wamp下开启https双向验证
一. 开启apache的https访问
D:\wamp\bin\apache\apache2.4.9\conf\httpd.conf文件中
Include conf/extra/httpd-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
httpd.conf文件中Include conf/extra/httpd-ssl.conf
在httpd-ssl.conf里配置:
<VirtualHost *:443>
...
SSLEngine on
SSLCertificateFile "${SRVROOT}/conf/ssl/server-cert.pem"
#SSLCertificateChainFile /path/to/intermediate_certificate
SSLCertificateKeyFile "${SRVROOT}/conf/ssl/server-key.pem"
# Uncomment the following directive when using client certificate authentication
SSLCACertificateFile "${SRVROOT}/conf/ssl/ca-cert.pem" #ie客户端未提示选择证书
#SSLCARevocationFile "${SRVROOT}/conf/ssl/ca.crt" #ie客户端提示选择证书
#此块内容可以在客户端获取自己的信息
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars
...
</VirtualHost>
二:生成CA证书
目前不使用第三方权威机构的CA来认证,自己充当CA的角色。
1. 创建私钥 :
openssl genrsa -out D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem 1024
2.创建证书请求 :
openssl req -new -out D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -key D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem(如果出现:unable to load config info from /user/local/ssl/openssl.cnf
加上命令参数为:openssl req -config openssl.cnf -new -out D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -key D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem
openssl.cnf 为全路径,如果openssl.cnf与opensll.exe同目录下,则可写为:-config openssl.cnf )
openssl req -config openssl.cnf -new -out D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -key D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem)
----------
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:ca
Email Address []:ca@ca.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.自签署证书 :
openssl x509 -req -in D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -out D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -signkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -days 3650
4.将证书导出成浏览器支持的.p12格式 :
openssl pkcs12 -export -clcerts -in D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -inkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -out D:/wamp/Apache24/conf/demoCA/ca/ca.p12
密码:123456
5.复制ca-cert.pem 到 conf/ssl/ca-cert.pem
///备注
subject=/C=cn/ST=bj/L=bj/O=tb/OU=tb/CN=ca/emailAddress=ca@ca.com
三.生成server证书
1.创建私钥 :
openssl genrsa -out D:/wamp/Apache24/conf/demoCA/server/server-key.pem 1024
2.创建证书请求 :
openssl req -new -out D:/wamp/Apache24/conf/demoCA/server/server-req.csr -key D:/wamp/Apache24/conf/demoCA/server/server-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:localhost #此处一定要写服务器所在ip
Email Address []:server@server.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.自签署证书 :
openssl x509 -req -in D:/wamp/Apache24/conf/demoCA/server/server-req.csr -out D:/wamp/Apache24/conf/demoCA/server/server-cert.pem -signkey D:/wamp/Apache24/conf/demoCA/server/server-key.pem -CA D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -CAkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -CAcreateserial -days 3650
4.将证书导出成浏览器支持的.p12格式 :
openssl pkcs12 -export -clcerts -in D:/wamp/Apache24/conf/demoCA/server/server-cert.pem -inkey D:/wamp/Apache24/conf/demoCA/server/server-key.pem -out D:/wamp/Apache24/conf/demoCA/server/server.p12
密码:123456
5.复制server-cert.pem 到 conf/ssl/server-cert.pem;复制server-key.pem 到 conf/ssl/server-key.pem。
///备注
subject=/C=cn/ST=bj/L=bj/O=tb/OU=tb/CN=localhost/emailAddress=server@server.com
四.生成client证书(每个客户端需要制作不同的客户端证书,使用同一个CA来制作客户端证书)
1.创建私钥 :
openssl genrsa -out D:/wamp/Apache24/conf/demoCA/client/client-key.pem 1024
2.创建证书请求 :
openssl req -new -out D:/wamp/Apache24/conf/demoCA/client/client-req.csr -key D:/wamp/Apache24/conf/demoCA/client/client-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:dong(填写为客户端机器IP)
Email Address []:dong@dong.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.自签署证书 :
openssl x509 -req -in D:/wamp/Apache24/conf/demoCA/client/client-req.csr -out D:/wamp/Apache24/conf/demoCA/client/client-cert.pem -signkey D:/wamp/Apache24/conf/demoCA/client/client-key.pem -CA D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -CAkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -CAcreateserial -days 3650
4.将证书导出成浏览器支持的.p12格式 :
openssl pkcs12 -export -clcerts -in D:/wamp/Apache24/conf/demoCA/client/client-cert.pem -inkey D:/wamp/Apache24/conf/demoCA/client/client-key.pem -out D:/wamp/Apache24/conf/demoCA/client/client.p12
密码:123456
五、客户端导入将ca12,client12证书
IE中(打开IE->;Internet选项->内容->证书)
ca12导入至受信任的根证书颁发机构,client12导入至个人
Firefox中(工具-选项-高级-加密-查看证书-您的证书)
将ca12和client12均导入这里
浏览器敲入url测试(https://localhost/index.php),会弹出证书选择,验证通过后会打印出SSL_CLIENT_VERIFY等ssl信息。