vault pki 实践

传统方式的购买 TLS 证书,流程繁琐, 采购周期长。 vault 的优点在于 Vault PKI allows users to dynamically generate X.509 certificates quickly and on demand. Vault PKI can streamline distributing TLS certificates and allows users to create PKI certificates with a single command. Vault PKI reduces overhead around the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete, while additionally providing an authentication and authorization mechanism to validate as well.

为什么需要 TSL

为了避免被中间人劫持:

  • 安全传输公钥: 权威机构的公钥不需要传输,因为权威机构会和主流的浏览器或操作系统合作,将他们的公钥内置在浏览器或操作系统环境中。客户端收到证书之后,只需要从证书中找到权威机构的信息,并从本地环境中找到权威机构的公钥,就能正确解密A公钥。
  • 保证客户端收到的证书是服务器下发的证书,没有被中间人篡改过。
    更多详细信息, 可以参考文章一, 文章二 或者自行 Google

    举例

    当我们访问的 Google 的时候,我们的电脑内置了权威机构的根证书 GTS Root。由此根证书,我们可以验证谷歌站点发过来的 ca chain 真实性。

vault pki

参考:

搭建 vault 可以参考我的另外一篇 post vault 实践

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# Creating the root CA:
# First, enable the pki secrets engine at the pki path:
$ vault secrets enable pki

# Tune the pki secrets engine to issue certificates with a maximum time-to-live (TTL)
# of 87600 hours (10 years):
$ vault secrets tune -max-lease-ttl=87600h pki

# Generate the root CA, extracting the root CA's certificate to root.crt; the secret
# key is not exported!
$ vault write -field=certificate pki/root/generate/internal common_name="feiyang.com" \
ttl=87600h > root.crt

# This generates a new self-signed CA certificate and private key. Vault will automatically
# revoke the generated root at the end of its lease period (TTL); the CA certificate will
# sign its own Certificate Revocation List (CRL).

# Configure the CA and CRL URLs:
$ vault write pki/config/urls \
issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

# Creating the intermediate CA:
# First, enable the pki secrets engine at the pki_int path:
$ vault secrets enable -path=pki_int pki

# Tune the pki_int secrets engine to issue certificates with a maximum time-to-live (TTL)
# of 43800 hours (5 years):
$ vault secrets tune -max-lease-ttl=43800h pki_int

# Execute the following command to generate an intermediate and save the CSR as
# pki_intermediate.csr:
$ vault write -format=json pki_int/intermediate/generate/exported \
common_name="feiyang.com Intermediate Authority" ttl="43800h" format="pem" > pki_intermediate

# Extract the private key & certificate signing request from the previous command's output:
$ jq -r '.data.private_key' < pki_intermediate > intermediate.key.pem
$ jq -r '.data.csr' < pki_intermediate > pki_intermediate.csr

# Sign the intermediate certificate with the root certificate and save the generated
# certificate as intermediate.cert.pem:
$ vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \
format="pem" \
| jq -r '.data.certificate' > intermediate.cert.pem

# Once the CSR is signed and the root CA returns a certificate, it can be imported back
# into Vault:
$ vault write pki_int/intermediate/set-signed certificate=@intermediate.cert.pem

然后就是拼接成 ca chain (颁发的证书在前,CA证书在后)

1
2
3
4
5
6
$ cat intermediate.cert.pem > intermediate.chain.pem
$ cat root.crt >> intermediate.chain.pem

root@ubuntu18-108:/etc/vault.d/pki_test# ls
feiyang.txt intermediate.chain.pem pki_intermediate root.crt
intermediate.cert.pem intermediate.key.pem pki_intermediate.csr

为 client 创建一个 role, client 端可以用来申请证书。

1
2
3
4
5
6
vault write pki_int/roles/feiyang-dot-com \
allowed_domains="feiyang.com" \
allow_subdomains=true \
max_ttl="720h"

vault write pki_int/issue/feiyang-dot-com common_name="test.feiyang.com" ttl="24h" >>feiyang.txt

