openssl nodejs https+客户端证书+usbkey
mac sslconfig 文件路径
/System/Library/OpenSSL/openssl.cnf
一生成CA
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Dongcheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go
Organizational Unit Name (eg, section) []:Audit
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:
二生成 客户端和服务器端的私钥(key文件):
openssl genrsa -des3 -out server.key 1024
openssl genrsa -des3 -out client.key 1024
三生成的csr文件
服务端
cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -key server.key -out server.csr -config openssl.cnf
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Dongcheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go
Organizational Unit Name (eg, section) []:Audit
Common Name (e.g. server FQDN or YOUR name) []www.httpsserver.com ^ Email Address []: Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
客户端
cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -key client.key -out client.csr -config openssl.cnf
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Dongcheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go
Organizational Unit Name (eg, section) []:Audit
Common Name (e.g. server FQDN or YOUR name) []:www.httpsclient.com
Email Address []: Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
签名
cdpmacdeMBP:mkssl3 cdpmac$ Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: (0x1)
Validity
Not Before: Jul :: GMT
Not After : Jul :: GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Go
organizationalUnitName = Audit
commonName = www.httpsserver.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7F:::A8:3F::B8::2F:0D:B4::F2::5F:E5:1E::5E:
X509v3 Authority Key Identifier:
keyid:B6:D8::A3:C2::D1::8F:::C4::FA::C4:C4:1A:DA: Certificate is to be certified until Jul :: GMT ( days)
Sign the certificate? [y/n]:y out of certificate requests certified, commit? [y/n]y
Write out database with new entries
Data Base Updated
cdpmacdeMBP:mkssl3 cdpmac$ Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
:error::lib():UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-52.20./src/crypto/ui/ui_lib.c::You must type in to characters
Enter pass phrase for ca.key:
:error::lib():UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-52.20./src/crypto/ui/ui_lib.c::You must type in to characters
Enter pass phrase for ca.key:
Enter pass phrase for ca.key:
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: (0x2)
Validity
Not Before: Jul :: GMT
Not After : Jul :: GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Go
organizationalUnitName = Audit
commonName = www.httpsclient.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F3:B9:6E:AB:::FE:0D:E2::3D:3B:DD:7C:CC:::7B::7F
X509v3 Authority Key Identifier:
keyid:B6:D8::A3:C2::D1::8F:::C4::FA::C4:C4:1A:DA: Certificate is to be certified until Jul :: GMT ( days)
Sign the certificate? [y/n]:y out of certificate requests certified, commit? [y/n]y
Write out database with new entries
Data Base Updated
注意
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go 必须相同
需要为
Common Name (e.g. server FQDN or YOUR name) []www.httpsserver.com 配置host
1.首先要生成服务器端的私钥(key文件):
openssl genrsa -des3 -out server.key 1024
运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!
去除key文件口令的命令:
openssl rsa -in server.key -out server.key
2.openssl req -new -key server.key -out server.csr -config openssl.cnf
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.
3.对客户端也作同样的命令生成key及csr文件:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
4.CSR文件必须有CA的签名才可形成证书.可将此文件发送到verisign等地方由它验证,要交一大笔钱,何不自己做CA呢.
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
5.用生成的CA的证书为刚才生成的server.csr,client.csr文件签名:
Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
这两步会报错因为没有文件
mkdir ./demoCA
654 mkdir demoCA/newcerts
655 touch demoCA/index.txt
656 vi demoCA/serial
输入01 退出
Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
再生成
Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
时出错
cdpmacdeMBP:mkssl3 cdpmac$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Jul 8 06:14:48 2015 GMT
Not After : Jul 7 06:14:48 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Goyoo
organizationalUnitName = Audit
commonName = Cuidapeng
emailAddress = cclient@hotmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7E:A5:DA:92:0C:06:7B:2F:84:3C:C6:63:39:5C:B6:47:69:C6:76:3C
X509v3 Authority Key Identifier:
keyid:F0:62:47:E3:7C:56:E0:83:28:EE:D3:D1:F0:C5:46:54:39:39:47:75
Certificate is to be certified until Jul 7 06:14:48 2016 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
查问题知
http://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/
Because you have generated your own self signed certificate with the same CN (Common Name) information that the CA certificate that you’ve generated before.
之前生成csr时输也的Common Name 是相同的,重新生成一个。
再来
成功
openssl nodejs https+客户端证书+usbkey的更多相关文章
- OPENSSL 生成https 客户端证书
下面说下拿服务器证书.(前提是服务器是https,客户端认证用的时候),服务端不给的时候,我们自己去拿(不给怼他!,哈哈,开个玩笑,都会给的) openssl s_client -connect 域名 ...
