Openssl CA证书生成以及双向认证，及windows系统证书批量导出，android cer转bks

Openssl CA证书生成以及双向认证

首先本文主要参照这篇文章写的
http://h2appy.blog.51cto.com/609721/1181234

只是途中有些问题折腾了一下，比如openssl.cnf如何来的，这个文件在编译完openssl后，应该openssl根目录下/apps/demoCA有个，可以把他拷贝到openssl.exe同一级目录
里面有些目录配置，自己可以修改下，但是我没有修改，所以最后生成的文件路径必须按openssl.cnf里面来，至于如何编译openssl 请参考我的另一篇文章

开始生成证书,需要提前做一些准备，生成一些特定目录，这些目录和openssl.cnf里面配置要求一致，在demoCA目录下，还需要建立一个index.txt,index.txt.attr空文件，以及serial文件，serial文件里面写00
注意每次输入下一步命令前，如果index.txt serial文件内容发生改变，请把index.txt中的内容清空，serial重置为00,否则后续命令中会报错(比如报数据库更新错误,此时依然会产生证书，但是c++代码加载证书时却会报错)

打开openssl.cnf文件，可以看到其中的一些目录结构要求

serial文件内容图

cmd进入openssl.exe所在目录下，依次输入以下命令(证书名字可以自己调整,输入过程中需要输入一些信息，如国家，省，市，主机名，邮件，密码等，请尽量保持一致) 例如我的主机名就写127.0.0.1 可以检验证书域名，代码在客户端给出
https://www.cnblogs.com/littleatp/p/5878763.html

产生CA自签名证书
openssl.exe genrsa -out ca.key -des 2048
openssl.exe req -new -x509 -days 3650 -key ca.key -out ca.crt -subj “/C=US/ST=JS/L=NJ/O=wjr/OU=dev/CN=wjr.com”
openssl.exe x509 -in ca.crt -noout -text
//测试/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=wjr.com

产生server的证书过程
openssl.exe genrsa -out server.key 1024
openssl.exe req -new -key server.key -out server.csr -subj “/C=US/ST=JS/L=NJ/O=wjr/OU=dev/CN=wjr.com”
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -passin pass:123456 -CAcreateserial -out server.crt
openssl.exe x509 -in server.crt -noout -text

产生proxy的证书过程
openssl.exe genrsa -out private\proxy.key 1024
openssl.exe req -new -key private\proxy.key -out newcerts\proxy.csr -config openssl.cnf
openssl.exe ca -in newcerts\proxy.csr -cert private\ca.crt -keyfile private\ca.key -config openssl.cnf -policy policy_anything -out certs\proxy.crt
openssl.exe x509 -in certs\proxy.crt -noout -text

产生client的证书过程
openssl.exe genrsa -out private\client.key 1024
openssl.exe req -new -key private\client.key -out newcerts\client.csr -config openssl.cnf
openssl.exe ca -in newcerts\client.csr -cert private\ca.crt -keyfile private\ca.key -config openssl.cnf -policy policy_anything -out certs\client.crt
openssl.exe x509 -in certs\client.crt -noout -text

整个过程结束后

ca.crt为自签名证书；
server.crt，server.key为服务器端的证书和私钥文件；
proxy.crt，proxy.key为代理服务器端的证书和私钥文件；
client.crt，client.key为客户端的证书和私钥文件。

代码块

服务端测试代码，我做了点修改

//server  
#include <winsock2.h>  
#include <conio.h>  
#include <stdio.h>  
#include <winsock.h>  
#include "openssl/x509.h"  
#include "openssl/ssl.h"  
#include "openssl/err.h" 
 
#define MSGLENGTH      1024  
#define PORT           8443  
#define CACERT         "ca.crt"  
#define SVRCERTF       "server.crt"  
#define SVRKEYF        "server.key" 
 
int main()  
{  
    WSADATA wsaData;  
    WSAStartup(MAKEWORD(2,2), &wsaData);  
    SOCKET sock;  
    SSL_METHOD *meth;  
    SSL_CTX* ctx;  
    SSL* ssl;  
    //SSL初始化  
    OpenSSL_add_ssl_algorithms();  
    //SSL错误信息初始化  
    SSL_load_error_strings(); 
 
    //创建本次会话所使用的协议  
    meth = TLSv1_server_method();  
    //申请SSL会话的环境  
    ctx = SSL_CTX_new(meth);  
    if (NULL == ctx)  
        exit(1); 
 
