2.7. Creating a private key and CSR for a TLS server certificate using GnuTLS


To obtain a certificate, you must first create a private key and a certificate signing request (CSR) for your server.

Procedure

  1. On the server system, generate a private key, for example:

    $ certtool --generate-privkey --sec-param High --outfile <example-server.key>
  2. Optional: Use a text editor of your choice to prepare a configuration file that simplifies creating the CSR, for example:

    $ vim <example-server.cfg>
    signing_key
    encryption_key
    key_agreement
    
    tls_www_server
    
    country = "US"
    organization = "Example Organization"
    cn = "server.example.com"
    
    dns_name = "example.com"
    dns_name = "server.example.com"
    ip_address = "192.168.0.1"
    ip_address = "::1"
    ip_address = "127.0.0.1"
  3. Create the CSR using the private key you created previously:

    $ certtool --generate-request --template <example-server.cfg> --load-privkey <example-server.key> --outfile <example-server.crq>

    If you omit the --template option, the certtool utility prompts you for the additional information, for example:

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Generating a PKCS #10 certificate request...
    Country name (2 chars): <US>
    State or province name: <Washington>
    Locality name: <Seattle>
    Organization name: <Example Organization>
    Organizational unit name:
    Common name: <server.example.com>

Verification

  1. After you obtain the requested certificate from the CA, check that the human-readable part of the certificate matches your requirements, for example:

    $ certtool --certificate-info --infile <example-server.crt>
    Certificate:
    …
            Issuer: CN = Example CA
            Validity
                Not Before: Feb  2 20:27:29 2023 GMT
                Not After : Feb  2 20:27:29 2024 GMT
            Subject: C = US, O = Example Organization, CN = server.example.com
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
    …
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment, Key Agreement
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication
                X509v3 Subject Alternative Name:
                    DNS:example.com, DNS:server.example.com, IP Address:192.168.0.1, IP
    …
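The verification step above is a manual comparison: the names, key-usage flags and validity printed by certtool --certificate-info must match what the template asked for. The following Python script is an added example, not part of the Red Hat documentation or the GnuTLS project. It builds the step-2 template from a list of names (validating each IP address first, so a typo never reaches the CSR) and then checks a certificate-info dump against that template, reporting any name the CA dropped, any key-usage or extended-key-usage mismatch, and whether the certificate is currently valid. The certificate text embedded below is constructed from the page's sample output with the SAN line completed; the helper names (build_template, check_certificate) are this example's own.

```python
"""Added example: build a certtool template and check an issued certificate
against it. Not code from the Red Hat page or from GnuTLS; function names and
the sample certificate text are this example's own constructions."""
import ipaddress
import re
from datetime import datetime, timezone

# certtool template flags and the key-usage names certtool prints for them
KEY_USAGE_NAMES = {
    "signing_key": "Digital Signature",
    "encryption_key": "Key Encipherment",
    "key_agreement": "Key Agreement",
}
SERVER_EKU = "TLS Web Server Authentication"  # printed for the tls_www_server flag


def build_template(cn, org, country, dns_names, ips,
                   usages=("signing_key", "encryption_key", "key_agreement")):
    """Return the text of a certtool template for a TLS server certificate.

    dns_name and ip_address may be repeated in a certtool template; every IP is
    parsed with the ipaddress module first, so a malformed address raises
    ValueError here instead of ending up in the CSR.
    """
    lines = list(usages) + ["tls_www_server", "",
                            f'country = "{country}"',
                            f'organization = "{org}"',
                            f'cn = "{cn}"', ""]
    lines += [f'dns_name = "{name}"' for name in dns_names]
    lines += [f'ip_address = "{ipaddress.ip_address(ip)}"' for ip in ips]
    return "\n".join(lines) + "\n"


def parse_template(text):
    """Read a template back: bare words are flags, key = "value" lines may repeat."""
    tmpl = {"flags": set(), "dns_name": set(), "ip_address": set()}
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m is None:
            tmpl["flags"].add(line)
        elif m.group(1) in ("dns_name", "ip_address"):
            tmpl[m.group(1)].add(m.group(2))
        else:
            tmpl[m.group(1)] = m.group(2)
    return tmpl


def _parse_time(s):
    # certtool prints e.g. "Feb  2 20:27:29 2023 GMT"; strptime tolerates the double space
    return datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_cert_info(text):
    """Extract subject, validity, key usage, EKU and SAN from the human-readable
    output of `certtool --certificate-info`."""
    def after(label):
        # value on the line following "<label>: ..." (the X509v3 extension blocks)
        m = re.search(label + r":[^\n]*\n\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else ""

    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M).group(1)
    cert = {
        "subject": dict(part.split(" = ", 1) for part in subject.split(", ")),
        "not_before": _parse_time(re.search(r"Not Before\s*:\s*(.+)$", text, re.M).group(1)),
        "not_after": _parse_time(re.search(r"Not After\s*:\s*(.+)$", text, re.M).group(1)),
        "key_usage": set(after("X509v3 Key Usage").split(", ")),
        "eku": set(after("X509v3 Extended Key Usage").split(", ")),
        "san_dns": set(), "san_ip": set(),
    }
    for entry in after("X509v3 Subject Alternative Name").split(", "):
        kind, value = entry.split(":", 1)  # "IP Address:::1" splits correctly here
        if kind == "DNS":
            cert["san_dns"].add(value)
        elif kind == "IP Address":
            cert["san_ip"].add(ipaddress.ip_address(value))
    return cert


def check_certificate(cert_text, template_text, now=None):
    """Return the mismatches between an issued certificate and the template the
    CSR was generated from; an empty list means the CA issued what was requested."""
    now = now or datetime.now(timezone.utc)
    tmpl, cert = parse_template(template_text), parse_cert_info(cert_text)
    problems = []
    if cert["subject"].get("CN") != tmpl.get("cn"):
        problems.append(f"CN is {cert['subject'].get('CN')!r}, requested {tmpl.get('cn')!r}")
    for name in sorted(tmpl["dns_name"] - cert["san_dns"]):
        problems.append(f"DNS name missing from SAN: {name}")
    wanted_ips = {ipaddress.ip_address(i) for i in tmpl["ip_address"]}
    for ip in sorted(wanted_ips - cert["san_ip"], key=str):
        problems.append(f"IP address missing from SAN: {ip}")
    wanted_ku = {KEY_USAGE_NAMES[f] for f in tmpl["flags"] if f in KEY_USAGE_NAMES}
    if cert["key_usage"] != wanted_ku:
        problems.append(f"key usage {sorted(cert['key_usage'])} != requested {sorted(wanted_ku)}")
    if "tls_www_server" in tmpl["flags"] and SERVER_EKU not in cert["eku"]:
        problems.append("certificate is not usable for TLS server authentication")
    if not cert["not_before"] <= now <= cert["not_after"]:
        problems.append("certificate is not valid at the current time")
    return problems


# Constructed sample input: the names from the page's template
SAMPLE_TEMPLATE = build_template(
    cn="server.example.com", org="Example Organization", country="US",
    dns_names=["example.com", "server.example.com"],
    ips=["192.168.0.1", "::1", "127.0.0.1"],
)

# Constructed from the page's certificate-info output, with the SAN line completed
SAMPLE_CERT_INFO = """\
Certificate:
        Issuer: CN = Example CA
        Validity
            Not Before: Feb  2 20:27:29 2023 GMT
            Not After : Feb  2 20:27:29 2024 GMT
        Subject: C = US, O = Example Organization, CN = server.example.com
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:server.example.com, IP Address:192.168.0.1, IP Address:::1, IP Address:127.0.0.1
"""

if __name__ == "__main__":
    print(SAMPLE_TEMPLATE)
    issues = check_certificate(SAMPLE_CERT_INFO, SAMPLE_TEMPLATE,
                               now=datetime(2023, 6, 1, tzinfo=timezone.utc))
    print("certificate matches the template" if not issues else "\n".join(issues))
```

To check a real certificate, pass the output of certtool --certificate-info --infile <example-server.crt> and the template file you wrote in step 2 to check_certificate; leave now unset so the current time is used. The comparison is deliberately one-directional for names (every requested name must be present) but exact for key usage, since a CA adding an unrequested key usage is as worth noticing as one dropping a requested name.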

Additional resources

  • certtool(1) man page on your system