物联网平台 如何自己制作CA证书

简介: 官网参考文档 : https://help.aliyun.com/document_detail/145689.html?spm=a2c4g.11186623.6.726.50536150NZrjWX目标 :1)总结遇到的问题2)配置文件核心配置的提供

问题1: 报错重复注册问题

具体见截图

image.png

原因分析

参数重复了

image.png

这一段参数不能重复使用如果有人注册了 ,就会报错


问题2: CA证书不可用,basicConstraints属性必须为true问题


原因分析

这个主要是openssl配置问题

image.png



参考的命令文档(完整)


根root


生成私有 CA 和 key ,有效期 10 年

openssl req -new -x509 -days 3650 -newkey rsa:2048 -keyout myIoTCARoot.key -out myIoTCARoot.crt -subj  "/C=CN/ST=Shanghai1/L=Shanghai1/O=IoT1/OU=iot/CN=x.iot.cn"


验证证书


生成验证证书

openssl genrsa -out verificationCert.key 2048

生成验证证书 CSR

openssl req -new -key verificationCert.key -out verificationCert.csr -subj "/C=CN/ST=Shanghai1/L=Shanghai1/O=IoT/OU=iot/CN=da45c9a3908a4993aeb432be23c08888888***********" #注册码

用私有 CA 和 key 签发验证证书

openssl x509 -req -in verificationCert.csr -CA myIoTCARoot.crt -CAkey myIoTCARoot.key -CAcreateserial -out verificationCert.crt -days 365 -sha512


设备证书


生成 pem 的私有 key

openssl genrsa -out device-1.key 2048

生成设备证书 CSR

openssl req -new -key device-1.key -out device-1.csr -newkey rsa:2048 -subj  "/C=CN/ST=Shanghai1/L=Shanghai1/O=IoT1/OU=iot/CN=*********" # -set_serial 指定序列号

用私有 CA 签发设备证书 CRT

openssl x509 -req -in device-1.csr -CA myIoTCARoot.crt -CAkey myIoTCARoot.key -CAcreateserial -out device-1.crt -days 3650 -sha512


如果是使用外挂的配置文件就这么玩

openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=xdevops/OU=xdevops/CN=gitlab.xdevops.cn"--字符串不可重复

4.openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt -extfile D:\openssl.cnf  -extensions v3_ca



物联网平台提供的证书私钥是pkcs1格式的,java原生只能使用pkcs8格式的

opensslpkcs8-topk8-indevicex509.key-nocrypt-outdevicex509_pkcs8.key


-nocrypt这个参数必须要的



最后配上我的配置文件参考一下

#

# OpenSSL example configuration file.

# This is mostly being used for generation of certificate requests.

#


# Note that you can include other files from the main configuration

# file using the .include directive.

#.include filename


# This definition stops the following lines choking if HOME isn't

# defined.

HOME   = .


# Extra OBJECT IDENTIFIER info:

#oid_file  = $ENV::HOME/.oid

oid_section  = new_oids


# To use this configuration file with the "-extfile" option of the

# "openssl x509" utility, name here the section containing the

# X.509v3 extensions to use:

# extensions  =

# (Alternatively, use a configuration file that has only

# X.509v3 extensions in its main [= default] section.)


[ new_oids ]


# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

# Add a simple OID like this:

# testoid1=1.2.3.4

# Or use config file substitution like this:

# testoid2=${testoid1}.5.6


# Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7


####################################################################

[ ca ]

default_ca = CA_default  # The default ca section


####################################################################

[ CA_default ]


dir  = /usr/ssl  # Where everything is kept

certs  = $dir/certs  # Where the issued certs are kept

crl_dir  = $dir/crl  # Where the issued crl are kept

database = $dir/index.txt # database index file.

#unique_subject = no   # Set to 'no' to allow creation of

    # several certs with same subject.

new_certs_dir = $dir/newcerts  # default place for new certs.


certificate = $dir/cacert.pem  # The CA certificate

serial  = $dir/serial   # The current serial number

crlnumber = $dir/crlnumber # the current crl number

    # must be commented out to leave a V1 CRL

crl  = $dir/crl.pem   # The current CRL

private_key = $dir/private/cakey.pem# The private key


x509_extensions = usr_cert  # The extensions to add to the cert


# Comment out the following two lines for the "traditional"

# (and highly broken) format.

name_opt  = ca_default  # Subject Name options

cert_opt  = ca_default  # Certificate field options


# Extension copying option: use with caution.

# copy_extensions = copy


# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

# so this is commented out by default to leave a V1 CRL.

# crlnumber must also be commented out to leave a V1 CRL.

# crl_extensions = crl_ext


default_days = 365   # how long to certify for

default_crl_days= 30   # how long before next CRL

default_md = default  # use public key default MD

preserve = no   # keep passed DN ordering


# A few difference way of specifying how similar the request should look

# For type CA, the listed attributes must be the same, and the optional

# and supplied fields are just that :-)

policy  = policy_match


# For the CA policy

[ policy_match ]

