文档章节

openssl制作V3版证书实现基于https的 webservice双向认证(本篇只讲述证书制作过程)

AutumnFrame
 AutumnFrame
发布于 2016/09/22 14:11
字数 1908
阅读 253
收藏 3

openssl制作V3版证书实现基于https的

webservice双向认证(本篇只讲述证书制作过程)

 

 

一、准备工作:

首先要安装openssl证书制作工具。

二、制作证书:

1.1、构建根证书私钥

openssl genrsa -out ca/ca-key.pem 2048

1.2、生成根证书签发申请

openssl req -new -key ca/ca-key.pem -out private/ca.csr

1.3、签发根证书

openssl x509 -req -days 3650 –sha256 –extfile openssl.cnf -extensions v3_ca -signkey ca/ca-key.pem -in ca/ca.csr -out ca/ca.cer

1.4、转换为p12格式证书

openssl pkcs12 -export -cacerts -inkey ca/ca-key.pem -in ca/ca.cer -out ca/ca.p12

2.1、产生服务端私钥

openssl genrsa -out server/server-key.pem 2048

2.2、生成服务器证书签发申请

openssl req -new -key server/server-key.pem -out server/server.csr

此处要输入IP或域名

2.3、签发服务器证书

openssl x509 -req -days 3650 –sha256 –extfile openssl.cnf -extensions v3_req -CA ca/ca.cer -CAkey  ca/ca-key.pem -CAserial ca.srl -CAcreateserial -in server/server.csr -out server/server.cer

2.4、转换为p12格式证书

openssl pkcs12 -export -cacerts -inkey server/server-key.pem -in server/server.cer -out server/server.p12

3.1、产生客户端私钥

openssl genrsa -out client/client-key.pem 2048

3.2、生成客户端签发申请

openssl req -new -key client/client-key.pem -out client/client.csr

3.3、签发客户端证书

openssl x509 -req -days 3650 –sha256 –extfile openssl.cnf -extensions v3_req -CA ca/ca.cer -CAkey  ca/ca-key.pem -CAserial ca.srl -CAcreateserial -in client/client.csr -out client/client.cer

3.4、转换为p12格式证书

openssl pkcs12 -export -cacerts -inkey client/client-key.pem -in client/client.cer -out client/client.p12

 

以下是openssl.cnf配置文件内容:

#

# OpenSSL example configuration file.

# This is mostly being used for generation of certificate requests.

#

 

# This definition stops the following lines choking if HOME isn't

# defined.

HOME   = .

RANDFILE  = $ENV::HOME/.rnd

 

# Extra OBJECT IDENTIFIER info:

#oid_file  = $ENV::HOME/.oid

oid_section  = new_oids

 

# To use this configuration file with the "-extfile" option of the

# "openssl x509" utility, name here the section containing the

# X.509v3 extensions to use:

# extensions  =

# (Alternatively, use a configuration file that has only

# X.509v3 extensions in its main [= default] section.)

 

[ new_oids ]

 

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

# Add a simple OID like this:

# testoid1=1.2.3.4

# Or use config file substitution like this:

# testoid2=${testoid1}.5.6

 

# Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7

 

####################################################################

[ ca ]

default_ca = CA_default  # The default ca section

 

####################################################################

[ CA_default ]

 

dir  = ./CA  # Where everything is kept

certs  = $dir/certs  # Where the issued certs are kept

crl_dir  = $dir/crl  # Where the issued crl are kept

database = $dir/index.txt # database index file.

#unique_subject = no   # Set to 'no' to allow creation of

     # several ctificates with same subject.

new_certs_dir = $dir/newcerts  # default place for new certs.

 

certificate = $dir/cacert.pem  # The CA certificate

serial  = $dir/serial   # The current serial number

crlnumber = $dir/crlnumber # the current crl number

     # must be commented out to leave a V1 CRL

crl  = $dir/crl.pem   # The current CRL

private_key = $dir/private/cakey.pem# The private key

RANDFILE = $dir/private/.rand # private random number file

 

x509_extensions = usr_cert  # The extentions to add to the cert

 

# Comment out the following two lines for the "traditional"

# (and highly broken) format.

name_opt  = ca_default  # Subject Name options

cert_opt  = ca_default  # Certificate field options

 

# Extension copying option: use with caution.

copy_extensions = copy

 

