[ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = match commonName = supplied emailAddress = optional
默认签发有效期为10年,你可以自己设置一个合适的值
2) 创建一个新的CA根证书 下面的几个脚本我都放在/etc/ssl目录下
new_ca.sh: #!/bin/sh # Generate the key. genrsa意思是生成一个私钥 openssl genrsa -out private/ca.key # Generate a certificate request. req表示生成证书,还能生成ca证书,-new表示产生一个新csr,需要输入一些信息,-key表示私钥, openssl req -new -key private/ca.key -out private/ca.csr # Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark. # I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this # service will never see the light of an unencrypted Internet see the cheap and lazy remark. # So self sign our root key. x509是一个证书生成工具,显示证书内容,转换格式,给CSR签名等
openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt # Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits. echo FACE > private/serial # Create the CA's key database. touch private/index.txt
# Create a Certificate Revocation list for removing 'user certificates.'
gencrl在index文件中生成一个CRL相关的信息
-crldays是crl过期的时间 openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7
执行 sh new_ca.sh 生成新的CA证书
3) 生成服务器证书的脚本
new_server.sh: # Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it. openssl genrsa -out private/server.key # Take our key and create a Certificate Signing Request for it. openssl req -new -key private/server.key -out private/server.csr # Sign this bastard key with our bastard CA key.
location / { root /var/www/nginx-default; index index.html index.htm; }
启动你的nginx ,等待客户连接
5) 现在来生成客户端证书
new_user.sh: #!/bin/sh # The base of where our SSL stuff lives. base="/etc/ssl/private" # Were we would like to store keys... in this case we take the username given to us and store everything there. mkdir -p $base/users/$1/
# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.
生成用户私钥 openssl genrsa -des3 -out $base/users/$1/$1.key 1024 # Create a Certificate Signing Request for said key.
根据用户私钥生成他的证书 openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr # Sign the key with our CA's key and cert and create the user's certificate out of it.
# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific. # The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain. # Take the same precaution with the export password that would take with any other password based authentication scheme.
执行 sh new_user.sh yourname 来生成一个 yourname 的client证书 按照提示一步一步来,这里要注意的是客户证书的几个项目要和根证书匹配 也就是第一步时配置的: countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = match
不一致的话无法生成最后的客户证书
6) 发送上一步生成的 yourname.p12 到客户端。 IE下双击安装就可以导入。 FireFox安装 : Go into preferences. Advanced. View Certificates. Import. Enter master password for FireFox (if you don't have one set one here otherwise stolen laptop = easy access). Enter in the export password given to you by the dude who created your cert. Hit OK like a mad man. 打开第一步进行设置的域名解析会弹出对话框来要求你选择使用哪个证书,选择刚才安装的证书。选择接受服务器证书。现在你可以正常访问服务器拉。如果没弄对的话就会出现400 Bad request certification的错误 7)没啥拉,有问题多试几次,其实都是很简单的事。就是中文的资料太少了。 希望可以帮助到你哈