gRPC之SAN证书生成

1、SAN证书生成

SAN(Subject Alternative Name)是 SSL 标准 x509 中定义的一个扩展。使用了 SAN 字段的 SSL 证书，可以扩

展此证书支持的域名，使得一个证书可以支持多个不同域名的解析。接下来我们重新利用配置文件生成CA证书，

再利用ca相关去生成服务端的证书。

1.1 CA根证书生成

新建工作目录：

[root@zsx cert]# pwd
/home/zhangshixing/cert

新建一个配置文件ca.conf，文件内容如下：

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName                = Locality Name (eg, city)
localityName_default        = Chengdu
organizationName            = Organization Name (eg, company)
organizationName_default    = Step
commonName                  = CommonName (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = tonghua

依次执行下面的命令，执行过程中遇到的填写国家之类的直接Enter跳过，选择配置文件中默认的，从而生成CA私

钥(ca.key)、签名请求(ca.csr)和签名证书(ca.pem)。

[root@zsx cert]# ll
total 4
-rw-r--r--. 1 root root 635 Feb 16 19:53 ca.conf
[root@zsx cert]# openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
...................................+++
......................+++
e is 65537 (0x10001)[root@zsx cert]# ls
ca.conf  ca.key

[root@zsx cert]# openssl req -new -sha256 -out ca.csr -key ca.key -config ca.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:[root@zsx cert]# ls
ca.conf  ca.csr  ca.key

[root@zsx cert]# openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.pem
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting Private key[root@zsx cert]# ls
ca.conf  ca.csr  ca.key  ca.pem

1.2 签发服务端证书

接下来创建服务端配置文件server.conf，文件内容如下：

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName                = Locality Name (eg, city)
localityName_default        = Chengdu
organizationName            = Organization Name (eg, company)
organizationName_default    = Step
commonName                  = CommonName (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = tonghua
[ req_ext ]
# 添加subjectAltName 
subjectAltName = @alt_names
# www.example.cn代表允许的ServerName
[alt_names]
DNS.1   = www.example.cn
IP      = 127.0.0.1

同样，使用上面得到的CA根证书(ca.pem)签发服务端证书，依次执行下面命令生成服务端的密钥、签名请求和签

名证书：

# 服务端私钥
[root@zsx cert]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................................................................................................................................+++
................................................+++
e is 65537 (0x10001)[root@zsx cert]# ls
ca.conf  ca.csr  ca.key  ca.pem  server.conf  server.key

# 服务端签名请求
[root@zsx cert]# openssl req -new -sha256 -out server.csr -key server.key -config server.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:[root@zsx cert]# ls
ca.conf  ca.csr  ca.key  ca.pem  server.conf  server.csr  server.key

# 用根证书签发服务端证书server.pem
[root@zsx cert]# openssl x509 -req -days 3650 -CA ca.pem -CAkey ca.key -CAcreateserial -in server.csr -out server.pem -extensions req_ext -extfile server.conf
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting CA Private Key[root@zsx cert]# ls
ca.conf  ca.csr  ca.key  ca.pem  ca.srl  server.conf  server.csr  server.key  server.pem

1.3 签发客户端证书

建立配置文件client.conf：

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = SiChuan
localityName                = Locality Name (eg, city)
localityName_default        = Chengdu
organizationName            = Organization Name (eg, company)
organizationName_default    = Step
commonName                  = CommonName (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = tonghua
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = www.example.cn
IP      = 127.0.0.1

执行下面命令生成客户端密钥、证书等：

[root@zsx cert]# openssl ecparam -genkey -name secp384r1 -out client.key[root@zsx cert]# ls
ca.conf  ca.key  ca.srl       client.key   server.csr  server.pem
ca.csr   ca.pem  client.conf  server.conf  server.key

[root@zsx cert]# openssl req -new -sha256 -out client.csr -key client.key -config client.conf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [Chengdu]:
Organization Name (eg, company) [Step]:
CommonName (e.g. server FQDN or YOUR name) [tonghua]:[root@zsx cert]# ls
ca.conf  ca.key  ca.srl       client.csr  server.conf  server.key
ca.csr   ca.pem  client.conf  client.key  server.csr   server.pem

[root@zsx cert]# openssl x509 -req -days 3650 -CA ca.pem -CAkey ca.key -CAcreateserial -in client.csr -out client.pem -extensions req_ext -extfile client.conf
Signature ok
subject=/C=CN/ST=SiChuan/L=Chengdu/O=Step/CN=tonghua
Getting CA Private Key[root@zsx cert]# ls
ca.conf  ca.key  ca.srl       client.csr  client.pem   server.csr  server.pem
ca.csr   ca.pem  client.conf  client.key  server.conf  server.key