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs

# so this is commented out by default to leave a V1 CRL.

# crlnumber must also be commented out to leave a V1 CRL.

# crl_extensions = crl_ext

 

default_days = 365   # how long to certify for

default_crl_days= 30   # how long before next CRL

default_md = default  # use public key default MD

preserve = no   # keep passed DN ordering

 

# A few difference way of specifying how similar the request should look

# For type CA, the listed attributes must be the same, and the optional

# and supplied fields are just that :-)

policy  = policy_match

 

# For the CA policy

[ policy_match ]

countryName  = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = optional

commonName  = supplied

emailAddress  = optional

 

# For the 'anything' policy

# At this point in time, you must list all acceptable 'object'

# types.

[ policy_anything ]

countryName  = optional

stateOrProvinceName = optional

localityName  = optional

organizationName = optional

organizationalUnitName = optional

commonName  = supplied

emailAddress  = optional

 

####################################################################

[ req ]

default_bits  = 1024

default_keyfile  = privkey.pem

distinguished_name = req_distinguished_name

attributes  = req_attributes

x509_extensions = v3_ca # The extentions to add to the self signed cert

 

# Passwords for private keys if not present they will be prompted for

# input_password = secret

# output_password = secret

 

# This sets a mask for permitted string types. There are several options.

# default: PrintableString, T61String, BMPString.

# pkix  : PrintableString, BMPString (PKIX recommendation before 2004)

# utf8only: only UTF8Strings (PKIX recommendation after 2004).

# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).

# MASK:XXXX a literal mask value.

# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.

string_mask = utf8only

 

req_extensions = v3_req # The extensions to add to a certificate request

[alternate_names]

IP = 115.28.28.169

[ req_distinguished_name ]

countryName   = Country Name (2 letter code)

countryName_default  = CN

countryName_min   = 2

countryName_max   = 2

 

stateOrProvinceName  = State or Province Name (full name)

stateOrProvinceName_default = BeiJing

 

localityName   = Locality Name (eg, city)

 

0.organizationName  = Organization Name (eg, company)

0.organizationName_default = myca

 

# we can do this but it is not needed normally :-)

#1.organizationName  = Second Organization Name (eg, company)

#1.organizationName_default = World Wide Web Pty Ltd

 

organizationalUnitName  = Organizational Unit Name (eg, section)

#organizationalUnitName_default =

 

commonName   = Common Name (e.g. server FQDN or YOUR name)

commonName_max   = 64

 

emailAddress   = Email Address

emailAddress_max  = 64

 

# SET-ex3   = SET extension number 3

 

[ req_attributes ]

challengePassword  = A challenge password

challengePassword_min  = 4

challengePassword_max  = 20

 

unstructuredName  = An optional company name

 

[ usr_cert ]

 

# These extensions are added when 'ca' signs a request.

 

# This goes against PKIX guidelines but some CAs do it and some software

# requires this to avoid interpreting an end user certificate as a CA.

 

basicConstraints=CA:true

 

# Here are some examples of the usage of nsCertType. If it is omitted

# the certificate can be used for anything *except* object signing.

 

# This is OK for an SSL server.

# nsCertType   = server

 

# For an object signing certificate this would be used.

# nsCertType = objsign

 

# For normal client use this is typical

# nsCertType = client, email

 

# and for everything including object signing:

nsCertType = client, email, objsign

 

# This is typical in keyUsage for a client certificate.

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 

# This will be displayed in Netscape's comment listbox.

nsComment   = "OpenSSL Generated Certificate"

 

# PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

 

# This stuff is for subjectAltName and issuerAltname.

# Import the email address.

# subjectAltName=email:copy

# An alternative to produce certificates that aren't

# deprecated according to PKIX.

# subjectAltName=email:move

 

# Copy subject details

# issuerAltName=issuer:copy

 

#nsCaRevocationUrl  = http://www.domain.dom/ca-crl.pem

#nsBaseUrl

#nsRevocationUrl

#nsRenewalUrl

#nsCaPolicyUrl

#nsSslServerName

 

# This is required for TSA certificates.

# extendedKeyUsage = critical,timeStamping

 

[ svr_cert ]

 

# These extensions are added when 'ca' signs a request.

 

# This goes against PKIX guidelines but some CAs do it and some software

# requires this to avoid interpreting an end user certificate as a CA.

 

basicConstraints=CA:true

 

