IoT Platform: how to create your own CA certificate

Introduction: official reference documentation: https://help.aliyun.com/document_detail/145689.html?spm=a2c4g.11186623.6.726.50536150NZrjWX. Goals: 1) summarize the problems encountered; 2) provide the core settings of the configuration file.

Problem 1: "duplicate registration" error

[Screenshot: the duplicate-registration error]

Cause analysis

A parameter value was duplicated.

[Screenshot: the duplicated parameter]

These parameter values cannot be reused: if someone has already registered with them, the platform reports an error.


Problem 2: "CA certificate is not usable, the basicConstraints attribute must be true"

Cause analysis

This is mainly an openssl configuration problem: the CA certificate must be issued with the v3_ca extensions (basicConstraints = critical,CA:true), as in the command and configuration file below.

[Screenshot: the openssl configuration]



Reference command documentation (complete)

Root CA

Generate the private CA certificate and key, valid for 10 years:

openssl req -new -x509 -days 3650 -newkey rsa:2048 -keyout myIoTCARoot.key -out myIoTCARoot.crt -subj "/C=CN/ST=Shanghai1/L=Shanghai1/O=IoT1/OU=iot/CN=x.iot.cn"

Verification certificate

Generate the verification certificate's private key:

openssl genrsa -out verificationCert.key 2048

Generate the verification certificate CSR (the CN is the registration code shown by the platform):

openssl req -new -key verificationCert.key -out verificationCert.csr -subj "/C=CN/ST=Shanghai1/L=Shanghai1/O=IoT/OU=iot/CN=da45c9a3908a4993aeb432be23c08888888***********"   # registration code

Sign the verification certificate with the private CA and key:

openssl x509 -req -in verificationCert.csr -CA myIoTCARoot.crt -CAkey myIoTCARoot.key -CAcreateserial -out verificationCert.crt -days 365 -sha512

Device certificate

Generate the PEM private key:

openssl genrsa -out device-1.key 2048

Generate the device certificate CSR (the key already exists, so a redundant -newkey is not needed here):

openssl req -new -key device-1.key -out device-1.csr -subj "/C=CN/ST=Shanghai1/L=Shanghai1/O=IoT1/OU=iot/CN=*********"

Sign the device certificate (CRT) with the private CA (use -set_serial instead of -CAcreateserial if you want to choose the serial number yourself):

openssl x509 -req -in device-1.csr -CA myIoTCARoot.crt -CAkey myIoTCARoot.key -CAcreateserial -out device-1.crt -days 3650 -sha512

If you use an external configuration file, do it like this:

openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=xdevops/OU=xdevops/CN=gitlab.xdevops.cn"   # the subject string must not be reused

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile D:\openssl.cnf -extensions v3_ca
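The script below is an added example, not one of the post's own commands and not from Alibaba Cloud's documentation. It runs the same sequence non-interactively: a root CA issued with a v3_ca section whose basicConstraints is critical,CA:TRUE (which is what the "basicConstraints must be true" error in Problem 2 checks for), a verification certificate whose CN is the registration code, and a device certificate, each signed with a usr_cert section that sets CA:FALSE. It then reads the extension back with openssl x509 -text and verifies the chain. Assumptions: openssl is on PATH; the minimal ca.cnf and its section names mirror the configuration file later in this post; REG_CODE is a constructed placeholder for the code shown in the console; -nodes is added so the CA key is written without a passphrase prompt (a real CA key should stay passphrase-protected); all files land in a temporary directory.

```shell
#!/bin/sh
# Added example, not the post's own commands: private CA with
# basicConstraints CA:TRUE, a verification certificate whose CN is the
# registration code, and a device certificate, followed by the checks
# that the IoT Platform's "basicConstraints must be true" error calls for.
# REG_CODE is a constructed placeholder for the code shown in the console.
set -e

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/ca.cnf"
REG_CODE="REGISTRATION_CODE_PLACEHOLDER"

# Minimal config (constructed). [req] selects v3_ca for the self-signed
# root; the signing steps select usr_cert explicitly with -extfile/-extensions.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no
[ req_distinguished_name ]
commonName = placeholder
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = digitalSignature,keyEncipherment
EOF
}

# Root CA, 10 years. -nodes skips the passphrase prompt so the script
# runs unattended; a real CA key should stay passphrase-protected.
make_root_ca() {
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -keyout "$WORK/myIoTCARoot.key" -out "$WORK/myIoTCARoot.crt" \
        -config "$CNF" -extensions v3_ca \
        -subj "/C=CN/ST=Shanghai1/L=Shanghai1/O=IoT1/OU=iot/CN=x.iot.cn" 2>/dev/null
}

# issue_cert NAME CN: key, CSR, then a CA-signed leaf carrying usr_cert
issue_cert() {
    name="$1"; cn="$2"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" -config "$CNF" \
        -subj "/C=CN/ST=Shanghai1/L=Shanghai1/O=IoT1/OU=iot/CN=$cn"
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/myIoTCARoot.crt" -CAkey "$WORK/myIoTCARoot.key" -CAcreateserial \
        -out "$WORK/$name.crt" -days 365 -sha512 \
        -extfile "$CNF" -extensions usr_cert 2>/dev/null
}

# basic_constraints CERT -> "CA:TRUE" or "CA:FALSE" ("" if the extension is missing)
basic_constraints() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -o 'CA:[A-Z]*' || true
}

# cert_cn CERT -> the subject common name
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# verify_chain LEAF -> exit 0 when the leaf chains to myIoTCARoot.crt
verify_chain() {
    openssl verify -CAfile "$WORK/myIoTCARoot.crt" "$1" >/dev/null 2>&1
}

run_demo() {
    write_config
    make_root_ca
    issue_cert verificationCert "$REG_CODE"
    issue_cert device-1 device-1
    echo "root CA basicConstraints : $(basic_constraints "$WORK/myIoTCARoot.crt")"
    echo "device-1 basicConstraints: $(basic_constraints "$WORK/device-1.crt")"
    echo "verification cert CN     : $(cert_cn "$WORK/verificationCert.crt")"
    verify_chain "$WORK/device-1.crt" && echo "device-1.crt chains to myIoTCARoot.crt"
}

run_demo
```

If the root prints anything other than CA:TRUE for basic_constraints, the CA was issued without the v3_ca section (the situation in Problem 2) and the platform will reject it; the leaf certificates must stay CA:FALSE so a device certificate can never act as an issuer.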



The certificate private key provided by the IoT platform is in PKCS#1 format, while Java natively only accepts PKCS#8, so convert it:

openssl pkcs8 -topk8 -in devicex509.key -nocrypt -out devicex509_pkcs8.key

The -nocrypt parameter is required (without it openssl prompts for a passphrase and writes an encrypted PKCS#8 key).
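The following is an added example, not from the post: it performs the PKCS#1 to PKCS#8 conversion above, tells the two formats apart by their PEM header, and checks that the key material is unchanged by comparing the RSA modulus. The input key is generated on the spot as a stand-in for the downloaded devicex509.key; openssl is assumed to be on PATH, and the -traditional fallback exists only because OpenSSL 3 writes PKCS#8 by default while 1.1.1 writes PKCS#1.

```shell
#!/bin/sh
# Added example, not from the post: turn a PKCS#1 RSA key (what the
# IoT Platform downloads as devicex509.key) into an unencrypted PKCS#8
# key for Java's PKCS8EncodedKeySpec, and check both the PEM header and
# that the key material is unchanged. The input key is generated here
# as a stand-in for the downloaded file.
set -e

WORK="${WORK:-$(mktemp -d)}"

# key_format FILE -> PKCS#1, PKCS#8, PKCS#8-encrypted or unknown, by PEM header
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo "PKCS#1" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "PKCS#8" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "PKCS#8-encrypted" ;;
        *)                                       echo "unknown" ;;
    esac
}

# make_pkcs1_key OUT: OpenSSL 3 writes PKCS#8 by default, so force the
# traditional format; -traditional does not exist in 1.1.1, whose
# "openssl rsa" already writes PKCS#1, hence the fallback.
make_pkcs1_key() {
    openssl genrsa -out "$WORK/fresh.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/fresh.key" -traditional -out "$1" 2>/dev/null \
        || openssl rsa -in "$WORK/fresh.key" -out "$1" 2>/dev/null
}

# to_pkcs8 IN OUT: -nocrypt is what makes the output loadable by Java;
# without it openssl asks for a passphrase and writes an encrypted key.
to_pkcs8() {
    openssl pkcs8 -topk8 -in "$1" -nocrypt -out "$2"
}

# same_key A B -> exit 0 when both files contain the same RSA modulus
same_key() {
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

run_demo() {
    make_pkcs1_key "$WORK/devicex509.key"
    to_pkcs8 "$WORK/devicex509.key" "$WORK/devicex509_pkcs8.key"
    echo "devicex509.key       : $(key_format "$WORK/devicex509.key")"
    echo "devicex509_pkcs8.key : $(key_format "$WORK/devicex509_pkcs8.key")"
    same_key "$WORK/devicex509.key" "$WORK/devicex509_pkcs8.key" && echo "key material unchanged"
}

run_demo
```

The header check is the quickest way to diagnose a Java "invalid key format" error: a file starting with BEGIN RSA PRIVATE KEY has not been converted yet, and one starting with BEGIN ENCRYPTED PRIVATE KEY was converted without -nocrypt.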



Finally, here is my configuration file for reference:

#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME   = .

# Extra OBJECT IDENTIFIER info:
#oid_file  = $ENV::HOME/.oid
oid_section  = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions  =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca = CA_default  # The default ca section

####################################################################
[ CA_default ]

dir  = /usr/ssl  # Where everything is kept
certs  = $dir/certs  # Where the issued certs are kept
crl_dir  = $dir/crl  # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no   # Set to 'no' to allow creation of
    # several certs with same subject.
new_certs_dir = $dir/newcerts  # default place for new certs.

certificate = $dir/cacert.pem  # The CA certificate
serial  = $dir/serial   # The current serial number
crlnumber = $dir/crlnumber # the current crl number
    # must be commented out to leave a V1 CRL
crl  = $dir/crl.pem   # The current CRL
private_key = $dir/private/cakey.pem # The private key

x509_extensions = usr_cert  # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt  = ca_default  # Subject Name options
cert_opt  = ca_default  # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext

default_days = 365   # how long to certify for
default_crl_days= 30   # how long before next CRL
default_md = default  # use public key default MD
preserve = no   # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy  = policy_match

# For the CA policy
[ policy_match ]
countryName  = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName  = supplied
emailAddress  = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName  = optional
stateOrProvinceName = optional
localityName  = optional
organizationName = optional
organizationalUnitName = optional
commonName  = supplied
emailAddress  = optional

####################################################################
[ req ]
default_bits  = 2048
default_keyfile  = privkey.pem
distinguished_name = req_distinguished_name
attributes  = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix  : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName   = Country Name (2 letter code)
countryName_default  = AU
countryName_min   = 2
countryName_max   = 2

stateOrProvinceName  = State or Province Name (full name)
stateOrProvinceName_default = Some-State

localityName   = Locality Name (eg, city)

0.organizationName  = Organization Name (eg, company)
0.organizationName_default = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName  = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName  = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName   = Common Name (e.g. server FQDN or YOUR name)
commonName_max   = 64

emailAddress   = Email Address
emailAddress_max  = 64

# SET-ex3   = SET extension number 3

[ req_attributes ]
challengePassword  = A challenge password
challengePassword_min  = 4
challengePassword_max  = 20

unstructuredName  = An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType   = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment   = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl  = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType   = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment   = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl  = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir  = ./demoCA  # TSA root directory
serial  = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin  # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem  # The TSA signing certificate
    # (optional)
certs  = $dir/cacert.pem # Certificate chain to include in reply
    # (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest  = sha256   # Signing digest to use. (Optional)
default_policy = tsa_policy1  # Policy if request did not specify it
    # (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits  = 0 # number of digits after dot. (optional)
ordering  = yes # Is ordering defined for timestamps?
   # (optional, default: no)
tsa_name  = yes # Must the TSA name be included in the reply?
   # (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
   # (optional, default: no)
ess_cert_id_alg  = sha1 # algorithm to compute certificate
   # identifier (optional, default: sha1)

