
Generating Self-Signed Certificates

We went through the overall HTTPS flow earlier; if that is unfamiliar, see my other article: 白話了解https (Understanding HTTPS in Plain Language).

Below we walk through how to create self-signed certificates.

The cfssl tool

Download address: http://pkg.cfssl.org/

Download the required tools: cfssl, cfssljson and cfssl-certinfo (optional; it is only used to inspect certificates).

Here I will demonstrate on Windows:

CA certificate

Prepare ca-config.json (the root certificate configuration file)

{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

ca-csr.json (the root certificate signing request configuration file)

Note:

Because this is a self-signed certificate, the CN in the ca-csr config must not start with "www"; in my testing, a CN starting with www caused communication to fail.

{
    "CN": "MYCA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Guangzhou",
            "L": "Guangzhou",
            "O": "組織",
            "OU": "部門"
        }
    ]
}

Generate the CA certificate

cfssl gencert -initca ca-csr.json | cfssljson -bare ca -

Server certificate

server-csr.json

hosts holds the server's IP address; add entries as your deployment requires.

{
    "CN": "my-server",
    "hosts": [
        "127.0.0.1"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Guangzhou",
            "L": "Guangzhou",
            "O": "組織",
            "OU": "部門"
        }
    ]
}

Generate the server certificate

cfssl gencert -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=server server-csr.json | cfssljson -bare server

Client certificate

The client certificate is generated the same way as the server certificate, except that the hosts field is not needed.

client-csr.json

{
    "CN": "my-client",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Guangzhou",
            "L": "Guangzhou",
            "O": "組織",
            "OU": "部門"
        }
    ]
}

Generate the client certificate

cfssl gencert -ca=ca.pem \
  -ca-key=ca-key.pem \
  -config=ca-config.json \
  -profile=client client-csr.json | cfssljson -bare client

The following files are generated in the end

.
├── ca.csr
├── ca.pem
├── ca-key.pem
├── client.csr
├── client.pem
├── client-key.pem
├── server.csr
├── server.pem
└── server-key.pem

The openssl tool

# Generate the CA private key
openssl genrsa -out ca.key 1024
# Create a certificate signing request (CSR) for the CA
openssl req -new -key ca.key -out ca.csr
# Self-sign the CSR with the CA key to produce the CA certificate
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

When running the second step, you will be prompted to enter information like this:

➜  keys  openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My CA
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

PS: Of course, you can prepare ca.config in advance with the default values filled in, and then get through it in one go (just press Enter).

For example:

vi ca.config

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Guangdong
localityName                = Locality Name (eg, city)
localityName_default        = Guangzhou
organizationName            = Organization Name (eg, company)
organizationName_default    = XXXX
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = xxx

Then just add -config ca.config to the second-step command:

openssl req \
  -new \
  -sha256 \
  -out ca.csr \
  -key ca.key \
  -config ca.config

Generate the public and private keys

# Generate the server private key
openssl genrsa -out server.key 1024
# Extract the server public key
openssl rsa -in server.key -pubout -out server.pem

# Generate the client private key
openssl genrsa -out client.key 1024
# Extract the client public key
openssl rsa -in client.key -pubout -out client.pem

Generate the end-entity certificates

# The server needs a signed certificate from the CA; before requesting one it again creates its own CSR file
openssl req -new -key server.key -out server.csr
# Request the certificate from our own CA: signing involves the CA certificate and private key, and the result is a certificate carrying the CA's signature
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt

# Client side
openssl req -new -key client.key -out client.csr
# Client side: have the CA sign it
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

PS: command to convert .crt to .pem

openssl x509 -in mycert.crt -out mycert.pem -outform PEM

At this point the following certificates have been generated

.
├── https-client.js
├── https-server.js
└── keys
    ├── ca.crt
    ├── ca.csr
    ├── ca.key
    ├── ca.pem
    ├── ca.srl
    ├── client.crt
    ├── client.csr
    ├── client.key
    ├── client.pem
    ├── server.crt
    ├── server.csr
    ├── server.key
    └── server.pem
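Both tool chains above end with the same three artifacts, a self-signed root, a CA-signed server certificate and a CA-signed client certificate, and what a TLS peer later checks is the X.509 fields behind the cfssl hosts and usages settings. The Go program below is an added example, not code from this post or from cfssl: Issue builds those certificates in memory (hosts become SANs, profile usages become extended key usages, the 43800h expiry) and Verify checks them as a peer would. It assumes only Go's standard library and uses ECDSA P-256 instead of the post's RSA keys to keep key generation fast; Issue and Verify are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Issue mirrors "cfssl gencert": with parent == nil it builds the self-signed root (-initca);
// otherwise it signs a leaf whose hosts become SANs and whose usages become EKUs, as a profile does.
func Issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string,
	hosts []string, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 instead of the post's RSA-2048, for speed
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(43800 * time.Hour), // "expiry": "43800h"
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment, ExtKeyUsage: eku,
	}
	for _, h := range hosts { // "hosts": IPs and DNS names both land in the SAN extension
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	if parent == nil { // root: CA flag plus the certificate-signing key usage, signed with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert, key
}

// Verify does what a TLS peer does with ca.pem: chain the leaf to the root, match host
// against the SANs (the CN is ignored by modern clients) and require the role's EKU.
func Verify(ca, leaf *x509.Certificate, host string, role x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{role}})
	return err
}
```

Issuing a server certificate with hosts set to nil and CN "localhost" reproduces what the openssl x509 -req commands above produce (no SAN extension), and Verify with host "localhost" then fails, because hostname matching reads only the SAN extension.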

(End)