# Here are some examples of the usage of nsCertType. If it is omitted

# the certificate can be used for anything *except* object signing.

 

# This is OK for an SSL server.

nsCertType   = server

 

# For an object signing certificate this would be used.

# nsCertType = objsign

 

# For normal client use this is typical

# nsCertType = client, email

 

# and for everything including object signing:

# nsCertType = client, email, objsign

 

# This is typical in keyUsage for a client certificate.

#  digitalSignature nonRepudiation keyEncipherment dataEncipherment 

#  keyAgreement keyCertSign cRLSign encipherOnly decipherOnly

keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement

 

# This will be displayed in Netscape's comment listbox.

#nsComment   = "OpenSSL Generated Certificate"

 

# PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

 

# This stuff is for subjectAltName and issuerAltname.

# Import the email address.

# subjectAltName=email:copy

# An alternative to produce certificates that aren't

# deprecated according to PKIX.

# subjectAltName=email:move

 

# Copy subject details

# issuerAltName=issuer:copy

 

#nsCaRevocationUrl  = http://www.domain.dom/ca-crl.pem

#nsBaseUrl

#nsRevocationUrl

#nsRenewalUrl

#nsCaPolicyUrl

#nsSslServerName

 

# This is required for TSA certificates.

extendedKeyUsage = serverAuth,clientAuth

 

[ v3_req ]

subjectAltName = IP:115.28.28.169

# Extensions to add to a certificate request

 

basicConstraints = CA:true

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 

[ v3_ca ]

 

subjectAltName = @alternate_names

# Extensions for a typical CA

 

 

# PKIX recommendation.

 

subjectKeyIdentifier=hash

 

authorityKeyIdentifier=keyid:always,issuer

 

# This is what PKIX recommends but some broken software chokes on critical

# extensions.

#basicConstraints = critical,CA:true

# So we do this instead.

basicConstraints = CA:true

 

# Key usage: this is typical for a CA certificate. However since it will

# prevent it being used as an test self-signed certificate it is best

# left out by default.

#keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 

# Some might want this also

# nsCertType = sslCA, emailCA

 

# Include email address in subject alt name: another PKIX recommendation

# subjectAltName=email:copy

# Copy issuer details

# issuerAltName=issuer:copy

 

# DER hex encoding of an extension: beware experts only!

# obj=DER:02:03

# Where 'obj' is a standard or added object

# You can even override a supported extension:

# basicConstraints= critical, DER:30:03:01:01:FF

 

[ crl_ext ]

 

# CRL extensions.

# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

 

# issuerAltName=issuer:copy

authorityKeyIdentifier=keyid:always

 

[ proxy_cert_ext ]

# These extensions should be added when creating a proxy certificate

 

# This goes against PKIX guidelines but some CAs do it and some software

# requires this to avoid interpreting an end user certificate as a CA.

 

basicConstraints=CA:FALSE

 

# Here are some examples of the usage of nsCertType. If it is omitted

# the certificate can be used for anything *except* object signing.

 

# This is OK for an SSL server.

# nsCertType   = server

 

# For an object signing certificate this would be used.

# nsCertType = objsign

 

# For normal client use this is typical

# nsCertType = client, email

 

# and for everything including object signing:

# nsCertType = client, email, objsign

 

# This is typical in keyUsage for a client certificate.

# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

 

# This will be displayed in Netscape's comment listbox.

nsComment   = "OpenSSL Generated Certificate"

 

# PKIX recommendations harmless if included in all certificates.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid,issuer

 

# This stuff is for subjectAltName and issuerAltname.

# Import the email address.

# subjectAltName=email:copy

# An alternative to produce certificates that aren't

# deprecated according to PKIX.

# subjectAltName=email:move

 

# Copy subject details

# issuerAltName=issuer:copy

 

#nsCaRevocationUrl  = http://www.domain.dom/ca-crl.pem

#nsBaseUrl

#nsRevocationUrl

#nsRenewalUrl

#nsCaPolicyUrl

#nsSslServerName

 

# This really needs to be in place for it to be a proxy certificate.

proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

 

####################################################################

[ tsa ]

 

default_tsa = tsa_config1 # the default TSA section

 

[ tsa_config1 ]

 

# These are used by the TSA reply generation only.

dir  = ./demoCA  # TSA root directory

serial  = $dir/tsaserial # The current serial number (mandatory)

crypto_device = builtin  # OpenSSL engine to use for signing

signer_cert = $dir/tsacert.pem  # The TSA signing certificate

     # (optional)

certs  = $dir/cacert.pem # Certificate chain to include in reply

     # (optional)

signer_key = $dir/private/tsakey.pem # The TSA private key (optional)

 

default_policy = tsa_policy1  # Policy if request did not specify it

     # (optional)

other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)

digests  = md5, sha1  # Acceptable message digests (mandatory)

accuracy = secs:1, millisecs:500, microsecs:100 # (optional)

clock_precision_digits  = 0 # number of digits after dot. (optional)

ordering  = yes # Is ordering defined for timestamps?

