openssl nodejs https + client certificate + usbkey
2015-07-08 16:08
On a Mac the OpenSSL config file is at /System/Library/OpenSSL/openssl.cnf.
Part 1: Generate the CA
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
1. First generate the server's private key (key file):
openssl genrsa -des3 -out server.key 1024
When run, it prompts for a password; this password encrypts the key file (the des3 parameter selects the encryption algorithm; you can of course choose another algorithm you consider secure). From then on, every time the file is read (through the OpenSSL commands or API) the passphrase must be entered. If that is inconvenient, the passphrase can be removed, but other protective measures must then be taken!
Command to remove the passphrase from the key file:
openssl rsa -in server.key -out server.key
2. Generate the Certificate Signing Request (CSR):
openssl req -new -key server.key -out server.csr -config openssl.cnf
The generated csr file is handed to the CA for signing, which produces the server's own certificate. Prompts appear on screen; follow them step by step and enter the requested personal information.
3. Run the same commands for the client to generate its key and csr files:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
4. A CSR only becomes a certificate once a CA has signed it. You could send the file to VeriSign or the like for verification, but that costs a lot of money, so why not be your own CA?
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
5. Use the generated CA certificate to sign the server.csr and client.csr files just created:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
These two steps fail because the CA database files do not exist yet. Create them:
mkdir ./demoCA
mkdir demoCA/newcerts
touch demoCA/index.txt
vi demoCA/serial    (enter 01, then save and exit)
Then sign the server request:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Running the client signing command again,
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
fails:
cdpmacdeMBP:mkssl3 cdpmac$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Jul 8 06:14:48 2015 GMT
Not After : Jul 7 06:14:48 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Goyoo
organizationalUnitName = Audit
commonName = Cuidapeng
emailAddress = cclient@hotmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7E:A5:DA:92:0C:06:7B:2F:84:3C:C6:63:39:5C:B6:47:69:C6:76:3C
X509v3 Authority Key Identifier:
keyid:F0:62:47:E3:7C:56:E0:83:28:EE:D3:D1:F0:C5:46:54:39:39:47:75
Certificate is to be certified until Jul 7 06:14:48 2016 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
Searching for the problem turned up:
http://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/
"Because you have generated your own self signed certificate with the same CN (Common Name) information that the CA certificate that you've generated before."
The Common Name entered earlier when generating the CSRs was the same one, so generate a new CA. The second attempt succeeds:
cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Dongcheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go
Organizational Unit Name (eg, section) []:Audit
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:
Part 2: Generate the client and server private keys (key files)
openssl genrsa -des3 -out server.key 1024
openssl genrsa -des3 -out client.key 1024
Part 3: Generate the csr files
Server:
cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -key server.key -out server.csr -config openssl.cnf
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Dongcheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go
Organizational Unit Name (eg, section) []:Audit
Common Name (e.g. server FQDN or YOUR name) []:www.httpsserver.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Client:
cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -key client.key -out client.csr -config openssl.cnf
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Dongcheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go
Organizational Unit Name (eg, section) []:Audit
Common Name (e.g. server FQDN or YOUR name) []:www.httpsclient.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Signing:
cdpmacdeMBP:mkssl3 cdpmac$ Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 8 06:53:06 2015 GMT
Not After : Jul 7 06:53:06 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Go
organizationalUnitName = Audit
commonName = www.httpsserver.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7F:77:31:A8:3F:83:B8:21:2F:0D:B4:96:F2:71:5F:E5:1E:98:5E:89
X509v3 Authority Key Identifier:
keyid:B6:D8:38:A3:C2:84:D1:66:8F:86:69:C4:75:FA:69:C4:C4:1A:DA:43
Certificate is to be certified until Jul 7 06:53:06 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
cdpmacdeMBP:mkssl3 cdpmac$ Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
42576:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Enter pass phrase for ca.key:
42576:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Enter pass phrase for ca.key:
Enter pass phrase for ca.key:
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jul 8 06:54:05 2015 GMT
Not After : Jul 7 06:54:05 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Go
organizationalUnitName = Audit
commonName = www.httpsclient.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F3:B9:6E:AB:58:29:FE:0D:E2:62:3D:3B:DD:7C:CC:03:16:7B:48:7F
X509v3 Authority Key Identifier:
keyid:B6:D8:38:A3:C2:84:D1:66:8F:86:69:C4:75:FA:69:C4:C4:1A:DA:43
Certificate is to be certified until Jul 7 06:54:05 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Note:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go must be the same as in the CA certificate (the default openssl.cnf signing policy requires it to match).
A hosts entry must be configured for Common Name (e.g. server FQDN or YOUR name) []:www.httpsserver.com so that the name resolves to the server.
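The whole procedure above (CA, server and client CSRs, signing with openssl ca, and the subject clash in the CA database), as an added shell example that is not part of the original post. It assumes openssl is on PATH and uses constructed subjects and unencrypted (-nodes) keys in place of the post's passphrase prompts.

```shell
#!/bin/sh
# Added example, not the post's own code: the post's CA -> CSR -> "openssl ca" flow run
# non-interactively. Assumes openssl is on PATH; subjects are constructed values; keys are
# written with -nodes instead of the post's -des3 passphrase prompts.
set -e; umask 077   # private keys and the CA database become readable by the owner only
write_config() {  # minimal openssl.cnf with the demoCA layout the post had to create by hand
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}
setup_ca() {  # the files the post's mkdir/touch/serial fix creates, then the self-signed CA
  write_config && mkdir -p demoCA/newcerts && : > demoCA/index.txt && echo 01 > demoCA/serial
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 365 \
    -subj "/C=CN/ST=Beijing/O=Go/CN=CA" -config openssl.cnf -extensions v3_ca 2>/dev/null
}
issue() {  # $1 = basename, $2 = CN; C/ST/O must equal the CA's or policy_match refuses it
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -config openssl.cnf \
    -subj "/C=CN/ST=Beijing/O=Go/CN=$2" 2>/dev/null
  openssl ca -batch -days 365 -in "$1.csr" -out "$1.crt" -cert ca.crt -keyfile ca.key -config openssl.cnf 2>/dev/null
}
build_pki() {  # $1 = empty work dir; returns 0 only when both leaf certs verify against ca.crt
  cd "$1" && setup_ca && issue server www.httpsserver.com && issue client www.httpsclient.com
  openssl verify -CAfile ca.crt server.crt client.crt >/dev/null
}
duplicate_subject_rejected() {  # index.txt is unique per subject: the clash behind TXT_DB error 2
  issue dup www.httpsclient.com || true; ! [ -s dup.crt ]   # no certificate may be written
}
build_pki "$(mktemp -d)" && duplicate_subject_rejected && echo "PKI built in $PWD"
```

Running it prints the scratch directory holding ca.crt, server.crt and client.crt; dup.crt stays empty because index.txt already holds that subject.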