===ca 部分===
*私鑰openssl genrsa -des3 -out ca/ca-key.pem 1024
*req證書
openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem -config ./openssl.cnf
*x509證書
openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650
*吊銷證書
openssl ca -revoke client/client-cert.crt -config ./openssl.cnf
openssl ca -gencrl -out ca/ca-cert.crl -config ./openssl.cnf
===server證書部分===
*私鑰openssl genrsa -des3 -out server/server-key.pem 1024
*windows(32)私鑰支援
openssl rsa -in server/server-key.pem -out server/server-key-w32.pem
*req證書
openssl req -new -key server/server-key.pem -out server/server-req.csr -config ./openssl.cnf
*伺服器證書
openssl ca -policy policy_anything -in server/server-req.csr -cert ca/ca-cert.pem -keyfile ca/ca-key.pem -out server/server-cert.pem -days 3650 -config ./openssl.cnf
====apache ssl====
*需要檔案
**server-cert.pem
**server-key-w32.pem
**ca-cert.pem
*配置部分
**sslcertificatefile 伺服器證書路徑
**sslcertificatekeyfile 伺服器私鑰(windows32)
**sslcertificatechainfile ca 證書路徑.
**sslverifyclient require 是否雙向認證
**sslrequire ( ... ) 客戶端證書過濾
*執行部分
apache -d ssl
====tomcat ssl====
*需要檔案
**server_keystore
keytool -genkey -alias erp -validity 3650 -keyalg rsa -keysize 1024 -keypass changeit -storepass changeit -dname "subject" -keystore server/server_keystore
keytool -certreq -alias erp -sigalg md5withrsa -file server/server-req.csr -keypass changeit -keystore server/server_keystore -storepass changeit
**cacerts
keytool -import -v -trustcacerts -storepass helloechange1301 -alias ca -file ca/ca-cert.pem -keystore server/cacerts
*配置部分
**server_keystore檔案配置到 tomcat conf/server.xml connector節keystorefile屬性及keystorepass
**cacerts檔案配置到%jre_home%/lib/security路徑下
**server.xml 相關 ssl 其它章節
*執行部分
tomcat 重啟生效
===client證書部分===
*私鑰openssl genrsa -des3 -out client/client-key.pem 1024
*req證書
openssl req -new -key client/client-key.pem -out client/client-req.csr -config ./openssl.cnf
*個人證書
openssl x509 -req -in client/client-req.csr -signkey client/client-key.pem -ca ca/ca-cert.pem -cakey ca/ca-key.pem -cacreateserial -days 3650 -out client/client-cert.crt
*個人證書(p12格式)
openssl pkcs12 -export -clcerts -in client/client-cert.crt -inkey client/client-key.pem -out client/client-p12.p12
Nginx配置客戶端SSL雙向認證
安裝需求環境 server ssl on ssl certificate uuht ca ca.crt https證書公鑰 ssl certificate key uuht ca ca.key https私鑰 ssl client certificate uuht ca cacert.pem 啟用s...
ssl 客戶端配置
基本上,ssh客戶端的詳細設定都放在 etc ssh ssh config 裡面!etc ssh ssh config 檔案是openssh系統範圍的配置檔案 允許你通過設定不同的選項來改變客戶端程式的執行方式。site wide defaults for various options host ...
使用Nginx配置客戶端實現SSL雙向認證
1.ca 與自簽名 建立相關目錄 mkdir ssl cd ssl製作 ca 私鑰 openssl genrsa out ca.key 2048製作 ca 根證書 公鑰 openssl req new x509 days 3650 key ca.key out ca.crt2.伺服器端證書 製作服務...