我们来看一下, 返回的 test.feiyang.com 有什么
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
root@ubuntu18-108:/etc/vault.d/pki_test# cat feiyang.txt
Key Value
--- -----
ca_chain [-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIUNhNKMD9l+/MExLQd3zhvJ6BGDNQwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLZmVpeWFuZy5jb20wHhcNMjExMTIzMDIyNzAyWhcNMjEx
MjI1MDIyNzMyWjAtMSswKQYDVQQDEyJmZWl5YW5nLmNvbSBJbnRlcm1lZGlhdGUg
QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6fVj91gg
QY1UpNnm387tn9lMirtwhVxEexXPJHL00St3J+io7gbTkw6DNZE5wwsoILqB4jKe
rGsWsk2zIZlebISBzPVhIdLqeVyTW0/hUtLc4KoHgcrAtI8qwaqtGMAOmLWBLHdZ
Gb6j2uiuf6773YPkNT0zaemD/t3JndFFCzZne3xUsOkPUrODmtHUAENHPAxuDQhP
DIYNDENi9KRvh5CD778gXFYgoh+MuWHx8+vcy8IJi/ykfR9yE+P2beP/N/11Jm02
uALJJ0NeQ/nGDaktR4Q5SgkmLY8rwgWRWQmJBR7welSY/ZjPfjfdlmeGdHecYPK9
acGBKk/81lryOQIDAQABo4HaMIHXMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRIhaij4GVicVWQAcZvTOxdPg4F5jAfBgNVHSMEGDAW
gBSPMN9+BzUlsMkk8Hv+GVDS0nD3gjA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUH
MAKGImh0dHA6Ly8xOTIuMTY4LjY0LjM6ODIwMC92MS9wa2kvY2EwNAYDVR0fBC0w
KzApoCegJYYjaHR0cDovLzE5Mi4xNjguNjQuMzo4MjAwL3YxL3BraS9jcmwwDQYJ
KoZIhvcNAQELBQADggEBAEVNSisWlg+TdPct9VXKJ6cLsHdWNzIfIXk3lFNzcd1J
zWuYEtBYpAvdLFAy3KzmmepTP/jqKN6+nw4JDOMzv/kaRx0Fyoq/uvBu3GILH3NB
ZjMWkOCuvEdFozKj9qTj4GkL9wFzUfEra0w6x+2tr1qodCtcjxxHUv9/jr0slFle
e/zOsLpNd/q+ozWNmt2KEN3STCugIoMhlvAQESUtiESbphMoqPFVw1cc5SX8LI78
cQMgEyT67wiH9KHsJfcJQexzQCQUJcebXbO9HvUTnP94kdVZIN3uDot5OiDWJPqg
M8uwej97SAyjjnjGR8bkO+Ct1SuSDV5URP2E/9possg=
-----END CERTIFICATE-----]
certificate -----BEGIN CERTIFICATE-----
MIIDZjCCAk6gAwIBAgIUQu0BTkmbJHjwUGiXDjLOX47ki18wDQYJKoZIhvcNAQEL
BQAwLTErMCkGA1UEAxMiZmVpeWFuZy5jb20gSW50ZXJtZWRpYXRlIEF1dGhvcml0
eTAeFw0yMTExMjUxNjE0MzBaFw0yMTExMjYxNjE1MDBaMBsxGTAXBgNVBAMTEHRl
c3QuZmVpeWFuZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn
cVsD17cydZz722CwpIS6bPjGLxMxnl2xk2yfGdhQZc2z/GEtyQd028n6PwPoxJ9U
6dwGZcyzS/iHTZhmThv6hvy2QZgeIbWB8n58Cnf7ExWmwmplUVQd549NP9RwFtuN
