mac sslconfig 文件路径

/System/Library/OpenSSL/openssl.cnf

一生成CA

openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

cdpmacdeMBP:mkssl3 cdpmac$  openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

Generating a  bit RSA private key

.++++++

......................++++++

writing new private key to 'ca.key'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name ( letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Dongcheng

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go

Organizational Unit Name (eg, section) []:Audit

Common Name (e.g. server FQDN or YOUR name) []:CA

Email Address []:

二生成 客户端和服务器端的私钥(key文件):

openssl genrsa -des3 -out server.key 1024

openssl genrsa -des3 -out client.key 1024

三生成的csr文件

服务端

cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -key server.key -out server.csr -config openssl.cnf

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name ( letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Dongcheng

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go

Organizational Unit Name (eg, section) []:Audit

Common Name (e.g. server FQDN or YOUR name) []www.httpsserver.com                                                                                                                  ^ Email Address []:                                                                  

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

客户端

cdpmacdeMBP:mkssl3 cdpmac$ openssl req -new -key client.key -out client.csr -config openssl.cnf

Enter pass phrase for client.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name ( letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Dongcheng

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go

Organizational Unit Name (eg, section) []:Audit

Common Name (e.g. server FQDN or YOUR name) []:www.httpsclient.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

签名

cdpmacdeMBP:mkssl3 cdpmac$ Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number:  (0x1)

        Validity

            Not Before: Jul   ::  GMT

            Not After : Jul   ::  GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Beijing

            organizationName          = Go

            organizationalUnitName    = Audit

            commonName                = www.httpsserver.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                7F:::A8:3F::B8::2F:0D:B4::F2::5F:E5:1E::5E:

            X509v3 Authority Key Identifier:

                keyid:B6:D8::A3:C2::D1::8F:::C4::FA::C4:C4:1A:DA:

Certificate is to be certified until Jul   ::  GMT ( days)

Sign the certificate? [y/n]:y

 out of  certificate requests certified, commit? [y/n]y

Write out database with  new entries

Data Base Updated
cdpmacdeMBP:mkssl3 cdpmac$ Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

:error::lib():UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-52.20./src/crypto/ui/ui_lib.c::You must type in  to  characters

Enter pass phrase for ca.key:

:error::lib():UI_set_result:result too small:/SourceCache/OpenSSL098/OpenSSL098-52.20./src/crypto/ui/ui_lib.c::You must type in  to  characters

Enter pass phrase for ca.key:

Enter pass phrase for ca.key:

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number:  (0x2)

        Validity

            Not Before: Jul   ::  GMT

            Not After : Jul   ::  GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = Beijing

            organizationName          = Go

            organizationalUnitName    = Audit

            commonName                = www.httpsclient.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                F3:B9:6E:AB:::FE:0D:E2::3D:3B:DD:7C:CC:::7B::7F

            X509v3 Authority Key Identifier:

                keyid:B6:D8::A3:C2::D1::8F:::C4::FA::C4:C4:1A:DA:

Certificate is to be certified until Jul   ::  GMT ( days)

Sign the certificate? [y/n]:y

 out of  certificate requests certified, commit? [y/n]y

Write out database with  new entries

Data Base Updated

注意

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Go 必须相同
需要为
Common Name (e.g. server FQDN or YOUR name) []www.httpsserver.com   配置host

1.首先要生成服务器端的私钥(key文件):
openssl genrsa -des3 -out server.key 1024
运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!
去除key文件口令的命令:
openssl rsa -in server.key -out server.key

2.openssl req -new -key server.key -out server.csr -config openssl.cnf
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.

3.对客户端也作同样的命令生成key及csr文件:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf

4.CSR文件必须有CA的签名才可形成证书.可将此文件发送到verisign等地方由它验证,要交一大笔钱,何不自己做CA呢.
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf

5.用生成的CA的证书为刚才生成的server.csr,client.csr文件签名:
Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

这两步会报错因为没有文件

mkdir ./demoCA

654  mkdir demoCA/newcerts

655  touch demoCA/index.txt

656  vi demoCA/serial

输入01 退出

Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

再生成

Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

时出错

cdpmacdeMBP:mkssl3 cdpmac$ openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf

Using configuration from openssl.cnf

Enter pass phrase for ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 4 (0x4)

Validity

Not Before: Jul  8 06:14:48 2015 GMT

Not After : Jul  7 06:14:48 2016 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = Goyoo

organizationalUnitName    = Audit

commonName                = Cuidapeng

emailAddress              = cclient@hotmail.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

7E:A5:DA:92:0C:06:7B:2F:84:3C:C6:63:39:5C:B6:47:69:C6:76:3C

X509v3 Authority Key Identifier:

keyid:F0:62:47:E3:7C:56:E0:83:28:EE:D3:D1:F0:C5:46:54:39:39:47:75

Certificate is to be certified until Jul  7 06:14:48 2016 GMT (365 days)

Sign the certificate? [y/n]:y

failed to update database

TXT_DB error number 2

查问题知

http://zeldor.biz/2013/11/txt_db-error-number-2-failed-to-update-database/

Because you have generated your own self signed certificate with the same CN (Common Name) information that the CA certificate that you’ve generated before.

