Self-signed certificate for an IP address


Self-signing for an IP address

First, a word about how SSL certificate signing works; this article is a good reference:

https://www.cnblogs.com/rinack/p/10743355.html

Simply put, there are two roles here. The first is the certificate authority (CA); the certificates it issues are also called CA certificates. Generally, these CAs are considered trustworthy.

The other role is the ordinary server, which is not necessarily trustworthy; it may be impersonated or tampered with. When such a server uses HTTPS it needs another certificate, the server certificate.

So a question arises: when a server presents a certificate, how do you know whether it is genuine or forged?

This is where the CA acts as a trusted intermediary. It writes a statement on the certificate saying, in effect, "I certify that this certificate is genuine", and signs its own name. Because you trust the CA, you also trust the certificate the server presents.

 

To produce a signature everyone will accept, you need to pick a CA that everyone accepts. The problem is that in most cases signatures are issued for domain names, and many CAs charge for them (and not cheaply).

For personal or small-scale use, and when you have no domain name, the big CAs may not be suitable; in particular, for use inside a LAN, a CA generally will not sign for you at all.

So in this situation we discuss how to self-sign a certificate for an IP address.

 

The first step is to create the CA, that is, the certificate authority.

Create the private key

pi@raspberrypi:~/ssl $ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................+++++
......+++++
e is 65537 (0x010001)

Create the self-signed CA certificate (which carries the public key) from the private key

pi@raspberrypi:~/ssl $ openssl req -new -x509 -days 208 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX Gmbh
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.xxx.com
Email Address []:

The fields from Country Name to Email Address have to be filled in, but they are not important and can be anything. It is recommended to put a meaningful name in Organization Name so the certificate is easy to find after it is imported.

 

Next comes the server key pair; two files need to be prepared here.

openssl.cnf, with the following content:

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = NYC
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default  = xxx
commonName = xxx
commonName_max  = 64

[ v3_req ]
# Extensions to add to a certificate request
# A server certificate is an end-entity, not a CA (v3.ext below says the same)
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.0.10
IP.2 = x.x.x.x

The [req_distinguished_name] part can also be filled in arbitrarily.

The important part is [alt_names]: the IP addresses written here are what is ultimately certified, so they matter. No port is needed; once the IP is certified, every port on it can serve HTTPS.

The second file, v3.ext:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names
[alt_names]
IP.1 = 192.168.0.10
IP.2 = x.x.x.x

[alt_names] must match the one in openssl.cnf.

Next, generate the signed server certificate.

Private key

pi@raspberrypi:~/ssl $ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
.............................................................................................+++++
e is 65537 (0x010001)

Public key (as a certificate signing request)

pi@raspberrypi:~/ssl $ openssl req -new -days 208 -key server.key -out server.csr -config openssl.cnf 
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [NYC]:
Organizational Unit Name (eg, section) [xxx]:

Sign your own server certificate with your own CA

pi@raspberrypi:~/ssl $ openssl x509 -days 208 -req -sha256 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=C = US, ST = NY, L = Centereach, OU = TD-Hydro
Getting CA Private Key

This gives you two key pairs.
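The whole procedure above (CA, extension file with IP SANs, CSR, signing) as one non-interactive script, followed by the verification worth running before importing the CA anywhere: that server.crt chains to ca.crt, is not itself a CA, and carries the IP as a subjectAltName. This is an added example, not the original post's commands; openssl 1.1.1 or later on PATH, the directory, subject strings and IP addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the page's CA and IP-bound server
# certificate steps made non-interactive, plus the checks a practitioner should run.
# Assumes openssl 1.1.1+ on PATH; directory, subjects and IPs are constructed values.
set -eu
make_ip_cert() {
    dir="$1"; ip1="$2"; ip2="$3"; mkdir -p "$dir"
    # req config: no prompts (subjects come from -subj), proper CA extensions for the root
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Server extensions (the page's v3.ext): end-entity cert bound to IP addresses
    cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, keyEncipherment
subjectAltName=@alt_names
[alt_names]
IP.1 = $ip1
IP.2 = $ip2
EOF
    # ca.key / ca.crt, then server.key / server.csr / server.crt, as on the page
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 208 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -config "$dir/req.cnf" -subj "/O=Example Lab/CN=Example Lab Root CA" 2>/dev/null
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/req.cnf" -subj "/O=Example Lab/CN=$ip1" 2>/dev/null
    openssl x509 -req -sha256 -days 208 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/v3.ext" \
        -out "$dir/server.crt" 2>/dev/null
}
# Succeeds only if server.crt chains to ca.crt, is not itself a CA, and carries
# $ip as an IP-type subjectAltName (the field a browser matches the address against)
check_ip_cert() {
    dir="$1"; ip="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text > "$dir/server.txt"
    grep -q 'CA:FALSE' "$dir/server.txt" && grep -qE "IP Address:$ip(,|\$)" "$dir/server.txt"
}
```

Run as `make_ip_cert ./ssl 192.168.0.10 10.0.0.5 && check_ip_cert ./ssl 192.168.0.10`; a certificate whose SAN list does not include the address you browse to fails the check even though it verifies against the CA.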

Put the server key pair into the HTTP server.

For Nginx, refer to:

server {
    listen 443 ssl default_server;
    # "ssl on;" is deprecated; "listen ... ssl" above already enables TLS
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # 497: plain HTTP sent to the HTTPS port; redirect to the same URL over HTTPS
    # ($request_uri already starts with "/", so no extra slash)
    error_page 497 =301 https://$host$request_uri;

    location / {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $http_host;
    }
    location = /.htaccess {
        return 404;
    }
}

Then import ca.crt into the system as a trusted root certificate; there is plenty of material online about this, so it is not repeated here.

After restarting the browser, the certificate will be recognized as valid.