tBKZjxpVyPiwp3dVoBuA+3rVBo4z5Cfz1HQ0b53j5Vb9AjNX8VrDFWOpGOF2LWPg
nZOWLQaCMMOd7iuXjPKLJtO2VDbBGBYOx0YXhyr5itQDhM8UKgEVU1kJZgna7CWu
CfBdQh+new+YgsPTQx4zkca472Uyb9rykTxzRfnly0b5WkhwDoyvCMPZtFerf3T7
LjJhqnVWcCgA1R0sb0/HAgMBAAGjgY8wgYwwDgYDVR0PAQH/BAQDAgOoMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUSjt1XbgoJdJceVB+
VP5bMuGFEnAwHwYDVR0jBBgwFoAUSIWoo+BlYnFVkAHGb0zsXT4OBeYwGwYDVR0R
BBQwEoIQdGVzdC5mZWl5YW5nLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAdTP2kqpS
P1qTmt/ILAuJ5wz6Fe+78v3uv5PjAGz4CJ4gcdqVXqVxn0a6PPi3VuCg2y50h/zC
a/T7OWC/Qcu3No0Puad2T2osVbrH/pf/WvmieMnwPcc+8Ay8pgEDO1iP8R7m/YB4
fnt1x2ePkeHRp984QnCt19a8nVNTnD5bsGR4dIcchgz0xDyGlro7rDY8MppBJZNy
24Dg6BJOo+GTFwO3+lvoB4RrlVQpr74a5y4PJJnRdwq5ov/1qMd5E1MkzJAdPPhs
xi5+oaa7Ja9hpYk9iZUcdZrePE31WTkqnNZvkC+DZGQ3eZbdO/uK2fRYvX4tjOyX
16kYe2YkPN9KzA==
-----END CERTIFICATE-----
expiration 1637943300
issuing_ca -----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIUNhNKMD9l+/MExLQd3zhvJ6BGDNQwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLZmVpeWFuZy5jb20wHhcNMjExMTIzMDIyNzAyWhcNMjEx
MjI1MDIyNzMyWjAtMSswKQYDVQQDEyJmZWl5YW5nLmNvbSBJbnRlcm1lZGlhdGUg
QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6fVj91gg
QY1UpNnm387tn9lMirtwhVxEexXPJHL00St3J+io7gbTkw6DNZE5wwsoILqB4jKe
rGsWsk2zIZlebISBzPVhIdLqeVyTW0/hUtLc4KoHgcrAtI8qwaqtGMAOmLWBLHdZ
Gb6j2uiuf6773YPkNT0zaemD/t3JndFFCzZne3xUsOkPUrODmtHUAENHPAxuDQhP
DIYNDENi9KRvh5CD778gXFYgoh+MuWHx8+vcy8IJi/ykfR9yE+P2beP/N/11Jm02
uALJJ0NeQ/nGDaktR4Q5SgkmLY8rwgWRWQmJBR7welSY/ZjPfjfdlmeGdHecYPK9
acGBKk/81lryOQIDAQABo4HaMIHXMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRIhaij4GVicVWQAcZvTOxdPg4F5jAfBgNVHSMEGDAW
gBSPMN9+BzUlsMkk8Hv+GVDS0nD3gjA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUH
MAKGImh0dHA6Ly8xOTIuMTY4LjY0LjM6ODIwMC92MS9wa2kvY2EwNAYDVR0fBC0w
KzApoCegJYYjaHR0cDovLzE5Mi4xNjguNjQuMzo4MjAwL3YxL3BraS9jcmwwDQYJ
KoZIhvcNAQELBQADggEBAEVNSisWlg+TdPct9VXKJ6cLsHdWNzIfIXk3lFNzcd1J
zWuYEtBYpAvdLFAy3KzmmepTP/jqKN6+nw4JDOMzv/kaRx0Fyoq/uvBu3GILH3NB
ZjMWkOCuvEdFozKj9qTj4GkL9wFzUfEra0w6x+2tr1qodCtcjxxHUv9/jr0slFle
