2020年2月

快捷生成普通SSL证书

openssl req -newkey rsa:2048 -nodes -keyout ssl.key -x509 -days 3650 -out ssl.crt -subj "/C=CN/ST=GD/L=GZ/O=SwallowNetworks/OU=IT/CN=*.example.com/emailAddress=abuse@example.com" -addext "extendedKeyUsage = serverAuth, clientAuth" -addext "subjectAltName = DNS.1:*.google.com, DNS.2:*.g.com, IP:1.1.1.1, email:75311729@qq.com, URI:https://feng.cmd.gd/" -extensions v3_req -sha384

req  #引用openssl官方文档介绍: PKCS#10 certificate request and certificate generating utility
-newkey rsa:2048  #生成RSA 2048bit的key
-nodes #key不要密码, 删掉则要密码
-keyout ssl.key #保存key到文件
-x509 #创建证书, 删掉则创建证书请求CSR
-days 3650 #创建证书使用, CSR无需
-out ssl.crt #保存证书到文件
-subj "/C=CN/ST=GD/L=GZ/O=SwallowNetworks/OU=IT/CN=*.example.com/emailAddress=abuse@example.com" #使用者
-addext "extendedKeyUsage = serverAuth, clientAuth" #增加扩展提供服务器认证, 客户端认证. 可配置值: 
Value                  Meaning
 -----                  -------
 serverAuth             SSL/TLS Web Server Authentication.
 clientAuth             SSL/TLS Web Client Authentication.
 codeSigning            Code signing.
 emailProtection        E-mail Protection (S/MIME).
 timeStamping           Trusted Timestamping
 OCSPSigning            OCSP Signing
 ipsecIKE               ipsec Internet Key Exchange
 msCodeInd              Microsoft Individual Code Signing (authenticode)
 msCodeCom              Microsoft Commercial Code Signing (authenticode)
 msCTLSign              Microsoft Trust List Signing
 msEFS                  Microsoft Encrypted File System

-addext "subjectAltName = DNS.1:*.google.com, DNS.2:*.g.com, IP:1.1.1.1, email:75311729@qq.com, URI:https://feng.cmd.gd/" #SAN 俗称多域
include email (an email address) URI a uniform resource indicator, DNS (a DNS domain name), RID (a registered ID: OBJECT IDENTIFIER), IP (an IP address), dirName (a distinguished name) and otherName.

-addext "keyUsage=digitalSignature, nonRepudiation" #限定key的使用 
The supported names are: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly and decipherOnly.

-extensions v3_req #约束证书使用, openssl.conf默认配置是终端证书 basicConstraints = CA:FALSE, keyUsage = nonRepudiation, digitalSignature, keyEncipherment
-sha384 #使用sha384摘要算法签名CSR

引用维基百科中文版关于TPM的介绍

可信平台模块(英语:Trusted Platform Module,缩写:TPM)是一项安全密码处理器的国际标准,旨在使用设备中集成的专用微控制器(安全硬件)处理设备中的加密密钥。TPM的技术规范由称为可信计算组织(TCG)的信息业联合体编写。国际标准化组织(ISO)和国际电工委员会(IEC)已于2009年将规范标准化为ISO/IEC 11889。

由于TPM是外国技术, 在中国售卖含有TPM技术的芯片必须要取得《商用密码产品销售许可证》, 出现自主开发的可信密码模块(英语: Trusted Cryptography Module,缩写: TCM)

英特尔®平台信任技术 (英语: Intel Platform Trust Technology, 缩写: Intel® PTT), 该项技术不需要另外加装模块, 已经在CPU中内置

Intel’s PTT was Introduced in 2013 on select fourth-generation Intel Core processors and chipsets, including Intel Haswell ULT multichip packages, as well as on Atom-based, system-on-a-chip solutions like Bay Trail.

PTT与TPM2.0关系
2020-02-21_22-59-38.png
图片来源

https://forums.juniper.net/t5/Security/What-s-the-Difference-between-Secure-Boot-and-Measured-Boot/ba-p/281251