    # (optional, default: no)

tsa_name  = yes # Must the TSA name be included in the reply?

    # (optional, default: no)

ess_cert_id_chain = no # Must the ESS cert id chain be included?

    # (optional, default: no)

© 著作权归作者所有

共有 人打赏支持
AutumnFrame
粉丝 0
博文 1
码字总数 1908
作品 0
通州
程序员
私信 提问
HTTPS证书验证流程及SSL证书生成步骤【附nginx开启https配置】

------------------------------------------------------------ HTTPS证书验证流程(极简化版) 1.客户端向服务端请求证书(server.crt) 2.服务端下发证书(server.crt) 3.客户端用预制的...

xiaomin0322
2018/09/19
0
0
Configuring SSL in Wildfly 8

Configuring SSL in Wildfly 8 一:什么是SSL   SSL(Security Socket Layer)全称是加密套接字协议层,它位于HTTP协议层和TCP协议层之间,用于建立用户与服务器之间的加密通信,确保所传递...

Zhao-Qian
2015/03/10
0
0
webservice ssl 1 SSL/TLS 协议入门

SSL(Secure Sockets Layer,安全套接层),及其继任者 TLS(Transport Layer Security,传输层安全)是为网络通信提供安全及数据完整性的一种安全协议。TLS与SSL在传输层对网络连接进行加密...

Zhao-Qian
2015/06/01
0
0
https环境搭建配置(基于Tomcat和Nginx)

一、基于Tomcat、JDK内置密钥工具: 1、生成服务端证书库(keystore证书库文件),用于客户端验证服务端的真实性 keytool -genkey -v -alias key_server -keyalg RSA -keystore e:server.keys...

谭又中
2014/10/23
0
6
[整理]HTTPS和SSL证书

在互联网安全通信方式上,目前用的最多的就是https配合ssl和数字证书来保证传输和认证安全了。本文追本溯源围绕这个模式谈一谈。 名词解释 首先解释一下上面的几个名词: • https:在http(...

candy-yun
2017/02/08
0
0

没有更多内容

加载失败,请刷新页面

加载更多

linux 服务管理 Crontba、Ntpdate、Logrotate、Supervisor

crond linux 系统则是由 cron (crond) 这个系统服务来控制的。Linux 系统上面原本就有非常多的计划性工作,因此这个系统服务是默认启动的。 另外, 由于使用者自己也可以设置计划任务,所以,...

狼王黄师傅
31分钟前
1
0
Sobel算子和Scharr滤波器

Sobel算子在数学上的本质是微分,对离散信号,是求邻域内的增量。 基本原理:在图像上,对图像信号在某点进行微分,表示图像的某个特征(如,强度、色调或者饱和度)在该点的变换程度。以强度...

yepanl
48分钟前
1
0
Jenkins API 使用

Jenkins 是一款流行的开源持续集成工具,可以用来做一些软件开发的自动化工作,如打包,测试,自动部署等。 Jenkins 中有 view 和 job 的概念, view 相当于组, job 则是具体的任务。 view...

YanWen
49分钟前
5
0
聊聊jest的NodeChecker

序 本文主要研究一下jest的NodeChecker NodeChecker jest-common-6.3.1-sources.jar!/io/searchbox/client/config/discovery/NodeChecker.java public class NodeChecker extends AbstractS......

go4it
56分钟前
3
0
深入分析String.intern和String常量的实现原理

背景 字符串类型在实际应用场景中使用非常频繁,如果为每个字符串常量都生成一个对应的String对象,明显会造成内存的浪费,针对这一问题,虚拟机实现一个字符串常量池的概念,提供了如下实现...

群星纪元
今天
2
0

没有更多内容

加载失败,请刷新页面

加载更多

返回顶部
顶部