   //设置会话的握手方式并加载CA证书  
	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
	SSL_CTX_load_verify_locations(ctx, "D:\\usr\\local\\ssl\\bin\\private\\ca.crt", NULL);
	//加载服务器端的证书  
	if (0 == SSL_CTX_use_certificate_file(ctx, "D:\\usr\\local\\ssl\\bin\\certs\\server.crt", SSL_FILETYPE_PEM)) 
	{
		ERR_print_errors_fp(stderr);
		exit(1);
	}
	//加载服务器端的私钥  
	if (0 == SSL_CTX_use_PrivateKey_file(ctx, "D:\\usr\\local\\ssl\\bin\\private\\server.key", SSL_FILETYPE_PEM))
	{
		ERR_print_errors_fp(stderr);
		exit(1);
	}
	//检查服务器端的证书和私钥是否匹配  
	if (!SSL_CTX_check_private_key(ctx)) {
		printf("Private key does not match the certificate public key\n");
		exit(1);
	}
 
    //加密方式  
    SSL_CTX_set_cipher_list(ctx, "RC4-MD5");  
    //处理握手多次  
    SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY); 
 
    /*以下是正常的TCP socket建立过程 .............................. */  
    printf("Begin tcp socket...\n");  
    sock = socket(AF_INET, SOCK_STREAM, 0);  
    if (sock == INVALID_SOCKET) {  
        printf("SOCKET有问题. \n");  
        return 0;  
    } 
 
    sockaddr_in addr;  
    memset(&addr, '\0', sizeof(addr));  
    addr.sin_family = AF_INET;  
    addr.sin_port = htons(PORT); /* Server Port number */  
    addr.sin_addr.s_addr = INADDR_ANY; 
 
    //绑定sock  
    int nResult = bind(sock, (sockaddr *)&addr, sizeof(addr));  
    if (nResult == SOCKET_ERROR) {  
        printf("绑定SOCKET有问题. \n");  
        return 0;  
    }  
    printf("服务器启动成功,端口:%d\n正在等待连接\n", PORT); 
 
    /*接受TCP链接*/  
    sockaddr_in sa_cli;  
    int err = listen(sock, 5);  
    if (-1 == err)  
        exit(1);  
    int client_len = sizeof(sa_cli);  
    int ss = accept(sock, (struct sockaddr *) &sa_cli, &client_len);  
    if (ss == -1) {  
        exit(1);  
    }  
    closesocket(sock);  
    printf("Connection from %d, port %d\n", sa_cli.sin_addr.s_addr, sa_cli.sin_port); 
 
    /* TCP 链接已建立.开始 SSL 握手过程.......................... */  
    //绑定套接字  
    ssl = SSL_new(ctx);  
    if (NULL == ssl)  
        exit(1);  
    if (0 == SSL_set_fd(ssl, ss)) {  
        printf("Attach to Line fail!\n");  
        exit(1);  
    }  
    //SSL握手  
    //SSL_accept(ssl);  
    int k = SSL_accept(ssl);  
    if (0 == k) {  
        printf("%d\n", k);  
        printf("SSL connect fail!\n");  
        exit(1);  
    }  
    //进行信息验证  
    X509 *client_cert;  
    client_cert = SSL_get_peer_certificate(ssl); 
 
    printf("发现客户端尝试连接\n");  
    if (client_cert != NULL) {  
        printf ("Client certificate:\n"); 
 
		int rv = SSL_get_verify_result(ssl);
		if (rv != X509_V_OK)
		{
			printf("认证出错!\n");
			exit(1);
		}
        //读取证书subject名并显示  
        char *str = X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0);  
        if (NULL == str) {  
            printf("认证出错!\n");  
            exit(1);  
        }  
        printf("subject: %s\n", str);  
        //读取证书的issuer名并显示  
        str = X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0);  
        if (NULL == str) {  
            printf("证书名为空\n");  
            exit(1);  
        }  
        printf("issuer: %s\n", str);  
        printf("连接成功\n"); 
 
        X509_free (client_cert);/*如不再需要,需将证书释放 */  
        OPENSSL_free(str);  
    }  
    else {  
        printf("找不到客户端的认证证书\n");  
        exit(1);  
    } 
 
    char buf[MSGLENGTH];  
    SSL_write(ssl, "Server is connect to you!\n", strlen("Server is connect to you!\n"));  
    printf("Listen to the client: \n");  
    while (1) {  
        err = SSL_read(ssl, buf, sizeof(buf));  
        if(err == -1)
	        break;
        buf[err] = '\0';  
        printf("%s\n", buf);  
    } 
 
    //关闭套接字  
    SSL_shutdown(ssl);  
    SSL_free(ssl);  
    SSL_CTX_free(ctx);  
    WSACleanup();  
    getch();  
    return 0;  
} 

