Self-signed certificate for an IP address
Self-signing for an IP address
First, a few words about how SSL signing works; this article is a good reference:
https://www.cnblogs.com/rinack/p/10743355.html
Put simply, there are two roles. The first is the certificate authority (CA); the certificates it issues are also called CA certificates. CAs are generally considered trustworthy.
The other role is the ordinary server, which is not necessarily trustworthy: someone may be impersonating it or tampering with it. When such a server uses HTTPS it needs a second kind of certificate, the server certificate.
This raises a question: when a server presents a certificate, how do you know whether it is genuine or forged?
This is where the CA acts as a trusted intermediary: it writes a statement on the certificate saying "I certify that this certificate is genuine" and signs it with its own name. Because you trust the CA, you also trust the certificate the server presents.
To get a signature everyone will accept, you need to pick a CA everyone accepts. The problem is that in most cases certificates are issued for domain names, and many CAs charge for them (and not cheaply).
For personal or small-scale use without a domain name, the big CAs may not be a good fit; for use inside a LAN in particular, CAs generally will not sign at all.
So for this situation we discuss how to self-sign a certificate for an IP address.
The first step is to create the CA, the certificate authority.
Create the private key
pi@raspberrypi:~/ssl $ openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................+++++
......+++++
e is 65537 (0x010001)
Create the public key (the self-signed CA certificate) from the private key
pi@raspberrypi:~/ssl $ openssl req -new -x509 -days 208 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX Gmbh
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.xxx.com
Email Address []:
The fields from Country Name to Email Address have to be filled in, but they do not matter much and can be anything. It is a good idea to put a meaningful name in Organization Name so that the certificate is easy to find after it has been imported.
Next comes the server's key pair. Two files need to be prepared.
openssl.cnf, with the following content:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = NYC
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = xxx
commonName = xxx
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request.
# These only go into the CSR; the signed certificate takes its
# extensions from v3.ext (below) at signing time.
# A server certificate is not a CA, so CA:FALSE here.
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.0.10
IP.2 = x.x.x.x
The [req_distinguished_name] section can likewise be filled in arbitrarily.
The important part is [alt_names]: the IP addresses listed here are what is ultimately certified, so they matter. No port is needed; once the IP is certified, every port on it can serve HTTPS.
The second file, v3.ext:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names
[alt_names]
IP.1 = 192.168.0.10
IP.2 = x.x.x.x
[alt_names] must match the one in openssl.cnf.
Next, generate the server certificate and sign it.
Private key
pi@raspberrypi:~/ssl $ openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
.............................................................................................+++++
e is 65537 (0x010001)
Public key (the certificate signing request)
pi@raspberrypi:~/ssl $ openssl req -new -days 208 -key server.key -out server.csr -config openssl.cnf
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [NY]:
Locality Name (eg, city) [NYC]:
Organizational Unit Name (eg, section) [xxx]:
Sign the server certificate with your own CA
pi@raspberrypi:~/ssl $ openssl x509 -days 208 -req -sha256 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=C = US, ST = NY, L = Centereach, OU = TD-Hydro
Getting CA Private Key
This gives you two key pairs.
Put the server key pair (server.crt and server.key) into the HTTP server.
For Nginx, use something like the following:
server {
    listen 443 ssl default_server;
    # "ssl on;" is deprecated and no longer accepted by recent nginx;
    # "listen ... ssl" above already enables TLS on this port.
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    # nginx answers 497 when plain HTTP arrives on the TLS port;
    # send such requests back over HTTPS.
    error_page 497 https://$host/$request_uri;

    location / {
        proxy_redirect off;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $http_host;
    }

    location = /.htaccess {
        return 404;
    }
}
Then import ca.crt into the system as a trusted root certificate. There is plenty of material about this online, so it is not repeated here.
After restarting the browser, the certificate will be accepted.
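As an added example that is not part of the original post, the script below runs the same CA, CSR and signing steps non-interactively (using -subj instead of the prompts) and then checks the result with openssl verify -verify_ip, which applies the same IP SAN rule a browser does: a matching CN alone is not accepted. It assumes the openssl CLI is on PATH; the directory names and the CA subject are constructed, and 192.168.0.10 is the address used above.

```shell
# make_ip_cert DIR IP [SAN] -- writes ca.key/ca.crt and server.key/server.crt
# into DIR. Pass "no" as SAN to build a certificate with only a CN, for comparison.
make_ip_cert() {
    dir="$1"; ip="$2"; san="${3:-yes}"
    mkdir -p "$dir"
    # CA private key and self-signed CA certificate (the first two steps above)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 208 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/O=Example LAN CA (constructed)/CN=Example LAN Root" 2>/dev/null
    # Server private key and certificate signing request
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=NY/L=NYC/OU=xxx/CN=$ip" 2>/dev/null
    # v3.ext as in the post; the IP SAN is what clients actually match on
    {
        printf 'authorityKeyIdentifier=keyid,issuer\n'
        printf 'basicConstraints=CA:FALSE\n'
        printf 'keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n'
        if [ "$san" = yes ]; then
            printf 'subjectAltName=@alt_names\n[alt_names]\nIP.1 = %s\n' "$ip"
        fi
    } > "$dir/v3.ext"
    # Sign the CSR with the CA, taking the certificate's extensions from v3.ext
    openssl x509 -req -days 208 -sha256 -extfile "$dir/v3.ext" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
}

# check_ip_cert DIR IP -- succeeds only if server.crt chains to ca.crt,
# carries IP in its subjectAltName, and is not itself a CA
check_ip_cert() {
    dir="$1"; ip="$2"
    # -verify_ip does the same SAN match a browser does; CN does not count
    openssl verify -CAfile "$dir/ca.crt" -verify_ip "$ip" "$dir/server.crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'CA:FALSE'
}
```

Source the file, then run make_ip_cert ./pki 192.168.0.10 followed by check_ip_cert ./pki 192.168.0.10; the check fails for any other address and for a certificate built with "no" as the third argument.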