tls双向认证 python openssl 双向认证 |
您所在的位置:网站首页 › 提货卡怎么使用 › tls双向认证 python openssl 双向认证 |
|
openssl制作双向认证经过验证可行 http://www.360doc.com/content/12/0524/15/2150778_213390447.shtml 履历馆 创建一个证书的步骤:
(1)生成系统私钥 (2)生成待签名证书 (3)生成x509证书, 用CA私钥进行签名 (4)导成浏览器支持的p12格式证书
备注:创建过程中如遇到unable to load local/user/openssl.cnf的情况,将openssl.cnf拷贝到openssl.exe所在的目录下。
二:生成CA证书 目前不使用第三方权威机构的CA来认证,自己充当CA的角色。 1. 创建私钥: openssl genrsa -out c:/ca/ca-key.pem 10242.创建证书请求: openssl req -new -out c:/ca/ca-req.csr -key c:/ca/ca-key.pem(如果出现:unable to load config info from /user/local/ssl/openssl.cnf加上命令参数为:openssl req -config openssl.cnf -new -out c:/ca/ca-req.csr -key c:/ca/ca-key.pem openssl.cnf 为全路径,如果openssl.cnf与opensll.exe同目录下,则可写为: -config openssl.cnf ) openssl req -config openssl.cnf -new -out c:/ca/ca-req.csr -key c:/ca/ca-key.pem) ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:bj Locality Name (eg, city) []:bj Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb Organizational Unit Name (eg, section) []:tb Common Name (eg, YOUR name) []:ca Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
3.自签署证书: openssl x509 -req -in c:/ca/ca-req.csr -out c:/ca/ca-cert.pem -signkey c:/ca/ca-key.pem -days 36504.将证书导出成浏览器支持的.p12格式: openssl pkcs12 -export -clcerts -in c:/ca/ca-cert.pem -inkey c:/ca/ca-key.pem -out c:/ca/ca.p12 密码:123456
三.生成server证书 1.创建私钥: openssl genrsa -out c:/server/server-key.pem 10242.创建证书请求: openssl req -new -out c:/server/server-req.csr -key c:/server/server-key.pem ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:bj Locality Name (eg, city) []:bj Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb Organizational Unit Name (eg, section) []:tb Common Name (eg, YOUR name) []:localhost #此处一定要写服务器所在ip Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:3.自签署证书: openssl x509 -req -in c:/server/server-req.csr -out c:/server/server-cert.pem -signkey c:/server/server-key.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 3650 openssl req -x509 -config E:\EDriver\Data\07_Task\10.Tibco\openssl\CONF\san.conf -newkey rsa:4096 -sha256 -nodes -out d:\temp\qareq.pem -outform PEM keytool -importcert -file d:\temp\qareq.pem -keystore d:\temp\qareq.jks -alias "qaca"============== 使用conf创建SAN Certification san.conf [ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name req_extensions = req_ext # The extentions to add to the self signed cert [ req_distinguished_name ] countryName = CN (2 letter code) countryName_default = CN stateOrProvinceName = Macao (full name) stateOrProvinceName_default = Macao localityName = Macao (eg, city) localityName_default = Macao organizationName = VML (eg, company) organizationName_default = VML commonName = IT (eg, YOUR name) commonName_max = 64 [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = IPaddress1 DNS.2 = IPaddress2openssl req -new -config CONF\san.conf -out server-req.csr -key server-key.pem openssl x509 -req -in server-req.csr -out server-cert.pem -signkey server-key.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650 openssl pkcs12 -export -clcerts -in server-cert.pem -inkey server-key.pem -out server.p12 ================
4.将证书导出成浏览器支持的.p12格式: openssl pkcs12 -export -clcerts -in c:/server/server-cert.pem -inkey c:/server/server-key.pem -out c:/server/server.p12 密码:123456
四.生成client证书(每个客户端需要制作不同的客户端证书,使用同一个CA来制作客户端证书) 1.创建私钥: openssl genrsa -out c:/client/client-key.pem 10242.创建证书请求: openssl req -new -out c:/client/client-req.csr -key c:/client/client-key.pem ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:bj Locality Name (eg, city) []:bj Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb Organizational Unit Name (eg, section) []:tb Common Name (eg, YOUR name) []:dong(填写为客户端机器IP) Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
3.自签署证书: openssl x509 -req -in c:/client/client-req.csr -out c:/client/client-cert.pem -signkey c:/client/client-key.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 36504.将证书导出成浏览器支持的.p12格式: openssl pkcs12 -export -clcerts -in c:/client/client-cert.pem -inkey c:/client/client-key.pem -out c:/client/client.p12 密码:123456
五.根据ca证书生成jks文件 keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file c:/ca/ca-cert.pem
六.配置tomcat ssl 修改conf/server.xml。tomcat6中多了SSLEnabled="true"属性。keystorefile, truststorefile设置为你正确的相关路径 xml 代码的配置: tomcat6.0的配置:
七、测试(linux下) openssl s_client -connect localhost:8443 -cert /home/ssl/c:/client/client-cert.pem -key /home/ssl/c:/client/client-key.pem -tls1 -CAfile /home/ssl/c:/ca/ca-cert.pem -state -showcertsGET /index.jsp HTTP/1.0
八、导入证书 服务端导入server.P12 和ca.p12证书 客户端导入将ca.p12,client.p12证书 IE中(打开IE->;Internet选项->内容->证书) ca.p12导入至受信任的根证书颁发机构,client.p12导入至个人 Firefox中(工具-选项-高级-加密-查看证书-您的证书) 将ca.p12和client.p12均导入这里
注意:ca,server,client的证书的common name(ca=ca,server=localhost,client=dong)一定不能重复,否则ssl不成功
九、tomcat应用程序使用浏览器证书认证 在c:/server/webapps/manager/WEB-INF/web.xml中,将BASIC认证改为证书认证 CLIENT-CERT Tomcat Manager Application在conf/tomcat-users.xml中填入下列内容
访问http://localhost:8443即可验证ssl是否成功 |
| CopyRight 2018-2019 办公设备维修网 版权所有 豫ICP备15022753号-3 |