客户端测试代码，我做了点修改

//client  
#include <winsock2.h>  
#include <conio.h>  
#include <stdio.h>  
#include "openssl/x509.h"  
#include "openssl/ssl.h"  
#include "openssl/err.h"  
#include "openssl/rand.h" 
 
#define PORT       8443  
#define SERVER     "127.0.0.1"  
#define CACERT     "D:\\usr\\local\\ssl\\bin\\private\\ca.crt"  
#define MYCERTF    "D:\\usr\\local\\ssl\\bin\\certs\\client.crt"  
#define MYKEYF     "D:\\usr\\local\\ssl\\bin\\private\\client.key"  
#define MSGLENGTH  1024 
 
int GetSrvCert(SSL * ssl, X509 ** pCert)
{
	int rv = -1;
	if (ssl == NULL)
	{
		return rv;
	}
	rv = SSL_get_verify_result(ssl);
	*pCert = SSL_get_peer_certificate(ssl);
	return rv;
}

//验证证书的合法性
int VerifyCert(X509 * pCert, const char * hostname)
{
	char commonName[512] = { 0 };
	X509_name_st * name = NULL;

	if (pCert == NULL || hostname == NULL)
	{
		return -1;
	}
	//获取commonName
	name = X509_get_subject_name(pCert);
	X509_NAME_get_text_by_NID(name, NID_commonName, commonName, 512);
	fprintf(stderr, "VerifyCert - Common Name on certificate: %s\n", commonName);
	if (strcmp(commonName, hostname) == 0)
	{
		printf("证书主机名%s\n", commonName);
		return 1;
	}
	else
	{
		return 0;
	}
}

int main()  
{  
   WSADATA wsadata;
	WSAStartup(MAKEWORD(2, 2), &wsadata);
	sockaddr_in sin;
	int seed_int[100]; /*存放随机序列*/

	SSL*ssl;
	const SSL_METHOD *meth;
	SSL_CTX *ctx;

	//SSL初始化  
	OpenSSL_add_ssl_algorithms();
	//SSL错误信息初始化  
	SSL_load_error_strings();

	//创建本次会话所使用的协议  
	meth = TLSv1_client_method();
	//申请SSL会话的环境  
	ctx = SSL_CTX_new(meth);
	if (NULL == ctx)
		exit(1);

	SSL_CTX_set_default_passwd_cb(ctx, pem_password_cb1);
	//SSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)"555555");
	//设置会话的握手方式并加载CA证书  
	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
	SSL_CTX_load_verify_locations(ctx, CACERT, NULL);
	//加载自己的证书  
	if (0 == SSL_CTX_use_certificate_file(ctx, MYCERTF, SSL_FILETYPE_PEM)) {
		ERR_print_errors_fp(stderr);
		exit(1);
	}
	//加载自己的私钥  
	if (0 == SSL_CTX_use_PrivateKey_file(ctx, MYKEYF, SSL_FILETYPE_PEM)) {
		ERR_print_errors_fp(stderr);
		exit(1);
	}

	

	//检查自己的证书和私钥是否匹配  
	if (!SSL_CTX_check_private_key(ctx)) {
		printf("Private key does not match the certificate public key\n");
		exit(1);
	}

	

	/*构建随机数生成机制,WIN32平台必需*/
	srand((unsigned)time(NULL));
	for (int i = 0; i < 100; i++)
		seed_int[i] = rand();
	RAND_seed(seed_int, sizeof(seed_int));

	//加密方式  
	SSL_CTX_set_cipher_list(ctx, "RC4-MD5");
	//处理握手多次  
	SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);

	/*以下是正常的TCP socket建立过程 .............................. */
	SOCKET sock;
	printf("Begin tcp socket...\n");
	sock = socket(AF_INET, SOCK_STREAM, 0);
	if (sock == INVALID_SOCKET) {
		printf("SOCKET有问题. \n");
	}

	memset(&sin, '\0', sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = inet_addr(SERVER); /* Server IP */
	sin.sin_port = htons(PORT); /* Server Port number */

	int icnn = connect(sock, (sockaddr *)&sin, sizeof(sin));
	if (icnn == SOCKET_ERROR) {
		printf("连不上服务器\n", GetLastError());
		exit(1);
	}

