标签:
第一步,自制CA证书和Server证书,私钥
自制CA私钥 openssl genrsa -des3 -out ca.key 4096 自制CA证书 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt 自制Server私钥,生成免密码版本 openssl genrsa -des3 -out server.key 4096 openssl rsa -in server.key -out server.nosecret.key 制作csr文件 openssl req -new -key server.key -out server.csr 用CA证书私钥对csr签名(CA不能用X509,这点需要注意)生成Server证书 openssl ca -days 3650 -in server.csr -cert ca.crt -keyfile ca.key -out server.crt
第二步,配置web服务器,nginx配置方法如下
server { listen 443; server_name www.mydomain.com; ssl on; ssl_certificate ssl/server.crt; ssl_certificate_key ssl/server.nosecret.key; location /t { echo "Hello World"; } }
第三步,验证方法如下
浏览器使用需导入ca.crt到根证书,curl和wget命令行工具使用方法如下 curl -v --cacert ca.crt "https://www.mydomain.com/t" wget --ca-certificate=ca.crt https://www.mydomain.com/t 不检查证书 curl需要指定-k参数,wget需要带参数-no-check-certificate
附,libcurl使用如下
function curlPost($url, $data = array(), $timeout = 30, $CA = true){ $cacert = getcwd() . ‘/ca.crt‘; //CA根证书 $SSL = substr($url, 0, 8) == "https://" ? true : false; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout-2); if ($SSL && $CA) { curl_setopt($ch, CURLOPT_SSLVERSION, 3); curl_setopt($ch, CURLOPT_SSLCERTTYPE, ‘PEM‘);//默认PEM curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // 只信任CA颁布的证书 curl_setopt($ch, CURLOPT_SSLCERTPASSWD, true); // 只信任CA颁布的证书 curl_setopt($ch, CURLOPT_CAINFO, $cacert); // CA根证书(用来验证的网站证书是否是CA颁布) curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // 检查证书中是否设置域名,并且是否与提供的主机名匹配 } else if ($SSL && !$CA) { curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // 信任任何证书 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1); // 检查证书中是否设置域名 } curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HTTPHEADER, array(‘Expect:‘)); //避免data数据过长问题 curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $data); //curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data)); //data with URLEncode $ret = curl_exec($ch); //var_dump(curl_error($ch)); //查看报错信息 curl_close($ch); return $ret; } $ret = curlPost("https://www.mydomain.com/t"); echo $ret; ?>
查看证书内容,有效期,用途方法如下
openssl x509 -in ca.crt -noout -text openssl x509 -in ca.crt -noout -dates openssl x509 -in ca.crt -noout -purpose
标签:
原文地址:http://www.cnblogs.com/ciaos/p/4887505.html