之前生成csr时输也的Common Name 是相同的,重新生成一个。

再来

成功

openssl nodejs https+客户端证书+usbkey的更多相关文章

  1. OPENSSL 生成https 客户端证书

    下面说下拿服务器证书.(前提是服务器是https,客户端认证用的时候),服务端不给的时候,我们自己去拿(不给怼他!,哈哈,开个玩笑,都会给的) openssl s_client -connect 域名 ...

  2. iis https 客户端证书

    1.自建根证书 makecert -r -pe -n "CN=WebSSLTestRoot" -b 12/22/2013 -e 12/23/2024 -ss root -sr lo ...

  3. nodejs 客户端证书设置。

    最近的系统要求较高的安全等级 https+usbkey证书 https的操作很简单 openssl 生成ca 和证书,配置启动即可 生成成功后,类似这样. 类似这样 var options = { k ...

  4. openssl CA 自签证书,阿里云配置tomcat https

    <一,openssl CA自签发证书> 1,生成私钥 openssl genrsa 1024 > private.key;

  5. curl+个人证书(又叫客户端证书)访问https站点

    摘自http://blog.csdn.net/chary8088/article/details/22990741 curl+个人证书(又叫客户端证书)访问https站点 目前,大公司的OA管理系统( ...

  6. Android : 关于HTTPS、TLS/SSL认证以及客户端证书导入方法

    一.HTTPS 简介 HTTPS 全称 HTTP over TLS/SSL(TLS就是SSL的新版本3.1).TLS/SSL是在传输层上层的协议,应用层的下层,作为一个安全层而存在,翻译过来一般叫做传 ...

  7. openssl生成https证书

    openssl生成https证书 分类: 其它2009-09-03 16:20 452人阅读 评论(0) 收藏 举报 includemoduleaccessapachessl服务器 openssl生成 ...

  8. Https、OpenSSL自建CA证书及签发证书、nginx单向认证、双向认证及使用Java访问

    0.环境 本文的相关源码位于 https://github.com/dreamingodd/CA-generation-demo 必须安装nginx,必须安装openssl,(用apt-get upd ...

  9. [转帖]用 OpenSSL 创建可以用于 https 的证书

    用 OpenSSL 创建可以用于 https 的证书 开会时 说到了安全问题 就简单鼓捣了一下 以后还是用nginx 转发比较好一些. https://blog.csdn.net/joyous/art ...

随机推荐

  1. vue整合外部js

    vue引入外部jsimport { TrackLine } from "../../../../../static/js/trajectory.js";import { initM ...

  2. Django框架(七):模型(三) 关联、模型类的属性

    1. 关联 1.1 模型类关系 关系型数据库的关系包括三种类型: ForeignKey:一对多,将字段定义在多的一端中. ManyToManyField:多对多,将字段定义在任意一端中. OneToO ...

  3. html页面监听事件

    今天有个需求,类似以下: <div id="a"> <input name="yinzhangfenlei" id="yinzhan ...

  4. ZJNU 2208 - 你渴望力量吗

    在图的最外面套一层0(防止到头) 然后搜索图有多少块在 '0'有两块0,一块1 '1'有一块0,一块1 其余情况不存在 #include<stdio.h> ],dx[]={,,,-},dy ...

  5. shell脚本中的条件测试if中的-z到-d的意思

    文件表达式 if [ -f  file ]    如果文件存在if [ -d ...   ]    如果目录存在if [ -s file  ]    如果文件存在且非空 if [ -r file  ] ...

  6. stopping service [tomcat],服务未启动

    1. 在主类中添加日志打印,查看错误: 2. 我的错误是因为两个controller含有相同的路径

  7. 手机APP例如抖音,让 people‘s 注意力集中到了 社会进化的 优胜部分 (优胜劣汰,什么是优) + 真善美,的 “美” , 促进了2极分化, 会产生强者俞强,弱者越弱,确实促进了信息的流通,传播了有用的东东 产生了独特的价值 而 如何 能计算出这些价值呢, 需要 数学 金融 财务 货币 量化吗

    手机APP例如抖音,让      people‘s  注意力集中到了  社会进化的 优胜部分  (优胜劣汰,什么是优)   +     真善美,的  “美”        , 促进了2极分化, 会产生 ...

  8. Nginx_安全2

    Nginx与安全有关的配置 隐藏版本号 http {    server_tokens off;} 经常会有针对某个版本的nginx安全漏洞出现,隐藏nginx版本号就成了主要的安全优化手段之一,当然 ...

  9. 吴裕雄--天生自然C语言开发:enum(枚举)

    enum DAY { MON=, TUE, WED, THU, FRI, SAT, SUN }; enum DAY { MON=, TUE, WED, THU, FRI, SAT, SUN }; en ...

  10. c# winForm 将窗体状态栏StatusStrip 分成左中右三部分 右边显示当前时间

    实现效果:通过StatusStrip显示窗体状态栏同时将状态栏分成三部分居左边显示相关文字信息中间空白显示居右边显示时间信息 1.创建窗体及添加StatusStrip  默认StatusStrip名称 ...