e/zOsLpNd/q+ozWNmt2KEN3STCugIoMhlvAQESUtiESbphMoqPFVw1cc5SX8LI78
cQMgEyT67wiH9KHsJfcJQexzQCQUJcebXbO9HvUTnP94kdVZIN3uDot5OiDWJPqg
M8uwej97SAyjjnjGR8bkO+Ct1SuSDV5URP2E/9possg=
-----END CERTIFICATE-----
private_key -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAp3FbA9e3MnWc+9tgsKSEumz4xi8TMZ5dsZNsnxnYUGXNs/xh
LckHdNvJ+j8D6MSfVOncBmXMs0v4h02YZk4b+ob8tkGYHiG1gfJ+fAp3+xMVpsJq
ZVFUHeePTT/UcBbbjbQSmY8aVcj4sKd3VaAbgPt61QaOM+Qn89R0NG+d4+VW/QIz
V/FawxVjqRjhdi1j4J2Tli0GgjDDne4rl4zyiybTtlQ2wRgWDsdGF4cq+YrUA4TP
FCoBFVNZCWYJ2uwlrgnwXUIfp3sPmILD00MeM5HGuO9lMm/a8pE8c0X55ctG+VpI
cA6MrwjD2bRXq390+y4yYap1VnAoANUdLG9PxwIDAQABAoIBAB5H9bnALTVG59j0
V4wadJZyVpsgsEvs4+zVSHONbP09K/I81iY9kMelZ+WFt+NEi7wDfvL5Pge+2Xc+
pSz7OzwXZWRggG4Skoypmg48pm4ViXja9/rStm+iDNxfir+qopIB2stCgfS5n5/y
6TXm+pJc6F3WDal8vWzvIwTImrk32WgNa3TxA/KtkawbhiAwOsvT4S5SlQmsgpFK
EtC+lmbx9aZTeoAcor/XMz9hbk0pB3r9VK4Z4MxOz5WrNcb2wPZ81EuVVBBdEYCI
auaNTnLl8r5w/VMSTi2DvSuZ9SC6yGc4Gv8Y3GvsHpxujAQlls3kqJQtPAPs4Cwg
hNS8JyECgYEAwDrhkaW7AUhrhQ5655Vv4/EF5sFNIPp8A0e7jzq7iDSmbvdG1EGU
eaUYqj7zY6USRf2B2cnTYo7WQJedshK6/mRErFv+prsNUT0kyKIgEKgLWPMZwzAQ
6RI9uDRiRYNbcLlU8Wukxt1A+9JlddVFfwI0L98J9v6TkgRXL8ZTKM0CgYEA3v1s
J6ZdjjBqA1+qzSEkmHjSk9CPTNuQ4/sIciOXdcu8r+g9fbj88I4ZrT4q8L7Xqojj
bgB/mJpebRrkLOGU8iBCqCHjJSqciBBU1c2v8quoLOD4Mo2naBLqI2ge30RJGxEY
Yt8Bacmlr3q2SsDZ6GtLQf7UVCfN+3u+Gd4CquMCgYBYFeMtSYNSyCu00fjRy/F0
wwpQPj2oof9XxXQV4vTyKiYl7RvAwbhWsaeGw8fl3ktsVQk+kjRSEl/tQ0yYv+p+
DdZGIPWk00v78Qe9BEWrPEXO4b7paUomcxxjH2X0soehNNvOsOPV2KchfbzObQcm
dw0Q7qRzUR6wJ1sIYlnS9QKBgQDPCftOgSAiMf9sbHnYhapFywCxb5ZtpPtNQbog
x70MCQODTB0zyvtGmplqiesype72Dq0jaGEQHlwH70zmAvjZKmzZUMVmr76wcoFi
Fd0Ecq7uJF8uCOnjLpSoFTd80xkRgXjj6+yS/T/RwxzYIWDxdBVnDCS2klKk6cqi
l8hgQwKBgQCCG+QMKA6o6gtYnxdi6S3EF3Mo0b9MB3r4OFRFHN7Sk1ICxWB5oy94
YSER0HMxcl+N6COfr4QiA46Me0ixEJ/CXnE9ey7zrvojchLbtIZrZPenhAiFxiiC
/wDATARa8QuQ2HrBt7G/zzCujWQilbGcWWqK/K/4ESA40Ib4N05grQ==
-----END RSA PRIVATE KEY-----
private_key_type rsa
serial_number 42:ed:01:4e:49:9b:24:78:f0:50:68:97:0e:32:ce:5f:8e:e4:8b:5f

