http 80
https 443 rsa 非对称128加密 安全类交易可以使用rsa 1024位加密算法
https是ssl(secure socket layer)的一种
单向 客户端单向访问服务器(安全)
根证书 rootCA
服务器认证 serverCA
双向认证
根证书
生成一对不对称密钥,公钥public key(加密) 和私钥 private key(解密),一个私钥对应多个公钥
用密钥产生请求,同时交给root机构
root机构进行签名
服务器认证
客户端认证
过程:客户端请求认证,取得证书,每次访问携带证书
md5 和sha指纹加密算法
使用openssl来签证书
1 下载安装文件
http://slproweb.com/products/Win32OpenSSL.html
2 安装完成后,设置环境变量
OPENSSL_CONF
D:\tools\OpenSSL-Win32\bin\openssl.cfg
path
D:\tools\OpenSSL-Win32\bin
3 生成根证书所用密钥
openssl genrsa -des3 -out ca.key 1024
示例
D:\tools\opensslca>openssl genrsa -des3 -out ca.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........++++++
.....................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: 输入密码
Verifying - Enter pass phrase for ca.key: 再次输入密码
去除ca密钥的口令
openssl rsa -in ca.key -out ca.key
D:\tools\opensslca>openssl rsa -in ca.key -out ca.key
Enter pass phrase for ca.key:
writing RSA key
生成rootCA
openssl req -new -x509 -key ca.key -out ca.crt -config D:\tools\OpenSSL-Win32\bin\openssl.cfg
国家:CN
省:SH
市:SH
公司名:yue
主机名:Nemo-20100613CG
D:\tools\opensslca>openssl req -new -x509 -key ca.key -out ca.crt -config D:\too
ls\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:SH
Locality Name (eg, city) []:SH
Organization Name (eg, company) [Internet Widgits Pty Ltd]:yue
Organizational Unit Name (eg, section) []:Nemo-20100613CG
Common Name (e.g. server FQDN or YOUR name) []:Nemo-20100613CG
Email Address []:
[email protected]
同时会在C:\WINDOWS\system32\drivers\etc\hosts文件中添加如下行:
127.0.0.1 cn.yue.com
将ROOT CA导入客户端的根级信任域,所有客户端都需要导入
internate 选项-->证书-->导入
生成web服务端的证书使用rootca签名aaaaaa
命令如下:
openssl genrsa -des3 -out server.key 1024
去除密码
openssl rsa -in server.key -out server.key
生成服务端证书签名:
openssl req -new -key server.key -out server.csr
使用rootCA 请求web服务器的证书,进行签名认证
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
出现如下错误:
D:\tools\opensslca>openssl ca -in server.csr -out server.crt -cert ca.crt -keyfi
le ca.key
Using configuration from D:\tools\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
I am unable to access the ./demoCA/newcerts directory
./demoCA/newcerts: No such file or directory
解决方法:
md demoCA
cd demoCA
md newcerts
cd ..
@echo>index.txt
@echo>serial
@echo 01 >serial
重新生成Web服务器的server.crt证书:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
结果如下:
Using configuration from D:\tools\OpenSSL-Win32\bin\openssl.cfg
Loading 'screen' into random state - done
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 27 10:51:48 2012 GMT
Not After : Oct 27 10:51:48 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = SH
organizationName = yue
organizationalUnitName = Nemo-20100613CG
commonName = Nemo-20100613CG
emailAddress =
[email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
28:B4:50:30:E3:44:5C:51:76:F9:26:E6:FD:F9:C1:1C:84:79:9E:B1
X509v3 Authority Key Identifier:
keyid:3F:CE:E6:09:56:BD:5B:0F:09:22:0B:FA:3B:98:F2:0D:6B:39:1A:0
7
Certificate is to be certified until Oct 27 10:51:48 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated