openssl制作双向认证经过验证可行

openssl制作双向认证经过验证可行

http://www.360doc.com/content/12/0524/15/2150778_213390447.shtml

 

2012-05-24  履历馆

创建一个证书的步骤：

 

（1）生成系统私钥

 

（2）生成待签名证书

 

（3）生成x509证书, 用CA私钥进行签名

 

（4）导成浏览器支持的p12格式证书

 

备注:创建过程中如遇到unable to load local/user/openssl.cnf的情况，将openssl.cnf拷贝到openssl.exe所在的目录下。

 

 

二：生成CA证书

目前不使用第三方权威机构的CA来认证，自己充当CA的角色。

1. 创建私钥：

openssl genrsa -out c:/ca/ca-key.pem 1024

2.创建证书请求：

openssl req -new -out c:/ca/ca-req.csr -key c:/ca/ca-key.pem(如果出现：unable to load config info from /user/local/ssl/openssl.cnf

加上命令参数为：openssl req -config openssl.cnf -new -out c:/ca/ca-req.csr -key c:/ca/ca-key.pem

openssl.cnf 为全路径，如果openssl.cnf与opensll.exe同目录下，则可写为：-config openssl.cnf ）

 openssl req -config openssl.cnf -new -out c:/ca/ca-req.csr -key c:/ca/ca-key.pem)

 

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:bj

Locality Name (eg, city) []:bj

Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb

Organizational Unit Name (eg, section) []:tb

Common Name (eg, YOUR name) []:ca

Email Address []:ca@ca.com

 

 

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

 

3.自签署证书：

openssl x509 -req -in c:/ca/ca-req.csr -out c:/ca/ca-cert.pem -signkey c:/ca/ca-key.pem -days 3650

4.将证书导出成浏览器支持的.p12格式：

 

openssl pkcs12 -export -clcerts -in c:/ca/ca-cert.pem -inkey c:/ca/ca-key.pem -out c:/ca/ca.p12

密码：123456

 

     

三.生成server证书

1.创建私钥：

openssl genrsa -out c:/server/server-key.pem 1024

2.创建证书请求：

openssl req -new -out c:/server/server-req.csr -key c:/server/server-key.pem

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:bj

Locality Name (eg, city) []:bj

Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb

Organizational Unit Name (eg, section) []:tb

Common Name (eg, YOUR name) []:localhost   #此处一定要写服务器所在ip

Email Address []:server@server.com

 

 

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

3.自签署证书：

openssl x509 -req -in c:/server/server-req.csr -out c:/server/server-cert.pem -signkey c:/server/server-key.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 3650

 

openssl req -x509 -config E:EDriverData7_Task10.TibcoopensslCONFsan.conf -newkey rsa:4096 -sha256 -nodes -out d: empqareq.pem -outform PEM

keytool -importcert -file d: empqareq.pem -keystore d: empqareq.jks -alias "qaca"

==============

使用conf创建SAN Certification

san.conf

[ req ]
default_bits        = 1024
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
req_extensions     = req_ext # The extentions to add to the self signed cert

[ req_distinguished_name ]
countryName           = CN (2 letter code)
countryName_default   = CN
stateOrProvinceName   = Macao (full name)
stateOrProvinceName_default = Macao
localityName          = Macao (eg, city)
localityName_default  = Macao
organizationName          = VML (eg, company)
organizationName_default  = VML
commonName            = IT (eg, YOUR name)
commonName_max        = 64

[ req_ext ]
subjectAltName          = @alt_names

[alt_names]
DNS.1   = IPaddress1
DNS.2   = IPaddress2

openssl req -new -config CONFsan.conf -out server-req.csr -key server-key.pem

openssl x509 -req -in server-req.csr -out server-cert.pem -signkey server-key.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650

openssl pkcs12 -export -clcerts -in server-cert.pem -inkey server-key.pem -out server.p12

================

 

4.将证书导出成浏览器支持的.p12格式：

openssl pkcs12 -export -clcerts -in c:/server/server-cert.pem -inkey c:/server/server-key.pem -out c:/server/server.p12

密码：123456

 

 

四.生成client证书(每个客户端需要制作不同的客户端证书,使用同一个CA来制作客户端证书)

1.创建私钥：

openssl genrsa -out c:/client/client-key.pem 1024

2.创建证书请求：

openssl req -new -out c:/client/client-req.csr -key c:/client/client-key.pem

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:bj

Locality Name (eg, city) []:bj

Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb

Organizational Unit Name (eg, section) []:tb

Common Name (eg, YOUR name) []:dong(填写为客户端机器IP)

Email Address []:dong@dong.com

 

 

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

 

3.自签署证书：

openssl x509 -req -in c:/client/client-req.csr -out c:/client/client-cert.pem -signkey c:/client/client-key.pem -CA c:/ca/ca-cert.pem -CAkey c:/ca/ca-key.pem -CAcreateserial -days 3650

4.将证书导出成浏览器支持的.p12格式：

openssl pkcs12 -export -clcerts -in c:/client/client-cert.pem -inkey c:/client/client-key.pem -out c:/client/client.p12

密码：123456

 

 

 

五.根据ca证书生成jks文件 (java keystore)

keytool -keystore truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file c:/ca/ca-cert.pem

 

 

 

六.配置tomcat ssl

修改conf/server.xml。tomcat6中多了SSLEnabled="true"属性。keystorefile, truststorefile设置为你正确的相关路径

xml 代码

 tomcat 5.5的配置：

<Connector port="8443" maxHttpHeaderSize="8192"

             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"

             enableLookups="false" disableUploadTimeout="true"

             acceptCount="100" scheme="https" secure="true"

             clientAuth="true" sslProtocol="TLS"

             keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"

             truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS" /> 

tomcat6.0的配置：

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

               maxThreads="150" scheme="https" secure="true"

               clientAuth="true" sslProtocol="TLS"

               keystoreFile="server.p12" keystorePass="changeit" keystoreType="PKCS12"

               truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS"/>

 

 

 

七、测试（linux下）

openssl s_client -connect localhost:8443 -cert /home/ssl/c:/client/client-cert.pem -key /home/ssl/c:/client/client-key.pem -tls1 -CAfile /home/ssl/c:/ca/ca-cert.pem -state -showcerts

 

GET /index.jsp HTTP/1.0

 

 

 

八、导入证书

服务端导入server.P12 和ca.p12证书

客户端导入将ca.p12，client.p12证书

IE中（打开IE->;Internet选项->内容->证书）

 

ca.p12导入至受信任的根证书颁发机构，client.p12导入至个人

 

Firefox中（工具-选项-高级-加密-查看证书-您的证书）

 

将ca.p12和client.p12均导入这里

 

 

注意:ca,server,client的证书的common name(ca=ca,server=localhost,client=dong)一定不能重复，否则ssl不成功

 

 

 

九、tomcat应用程序使用浏览器证书认证

 

在c:/server/webapps/manager/WEB-INF/web.xml中，将BASIC认证改为证书认证

 

<login-config>

    <auth-method>CLIENT-CERT</auth-method>

    <realm-name>Tomcat Manager Application</realm-name>

  </login-config>

 

 

 

在conf/tomcat-users.xml中填入下列内容

<?xml version='1.0' encoding='utf-8'?>

<tomcat-users>

  <role rolename="manager"/>

  <role rolename="admin"/>

  <role rolename="user"/>

  <user username="EMAILADDRESS=dong@dong.com, CN=dong, OU=tb, O=tb, L=bj, ST=bj, C=cn" password="null" roles="admin,user,manager"/>

</tomcat-users>

 

 

 

访问http://localhost:8443即可验证ssl是否成功