	/* TCP 链接已建立.开始 SSL 握手过程.......................... */
	//绑定套接字  
	ssl = SSL_new(ctx);
	if (NULL == ssl)
		exit(1);
	if (0 >= SSL_set_fd(ssl, sock)) {
		printf("Attach to Line fail!\n");
		exit(1);
	}
	//SSL握手  
	//SSL_connect(ssl);  
	int k = SSL_connect(ssl);
	if (0 == k) {
		printf("%d\n", k);
		printf("SSL connect fail!\n");
		exit(1);
	}
	printf("连接服务器成功\n");

	fprintf(stderr, "Retrieving peer certificate\n");
	//获取服务器证书

	X509* pCert = NULL;
	if (GetSrvCert(ssl, &pCert) != X509_V_OK)
	{
		if (SSL_get_verify_result(ssl) != X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
		{
			fprintf(stderr, "Certificate verification error: %i\n", SSL_get_verify_result(ssl));			
			SSL_CTX_free(ctx);
			return 0;
		}
		else
		{
			fprintf(stderr, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY\n");
		}
	}


	//校验服务器证书
	fprintf(stderr, "Validating peer certificate\n");
	if (!VerifyCert(pCert, "127.0.0.1"))
	{
		fprintf(stderr, "Hostname and Common Name do not match\n");
		
		SSL_CTX_free(ctx);
		return 0;
	}

	char sendmsg[MSGLENGTH] = "\0";
	char revmsg[MSGLENGTH] = "\0";

	int err = SSL_read(ssl, revmsg, sizeof(revmsg));
	revmsg[err] = '\0';
	printf("%s\n", revmsg);

	while (1) {
		printf("请输入所要发送的数据:\n");
		scanf("%s", sendmsg);
		SSL_write(ssl, sendmsg, strlen(sendmsg));
		printf("发送消息“ %s ”成功！\n", sendmsg);
	}

	//关闭套接字  
	SSL_shutdown(ssl);
	SSL_free(ssl);
	SSL_CTX_free(ctx);
	closesocket(sock);
	WSACleanup();	
	return 0;
} 

#系统内置证书问题
现在有个问题，当访问百度，支付宝，银联的时候，浏览器是内置证书，怎么获取批量获取这些证书呢？
在cmd中输入certmgr.msc

选择受信任的根证书颁发机构，全选，点邮件，所有任务，导出

输入密码

就生成一个pfx文件，现在只要用openssl转成cer文件就可以了,命令
openssl pkcs12 -nodes -nokeys -in 11.pfx -out 1.cer -passin pass:123456
在程序中使用SSL_CTX_load_verify_locations 预先加载这个1.cer文件就可以了

#Android BKS证书
Android加载bks格式证书，Ios/Pc加载cer格式证书，一般而言，生成cer格式比较常见，因此需要进行cer转bks操作，操作步骤如下：

首先要下载特定版本的JCE Provider包
http://www.bouncycastle.org/download/bcprov-jdk15on-146.jar
或者
http://pan.baidu.com/s/1c1ur13y

转换命令说明：
keytool -importcert -v -trustcacerts -alias 位置1
-file 位置2
-keystore 位置3 -storetype BKS
-providerclass org.bouncycastle.jce.provider.BouncyCastleProvider
-providerpath 位置4 -storepass 位置5

位置1:是个随便取的别名
位置2:cer或crt证书的全地址
位置3:生成后bks文件的位置,建议写全地址
位置4:上面下载JCE Provider包的位置
位置5:生成后证书的密码

转换完整示例
keytool -importcert -v -trustcacerts -alias my12306 -file C:\Users\Administrator\Desktop\证书\srca.cer -keystore C:\Users\Administrator\Desktop\证书\srca.bks -storetype BKS -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath C:\Users\Administrator\Desktop\证书\bcprov-jdk15on-146.jar -storepass 123456

其他参考文献
http://stackoverflow.com/questions/2256950/openssl-ignore-self-signed-certificate-error
http://www.ibm.com/developerworks/cn/linux/l-openssl.html
http://www.zhihu.com/question/25847151
http://blog.csdn.net/jun55xiu/article/details/8980812
http://blog.sina.com.cn/s/blog_4c451e0e010143v3.html
http://blog.csdn.net/jinhill/article/details/6960874
http://blog.csdn.net/xiexievv/article/details/44494599
http://h2appy.blog.51cto.com/609721/1181234
http://blog.chinaunix.net/uid-12707183-id-2919172.html
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_load_verify_locations.html 只能是pem
http://www.360doc.com/content/14/1210/17/18924983_431836560.shtml
http://blog.csdn.net/yi_zz32/article/details/50097325
http://blog.csdn.net/jinhill/article/details/6960874
http://kyfxbl.iteye.com/blog/1910891
http://zctya.blog.163.com/blog/static/1209178201251310292958/
http://www.cnblogs.com/dvking/archive/2010/01/09/2368719.html
http://zctya.blog.163.com/blog/static/1209178201251310292958/
http://h2appy.blog.51cto.com/609721/1181234
http://www.oschina.net/question/565065_81274