countryName  = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName  = supplied

emailAddress  = optional


# For the 'anything' policy

# At this point in time, you must list all acceptable 'object'

# types.

[ policy_anything ]

countryName  = optional

stateOrProvinceName = optional

localityName  = optional

organizationName = optional

organizationalUnitName = optional

commonName  = supplied

emailAddress  = optional


####################################################################

[ req ]

default_bits  = 2048

default_keyfile  = privkey.pem

distinguished_name = req_distinguished_name

attributes  = req_attributes

x509_extensions = v3_ca # The extensions to add to the self signed cert


# Passwords for private keys if not present they will be prompted for

# input_password = secret

# output_password = secret


# This sets a mask for permitted string types. There are several options.

# default: PrintableString, T61String, BMPString.

# pkix  : PrintableString, BMPString (PKIX recommendation before 2004)

# utf8only: only UTF8Strings (PKIX recommendation after 2004).

# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

# MASK:XXXX a literal mask value.

# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.

string_mask = utf8only


# req_extensions = v3_req # The extensions to add to a certificate request


[ req_distinguished_name ]

countryName   = Country Name (2 letter code)

countryName_default  = AU

countryName_min   = 2

countryName_max   = 2


stateOrProvinceName  = State or Province Name (full name)

stateOrProvinceName_default = Some-State


localityName   = Locality Name (eg, city)


0.organizationName  = Organization Name (eg, company)

0.organizationName_default = Internet Widgits Pty Ltd


# we can do this but it is not needed normally :-)

#1.organizationName  = Second Organization Name (eg, company)

#1.organizationName_default = World Wide Web Pty Ltd


organizationalUnitName  = Organizational Unit Name (eg, section)

#organizationalUnitName_default =


commonName   = Common Name (e.g. server FQDN or YOUR name)

commonName_max   = 64


emailAddress   = Email Address

emailAddress_max  = 64


# SET-ex3   = SET extension number 3


[ req_attributes ]

challengePassword  = A challenge password

challengePassword_min  = 4

challengePassword_max  = 20


unstructuredName  = An optional company name


[ usr_cert ]


# These extensions are added when 'ca' signs a request.


# This goes against PKIX guidelines but some CAs do it and some software

# requires this to avoid interpreting an end user certificate as a CA.


basicConstraints=CA:FALSE


# Here are some examples of the usage of nsCertType. If it is omitted

# the certificate can be used for anything *except* object signing.


# This is OK for an SSL server.

# nsCertType   = server


# For an object signing certificate this would be used.

# nsCertType = objsign


# For normal client use this is typical

# nsCertType = client, email


# and for everything including object signing:

# nsCertType = client, email, objsign


# This is typical in keyUsage for a client certificate.

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment


# This will be displayed in Netscape's comment listbox.

nsComment   = "OpenSSL Generated Certificate"


# PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer


# This stuff is for subjectAltName and issuerAltname.

# Import the email address.

# subjectAltName=email:copy

# An alternative to produce certificates that aren't

# deprecated according to PKIX.

# subjectAltName=email:move


# Copy subject details

# issuerAltName=issuer:copy


#nsCaRevocationUrl  = http://www.domain.dom/ca-crl.pem

#nsBaseUrl

#nsRevocationUrl

#nsRenewalUrl

#nsCaPolicyUrl

#nsSslServerName


# This is required for TSA certificates.

# extendedKeyUsage = critical,timeStamping


[ v3_req ]


# Extensions to add to a certificate request


basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment


[ v3_ca ]



# Extensions for a typical CA



# PKIX recommendation.


subjectKeyIdentifier=hash


authorityKeyIdentifier=keyid:always,issuer


basicConstraints = critical,CA:true


# Key usage: this is typical for a CA certificate. However since it will

# prevent it being used as an test self-signed certificate it is best

# left out by default.

# keyUsage = cRLSign, keyCertSign


# Some might want this also

# nsCertType = sslCA, emailCA


# Include email address in subject alt name: another PKIX recommendation

# subjectAltName=email:copy

# Copy issuer details

# issuerAltName=issuer:copy


# DER hex encoding of an extension: beware experts only!

# obj=DER:02:03

# Where 'obj' is a standard or added object

# You can even override a supported extension:

# basicConstraints= critical, DER:30:03:01:01:FF


[ crl_ext ]


# CRL extensions.

# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.


