一:生成CA证书
目前不使用第三方权威机构的CA来认证,自己充当CA的角色。
网上下载一个openssl软件
1.创建私钥 :
C:OpenSSLin>openssl genrsa -out ca/ca-key.pem 1024
2.创建证书请求 :
C:OpenSSLin>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:root
Email Address []:sky
3.自签署证书 :
C:OpenSSLin>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
4.将证书导出成浏览器支持的.p12格式 :
C:OpenSSLin>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12
密码:changeit
二.生成server证书。
1.创建私钥 :
C:OpenSSLin>openssl genrsa -out server/server-key.pem 1024
2.创建证书请求 :
C:OpenSSLin>openssl req -new -out server/server-req.csr -key server/server-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:192.168.1.246 注释:一定要写服务器所在的域名或ip地址
Email Address []:sky
3.自签署证书 :
C:OpenSSLin>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4.将证书导出成浏览器支持的.p12格式 :
C:OpenSSLin>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
密码:changeit
三.生成client证书。
1.创建私钥 :
C:OpenSSLin>openssl genrsa -out client/client-key.pem 1024
2.创建证书请求 :
C:OpenSSLin>openssl req -new -out client/client-req.csr -key client/client-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:skyvision
Organizational Unit Name (eg, section) []:test
Common Name (eg, YOUR name) []:sky
Email Address []:sky 注释:就是登入中心的用户(本来用户名应该是Common Name,但是中山公安的不知道为什么使用的Email Address,其他版本没有测试)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:tsing
3.自签署证书 :
C:OpenSSLin>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650
4.将证书导出成浏览器支持的.p12格式 :
C:OpenSSLin>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
密码:changeit
== End 参考==
请一定严格根据里面的步骤来,待实验成功后,修改你自己想要修改的内容。我就是一开始没有安装该填写的来,结果生成的证书就无法配对成功。
常见错误
在使用openssl时有可能会报错,下面是自己遇到的几个错误。
1. openssl出现错误:unable to write ‘random state’
需要用管理员身份运行cmd
2.openssl出现错误:Can’t open C:Program FilesCommon FilesSSL/openssl.cnf for reading,no such file or directory
出现这个错误的原因是可能没有设置环境变量OPENSSL_CONF
d:openssl>set OPENSSL_CONF=d:opensslOpenSSL-Win64inopenssl.cfg
openssl.cfg是openssl的配置信息
3. openssl出现错误:problem creating object tsa_policy1=1.2.3.4.1
出现这个错误的原因是由于版本,在1.1.0版本就会出现这种情况,而1.0.2不会。因此前面推荐安装时不要选择1.1.0的版本。
验证证书
语法
openssl verify[-CApath directory] [-CAfile file] [-purpose purpose] [-policy arg] [-ignore_critical] [-crl_check] [-crl_check_all] [-policy_check] [-explicit_policy] [-inhibit_any] [-inhibit_map] [-x509_strict] [-extended_crl] [-use_deltas] [-policy_print] [-untrusted file] [-help] [-issuer_checks] [-verbose] [-] [certificates]
使用
方式一
OpenSSL> verify -CAfile D:OpenSSL-Win64incaca-cert.pem D:OpenSSL-Win64inserver/server-cert.pem
方式二
OpenSSL> s_client -connect 192.168.29.44:443 -CAfile D:OpenSSL-Win64incaca-cert.pem