verify in nginx

安装 Nginx 的过程就省略了,只看设置

nginx server

这里的 server.crt 就是 ca chain, 把 feiyang.txt 里面的 certificate 和 issuing_ca 拼接起来

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
    server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name test.feiyang.com;
root /usr/share/nginx/html;

ssl_certificate "/etc/pki/nginx/server.crt";
ssl_certificate_key "/etc/pki/nginx/private/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;

[root@centos7 nginx]# cat /etc/pki/nginx/server.crt
-----BEGIN CERTIFICATE-----
MIIDZjCCAk6gAwIBAgIUQu0BTkmbJHjwUGiXDjLOX47ki18wDQYJKoZIhvcNAQEL
BQAwLTErMCkGA1UEAxMiZmVpeWFuZy5jb20gSW50ZXJtZWRpYXRlIEF1dGhvcml0
eTAeFw0yMTExMjUxNjE0MzBaFw0yMTExMjYxNjE1MDBaMBsxGTAXBgNVBAMTEHRl
c3QuZmVpeWFuZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCn
cVsD17cydZz722CwpIS6bPjGLxMxnl2xk2yfGdhQZc2z/GEtyQd028n6PwPoxJ9U
6dwGZcyzS/iHTZhmThv6hvy2QZgeIbWB8n58Cnf7ExWmwmplUVQd549NP9RwFtuN
tBKZjxpVyPiwp3dVoBuA+3rVBo4z5Cfz1HQ0b53j5Vb9AjNX8VrDFWOpGOF2LWPg
nZOWLQaCMMOd7iuXjPKLJtO2VDbBGBYOx0YXhyr5itQDhM8UKgEVU1kJZgna7CWu
CfBdQh+new+YgsPTQx4zkca472Uyb9rykTxzRfnly0b5WkhwDoyvCMPZtFerf3T7
LjJhqnVWcCgA1R0sb0/HAgMBAAGjgY8wgYwwDgYDVR0PAQH/BAQDAgOoMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUSjt1XbgoJdJceVB+
VP5bMuGFEnAwHwYDVR0jBBgwFoAUSIWoo+BlYnFVkAHGb0zsXT4OBeYwGwYDVR0R
BBQwEoIQdGVzdC5mZWl5YW5nLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAdTP2kqpS
P1qTmt/ILAuJ5wz6Fe+78v3uv5PjAGz4CJ4gcdqVXqVxn0a6PPi3VuCg2y50h/zC
a/T7OWC/Qcu3No0Puad2T2osVbrH/pf/WvmieMnwPcc+8Ay8pgEDO1iP8R7m/YB4
fnt1x2ePkeHRp984QnCt19a8nVNTnD5bsGR4dIcchgz0xDyGlro7rDY8MppBJZNy
24Dg6BJOo+GTFwO3+lvoB4RrlVQpr74a5y4PJJnRdwq5ov/1qMd5E1MkzJAdPPhs
xi5+oaa7Ja9hpYk9iZUcdZrePE31WTkqnNZvkC+DZGQ3eZbdO/uK2fRYvX4tjOyX
16kYe2YkPN9KzA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDrDCCApSgAwIBAgIUNhNKMD9l+/MExLQd3zhvJ6BGDNQwDQYJKoZIhvcNAQEL
BQAwFjEUMBIGA1UEAxMLZmVpeWFuZy5jb20wHhcNMjExMTIzMDIyNzAyWhcNMjEx
MjI1MDIyNzMyWjAtMSswKQYDVQQDEyJmZWl5YW5nLmNvbSBJbnRlcm1lZGlhdGUg
QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6fVj91gg
QY1UpNnm387tn9lMirtwhVxEexXPJHL00St3J+io7gbTkw6DNZE5wwsoILqB4jKe
rGsWsk2zIZlebISBzPVhIdLqeVyTW0/hUtLc4KoHgcrAtI8qwaqtGMAOmLWBLHdZ
Gb6j2uiuf6773YPkNT0zaemD/t3JndFFCzZne3xUsOkPUrODmtHUAENHPAxuDQhP
DIYNDENi9KRvh5CD778gXFYgoh+MuWHx8+vcy8IJi/ykfR9yE+P2beP/N/11Jm02
uALJJ0NeQ/nGDaktR4Q5SgkmLY8rwgWRWQmJBR7welSY/ZjPfjfdlmeGdHecYPK9
acGBKk/81lryOQIDAQABo4HaMIHXMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E
BTADAQH/MB0GA1UdDgQWBBRIhaij4GVicVWQAcZvTOxdPg4F5jAfBgNVHSMEGDAW
gBSPMN9+BzUlsMkk8Hv+GVDS0nD3gjA+BggrBgEFBQcBAQQyMDAwLgYIKwYBBQUH
MAKGImh0dHA6Ly8xOTIuMTY4LjY0LjM6ODIwMC92MS9wa2kvY2EwNAYDVR0fBC0w
KzApoCegJYYjaHR0cDovLzE5Mi4xNjguNjQuMzo4MjAwL3YxL3BraS9jcmwwDQYJ
KoZIhvcNAQELBQADggEBAEVNSisWlg+TdPct9VXKJ6cLsHdWNzIfIXk3lFNzcd1J
zWuYEtBYpAvdLFAy3KzmmepTP/jqKN6+nw4JDOMzv/kaRx0Fyoq/uvBu3GILH3NB
ZjMWkOCuvEdFozKj9qTj4GkL9wFzUfEra0w6x+2tr1qodCtcjxxHUv9/jr0slFle
e/zOsLpNd/q+ozWNmt2KEN3STCugIoMhlvAQESUtiESbphMoqPFVw1cc5SX8LI78
cQMgEyT67wiH9KHsJfcJQexzQCQUJcebXbO9HvUTnP94kdVZIN3uDot5OiDWJPqg
M8uwej97SAyjjnjGR8bkO+Ct1SuSDV5URP2E/9possg=
-----END CERTIFICATE-----