- iis https 客户端证书
1.自建根证书 makecert -r -pe -n "CN=WebSSLTestRoot" -b 12/22/2013 -e 12/23/2024 -ss root -sr lo ...
- nodejs 客户端证书设置。
最近的系统要求较高的安全等级 https+usbkey证书 https的操作很简单 openssl 生成ca 和证书,配置启动即可 生成成功后,类似这样. 类似这样 var options = { k ...
- openssl CA 自签证书,阿里云配置tomcat https
<一,openssl CA自签发证书> 1,生成私钥 openssl genrsa 1024 > private.key;
- curl+个人证书(又叫客户端证书)访问https站点
摘自http://blog.csdn.net/chary8088/article/details/22990741 curl+个人证书(又叫客户端证书)访问https站点 目前,大公司的OA管理系统( ...
- Android : 关于HTTPS、TLS/SSL认证以及客户端证书导入方法
一.HTTPS 简介 HTTPS 全称 HTTP over TLS/SSL(TLS就是SSL的新版本3.1).TLS/SSL是在传输层上层的协议,应用层的下层,作为一个安全层而存在,翻译过来一般叫做传 ...
- openssl生成https证书
openssl生成https证书 分类: 其它2009-09-03 16:20 452人阅读 评论(0) 收藏 举报 includemoduleaccessapachessl服务器 openssl生成 ...
- Https、OpenSSL自建CA证书及签发证书、nginx单向认证、双向认证及使用Java访问
0.环境 本文的相关源码位于 https://github.com/dreamingodd/CA-generation-demo 必须安装nginx,必须安装openssl,(用apt-get upd ...
- [转帖]用 OpenSSL 创建可以用于 https 的证书
用 OpenSSL 创建可以用于 https 的证书 开会时 说到了安全问题 就简单鼓捣了一下 以后还是用nginx 转发比较好一些. https://blog.csdn.net/joyous/art ...
随机推荐
- Thread--synchronized不能被继承?!?!!!
参考:http://bbs.csdn.net/topics/380248188 其实真相是这样的,“synchronized不能被继承”,这句话有2种不同意思,一种是比较正常的.很容易让人想到的意思: ...
- while read line do done < file
zzx@zzx120:~/test1$ cat file.txt 1122zzx@zzx120:~/test1$ cat ./read.sh #!/bin/bashwhile read line ...
- Java开学测试感想
开学第一堂课就是测试,测试暑假的自学成果,老师说试卷适当提高了难度,所以允许查书和使用网络查询,经过近三个钟头的努力奋斗和痛苦挣扎,我只完成了一小部分的代码,只有简单的set()get()函数,以及简 ...
- 吴裕雄--天生自然Linux操作系统:Linux 云服务器
自己安装服务器还是麻烦了些,现在一般都推荐大家使用云服务器,比较方便,价格也不贵. 腾讯云 以下几款性价比非常高,有几款是需要抢购的,大家看好时间基本能拿到. 1.1核2G 99/年,可以用来学习,L ...
- eclipse Java EE 与 Java 区别
1. 综述 eclipse IDE 一般来说有三种可切换的模式 Java EE Java 调试 可直接下拉至底部看两者的比较. 2. Java Java 是带有用户界面的 基本IDE ,缺少数据库和w ...
- Linux之程序的开始和结束
1.main函数由谁来调用 (1).编译链接时的引导代码. 操作系统下的应用程序其实是在main函数执行前也需要先执行一段引导代码才能去执行main函数,我们写应用程序时不用考虑引导代码的问题,编译链 ...
- JVM(三)内存结构图
JVM内存结构图:
- APUE 书中 toll 函数
今天看unix环境高级编程时,随着书上的源码打了一遍,编译时提示 toll函数未定义, 找了半天(恕我对上下文不了解).看了英文版和源代码文件才知道, 中文版打印错了: toll => atol ...
- 用hash存数组|得地址|取地址
#!/usr/bin/perl -w use strict; my %hash = %{&collect};my $arr_ad=$hash{'a'};print "$arr_ad\ ...
- Class<T> 泛型获取T的class
getClass().getGenericSuperclass()返回表示此 Class 所表示的实体(类.接口.基本类型或 void)的直接超类的 Type然后将其转换ParameterizedTy ...