openssl制作雙向認證經過驗證可行
openssl制作雙向認證經過驗證可行
http://www.360doc.com/content/12/0524/15/2150778_213390447.shtml
2012-05-24 履歷館
創建一個證書的步驟:
(1)生成系統私鑰
(2)生成待簽名證書
(3)生成x509證書, 用CA私鑰進行簽名
(4)導成瀏覽器支持的p12格式證書
備註:創建過程中如遇到unable to load local/user/openssl.cnf的情況,將openssl.cnf拷貝到openssl.exe所在的目錄下。
二:生成CA證書
目前不使用第三方權威機構的CA來認證,自己充當CA的角色。
1. 創建私鑰:
openssl genrsa -out c:/ca/ca-key.pem 1024
2.創建證書請求:
openssl req -new -out c:/ca/ca-req.csr -key c:/ca/ca-key.pem(如果出現:unable to load config info from /user/local/ssl/openssl.cnf
加上命令參數為:openssl req -config openssl.cnf -new -out c:/ca/ca-req.csr -key c:/ca/ca-key.pem
openssl.cnf 為全路徑,如果openssl.cnf與opensll.exe同目錄下,則可寫為:
openssl req -config openssl.cnf -new -out c:/ca/ca-req.csr -key c:/ca/ca-key.pem)
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:ca
Email Address []:[email protected]
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.自簽署證書:
openssl x509 -req -in c:/ca/ca-req.csr -out c:/ca/ca-cert.pem -signkey c:/ca/ca-key.pem -days 3650
4.將證書導出成瀏覽器支持的.p12格式:
openssl pkcs12 -export -clcerts -in c:/ca/ca-cert.pem -inkey c:/ca/ca-key.pem -out c:/ca/ca.p12
密碼:123456
三.生成server證書
1.創建私鑰:
openssl genrsa -out c:/server/server-key.pem 1024
2.創建證書請求:
openssl req -new -out c:/server/server-req.csr -key c:/server/server-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:localhost #此處一定要寫服務器所在ip
Email Address []:[email protected]
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.自簽署證書:
openssl x509 -req -in c:/server/server-req.csr -out c:/server/server-cert.pem -signkey c:/server/server-key.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 3650
openssl req -x509 -config E:\EDriver\Data\07_Task\10.Tibco\openssl\CONF\san.conf -newkey rsa:4096 -sha256 -nodes -out d:\temp\qareq.pem -outform PEM
keytool -importcert -file d:\temp\qareq.pem -keystore d:\temp\qareq.jks -alias "qaca"
==============
使用conf創建SAN Certification
san.conf
[ req ] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name req_extensions = req_ext # The extentions to add to the self signed cert [ req_distinguished_name ] countryName = CN (2 letter code) countryName_default = CN stateOrProvinceName = Macao (full name) stateOrProvinceName_default = Macao localityName = Macao (eg, city) localityName_default = Macao organizationName = VML (eg, company) organizationName_default = VML commonName = IT (eg, YOUR name) commonName_max = 64 [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = IPaddress1 DNS.2 = IPaddress2
openssl req -new -config CONF\san.conf -out server-req.csr -key server-key.pem
openssl x509 -req -in server-req.csr -out server-cert.pem -signkey server-key.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650
openssl pkcs12 -export -clcerts -in server-cert.pem -inkey server-key.pem -out server.p12
================
4.將證書導出成瀏覽器支持的.p12格式:
openssl pkcs12 -export -clcerts -in c:/server/server-cert.pem -inkey c:/server/server-key.pem -out c:/server/server.p12
密碼:123456
四.生成client證書(每個客戶端需要制作不同的客戶端證書,使用同一個CA來制作客戶端證書)
1.創建私鑰:
openssl genrsa -out c:/client/client-key.pem 1024
2.創建證書請求:
openssl req -new -out c:/client/client-req.csr -key c:/client/client-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:dong(填寫為客戶端機器IP)
Email Address []:[email protected]
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.自簽署證書:
openssl x509 -req -in c:/client/client-req.csr -out c:/client/client-cert.pem -signkey c:/client/client-key.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 3650
4.將證書導出成瀏覽器支持的.p12格式:
openssl pkcs12 -export -clcerts -in c:/client/client-cert.pem -inkey c:/client/client-key.pem -out c:/client/client.p12
密碼:123456
五.根據ca證書生成jks文件 (java keystore)
keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file c:/ca/ca-cert.pem
六.配置tomcat ssl
修改conf/server.xml。tomcat6中多了SSLEnabled="true"屬性。keystorefile, truststorefile設置為你正確的相關路徑
xml 代碼
tomcat 5.5的配置:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS" />
tomcat6.0的配置:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"
truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>
七、測試(linux下)
openssl s_client -connect localhost:8443 -cert /home/ssl/c:/client/client-cert.pem -key /home/ssl/c:/client/client-key.pem -tls1 -CAfile /home/ssl/c:/ca/ca-cert.pem -state -showcerts
GET /index.jsp HTTP/1.0
八、導入證書
服務端導入server.P12 和ca.p12證書
客戶端導入將ca.p12,client.p12證書
IE中(打開IE->;Internet選項->內容->證書)
ca.p12導入至受信任的根證書頒發機構,client.p12導入至個人
Firefox中(工具-選項-高級-加密-查看證書-您的證書)
將ca.p12和client.p12均導入這裏
註意:ca,server,client的證書的common name(ca=ca,server=localhost,client=dong)一定不能重復,否則ssl不成功
九、tomcat應用程序使用瀏覽器證書認證
在c:/server/webapps/manager/WEB-INF/web.xml中,將BASIC認證改為證書認證
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
在conf/tomcat-users.xml中填入下列內容
<?xml version=‘1.0‘ encoding=‘utf-8‘?>
<tomcat-users>
<role rolename="manager"/>
<role rolename="admin"/>
<role rolename="user"/>
<user username="[email protected], CN=dong, OU=tb, O=tb, L=bj, ST=bj, C=cn" password="null" roles="admin,user,manager"/>
</tomcat-users>
訪問http://localhost:8443即可驗證ssl是否成功
openssl制作雙向認證經過驗證可行