[root@centos7 nginx]# cat /etc/pki/nginx/private/server.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAp3FbA9e3MnWc+9tgsKSEumz4xi8TMZ5dsZNsnxnYUGXNs/xh
LckHdNvJ+j8D6MSfVOncBmXMs0v4h02YZk4b+ob8tkGYHiG1gfJ+fAp3+xMVpsJq
ZVFUHeePTT/UcBbbjbQSmY8aVcj4sKd3VaAbgPt61QaOM+Qn89R0NG+d4+VW/QIz
V/FawxVjqRjhdi1j4J2Tli0GgjDDne4rl4zyiybTtlQ2wRgWDsdGF4cq+YrUA4TP
FCoBFVNZCWYJ2uwlrgnwXUIfp3sPmILD00MeM5HGuO9lMm/a8pE8c0X55ctG+VpI
cA6MrwjD2bRXq390+y4yYap1VnAoANUdLG9PxwIDAQABAoIBAB5H9bnALTVG59j0
V4wadJZyVpsgsEvs4+zVSHONbP09K/I81iY9kMelZ+WFt+NEi7wDfvL5Pge+2Xc+
pSz7OzwXZWRggG4Skoypmg48pm4ViXja9/rStm+iDNxfir+qopIB2stCgfS5n5/y
6TXm+pJc6F3WDal8vWzvIwTImrk32WgNa3TxA/KtkawbhiAwOsvT4S5SlQmsgpFK
EtC+lmbx9aZTeoAcor/XMz9hbk0pB3r9VK4Z4MxOz5WrNcb2wPZ81EuVVBBdEYCI
auaNTnLl8r5w/VMSTi2DvSuZ9SC6yGc4Gv8Y3GvsHpxujAQlls3kqJQtPAPs4Cwg
hNS8JyECgYEAwDrhkaW7AUhrhQ5655Vv4/EF5sFNIPp8A0e7jzq7iDSmbvdG1EGU
eaUYqj7zY6USRf2B2cnTYo7WQJedshK6/mRErFv+prsNUT0kyKIgEKgLWPMZwzAQ
6RI9uDRiRYNbcLlU8Wukxt1A+9JlddVFfwI0L98J9v6TkgRXL8ZTKM0CgYEA3v1s
J6ZdjjBqA1+qzSEkmHjSk9CPTNuQ4/sIciOXdcu8r+g9fbj88I4ZrT4q8L7Xqojj
bgB/mJpebRrkLOGU8iBCqCHjJSqciBBU1c2v8quoLOD4Mo2naBLqI2ge30RJGxEY
Yt8Bacmlr3q2SsDZ6GtLQf7UVCfN+3u+Gd4CquMCgYBYFeMtSYNSyCu00fjRy/F0
wwpQPj2oof9XxXQV4vTyKiYl7RvAwbhWsaeGw8fl3ktsVQk+kjRSEl/tQ0yYv+p+
DdZGIPWk00v78Qe9BEWrPEXO4b7paUomcxxjH2X0soehNNvOsOPV2KchfbzObQcm
dw0Q7qRzUR6wJ1sIYlnS9QKBgQDPCftOgSAiMf9sbHnYhapFywCxb5ZtpPtNQbog
x70MCQODTB0zyvtGmplqiesype72Dq0jaGEQHlwH70zmAvjZKmzZUMVmr76wcoFi
Fd0Ecq7uJF8uCOnjLpSoFTd80xkRgXjj6+yS/T/RwxzYIWDxdBVnDCS2klKk6cqi
l8hgQwKBgQCCG+QMKA6o6gtYnxdi6S3EF3Mo0b9MB3r4OFRFHN7Sk1ICxWB5oy94
YSER0HMxcl+N6COfr4QiA46Me0ixEJ/CXnE9ey7zrvojchLbtIZrZPenhAiFxiiC
/wDATARa8QuQ2HrBt7G/zzCujWQilbGcWWqK/K/4ESA40Ib4N05grQ==
-----END RSA PRIVATE KEY-----

