在国密标准文件《GMT 0015-2012 基于SM2密码算法的数字证书格式》里有对X.509数字证书格式的详细描述。
数字证书的定义
由国家认可的,具有权威性、可信性和公正性的第三方证书认证机构(CA)进行数字签名的一个可信的数字化文件。
数字证书的特性
1、任何能够获得和使用认证机构公钥的用户都可以恢复认证机构所认证的公钥。
2、除了认证机构,没有其他机构能够更改证书,证书是不可伪造的。
由于证书是不可伪造的,所以可以通过将其放置在目录中来发布,而不需要以后特意去保护它们。
数字证书的格式
采用GB/T 16262系列标准的特定编码规则(DER)对下列证书项中的各项信息进行编码,组成特定的证书数据结构。ASN.1 DER编码是关于每个元素的标记、长度和值的编码系统。
域 | 值 | 描述 |
---|---|---|
version | 2 | 整数2用于版本3证书 |
serialNumber | INTEGER | |
issuer | ||
Name | 必须与Subject DN一致 | |
RDNSequence | ||
RelativeDistinguishedName | ||
AttributeTypeAndValue | ||
AttributeType | OID | |
AttributeValue | 参考5.2.3.4 | |
validity | ||
NotBefore | ||
Time | ||
UtcTime | YYMMDDHHMMSSZ | 用于2049之前的年份(含2049) |
generalTime | YYYYMMDDHHMMSSZ | 用于2049之后的年份 |
NotAfter | ||
Time | ||
UtcTime | YYMMDDHHMMSSZ | 用于2049之前的年份(含2049) |
generalTime | YYYYMMDDHHMMSSZ | 用于2049之后的年份 |
subject | ||
Name | 必须与Issuer DN一直 | |
RDNSequence | ||
RelativeDistinguishedName | ||
AttributeTypeAndValue | ||
AttributeType | OID | |
AttributeValue | 参考5.2.3.4 | |
subjectPublicKeyInfo | ||
algorithm | ||
AlgorithmIdentifier | 公钥算法,可能是RSA公钥或椭圆曲线公钥 | |
algorithm | 1.2.840.113549.1.1.1 | RSA |
1.2.156.10197.1.301 | SM2椭圆曲线公钥密码算法 | |
parameters | NULL | RSA |
ECPublicKeySpec | 当使用SM2密码算法时,为SM2密码算法曲线的OID |
数字证书的实践
使用openssl生成证书
$ openssl req -newkey rsa:1024 -out req.pem -keyout sslclientkey.pem
$ openssl ca -in req.pem -out sslclientcert.pem
查看证书内容
$ openssl x509 -in sslclientcert.pem -text -noout
Certificate:Data:Version: 3 (0x2)Serial Number:f5:7d:2c:e9:8b:a7:72:a1Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=JS, L=NJ, O=JZ, OU=JZ, CN=XX/emailAddress=123@123.comValidityNot Before: May 27 02:42:27 2024 GMTNot After : May 27 02:42:27 2025 GMTSubject: C=CN, ST=JS, O=JZ, OU=JZ, CN=XX/emailAddress=123@123.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (1024 bit)Modulus:00:d5:0e:4a:f2:21:1a:25:e4:86:cd:21:2b:4d:b8:bd:21:05:a5:f0:ab:91:c1:1d:aa:ba:3d:91:a3:eb:00:ec:42:c7:38:c6:50:b4:2a:43:3f:d9:e2:94:13:23:a5:e7:74:2c:73:bf:e8:29:3a:72:41:6f:fc:be:2c:6b:eb:35:b4:9f:7d:e2:b6:b8:62:30:a8:a1:7a:b6:47:3b:a5:b9:92:94:df:af:7d:0c:ab:af:3b:eb:76:06:09:cf:0f:59:33:54:de:cf:b3:ba:aa:22:35:34:fb:a0:1a:3f:89:8e:ff:04:af:f0:85:67:64:b1:ea:34:ef:72:6e:f9:9a:1f:3bExponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:A5:70:4E:A8:2A:12:D1:93:9A:02:F2:81:54:68:11:67:0E:5C:97:3AX509v3 Authority Key Identifier:keyid:2E:5F:85:F6:02:29:A0:10:47:B8:DB:8F:0C:C6:2F:1D:80:AA:9C:7BSignature Algorithm: sha256WithRSAEncryption4f:ce:d5:16:ad:54:91:d4:72:ca:34:63:85:b7:3e:64:48:91:ab:a1:1e:7f:e1:be:f2:ef:7f:0a:e9:f7:54:e0:53:96:05:de:ec:fb:16:1d:e1:ce:34:c9:7f:fd:d5:d4:7f:83:84:b7:f6:5e:0a:bb:af:94:5a:0b:c7:8c:1f:25:dd:71:0e:6f:24:06:d7:8f:74:67:e9:9c:9a:c3:b6:ef:0a:b8:ea:1f:77:51:24:2c:3e:1e:99:06:c4:ed:89:bd:c7:67:14:70:16:e5:36:05:86:f6:bc:f8:73:7f:81:cc:54:a6:9e:96:eb:bb:b0:45:56:1c:f8:44:b0:34:e9:a2:c4:85:a0:56:84:7f:7e:da:f5:0c:cd:da:e3:e6:e7:fb:4d:c0:b9:5d:fc:9e:d9:f9:61:91:ef:9c:e6:09:08:1f:4f:28:e0:56:f0:d4:b4:09:e1:9a:ff:5c:5d:8f:31:61:7f:75:31:ba:91:17:70:48:71:6e:33:ec:5e:87:95:80:2e:7f:a9:7d:de:41:29:4f:85:df:7d:4e:c1:19:cd:68:90:69:ab:e1:dc:f5:50:d4:65:e9:8d:9f:d9:8a:c1:5e:9a:0b:55:f5:08:4e:43:88:9a:5b:ef:ba:ab:b9:a9:b5:71:ae:b2:33:69:45:c0:04:be:5d:18:5b:28:d7:28:fb
证书格式转换:将PEM转换为DER格式
$ openssl x509 -in sslclientcert.pem -outform der -out sslclientcert.der
查看DER格式证书内容
$ openssl x509 -in sslclientcert.der -inform der -text -noout
Certificate:Data:Version: 3 (0x2)Serial Number:f5:7d:2c:e9:8b:a7:72:a1Signature Algorithm: sha256WithRSAEncryptionIssuer: C=CN, ST=JS, L=NJ, O=JZ, OU=JZ, CN=XX/emailAddress=123@123.comValidityNot Before: May 27 02:42:27 2024 GMTNot After : May 27 02:42:27 2025 GMTSubject: C=CN, ST=JS, O=JZ, OU=JZ, CN=XX/emailAddress=123@123.comSubject Public Key Info:Public Key Algorithm: rsaEncryptionPublic-Key: (1024 bit)Modulus:00:d5:0e:4a:f2:21:1a:25:e4:86:cd:21:2b:4d:b8:bd:21:05:a5:f0:ab:91:c1:1d:aa:ba:3d:91:a3:eb:00:ec:42:c7:38:c6:50:b4:2a:43:3f:d9:e2:94:13:23:a5:e7:74:2c:73:bf:e8:29:3a:72:41:6f:fc:be:2c:6b:eb:35:b4:9f:7d:e2:b6:b8:62:30:a8:a1:7a:b6:47:3b:a5:b9:92:94:df:af:7d:0c:ab:af:3b:eb:76:06:09:cf:0f:59:33:54:de:cf:b3:ba:aa:22:35:34:fb:a0:1a:3f:89:8e:ff:04:af:f0:85:67:64:b1:ea:34:ef:72:6e:f9:9a:1f:3bExponent: 65537 (0x10001)X509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:A5:70:4E:A8:2A:12:D1:93:9A:02:F2:81:54:68:11:67:0E:5C:97:3AX509v3 Authority Key Identifier:keyid:2E:5F:85:F6:02:29:A0:10:47:B8:DB:8F:0C:C6:2F:1D:80:AA:9C:7BSignature Algorithm: sha256WithRSAEncryption4f:ce:d5:16:ad:54:91:d4:72:ca:34:63:85:b7:3e:64:48:91:ab:a1:1e:7f:e1:be:f2:ef:7f:0a:e9:f7:54:e0:53:96:05:de:ec:fb:16:1d:e1:ce:34:c9:7f:fd:d5:d4:7f:83:84:b7:f6:5e:0a:bb:af:94:5a:0b:c7:8c:1f:25:dd:71:0e:6f:24:06:d7:8f:74:67:e9:9c:9a:c3:b6:ef:0a:b8:ea:1f:77:51:24:2c:3e:1e:99:06:c4:ed:89:bd:c7:67:14:70:16:e5:36:05:86:f6:bc:f8:73:7f:81:cc:54:a6:9e:96:eb:bb:b0:45:56:1c:f8:44:b0:34:e9:a2:c4:85:a0:56:84:7f:7e:da:f5:0c:cd:da:e3:e6:e7:fb:4d:c0:b9:5d:fc:9e:d9:f9:61:91:ef:9c:e6:09:08:1f:4f:28:e0:56:f0:d4:b4:09:e1:9a:ff:5c:5d:8f:31:61:7f:75:31:ba:91:17:70:48:71:6e:33:ec:5e:87:95:80:2e:7f:a9:7d:de:41:29:4f:85:df:7d:4e:c1:19:cd:68:90:69:ab:e1:dc:f5:50:d4:65:e9:8d:9f:d9:8a:c1:5e:9a:0b:55:f5:08:4e:43:88:9a:5b:ef:ba:ab:b9:a9:b5:71:ae:b2:33:69:45:c0:04:be:5d:18:5b:28:d7:28:fb