Earlier we went through the overall HTTPS flow; if that is unfamiliar, see my other article: 白话理解https (a plain-language explanation of HTTPS).
Below we walk through producing self-signed certificates, first with cfssl and then with openssl.
The cfssl tool
Download: http://pkg.cfssl.org/
Binaries needed: cfssl, cfssljson, and optionally cfssl-certinfo (only used to inspect the certificates afterwards, e.g. cfssl-certinfo -cert server.pem).
I am demonstrating this on Windows:
CA certificate
Prepare ca-config.json (the signing configuration: the default validity and the server/client/peer profiles used when issuing certificates; 43800h is five years)
{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}
ca-csr.json (the certificate signing request configuration for the CA itself)
Note:
Because this is a self-signed CA, do not start the CN in ca-csr.json with "www"; in my testing a CN beginning with www caused the connection to fail.
{
    "CN": "MYCA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Guangzhou",
            "L": "Guangzhou",
            "O": "Organization",
            "OU": "Department"
        }
    ]
}
Generate the CA certificate (writes ca.pem, ca-key.pem and ca.csr; keep ca-key.pem private, since anyone holding it can mint certificates your clients will trust)
cfssl gencert -initca ca-csr.json | cfssljson -bare ca -
Server certificate
server-csr.json
hosts lists the IP addresses or DNS names clients will use to reach the server; cfssl writes them into the certificate's Subject Alternative Name, which is what clients check the connection against, so add every address you intend to connect to.
{
    "CN": "my-server",
    "hosts": [
        "127.0.0.1"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Guangzhou",
            "L": "Guangzhou",
            "O": "Organization",
            "OU": "Department"
        }
    ]
}
Generate the server certificate (signed by the CA with the server profile, so it gets the server auth extended key usage)
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server server-csr.json | cfssljson -bare server
Client certificate
The client certificate is generated the same way as the server certificate, except that no hosts field is needed. cfssl will print a warning that the certificate lacks a "hosts" field and is unsuitable for websites; that is expected for a client certificate and can be ignored.
client-csr.json
{
    "CN": "my-client",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
            "C": "CN",
            "ST": "Guangzhou",
            "L": "Guangzhou",
            "O": "Organization",
            "OU": "Department"
        }
    ]
}
Generate the client certificate (same command, but with the client profile, so it gets client auth instead of server auth)
cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=client client-csr.json | cfssljson -bare client
In the end the following files are produced (*.csr are the signing requests, *-key.pem the private keys, *.pem the certificates):
.
├── ca.csr
├── ca.pem
├── ca-key.pem
├── client.csr
├── client.pem
├── client-key.pem
├── server.csr
├── server.pem
└── server-key.pem
The openssl tool
Generate the CA certificate
# Generate the CA private key (2048 bits: 1024-bit RSA is considered weak and is rejected outright by OpenSSL builds whose default security level is 2)
openssl genrsa -out ca.key 2048
# X.509 Certificate Signing Request (CSR) Management.
openssl req -new -key ca.key -out ca.csr
# X.509 Certificate Data Management: self-sign the CSR to get the CA certificate
# (-days is given explicitly because the default validity is only 30 days)
openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
When you run the second step you will be prompted for the Distinguished Name fields, like this:
➜ keys openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My CA
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:
PS: you can of course prepare a ca.config with the defaults filled in beforehand and then get through the prompts in one go (just press Enter each time).
For example:
vi ca.config
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Guangdong
localityName = Locality Name (eg, city)
localityName_default = Guangzhou
organizationName = Organization Name (eg, company)
organizationName_default = XXXX
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = xxx
(default_bits only matters when req generates the key itself; since we pass an existing key with -key it is ignored here.)
Then just add -config ca.config to the second-step command:
openssl req -new -sha256 -out ca.csr -key ca.key -config ca.config
Generate the key pairs
# Generate the server private key
openssl genrsa -out server.key 2048
# Extract the server public key (not needed for TLS itself, since the certificate carries the public key; shown for completeness)
openssl rsa -in server.key -pubout -out server.pem
# Generate the client private key
openssl genrsa -out client.key 2048
# Extract the client public key
openssl rsa -in client.key -pubout -out client.pem
Generate the server and client certificates
# The server asks the CA for a signed certificate; as before, it first creates its own CSR
# (enter the hostname clients will connect to, e.g. localhost, as the Common Name)
openssl req -new -key server.key -out server.csr
# Have our own CA sign it: signing needs the CA certificate and CA private key and yields a certificate carrying the CA's signature
# (-days is given because the default validity is 30 days; -CAcreateserial creates ca.srl on first use)
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
# Client side
openssl req -new -key client.key -out client.csr
# Have the CA sign the client CSR
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Caveat: issued this way the leaf certificates carry no extensions at all, so there is no subjectAltName and no extendedKeyUsage. Node's https client falls back to matching the Common Name when a certificate has no SAN, which is why this works for the https-server.js/https-client.js pair below, but browsers (Chrome since version 58) and Go ignore the CN and require a SAN. When such clients must accept the certificate, supply the names through -extfile when signing, the way cfssl's hosts field does.
PS: command to convert .crt to .pem
openssl x509 -in mycert.crt -out mycert.pem -outform PEM
(The .crt files produced above are already PEM-encoded, so for them this only changes the extension; if a .crt is DER-encoded, add -inform DER.)
At this point the certificates look like this:
.
├── https-client.js
├── https-server.js
└── keys
    ├── ca.crt
    ├── ca.csr
    ├── ca.key
    ├── ca.pem
    ├── ca.srl
    ├── client.crt
    ├── client.csr
    ├── client.key
    ├── client.pem
    ├── server.crt
    ├── server.csr
    ├── server.key
    └── server.pem
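Putting the openssl steps above together, here is an added example (not code from the original post) that builds the same CA/server/client trio as a script, but with the pieces the bare one-liners leave out: 2048-bit keys, an explicit lifetime, CA:TRUE on the root, and SAN plus extended key usage on the leaves. It ends with a verify_cert function that uses openssl verify to check any of the resulting certificates against the CA, the cfssl output from the first half of the post included (point it at ca.pem and server.pem). The subject names, the output file names and the localhost/127.0.0.1 SAN are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a test PKI with
# openssl, adding what the bare one-liners above leave out: 2048-bit keys,
# an explicit lifetime, CA:TRUE on the root, SAN + EKU on the leaves.
# Names (Test Root CA, localhost, 127.0.0.1, my-client) are assumptions.
set -eu

# write_ext_cnf DIR: extension sections passed to `openssl x509 -extfile`.
write_ext_cnf() {
  cat > "$1/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# issue DIR NAME SUBJECT EXT_SECTION: key + CSR + CA-signed cert for one leaf.
issue() {
  d=$1; name=$2; subj=$3; ext=$4
  openssl genrsa -out "$d/$name.key" 2048 2>/dev/null
  openssl req -new -key "$d/$name.key" -subj "$subj" -out "$d/$name.csr"
  # -CAcreateserial writes ca.srl on first use; -days overrides the 30-day default.
  openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -extfile "$d/ext.cnf" -extensions "$ext" \
    -out "$d/$name.crt" 2>/dev/null
}

# make_pki DIR: root CA plus one server and one client certificate in DIR.
make_pki() {
  d=$1
  mkdir -p "$d"
  write_ext_cnf "$d"
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -new -key "$d/ca.key" -subj "/C=CN/O=Test Org/CN=Test Root CA" -out "$d/ca.csr"
  # Self-sign with the v3_ca section so the root is a proper X.509v3 CA certificate.
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 3650 \
    -extfile "$d/ext.cnf" -extensions v3_ca -out "$d/ca.crt" 2>/dev/null
  issue "$d" server "/C=CN/O=Test Org/CN=localhost" server_ext
  issue "$d" client "/C=CN/O=Test Org/CN=my-client" client_ext
}

# verify_cert CA CERT PURPOSE [HOSTNAME]: exit 0 if CERT chains to CA and its
# extensions fit PURPOSE (sslserver / sslclient); with HOSTNAME the SAN must match too.
# Works on cfssl output as well, e.g. verify_cert ca.pem server.pem sslserver
# (use -verify_ip instead of -verify_hostname when the SAN holds only an IP).
verify_cert() {
  ca=$1; cert=$2; purpose=$3; host=${4:-}
  if [ -n "$host" ]; then
    openssl verify -CAfile "$ca" -purpose "$purpose" -verify_hostname "$host" "$cert" >/dev/null 2>&1
  else
    openssl verify -CAfile "$ca" -purpose "$purpose" "$cert" >/dev/null 2>&1
  fi
}
```

verify_cert exits non-zero when the chain does not lead to the given CA, when the extensions do not fit the requested purpose (a client certificate checked with -purpose sslserver fails with "unsupported certificate purpose"), or when the hostname is absent from the SAN, so the same call doubles as a smoke test for the cfssl-generated ca.pem/server.pem/client.pem before they are wired into a server.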
(End)