diff --git a/sources/tech/20190411 Be your own certificate authority.md b/sources/tech/20190411 Be your own certificate authority.md deleted file mode 100644 index 9ecdd54315..0000000000 --- a/sources/tech/20190411 Be your own certificate authority.md +++ /dev/null @@ -1,135 +0,0 @@ -[#]: collector: (lujun9972) -[#]: translator: (geekpi) -[#]: reviewer: ( ) -[#]: publisher: ( ) -[#]: url: ( ) -[#]: subject: (Be your own certificate authority) -[#]: via: (https://opensource.com/article/19/4/certificate-authority) -[#]: author: (Moshe Zadka https://opensource.com/users/moshez/users/elenajon123) - -Be your own certificate authority -====== -Create a simple, internal CA for your microservice architecture or -integration testing. -![][1] - -The Transport Layer Security ([TLS][2]) model, which is sometimes referred to by the older name SSL, is based on the concept of [certificate authorities][3] (CAs). These authorities are trusted by browsers and operating systems and, in turn, _sign_ servers' certificates to validate their ownership. - -However, for an intranet, a microservice architecture, or integration testing, it is sometimes useful to have a _local CA_ : one that is trusted only internally and, in turn, signs local servers' certificates. - -This especially makes sense for integration tests. Getting certificates can be a burden because the servers will be up for minutes. But having an "ignore certificate" option in the code could allow it to be activated in production, leading to a security catastrophe. - -A CA certificate is not much different from a regular server certificate; what matters is that it is trusted by local code. For example, in the **requests** library, this can be done by setting the **REQUESTS_CA_BUNDLE** variable to a directory containing this certificate. - -In the example of creating a certificate for integration tests, there is no need for a _long-lived_ certificate: if your integration tests take more than a day, you have already failed. - -So, calculate **yesterday** and **tomorrow** as the validity interval: - - -``` ->>> import datetime ->>> one_day = datetime.timedelta(days=1) ->>> today = datetime.date.today() ->>> yesterday = today - one_day ->>> tomorrow = today - one_day -``` - -Now you are ready to create a simple CA certificate. You need to generate a private key, create a public key, set up the "parameters" of the CA, and then self-sign the certificate: a CA certificate is _always_ self-signed. Finally, write out both the certificate file as well as the private key file. - - -``` -from cryptography.hazmat.primitives.asymmetric import rsa -from cryptography.hazmat.primitives import hashes, serialization -from cryptography import x509 -from cryptography.x509.oid import NameOID - -private_key = rsa.generate_private_key( -public_exponent=65537, -key_size=2048, -backend=default_backend() -) -public_key = private_key.public_key() -builder = x509.CertificateBuilder() -builder = builder.subject_name(x509.Name([ -x509.NameAttribute(NameOID.COMMON_NAME, 'Simple Test CA'), -])) -builder = builder.issuer_name(x509.Name([ -x509.NameAttribute(NameOID.COMMON_NAME, 'Simple Test CA'), -])) -builder = builder.not_valid_before(yesterday) -builder = builder.not_valid_after(tomorrow) -builder = builder.serial_number(x509.random_serial_number()) -builder = builder.public_key(public_key) -builder = builder.add_extension( -x509.BasicConstraints(ca=True, path_length=None), -critical=True) -certificate = builder.sign( -private_key=private_key, algorithm=hashes.SHA256(), -backend=default_backend() -) -private_bytes = private_key.private_bytes( -encoding=serialization.Encoding.PEM, -format=serialization.PrivateFormat.TraditionalOpenSSL, -encryption_algorithm=serialization.NoEncrption()) -public_bytes = certificate.public_bytes( -encoding=serialization.Encoding.PEM) -with open("ca.pem", "wb") as fout: -fout.write(private_bytes + public_bytes) -with open("ca.crt", "wb") as fout: -fout.write(public_bytes) -``` - -In general, a real CA will expect a [certificate signing request][4] (CSR) to sign a certificate. However, when you are your own CA, you can make your own rules! Just go ahead and sign what you want. - -Continuing with the integration test example, you can create the private keys and sign the corresponding public keys right then. Notice **COMMON_NAME** needs to be the "server name" in the **https** URL. If you've configured name lookup, the needed server will respond on **service.test.local**. - - -``` -service_private_key = rsa.generate_private_key( -public_exponent=65537, -key_size=2048, -backend=default_backend() -) -service_public_key = service_private_key.public_key() -builder = x509.CertificateBuilder() -builder = builder.subject_name(x509.Name([ -x509.NameAttribute(NameOID.COMMON_NAME, 'service.test.local') -])) -builder = builder.not_valid_before(yesterday) -builder = builder.not_valid_after(tomorrow) -builder = builder.public_key(public_key) -certificate = builder.sign( -private_key=private_key, algorithm=hashes.SHA256(), -backend=default_backend() -) -private_bytes = service_private_key.private_bytes( -encoding=serialization.Encoding.PEM, -format=serialization.PrivateFormat.TraditionalOpenSSL, -encryption_algorithm=serialization.NoEncrption()) -public_bytes = certificate.public_bytes( -encoding=serialization.Encoding.PEM) -with open("service.pem", "wb") as fout: -fout.write(private_bytes + public_bytes) -``` - -Now the **service.pem** file has a private key and a certificate that is "valid": it has been signed by your local CA. The file is in a format that can be given to, say, Nginx, HAProxy, or most other HTTPS servers. - -By applying this logic to testing scripts, it's easy to create servers that look like authentic HTTPS servers, as long as the client is configured to trust the right CA. - --------------------------------------------------------------------------------- - -via: https://opensource.com/article/19/4/certificate-authority - -作者:[Moshe Zadka (Community Moderator)][a] -选题:[lujun9972][b] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]: https://opensource.com/users/moshez/users/elenajon123 -[b]: https://github.com/lujun9972 -[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/rh_commun_4604_02_mech_connections_rhcz0.5x.png?itok=YPPU4dMj -[2]: https://en.wikipedia.org/wiki/Transport_Layer_Security -[3]: https://en.wikipedia.org/wiki/Certificate_authority -[4]: https://en.wikipedia.org/wiki/Certificate_signing_request diff --git a/translated/tech/20190411 Be your own certificate authority.md b/translated/tech/20190411 Be your own certificate authority.md new file mode 100644 index 0000000000..21c698982c --- /dev/null +++ b/translated/tech/20190411 Be your own certificate authority.md @@ -0,0 +1,133 @@ +[#]: collector: (lujun9972) +[#]: translator: (geekpi) +[#]: reviewer: ( ) +[#]: publisher: ( ) +[#]: url: ( ) +[#]: subject: (Be your own certificate authority) +[#]: via: (https://opensource.com/article/19/4/certificate-authority) +[#]: author: (Moshe Zadka https://opensource.com/users/moshez/users/elenajon123) + + +自己成为证书颁发机构 +====== +为你的微服务架构或者集成测试创建一个简单的内部 CA +![][1] + +传输层安全([TLS][2])模型,有时也称它的旧名称 SSL,是基于[证书颁发机构][3] (CA) 的概念。这些机构受到浏览器和操作系统的信任,然后_签名_服务器的的证书则用于验证其所有权。 + +但是,对于内部网络,微服务架构或集成测试,有时候_本地 CA_ 更有用:一个只在内部受信任的CA,然后签名本地服务器的证书。 + +这对集成测试特别有意义。获取证书可能会带来负担,因为这会占用服务器几分钟。但是在代码中使用“忽略证书”可能会引入生产环境,从而导致安全灾难。 + +CA 证书与常规服务器证书没有太大区别。重要的是它被本地代码信任。例如,在 **requests** 库中,可以通过将 **REQUESTS_CA_BUNDLE** 变量设置为包含此证书的目录来完成。 + +在为集成测试创建证书的例子中,不需要_长期的_证书:如果你的集成测试需要超过一天,那么你会失败。 + +因此,计算**昨天**和**明天**作为有效期间隔: + +``` +>>> import datetime +>>> one_day = datetime.timedelta(days=1) +>>> today = datetime.date.today() +>>> yesterday = today - one_day +>>> tomorrow = today - one_day +``` + +现在你已准备好创建一个简单的 CA 证书。你需要生成私钥,创建公钥,设置 CA 的“参数”,然后自签名证书:CA 证书_总是_自签名的。最后,导出证书文件以及私钥文件。 + +``` +from cryptography.hazmat.primitives.asymmetric import rsa +from cryptography.hazmat.primitives import hashes, serialization +from cryptography import x509 +from cryptography.x509.oid import NameOID + + +private_key = rsa.generate_private_key( + public_exponent=65537, + key_size=2048, + backend=default_backend() +) +public_key = private_key.public_key() +builder = x509.CertificateBuilder() +builder = builder.subject_name(x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, 'Simple Test CA'), +])) +builder = builder.issuer_name(x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, 'Simple Test CA'), +])) +builder = builder.not_valid_before(yesterday) +builder = builder.not_valid_after(tomorrow) +builder = builder.serial_number(x509.random_serial_number()) +builder = builder.public_key(public_key) +builder = builder.add_extension( + x509.BasicConstraints(ca=True, path_length=None), + critical=True) +certificate = builder.sign( + private_key=private_key, algorithm=hashes.SHA256(), + backend=default_backend() +) +private_bytes = private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncrption()) +public_bytes = certificate.public_bytes( + encoding=serialization.Encoding.PEM) +with open("ca.pem", "wb") as fout: + fout.write(private_bytes + public_bytes) +with open("ca.crt", "wb") as fout: + fout.write(public_bytes) +``` + +通常,真正的 CA 会有[证书签名请求][4] (CSR) 来签名证书。但是,当你是自己的 CA 时,你可以制定自己的规则!请继续并签名你想要的内容。 + +继续集成测试的例子,你可以创建私钥并立即签名相应的公钥。注意 **COMMON_NAME** 需要是 **https** URL 中的“服务器名称”。如果你已配置名称查询,则相应的服务器会响应 **service.test.local**。 + +``` +service_private_key = rsa.generate_private_key( + public_exponent=65537, + key_size=2048, + backend=default_backend() +) +service_public_key = service_private_key.public_key() +builder = x509.CertificateBuilder() +builder = builder.subject_name(x509.Name([ + x509.NameAttribute(NameOID.COMMON_NAME, 'service.test.local') +])) +builder = builder.not_valid_before(yesterday) +builder = builder.not_valid_after(tomorrow) +builder = builder.public_key(public_key) +certificate = builder.sign( + private_key=private_key, algorithm=hashes.SHA256(), + backend=default_backend() +) +private_bytes = service_private_key.private_bytes( + encoding=serialization.Encoding.PEM, + format=serialization.PrivateFormat.TraditionalOpenSSL, + encryption_algorithm=serialization.NoEncrption()) +public_bytes = certificate.public_bytes( + encoding=serialization.Encoding.PEM) +with open("service.pem", "wb") as fout: + fout.write(private_bytes + public_bytes) +``` + +现在 **service.pem** 文件有一个私钥和一个“有效”的证书:它已由本地的 CA 签名。该文件的格式可以给 Nginx、HAProxy 或大多数其他 HTTPS 服务器使用。 + +通过将此逻辑用在测试脚本中,只要客户端配置信任该 CA,那么就可以轻松创建看起来真实的 HTTPS 服务器。 + +-------------------------------------------------------------------------------- + +via: https://opensource.com/article/19/4/certificate-authority + +作者:[Moshe Zadka (Community Moderator)][a] +选题:[lujun9972][b] +译者:[geekpi](https://github.com/geekpi) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]: https://opensource.com/users/moshez/users/elenajon123 +[b]: https://github.com/lujun9972 +[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/rh_commun_4604_02_mech_connections_rhcz0.5x.png?itok=YPPU4dMj +[2]: https://en.wikipedia.org/wiki/Transport_Layer_Security +[3]: https://en.wikipedia.org/wiki/Certificate_authority +[4]: https://en.wikipedia.org/wiki/Certificate_signing_request \ No newline at end of file