openssl nodejs https + client certificate + usbkey

Path of the OpenSSL config file on macOS:

/System/Library/OpenSSL/openssl.cnf

I. Generate the CA

openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

(With the stock config this produces a 1024-bit RSA key, as the transcript below shows. 1024-bit RSA is too short today; on a current OpenSSL add -newkey rsa:2048 -sha256 or raise default_bits in openssl.cnf.)

cdpmacdeMBP:mkssl3 cdpmac$  openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Dongcheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go
Organizational Unit Name (eg, section) []:Audit
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:    

II. Generate the client and server private keys (key files):

openssl genrsa -des3 -out server.key 1024

openssl genrsa -des3 -out client.key 1024

III. Generate the CSR files

Server side

cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -key server.key -out server.csr -config openssl.cnf
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Dongcheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go
Organizational Unit Name (eg, section) []:Audit
Common Name (e.g. server FQDN or YOUR name) []:www.httpsserver.com
Email Address []:

Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Client side

cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -key client.key -out client.csr -config openssl.cnf
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Dongcheng
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go
Organizational Unit Name (eg, section) []:Audit
Common Name (e.g. server FQDN or YOUR name) []:www.httpsclient.com
Email Address []:

Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Signing

cdpmacdeMBP:mkssl3 cdpmac$ Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul  8 06:53:06 2015 GMT
            Not After : Jul  7 06:53:06 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Go
            organizationalUnitName    = Audit
            commonName                = www.httpsserver.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7F:77:31:A8:3F:83:B8:21:2F:0D:B4:96:F2:71:5F:E5:1E:98:5E:89
            X509v3 Authority Key Identifier:
                keyid:B6:D8:38:A3:C2:84:D1:66:8F:86:69:C4:75:FA:69:C4:C4:1A:DA:43

Certificate is to be certified until Jul  7 06:53:06 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
cdpmacdeMBP:mkssl3 cdpmac$ Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
42576:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Enter pass phrase for ca.key:
42576:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters
Enter pass phrase for ca.key:
Enter pass phrase for ca.key:
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jul  8 06:54:05 2015 GMT
            Not After : Jul  7 06:54:05 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Go
            organizationalUnitName    = Audit
            commonName                = www.httpsclient.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F3:B9:6E:AB:58:29:FE:0D:E2:62:3D:3B:DD:7C:CC:03:16:7B:48:7F
            X509v3 Authority Key Identifier:
                keyid:B6:D8:38:A3:C2:84:D1:66:8F:86:69:C4:75:FA:69:C4:C4:1A:DA:43

Certificate is to be certified until Jul  7 06:54:05 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Note

The Organization Name (here Go) must be the same in the CA, server and client requests: the default policy_match section of openssl.cnf requires countryName, stateOrProvinceName and organizationName of a request to match the CA certificate, and openssl ca refuses to sign otherwise (fields not listed in the policy, such as localityName, are silently dropped, which is why Dongcheng does not appear in the issued certificates above).
The server's Common Name (www.httpsserver.com) must be the host name the client actually connects to; for local testing, map it to the server's address in the hosts file. Current clients match the subjectAltName extension rather than the CN, so add subjectAltName = DNS:www.httpsserver.com when signing the server certificate.

1. First generate the server's private key (key file):
openssl genrsa -des3 -out server.key 1024
You are prompted for a password; it encrypts the key file (the des3 argument selects the cipher; -aes256 is the better choice on a current OpenSSL, and 2048 bits or more should replace 1024). Every later read of the file (through OpenSSL commands or the API) asks for this passphrase. If that is inconvenient the passphrase can be removed, but the file then needs other protection (restrictive file permissions at the very least)!
Command to strip the passphrase from the key file:
openssl rsa -in server.key -out server.key

2. openssl req -new -key server.key -out server.csr -config openssl.cnf
Generates a Certificate Signing Request (CSR). Once a CA signs it, the result is the server's own certificate. Follow the prompts on screen and enter the requested information step by step.

3. Run the same commands for the client to produce its key and CSR:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf

4. A CSR only becomes a certificate once a CA signs it. You could send it to Verisign or the like and pay a lot of money for the signature, so why not be your own CA?
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

5. Use the CA certificate just created to sign server.csr and client.csr (the command is openssl in lower case; the capitalised "Openssl" in the transcripts above only works because the macOS file system is case-insensitive):
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

These two steps fail at first because the CA database files that openssl ca expects (under demoCA, the default dir in openssl.cnf) do not exist yet. Create them:

mkdir -p demoCA/newcerts

touch demoCA/index.txt

echo 01 > demoCA/serial

(index.txt is the CA's database of issued certificates, serial holds the next serial number, and newcerts receives a copy of every certificate issued.)

Signing the server request then works:

openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

but the next step, signing the client request,

openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

fails:

cdpmacdeMBP:mkssl3 cdpmac$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 4 (0x4)
        Validity
            Not Before: Jul  8 06:14:48 2015 GMT
            Not After : Jul  7 06:14:48 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Goyoo
            organizationalUnitName    = Audit
            commonName                = Cuidapeng
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7E:A5:DA:92:0C:06:7B:2F:84:3C:C6:63:39:5C:B6:47:69:C6:76:3C
            X509v3 Authority Key Identifier:
                keyid:F0:62:47:E3:7C:56:E0:83:28:EE:D3:D1:F0:C5:46:54:39:39:47:75

Certificate is to be certified until Jul  7 06:14:48 2016 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2

Searching for the error turned up

http://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/

Because you have generated your own self signed certificate with the same CN (Common Name) information that the CA certificate that you've generated before.

The Common Name entered when generating this CSR was the same as that of a certificate already recorded in demoCA/index.txt. With the default unique_subject = yes, openssl ca refuses to issue a second certificate for an identical subject DN, and the attempt fails when it tries to update the database. Generate a new CSR with a different Common Name (alternatively revoke the earlier certificate, or set unique_subject = no in openssl.cnf if duplicate subjects are really wanted).

Run the signing again: success.
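The whole procedure from steps 1 to 5, the demoCA setup that the first signing attempt was missing, the Organization Name / Common Name rules from the note, and the duplicate-subject failure, all in one unattended script. This is an added example written for this page, not code from the original post. It writes its own minimal openssl.cnf (a stand-in for the macOS path given at the top, with the same policy_match rules) into a temporary directory, uses the post's subjects and file names, and adds what the post lacks: 2048-bit keys, SHA-256, a subjectAltName on the server certificate and extendedKeyUsage on both. The -des3 passphrases are left off so it runs without prompts; WORK, the section names (v3_ca, v3_server, v3_client) and the helper names are the editor's choices.

```sh
#!/bin/sh
# Added example, not code from the original post: the CA / server / client
# procedure above run non-interactively, with the demoCA database files
# created first, plus two negative checks: the duplicate-subject rejection the
# post hit (its OpenSSL 0.9.8 reported it as "TXT_DB error number 2"; current
# releases print "ERROR:There is already a certificate for ...") and the
# policy_match rejection when O differs from the CA's. Subjects and file names
# follow the post; key size, digest, SAN and EKU are the editor's additions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"
SUBJ_BASE="/C=CN/ST=Beijing/L=Dongcheng/O=Go/OU=Audit"

# Minimal openssl.cnf with the stock policy_match: C, ST and O must equal the
# CA's; L is not listed and is therefore dropped from issued certificates.
make_config() {
  mkdir -p "$WORK/demoCA/newcerts"
  : > "$WORK/demoCA/index.txt"       # the CA's database, empty at first
  echo 01 > "$WORK/demoCA/serial"    # next serial number
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $WORK/demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
default_md = sha256
default_days = 365
policy = policy_match
unique_subject = yes
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.httpsserver.com
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# Step 4: the self-signed CA (no -des3 passphrase so this runs unattended;
# use -aes256 -passout for a real CA key).
gen_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -out "$WORK/ca.crt" \
    -config "$CNF" -extensions v3_ca -days 365 -subj "$SUBJ_BASE/CN=CA"
}

# sign NAME EXT_SECTION SUBJECT: steps 1-3 and 5 for one end entity.
# openssl ca's stderr is kept in NAME.err so a refusal can be shown.
sign() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -config "$CNF" -subj "$3"
  openssl ca -batch -notext -config "$CNF" -cert "$WORK/ca.crt" -keyfile "$WORK/ca.key" \
    -extensions "$2" -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>"$WORK/$1.err"
}

# What a TLS peer checks: chain to ca.crt, purpose, and for the server the host name.
verify_server() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver \
    -verify_hostname www.httpsserver.com "$WORK/server.crt" >/dev/null
}
verify_client() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$WORK/client.crt" >/dev/null
}

# A second request with a DN identical to an issued certificate must be refused.
duplicate_subject_rejected() {
  ! sign client2 v3_client "$SUBJ_BASE/CN=www.httpsclient.com"
}
# A request whose O differs from the CA's must be refused by policy_match.
policy_mismatch_rejected() {
  ! sign other v3_client "/C=CN/ST=Beijing/O=Goyoo/OU=Audit/CN=www.other.com"
}

make_config
gen_ca
sign server v3_server "$SUBJ_BASE/CN=www.httpsserver.com"
sign client v3_client "$SUBJ_BASE/CN=www.httpsclient.com"
verify_server && verify_client && echo "server.crt and client.crt verify against ca.crt"
duplicate_subject_rejected && echo "duplicate subject refused:" \
  && { grep -e already -e TXT_DB "$WORK/client2.err" || true; }
policy_mismatch_rejected && echo "policy_match refused:" \
  && { grep different "$WORK/other.err" || true; }
```

Run it as `sh mkcerts.sh` (or with WORK pointing at a directory you want to keep); the issued certificates end up in $WORK and a copy of each in $WORK/demoCA/newcerts, while the two refused requests leave no entry in index.txt. Generating the keys unencrypted is only acceptable for a throwaway test CA; for real use keep the post's passphrase step (with -aes256 instead of -des3) or keep the private key on a hardware token.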

Time: 2024-10-13 07:00:57