# issuerAltName=issuer:copy

authorityKeyIdentifier=keyid:always


[ proxy_cert_ext ]

# These extensions should be added when creating a proxy certificate


# This goes against PKIX guidelines but some CAs do it and some software

# requires this to avoid interpreting an end user certificate as a CA.


basicConstraints=CA:FALSE


# Here are some examples of the usage of nsCertType. If it is omitted

# the certificate can be used for anything *except* object signing.


# This is OK for an SSL server.

# nsCertType   = server


# For an object signing certificate this would be used.

# nsCertType = objsign


# For normal client use this is typical

# nsCertType = client, email


# and for everything including object signing:

# nsCertType = client, email, objsign


# This is typical in keyUsage for a client certificate.

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment


# This will be displayed in Netscape's comment listbox.

nsComment   = "OpenSSL Generated Certificate"


# PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer


# This stuff is for subjectAltName and issuerAltname.

# Import the email address.

# subjectAltName=email:copy

# An alternative to produce certificates that aren't

# deprecated according to PKIX.

# subjectAltName=email:move


# Copy subject details

# issuerAltName=issuer:copy


#nsCaRevocationUrl  = http://www.domain.dom/ca-crl.pem

#nsBaseUrl

#nsRevocationUrl

#nsRenewalUrl

#nsCaPolicyUrl

#nsSslServerName


# This really needs to be in place for it to be a proxy certificate.

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo


####################################################################

[ tsa ]


default_tsa = tsa_config1 # the default TSA section


[ tsa_config1 ]


# These are used by the TSA reply generation only.

dir  = ./demoCA  # TSA root directory

serial  = $dir/tsaserial # The current serial number (mandatory)

crypto_device = builtin  # OpenSSL engine to use for signing

signer_cert = $dir/tsacert.pem  # The TSA signing certificate

    # (optional)

certs  = $dir/cacert.pem # Certificate chain to include in reply

    # (optional)

signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

signer_digest  = sha256   # Signing digest to use. (Optional)

default_policy = tsa_policy1  # Policy if request did not specify it

    # (optional)

other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)

digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)

accuracy = secs:1, millisecs:500, microsecs:100 # (optional)

clock_precision_digits  = 0 # number of digits after dot. (optional)

ordering  = yes # Is ordering defined for timestamps?

   # (optional, default: no)

tsa_name  = yes # Must the TSA name be included in the reply?

   # (optional, default: no)

ess_cert_id_chain = no # Must the ESS cert id chain be included?

   # (optional, default: no)

ess_cert_id_alg  = sha1 # algorithm to compute certificate

   # identifier (optional, default: sha1)


相关实践学习
钉钉群中如何接收IoT温控器数据告警通知
本实验主要介绍如何将温控器设备以MQTT协议接入IoT物联网平台,通过云产品流转到函数计算FC,调用钉钉群机器人API,实时推送温湿度消息到钉钉群。
阿里云AIoT物联网开发实战
本课程将由物联网专家带你熟悉阿里云AIoT物联网领域全套云产品,7天轻松搭建基于Arduino的端到端物联网场景应用。 开始学习前,请先开通下方两个云产品,让学习更流畅: IoT物联网平台:https://iot.console.aliyun.com/ LinkWAN物联网络管理平台:https://linkwan.console.aliyun.com/service-open
目录
相关文章
|
安全 物联网 数据安全/隐私保护
基于证书的物联网设备安全认证(上)
在当前物联网发展的过程中,越来越多的企业开始接受物联网,拥抱物联网。随着应用的普及,行业也对设备安全有了更高的要求。如何保障设备合法未被冒用,如何保障设备与服务端通道安全可靠,能否对通信数据进行业务层面的加密,都是从业者们频繁面对的问题。本文将介绍一种基于PKI整数体系认证设备,确保设备合法的方式
|
JSON 物联网 Java
|
Java 物联网 数据安全/隐私保护
物联网平台JAVA实现X509证书加密设备上线
官方文档示例:https://help.aliyun.com/document_detail/148843.html?spm=5176.11065259.1996646101.searchclickresult.173e10b7Qmv2Y9
493 0
物联网平台JAVA实现X509证书加密设备上线
|
6天前
|
存储 安全 物联网
政府在推动物联网技术标准和规范的统一方面可以发挥哪些作用?
政府在推动物联网技术标准和规范的统一方面可以发挥哪些作用?
69 50
|
6天前
|
安全 物联网 物联网安全
制定统一的物联网技术标准和规范的难点有哪些?
制定统一的物联网技术标准和规范的难点有哪些?
18 2
|
6天前
|
存储 数据采集 物联网
物联网技术在物流领域的应用会遇到哪些挑战?
物联网技术在物流领域的应用会遇到哪些挑战?
19 4
|
7天前
|
存储 传感器 物联网
未来已来:区块链、物联网与虚拟现实技术融合的新篇章
【10月更文挑战第38天】本文旨在探索新兴技术区块链、物联网(IoT)和虚拟现实(VR)在未来社会的应用前景。通过分析这些技术的发展趋势,我们将揭示它们如何相互交织,共同塑造一个更智能、更互联的世界。文章将不包含传统意义上的摘要内容,而是直接深入主题,展开讨论。
|
8天前
|
供应链 监控 搜索推荐
物联网技术在物流领域的应用会带来哪些影响?
物联网技术在物流领域的应用会带来哪些影响?
34 2
|
8天前
|
传感器 存储 供应链
物联网技术在物流领域的应用实例有哪些?
物联网技术在物流领域的应用实例有哪些?
76 2

相关产品

  • 物联网平台