.1 Writing and compiling the proto file

```proto
syntax = "proto3";
package proto;
option go_package = "./base;base";

service BaseService {
    rpc GetTime (TimeRequest) returns (TimeResponse) {}
}

message TimeRequest {}

message TimeResponse {
    string time = 1;
}
```

```
protoc --go_out=plugins=grpc:. base.proto
```

1.4.2 Server

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	pb "demo/base"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	"io/ioutil"
	"log"
	"net"
	"time"
)

const (
	// Address is the gRPC service address
	Address = "127.0.0.1:8888"
)

type service struct {
	pb.UnimplementedBaseServiceServer
}

func main() {
	// TLS authentication
	// Read and parse the certificate files to obtain the certificate and key pair
	cert, err := tls.LoadX509KeyPair("./cert/server.pem", "./cert/server.key")
	if err != nil {
		log.Fatalln("cert err: ", err)
	}
	// Initialise a CertPool
	certPool := x509.NewCertPool()
	ca, err := ioutil.ReadFile("./cert/ca.pem")
	if err != nil {
		log.Fatalln("ca err: ", err)
	}
	// Parse the CA certificate; on success it is added to the pool.
	// Stop if nothing was parsed, otherwise no client could ever be verified.
	if !certPool.AppendCertsFromPEM(ca) {
		log.Fatalln("ca err: no certificate found in ca.pem")
	}
	// Build the TLS-based TransportCredentials option
	creds := credentials.NewTLS(&tls.Config{
		// Server certificate chain; there can be more than one
		Certificates: []tls.Certificate{cert},
		// Require the client certificate and verify it
		ClientAuth: tls.RequireAndVerifyClientCert,
		// Set of root certificates used to verify clients, in the mode set by ClientAuth
		ClientCAs: certPool,
	})
	// Instantiate the gRPC server
	rpcServer := grpc.NewServer(grpc.Creds(creds))
	// Register the service on the server that verifies client certificates against the CA
	pb.RegisterBaseServiceServer(rpcServer, &service{})
	// Set the transport protocol and listen address
	listen, err := net.Listen("tcp", Address)
	if err != nil {
		log.Fatalln("listen err: ", err)
	}
	log.Println("Listen on " + Address + " with TLS")
	if err := rpcServer.Serve(listen); err != nil {
		log.Fatalln("serve err: ", err)
	}
}

// GetTime implements the service interface
func (s *service) GetTime(ctx context.Context, in *pb.TimeRequest) (*pb.TimeResponse, error) {
	now := time.Now().Format("2006-01-02 15:04:05")
	return &pb.TimeResponse{Time: now}, nil
}
```

```
[root@zsx demo]# go run server.go
2023/02/16 20:53:13 Listen on 127.0.0.1:8888 with TLS
```

1.4.3 Client

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	pb "demo/base"
	"fmt"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	"io/ioutil"
	"log"
)

const (
	// Address is the gRPC service address
	Address = "127.0.0.1:8888"
)

func main() {
	// TLS connection
	// Read and parse the certificate files to obtain the certificate and key pair
	cert, err := tls.LoadX509KeyPair("./cert/client.pem", "./cert/client.key")
	if err != nil {
		log.Fatalln("cert err: ", err)
	}
	certPool := x509.NewCertPool()
	ca, err := ioutil.ReadFile("./cert/ca.pem")
	if err != nil {
		log.Fatalln("ca err: ", err)
	}
	// Stop if the CA file contains no usable certificate
	if !certPool.AppendCertsFromPEM(ca) {
		log.Fatalln("ca err: no certificate found in ca.pem")
	}
	creds := credentials.NewTLS(&tls.Config{
		// Client certificate
		Certificates: []tls.Certificate{cert},
		// Note: this must be a ServerName allowed by the configuration file,
		// i.e. the DNS entry configured there
		ServerName: "www.example.cn",
		RootCAs:    certPool,
	})
	// Connect to the server
	conn, err := grpc.Dial(Address, grpc.WithTransportCredentials(creds))
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()
	// Initialise the client
	client := pb.NewBaseServiceClient(conn)
	resp, err := client.GetTime(context.Background(), &pb.TimeRequest{})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("grpcClient response is %s\n", resp.Time)
}
```

```
[root@zsx demo]# go run client.go
grpcClient response is 2023-02-16 20:53:30
```

1.5 One-way authentication

1.5.1 Server

```go
package main

import (
	"context"
	pb "demo/base"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	"log"
	"net"
	"time"
)

type service struct {
	pb.UnimplementedBaseServiceServer
}

func main() {
	creds, err := credentials.NewServerTLSFromFile("./cert/server.pem", "./cert/server.key")
	if err != nil {
		log.Fatal(err)
	}
	Address := "127.0.0.1:8888"
	// Create the server with TLS credentials (no client certificate is requested)
	rpcServer := grpc.NewServer(grpc.Creds(creds))
	pb.RegisterBaseServiceServer(rpcServer, &service{})
	listen, err := net.Listen("tcp", Address)
	if err != nil {
		log.Fatal(err)
	}
	log.Println("Listen on " + Address + " with TLS")
	if err := rpcServer.Serve(listen); err != nil {
		log.Fatal(err)
	}
}

// GetTime implements the service interface
func (s *service) GetTime(ctx context.Context, in *pb.TimeRequest) (*pb.TimeResponse, error) {
	now := time.Now().Format("2006-01-02 15:04:05")
	return &pb.TimeResponse{Time: now}, nil
}
```

```
[root@zsx demo]# go run server1.go
2023/02/16 20:53:55 Listen on 127.0.0.1:8888 with TLS
```

1.5.2 Client

The client below trusts server.pem directly and checks it against the ServerName www.example.cn. Passing ca.pem, which signed server.pem, also works and keeps working after the server certificate is reissued by the same CA.

```go
package main

import (
	"context"
	pb "demo/base"
	"fmt"
	"google.golang.org/grpc"
	"google.golang.org/grpc/credentials"
	"log"
)

func main() {
	// Trust server.pem and require the server name www.example.cn
	creds, err := credentials.NewClientTLSFromFile("./cert/server.pem", "www.example.cn")
	if err != nil {
		log.Fatal(err)
	}
	conn, err := grpc.Dial("127.0.0.1:8888", grpc.WithTransportCredentials(creds))
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()
	client := pb.NewBaseServiceClient(conn)
	resp, err := client.GetTime(context.Background(), &pb.TimeRequest{})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("grpcClient response is %s\n", resp.Time)
}
```

```
[root@zsx demo]# go run client1.go
grpcClient response is 2023-02-16 20:54:14
```

```
# Project structure
$ tree demo/
demo/
├── base
│   └── base.pb.go
├── base.proto
├── cert
│   ├── ca.conf
│   ├── ca.csr
│   ├── ca.key
│   ├── ca.pem
│   ├── ca.srl
│   ├── client.conf
│   ├── client.csr
│   ├── client.key
│   ├── client.pem
│   ├── server.conf
│   ├── server.csr
│   ├── server.key
│   └── server.pem
├── client1.go
├── client.go
├── go.mod
├── go.sum
├── server1.go
└── server.go
```
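Why the `[alt_names]` entries in server.conf matter to the Go clients above, shown as an added example that is not part of the original article: Go's crypto/x509 matches the requested ServerName only against SAN entries and ignores the CommonName. The certificate is a constructed, self-signed sample that is trusted directly to keep the code short (name matching works the same way for a CA-issued certificate), and `verifyAs` is a hypothetical helper name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// verifyAs self-signs a throwaway certificate (constructed sample: CN www.example.cn,
// SAN entries as in server.conf only if withSAN), trusts it, and verifies it for name.
func verifyAs(withSAN bool, name string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.cn"},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
	}
	if withSAN {
		tmpl.DNSNames = []string{"www.example.cn"}
		tmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

func main() {
	for _, name := range []string{"www.example.cn", "127.0.0.1", "other.example.cn"} {
		fmt.Printf("%-17s SAN cert: %v | CN-only cert: %v\n", name, verifyAs(true, name), verifyAs(false, name))
	}
}
```

The CN-only certificate is rejected for every name, which is what a Go client reports when the `-extensions req_ext -extfile server.conf` options are left off the signing command.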