自签证书生成

之前我们了解了https大致流程，如果不懂请参考我的另一篇文章：白话理解https

下面介绍自签证书的制作。

cfssl工具

工具下载地址：http://pkg.cfssl.org/

所需工具下载cfssl、cfssl-json、cfssl-certinfo(可选，用来校验证书而已)

这里我在window上演示一遍：

CA证书

准备ca-config.json（根证书配置文件）

{
    "signing": {
        "default": {
            "expiry": "43800h"
        },
        "profiles": {
            "server": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            },
            "peer": {
                "expiry": "43800h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth",
                    "client auth"
                ]
            }
        }
    }
}

ca-csr.json(根证书请求配置文件)

注意：

因为自签证书，ca-csr配置里的CN不要以"www"开头，测试过www开头会导致通信失败。

{
    "CN": "MYCA",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        { 
            "C": "CN",
           "ST": "Guangzhou",
           "L": "Guangzhou",
           "O": "组织",
           "OU": "部门"
       }    
    ]
}

生成CA证书

cfssl gencert -initca ca-csr.json | cfssljson -bare ca - 

服务端证书

server-csr.json

hosts为服务端的IP，请根据需要自行补充。

{
    "CN": "my-server",
    "hosts": [
      "127.0.0.1"
    ],
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
           "C": "CN",
           "ST": "Guangzhou",
           "L": "Guangzhou",
           "O": "组织",
           "OU": "部门"
        }
    ]
}

生成服务端证书

cfssl gencert -ca=ca.pem\
-ca-key=ca-key.pem\
-config=ca-config.json\
-profile=server server-csr.json | cfssljson -bare server

客户端证书

客户端证书和服务端证书生成步骤一样，只不过不需要配置host字段。

client-csr.json

{
    "CN": "my-client",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [
        {
           "C": "CN",
           "ST": "Guangzhou",
           "L": "Guangzhou",
           "O": "组织",
           "OU": "部门"
        }
    ]
}

生成客户端证书

cfssl gencert -ca=ca.pem\
-ca-key=ca-key.pem\
-config=ca-config.json\
-profile=client client-csr.json | cfssljson -bare client

最后会生成以下证书

.
├── ca.csr
├── ca.pem
├── ca-key.pem
├── client.csr
├── client.pem
├── client-key.pem
├── server.csr
├── server.pem
├── server-key.pem

 openssl工具

生成CA证书

# 生成 CA 私钥
openssl genrsa -out ca.key 1024
# X.509 Certificate Signing Request (CSR) Management.
openssl req -new -key ca.key -out ca.csr
# X.509 Certificate Data Management.
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt

在执行第二部时候会出现类似让你填写信息：

➜  keys  openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Zhejiang
Locality Name (eg, city) []:Hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My CA
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:

PS: 当然，你可以事先准备好ca.config, 设置好默认值，然后就可以一步到位(按回车)了。

比如：

vi ca.config

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Guangdong
localityName                = Locality Name (eg, city)
localityName_default        = Guangzhou
organizationName            = Organization Name (eg, company)
organizationName_default    = XXXX
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = xxx

然后再第二部命令多加个-config  ca.config就行

openssl req \
  -new \
  -sha256 \
  -out ca.csr \
  -key ca.key \
  -config ca.conf

生成公钥和私钥

# 生成服务器端私钥
openssl genrsa -out server.key 1024
# 生成服务器端公钥
openssl rsa -in server.key -pubout -out server.pem
 
# 生成客户端私钥
openssl genrsa -out client.key 1024
# 生成客户端公钥
openssl rsa -in client.key -pubout -out client.pem

生成端证书

# 服务器端需要向 CA 机构申请签名证书，在申请签名证书之前依然是创建自己的 CSR 文件
openssl req -new -key server.key -out server.csr
# 向自己的 CA 机构申请证书，签名过程需要 CA 的证书和私钥参与，最终颁发一个带有 CA 签名的证书
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
 
# client 端
openssl req -new -key client.key -out client.csr
# client 端到 CA 签名
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

PS：.crt转.pem命令

openssl x509 -in mycert.crt -out mycert.pem -outform PEM

此时就生成下面的证书了

.
├── https-client.js
├── https-server.js
└── keys
    ├── ca.crt
    ├── ca.csr
    ├── ca.key
    ├── ca.pem
    ├── ca.srl
    ├── client.crt
    ├── client.csr
    ├── client.key
    ├── client.pem
    ├── server.crt
    ├── server.csr
    ├── server.key
    └── server.pem

（完）