ubuntu20 verify

需要先把根证书 root.crt 导入 ubuntu20, 这里我们 copy & paste Adding a self-signed certificate to the “trusted list”

1
2
3
4
5
# sudo cp root.crt /usr/local/share/ca-certificates/
vim /usr/local/share/ca-certificates/feiyang.crt
sudo update-ca-certificates

echo "192.168.64.4 test.feiyang.com" >> /etc/hosts

添加好证书后,我们就可以用 curl 测试
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
root@ubuntu20:/usr/local/share/ca-certificates# curl -v https://test.feiyang.com

* Trying 192.168.64.4:443...
* TCP_NODELAY set
* Connected to test.feiyang.com (192.168.64.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=test.feiyang.com
* start date: Nov 25 16:14:30 2021 GMT
* expire date: Nov 26 16:15:00 2021 GMT
* subjectAltName: host "test.feiyang.com" matched cert's "test.feiyang.com"
* issuer: CN=feiyang.com Intermediate Authority
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563b3aa8be10)
> GET / HTTP/2
> Host: test.feiyang.com
> user-agent: curl/7.68.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx/1.20.1
< date: Fri, 26 Nov 2021 02:48:04 GMT
< content-type: text/html
< content-length: 4833
< last-modified: Fri, 16 May 2014 15:12:48 GMT
< etag: "53762af0-12e1"
< accept-ranges: bytes

ubuntu18 firefox

我们把证书导入到另外一台 Ubuntu 桌面版,浏览器 firefox 里面。参考 Get Firefox to trust your self signed certificates

1
echo "192.168.64.4 test.feiyang.com" >> /etc/hosts




vault revoke

1
2
3
4
5
root@ubuntu18-108:/etc/vault.d/pki_test# vault write pki_int/revoke serial_number=42:ed:01:4e:49:9b:24:78:f0:50:68:97:0e:32:ce:5f:8e:e4:8b:5f
Key Value
--- -----
revocation_time 1637895959
revocation_time_rfc3339 2021-11-26T03:05:59.165880864Z