1.4 双向认证

1.4.1 proto编写和编译

syntax = "proto3";
package proto;
option go_package = "./base;base";service BaseService {rpc GetTime (TimeRequest) returns (TimeResponse) {}
}message TimeRequest {}message TimeResponse {string time = 1;
}

protoc --go_out=plugins=grpc:. base.proto

1.4.2 服务端

package mainimport ("context""crypto/tls""crypto/x509"pb "demo/base""google.golang.org/grpc""google.golang.org/grpc/credentials""io/ioutil""log""net""time"
)const (// Address gRPC服务地址Address = "127.0.0.1:8888"
)type service struct {pb.UnimplementedBaseServiceServer
}func main() {// TLS认证// 从证书相关文件中读取和解析信息,得到证书公钥、密钥对cert, err := tls.LoadX509KeyPair("./cert/server.pem", "./cert/server.key")if err != nil {log.Fatalln("cert err: ", err)}// 初始化一个CertPoolcertPool := x509.NewCertPool()ca, err := ioutil.ReadFile("./cert/ca.pem")if err != nil {log.Fatalln("ca err: ", err)}// 解析传入的证书,解析成功会将其加到池子中certPool.AppendCertsFromPEM(ca)// 构建基于TLS的TransportCredentials选项creds := credentials.NewTLS(&tls.Config{// 服务端证书链,可以有多个Certificates: []tls.Certificate{cert},// 要求必须验证客户端证书ClientAuth: tls.RequireAndVerifyClientCert,// 设置根证书的集合,校验方式使用 ClientAuth 中设定的模式ClientCAs: certPool,})// 实例化grpc ServerrpcServer := grpc.NewServer(grpc.Creds(creds))// 创建带ca证书验证的服务端pb.RegisterBaseServiceServer(rpcServer, &service{})// 设置传输协议和监听地址listen, err := net.Listen("tcp", Address)if err != nil {log.Fatalln("listen err: ", err)}log.Println("Listen on " + Address + " with TLS")rpcServer.Serve(listen)
}// 实现接口
func (s *service) GetTime(ctx context.Context, in *pb.TimeRequest) (*pb.TimeResponse, error) {now := time.Now().Format("2006-01-02 15:04:05")return &pb.TimeResponse{Time: now}, nil
}

[root@zsx demo]# go run server.go
2023/02/16 20:53:13 Listen on 127.0.0.1:8888 with TLS

1.4.3 客户端

package mainimport ("context""crypto/tls""crypto/x509"pb "demo/base""fmt""google.golang.org/grpc""google.golang.org/grpc/credentials""io/ioutil""log"
)const (// Address gRPC服务地址Address = "127.0.0.1:8888"
)func main() {// TLS连接// 从证书相关文件中读取和解析信息,得到证书公钥、密钥对cert, err := tls.LoadX509KeyPair("./cert/client.pem", "./cert/client.key")if err != nil {log.Fatalln("cert err: ", err)}certPool := x509.NewCertPool()ca, err := ioutil.ReadFile("./cert/ca.pem")if err != nil {log.Fatalln("ca err: ", err)}certPool.AppendCertsFromPEM(ca)creds := credentials.NewTLS(&tls.Config{//客户端证书Certificates: []tls.Certificate{cert},//注意这里的参数为配置文件中所允许的ServerName,也就是其中配置的DNSServerName: "www.example.cn",RootCAs:    certPool,})// 连接服务端conn, err := grpc.Dial(Address, grpc.WithTransportCredentials(creds))if err != nil {log.Fatal(err)}defer conn.Close()client := pb.NewBaseServiceClient(conn)reps, err := client.GetTime(context.Background(), &pb.TimeRequest{})// 初始化客户端if err != nil {log.Fatal(err)}fmt.Printf("grpcClient response is %s\n", reps.Time)
}

[root@zsx demo]# go run client.go
grpcClient response is 2023-02-16 20:53:30

1.5 单向认证

1.5.1 服务端

package mainimport ("context"pb "demo/base""google.golang.org/grpc""google.golang.org/grpc/credentials""log""net""time"
)type service struct {pb.UnimplementedBaseServiceServer
}func main() {creds, err := credentials.NewServerTLSFromFile("./cert/server.pem", "./cert/server.key")if err != nil {log.Fatal(err)}Address := "127.0.0.1:8888"//创建带ca证书验证的服务端rpcServer := grpc.NewServer(grpc.Creds(creds))pb.RegisterBaseServiceServer(rpcServer, &service{})listen, _ := net.Listen("tcp", Address)log.Println("Listen on " + Address + " with TLS")rpcServer.Serve(listen)
}// 实现接口
func (s *service) GetTime(ctx context.Context, in *pb.TimeRequest) (*pb.TimeResponse, error) {now := time.Now().Format("2006-01-02 15:04:05")return &pb.TimeResponse{Time: now}, nil
}

[root@zsx demo]# go run server1.go
2023/02/16 20:53:55 Listen on 127.0.0.1:8888 with TLS

1.5.2 客户端

package mainimport ("context"pb "demo/base""fmt""google.golang.org/grpc""google.golang.org/grpc/credentials""log"
)func main() {creds, err := credentials.NewClientTLSFromFile("./cert/server.pem", "www.example.cn")if err != nil {log.Fatal(err)}conn, err := grpc.Dial("127.0.0.1:8888", grpc.WithTransportCredentials(creds))if err != nil {log.Fatal(err)}defer conn.Close()client := pb.NewBaseServiceClient(conn)resp, err := client.GetTime(context.Background(), &pb.TimeRequest{})if err != nil {log.Fatal(err)}fmt.Printf("grpcClient response is %s\n", resp.Time)
}

[root@zsx demo]# go run client1.go
grpcClient response is 2023-02-16 20:54:14

# 项目结构
$ tree demo/
demo/
├── base
│   └── base.pb.go
├── base.proto
├── cert
│   ├── ca.conf
│   ├── ca.csr
│   ├── ca.key
│   ├── ca.pem
│   ├── ca.srl
│   ├── client.conf
│   ├── client.csr
│   ├── client.key
│   ├── client.pem
│   ├── server.conf
│   ├── server.csr
│   ├── server.key
│   └── server.pem
├── client1.go
├── client.go
├── go.mod
├── go.sum
├── server1.go
└── server.go