QT+Nginx Openssl证书双向认证

QT+Nginx Openssl证书双向认证

主要有以下几点:

  • 1.数字证书的生成
  • 2.nginx证书的配置
  • 3.Qt使用双向认证

一、数字证书的生成

1.生成ca证书

生成ca秘钥


建议使用至少 2048 位的 RSA 密钥，更短的密钥现在已不安全或很快将不安全；下面服务端证书的密钥同样应使用 2048 位，不要再用 1024 位。

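# CA private key, 2048-bit RSA (see the note above: never go below 2048).
# The key file is passphrase-protected; -aes256 replaces the legacy des3
# (3DES) wrapping. This only protects the PEM file at rest, so the CA key
# should still live on a machine that is not the web server.
openssl genrsa -aes256 -out ca.key 2048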


这个命令会生成一个 2048 位的 RSA 私钥，并用口令对私钥文件加密保护（示例用 des3/3DES，也可以改用 -aes256），以后每次使用该密钥都要输入口令。如果不想每次都输入口令，可以改成下面的写法（注意此时 CA 私钥是明文保存的，必须严格限制文件权限：CA 私钥一旦泄露，攻击者就能签发出 nginx 信任的任意客户端证书）：

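# Same key without a passphrase (no prompt, but the file is plaintext: keep it
# on the offline CA host with mode 0600). Written to ca.key, not privkey.pem,
# because every later command reads the CA key from ca.key.
#openssl genrsa -out ca.key 2048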


生成 CA 证书（原文此处还用 openssl rsa 把 CA 私钥导出为不加密的 ca_decrypted.key，后续步骤并未用到该文件；明文 CA 私钥一旦泄露即可签发任意客户端证书，生产环境不要保留）

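# Self-signed CA certificate, valid 10 years; openssl prompts for the ca.key
# passphrase. -sha256 is explicit so the signature does not depend on the
# default_md of the local openssl.cnf (sha1 on old installs).
#
# The original page also ran
#   openssl rsa -in ca.key -out ca_decrypted.key
# which writes the CA private key to disk UNENCRYPTED. Nothing below uses that
# file, so it is left out: whoever reads a plaintext CA key can mint client
# certificates that nginx will accept.
openssl req -new -subj "/C=CN/ST=shanghai/L=china/O=test/CN=www.test.com" -x509 -sha256 -days 3650 -key ca.key -out ca.crt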

2.生成服务端证书

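# Server key: 2048 bits like the CA (the original used 1024, which the note at
# the top already calls unsafe). test.com.key is the passphrase-less copy that
# nginx loads at startup; protect it with file permissions (0600, root).
openssl genrsa -des3 -out test.com.pem 2048
openssl rsa -in test.com.pem -out test.com.key
openssl req -new -subj "/C=CN/ST=shanghai/L=china/O=test/CN=www.test.com" -key test.com.pem -out test.com.csr
# Sign the CSR with the CA. `openssl ca` needs the demoCA/ layout (index.txt,
# serial, newcerts/) that the script in the appendix creates. -md sha256 avoids
# relying on the default_md of openssl.cnf. The CSR carries no subjectAltName;
# clients that require a SAN instead of CN matching will reject this
# certificate, so add one via -extfile / -copy_extensions if yours does.
openssl ca -policy policy_anything -md sha256 -days 1460 -cert ca.crt -keyfile ca.key -in test.com.csr -out test.com.crt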

3.生成客户端证书

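# Client key and certificate, signed by the same CA. nginx accepts ANY
# certificate that chains to ca.crt and does not look at the subject, so each
# real client should get its own key and a distinct subject DN (that also
# matters here: `openssl ca` by default refuses to issue a second certificate
# whose subject DN equals a still-valid one in index.txt).
openssl genrsa -out client.pem 2048
openssl req -new -subj "/C=CN/ST=ShangHai/L=china/O=test/CN=www.test.com" -key client.pem -out client-req.csr
openssl ca -policy policy_anything -md sha256 -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt
# Bundle certificate + private key as PKCS#12 for the Qt client. The export
# password prompted here is the one passed to importPkcs12(). -clcerts leaves
# the CA out of the bundle, so the client must load ca.crt separately to
# verify the server certificate.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12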

二、nginx 中配置

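server {
    # "ssl on;" is deprecated (removed in nginx 1.25); enable TLS on the listen line.
    listen       443 ssl;
    server_name  www.test.com;

    ssl_certificate      /home/hadoop/ssl/test.com.crt;   # server cert, with ca.crt appended (see script)
    ssl_certificate_key  /home/hadoop/ssl/test.com.key;   # unencrypted server key: mode 0600, owned by root

    # Mutual TLS: require a client certificate and verify it against our CA.
    # NOTE: every certificate signed by ca.crt is accepted; nginx does not check
    # who the client is. Authorize individual clients in the location blocks
    # (e.g. on $ssl_client_s_dn) and configure ssl_crl to revoke leaked certs.
    ssl_client_certificate /home/hadoop/ssl/ca.crt;
    ssl_verify_client      on;
    ssl_verify_depth       1;                               # client certs are issued directly by the CA

    ssl_session_timeout 5m;                                 # session cache lifetime
    # TLS 1.0/1.1 are deprecated (RFC 8996); the Qt client below speaks TLS 1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only (the original list had no GCM suites);
    # trim CHACHA20 if the server's OpenSSL predates 1.1.0.
    ssl_ciphers 'ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5';
    ssl_prefer_server_ciphers on;
    ...
}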

三、Qt 使用双向认证

TestAuthentication.h

#ifndef TESTAUTHENTICATION_H
#define TESTAUTHENTICATION_H

#include <QObject>
#include <QDebug>
#include <QEventLoop>
#include <QFile>
#include <QList>
#include <QNetworkAccessManager>
#include <QNetworkReply>
#include <QNetworkRequest>
#include <QSslCertificate>
#include <QSslConfiguration>
#include <QSslKey>
#include <QSslSocket>
#include <QUrl>


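/// Demo client for the nginx mutual-TLS setup: presents the client certificate
/// from a PKCS#12 bundle and performs one HTTPS GET. It derives from QObject
/// only so that Q_OBJECT / connect() are available; it declares no signals or
/// slots of its own.
class TestAuthentication : public QObject
{
    Q_OBJECT
public:
    // explicit: a bare QObject* must not silently convert into this type.
    explicit TestAuthentication(QObject *parent = nullptr);
    ~TestAuthentication() override;
    /// Runs the mutual-TLS request synchronously (spins a local event loop)
    /// and reports the outcome through qDebug(); it returns no status.
    void auth();
};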

#endif // TESTAUTHENTICATION_H

TestAuthentication.cpp（注意：下面 #include 的是 "testauthentication.h"，在区分大小写的文件系统上必须与头文件名 TestAuthentication.h 的大小写一致）


#include "testauthentication.h"

// Nothing to set up beyond the QObject parent: auth() keeps everything it
// needs in locals.
TestAuthentication::TestAuthentication(QObject *parent) : QObject(parent) {}

// No owned resources: every object auth() creates lives on its own stack.
TestAuthentication::~TestAuthentication() = default;
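/// Performs one HTTPS GET against the nginx server using mutual TLS.
///
/// Loads the client key + certificate from a PKCS#12 bundle, adds the demo CA
/// to the trust store so the privately signed server certificate verifies,
/// sends the request and blocks on a local event loop until the reply arrives.
/// Outcome and failures are reported with qDebug(); the method has no return
/// value so the original interface is unchanged.
void TestAuthentication::auth()
{
    // Demo only: the PKCS#12 export password and the file paths are hard-coded.
    // A real client must get the password from secure storage or the user,
    // never from the binary.
    const QByteArray password = "123456";                         // password given to `openssl pkcs12 -export`
    const QString pkcs12Path = QStringLiteral("D:\\ssl\\client.p12");
    const QString caPath     = QStringLiteral("D:\\ssl\\ca.crt");  // copy of ca.crt from section 1

    QFile pkcs(pkcs12Path);
    if (!pkcs.open(QFile::ReadOnly)) {
        qDebug() << "cannot open" << pkcs12Path << pkcs.errorString();
        return;
    }

    QSslKey key;
    QSslCertificate cert;
    QList<QSslCertificate> bundledCa;  // stays empty: client.p12 was exported with -clcerts
    const bool imported = QSslCertificate::importPkcs12(&pkcs, &key, &cert, &bundledCa, password);
    pkcs.close();
    qDebug() << "importPkcs12:" << imported;
    if (!imported || key.isNull() || cert.isNull()) {
        // A wrong password or corrupt bundle would otherwise send an empty
        // client certificate and fail on the server's ssl_verify_client.
        return;
    }

    // Start from the default configuration instead of an empty one, then add
    // our private CA so the server certificate can be verified rather than
    // rejected (or worse, waved through with ignoreSslErrors()).
    QSslConfiguration config = QSslConfiguration::defaultConfiguration();
    config.setPrivateKey(key);
    config.setLocalCertificate(cert);
    const QList<QSslCertificate> demoCa = QSslCertificate::fromPath(caPath);
    if (demoCa.isEmpty()) {
        qDebug() << "no CA certificate found at" << caPath;
        return;
    }
    QList<QSslCertificate> trusted = config.caCertificates();
    trusted.append(demoCa);
    config.setCaCertificates(trusted);
    // Verify the server. Never call ignoreSslErrors() to "make it work":
    // that turns mutual TLS into an unauthenticated channel.
    config.setPeerVerifyMode(QSslSocket::VerifyPeer);
    config.setProtocol(QSsl::TlsV1_2);  // matches nginx's ssl_protocols; no TLS 1.0/1.1

    QNetworkRequest request;
    request.setSslConfiguration(config);
    request.setUrl(QUrl(QStringLiteral("https://www.test.com")));

    QNetworkAccessManager manager;
    QEventLoop loop;
    // Connect before sending so the finished signal can never be missed.
    connect(&manager, &QNetworkAccessManager::finished, &loop, &QEventLoop::quit);
    QNetworkReply *reply = manager.get(request);
    loop.exec();

    if (reply->error() != QNetworkReply::NoError) {
        qDebug() << "request failed:" << reply->errorString();
    } else {
        qDebug() << reply->readAll();
    }
    // The reply is parented to `manager` and dies with it at scope exit;
    // deleteLater() is the right call when the manager is long-lived.
    reply->deleteLater();
}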
#include "testauthentication.h"
#include <QApplication>

// Entry point: creates the Qt application (required for the event loop that
// auth() spins), runs the single mutual-TLS request and exits without ever
// entering app.exec(), exactly as the original did.
int main(int argc, char *argv[])
{
    QApplication app(argc, argv);
    TestAuthentication client;
    client.auth();
    return 0;
}

附件：一键生成全部证书的脚本（在 ~/ssl 下执行，openssl ca 需要的 demoCA 目录结构也由它创建）


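#!/bin/bash
# Builds a throwaway CA plus server and client certificates for the nginx/Qt
# mutual-TLS demo, under ~/ssl. Changes from the original page:
#   - set -euo pipefail and mkdir -p, so a failed step stops the script
#   - the server key is 2048 bits (the original used 1024)
#   - the CA key is no longer also written out unencrypted as ca_decrypted.key
#   - sha256 is requested explicitly instead of relying on openssl.cnf
#   - -batch so `openssl ca` does not prompt for confirmation
#   - the serial file is only seeded on first run, so re-runs do not reuse serials
set -euo pipefail

SUBJECT="/C=CN/ST=shanghai/L=china/O=testServer/CN=www.test.com"
cd ~/
mkdir -p ssl
cd ssl
# Directory layout that `openssl ca` expects (dir = ./demoCA in openssl.cnf).
mkdir -p demoCA/newcerts demoCA/private
touch demoCA/index.txt
[ -s demoCA/serial ] || echo '01' > demoCA/serial

# CA private key. Unencrypted so the script runs unattended; this key signs
# every client certificate nginx will trust, so keep it off the web server and
# readable only by you. Prefer the commented, passphrase-protected variant.
#openssl genrsa -aes256 -out ca.key 2048
openssl genrsa -out ca.key 2048
chmod 600 ca.key
# (The original also ran `openssl rsa -in ca.key -out ca_decrypted.key`,
#  leaving a second plaintext copy of the CA key that nothing used.)

openssl req -new -subj "$SUBJECT" -x509 -sha256 -days 3650 -key ca.key -out ca.crt

# Server key, 2048 bits. test.com.key is the unencrypted copy nginx loads.
#openssl genrsa -des3 -out test.com.pem 2048
openssl genrsa -out test.com.pem 2048
openssl rsa -in test.com.pem -out test.com.key
chmod 600 test.com.pem test.com.key

openssl req -new -subj "$SUBJECT" -key test.com.pem -out test.com.csr
# No subjectAltName is set; add one (-extfile / -copy_extensions) if your
# client insists on SAN rather than CN matching.
openssl ca -batch -policy policy_anything -md sha256 -days 1460 -cert ca.crt -keyfile ca.key -in test.com.csr -out test.com.crt

# nginx's ssl_certificate should hold the full chain: server cert, then CA.
cat ca.crt >> test.com.crt

# Client key and certificate. O=testClient keeps the subject DN distinct from
# the server's (openssl ca refuses duplicate live subjects by default); give
# every real client its own key and subject so one can be revoked alone.
#openssl genrsa -aes256 -out client.pem 2048
openssl genrsa -out client.pem 2048
chmod 600 client.pem
SUBJECT="/C=CN/ST=ShangHai/L=china/O=testClient/CN=www.test.com"
openssl req -new -subj "$SUBJECT" -key client.pem -out client-req.csr

openssl ca -batch -policy policy_anything -md sha256 -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt

# PKCS#12 bundle for the Qt client; the export password prompted here is the
# one auth() passes to importPkcs12(). -clcerts leaves the CA out, so the
# client loads ca.crt separately to verify the server.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12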
