主要有以下几点:
建议用2048位密钥,少于此可能会不安全或很快将不安全。
openssl genrsa -des3 -out ca.key 2048
这个命令会生成一个2048位的密钥,同时有一个des3方法加密的密码,如果你不想要每次都输入密码,可以改成:
#openssl genrsa -out privkey.pem 2048
openssl rsa -in ca.key -out ca_decrypted.key
openssl req -new -subj "/C=CN/ST=shanghai/L=china/O=test/CN=www.test.com" -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -des3 -out test.com.pem 1024
openssl rsa -in test.com.pem -out test.com.key
openssl req -new -subj "/C=CN/ST=shanghai/L=china/O=test/CN=www.test.com" -key test.com.pem -out test.com.csr
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in test.com.csr -out test.com.crt
openssl genrsa -out client.pem 2048
openssl req -new -subj "/C=CN/ST=ShangHai/L=china/O=test/CN=www.test.com" -key client.pem -out client-req.csr
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt
openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12
server {
listen 443;
server_name www.test.com;
ssl on; #开启ssl
ssl_certificate /home/hadoop/ssl/test.com.crt; #服务器证书位置
ssl_certificate_key /home/hadoop/ssl/test.com.key; #服务器私钥
ssl_client_certificate /home/hadoop/ssl/ca.crt; #CA证书用于验证客户端证书的合法性
ssl_verify_client on; #开启对客户端的验证
ssl_session_timeout 5m; #session有效期,5分钟
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; #加密算法
ssl_prefer_server_ciphers on;
...
}
TestAuthentication.h
#ifndef TESTAUTHENTICATION_H
#define TESTAUTHENTICATION_H
#include
#include
#include
#include
#include
#include
class TestAuthentication: public QObject
{
Q_OBJECT
public:
TestAuthentication(QObject*parent = 0);
~TestAuthentication();
void auth();
};
#endif // TESTAUTHENTICATION_H
TestAuthentication.cpp
#include "testauthentication.h"
TestAuthentication::TestAuthentication(QObject *parent) :
QObject(parent)
{
}
TestAuthentication::~TestAuthentication()
{
}
void TestAuthentication::auth()
{
QNetworkAccessManager manager;
QNetworkRequest request;
QSslConfiguration config;
QByteArray password="123456"; //生成客户端证书时的密码
QFile pkcs("D:\\ssl\\client.p12"); //生成的证书路径
pkcs.open(QFile::ReadOnly);
QSslKey key;
QSslCertificate cert;
QList certs;
bool import = QSslCertificate::importPkcs12(&pkcs,&key,&cert,&certs,password);
qDebug()<;
pkcs.close();
config.setPrivateKey(key);
config.setLocalCertificate(cert);
config.setProtocol(QSsl::TlsV1_2);
request.setSslConfiguration(config);
request.setUrl(QUrl("https://www.test.com"));
QNetworkReply *reply = manager.get(request);
QEventLoop loop;
connect(&manager,&QNetworkAccessManager::finished,&loop,&QEventLoop::quit);
loop.exec();
qDebug()<readAll();
}
#include "testauthentication.h"
#include
int main(int argc, char *argv[])
{
QApplication a(argc, argv);
TestAuthentication test;
test.auth();
return 0;
}
附件:
#!/bin/bash
SUBJECT="/C=CN/ST=shanghai/L=china/O=testServer/CN=www.test.com"
cd ~/
mkdir ssl
cd ssl
mkdir demoCA
cd demoCA
mkdir newcerts
mkdir private
touch index.txt
echo '01' > serial
cd ..
#openssl genrsa -des3 -out ca.key 2048
openssl genrsa -out ca.key 2048
openssl rsa -in ca.key -out ca_decrypted.key
openssl req -new -subj $SUBJECT -x509 -days 3650 -key ca.key -out ca.crt
#openssl genrsa -des3 -out test.com.pem 1024
openssl genrsa -out test.com.pem 1024
openssl rsa -in test.com.pem -out test.com.key
openssl req -new -subj $SUBJECT -key test.com.pem -out test.com.csr
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in test.com.csr -out test.com.crt
cat ca.crt >> test.com.crt
#openssl genrsa -des3 -out client.pem 2048
openssl genrsa -out client.pem 2048
SUBJECT="/C=CN/ST=ShangHai/L=china/O=testClient/CN=www.test.com"
openssl req -new -subj $SUBJECT -key client.pem -out client-req.csr
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt
openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12