标签:
mac sslconfig 文件路径
/System/Library/OpenSSL/openssl.cnf
一生成CA
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf Generating a 1024 bit RSA private key .++++++ ......................++++++ writing new private key to ‘ca.key‘ Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:Beijing Locality Name (eg, city) []:Dongcheng Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go Organizational Unit Name (eg, section) []:Audit Common Name (e.g. server FQDN or YOUR name) []:CA Email Address []:
二生成 客户端和服务器端的私钥(key文件):
openssl genrsa -des3 -out server.key 1024
openssl genrsa -des3 -out client.key 1024
三生成的csr文件
服务端
cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -key server.key -out server.csr -config openssl.cnf Enter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:Beijing Locality Name (eg, city) []:Dongcheng Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go Organizational Unit Name (eg, section) []:Audit Common Name (e.g. server FQDN or YOUR name) []www.httpsserver.com ^ Email Address []: Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
客户端
cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -key client.key -out client.csr -config openssl.cnf Enter pass phrase for client.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [AU]:CN State or Province Name (full name) [Some-State]:Beijing Locality Name (eg, city) []:Dongcheng Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go Organizational Unit Name (eg, section) []:Audit Common Name (e.g. server FQDN or YOUR name) []:www.httpsclient.com Email Address []: Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
签名
cdpmacdeMBP:mkssl3 cdpmac$ Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf Using configuration from openssl.cnf Enter pass phrase for ca.key: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jul 8 06:53:06 2015 GMT Not After : Jul 7 06:53:06 2016 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = Go organizationalUnitName = Audit commonName = www.httpsserver.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 7F:77:31:A8:3F:83:B8:21:2F:0D:B4:96:F2:71:5F:E5:1E:98:5E:89 X509v3 Authority Key Identifier: keyid:B6:D8:38:A3:C2:84:D1:66:8F:86:69:C4:75:FA:69:C4:C4:1A:DA:43 Certificate is to be certified until Jul 7 06:53:06 2016 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
cdpmacdeMBP:mkssl3 cdpmac$ Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf Using configuration from openssl.cnf Enter pass phrase for ca.key: 42576:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters Enter pass phrase for ca.key: 42576:error:28069065:lib(40):UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/ui/ui_lib.c:850:You must type in 4 to 1023 characters Enter pass phrase for ca.key: Enter pass phrase for ca.key: Enter pass phrase for ca.key: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Jul 8 06:54:05 2015 GMT Not After : Jul 7 06:54:05 2016 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = Go organizationalUnitName = Audit commonName = www.httpsclient.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: F3:B9:6E:AB:58:29:FE:0D:E2:62:3D:3B:DD:7C:CC:03:16:7B:48:7F X509v3 Authority Key Identifier: keyid:B6:D8:38:A3:C2:84:D1:66:8F:86:69:C4:75:FA:69:C4:C4:1A:DA:43 Certificate is to be certified until Jul 7 06:54:05 2016 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
注意
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go 必须相同
需要为
Common Name (e.g. server FQDN or YOUR name) []www.httpsserver.com 配置host
1.首先要生成服务器端的私钥(key文件):
openssl genrsa -des3 -out server.key 1024
运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!
去除key文件口令的命令:
openssl rsa -in server.key -out server.key
2.openssl req -new -key server.key -out server.csr -config openssl.cnf
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.
3.对客户端也作同样的命令生成key及csr文件:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
4.CSR文件必须有CA的签名才可形成证书.可将此文件发送到verisign等地方由它验证,要交一大笔钱,何不自己做CA呢.
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
5.用生成的CA的证书为刚才生成的server.csr,client.csr文件签名:
Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
这两步会报错因为没有文件
mkdir ./demoCA
654 mkdir demoCA/newcerts
655 touch demoCA/index.txt
656 vi demoCA/serial
输入01 退出
Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
再生成
Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
时出错
cdpmacdeMBP:mkssl3 cdpmac$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 4 (0x4)
Validity
Not Before: Jul 8 06:14:48 2015 GMT
Not After : Jul 7 06:14:48 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = Goyoo
organizationalUnitName = Audit
commonName = Cuidapeng
emailAddress = cclient@hotmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7E:A5:DA:92:0C:06:7B:2F:84:3C:C6:63:39:5C:B6:47:69:C6:76:3C
X509v3 Authority Key Identifier:
keyid:F0:62:47:E3:7C:56:E0:83:28:EE:D3:D1:F0:C5:46:54:39:39:47:75
Certificate is to be certified until Jul 7 06:14:48 2016 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
查问题知
http://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/
Because you have generated your own self signed certificate with the same CN (Common Name) information that the CA certificate that you’ve generated before.
之前生成csr时输也的Common Name 是相同的,重新生成一个。
再来
成功
openssl nodejs https+客户端证书+usbkey
标签:
原文地址:http://www.cnblogs.com/zihunqingxin/p/4630177.html
