wamp下开启https双向验证

最新推荐文章于 2019-05-01 10:35:00 发布

腾飞的鱼

最新推荐文章于 2019-05-01 10:35:00 发布

阅读量565

点赞数 1

分类专栏： php 环境搭建文章标签： ssl https apache 双向认证 php

本文链接：https://blog.csdn.net/everdayPHP/article/details/78666845

版权

php 同时被 2 个专栏收录

16 篇文章 0 订阅

订阅专栏

环境搭建

6 篇文章 0 订阅

订阅专栏

wamp下开启https双向验证

一. 开启apache的https访问

D:\wamp\bin\apache\apache2.4.9\conf\httpd.conf文件中
Include conf/extra/httpd-ssl.conf
LoadModule ssl_module modules/mod_ssl.so

httpd.conf文件中Include conf/extra/httpd-ssl.conf

在httpd-ssl.conf里配置：

<VirtualHost *:443>
    ...
    SSLEngine on
    SSLCertificateFile      "${SRVROOT}/conf/ssl/server-cert.pem"
    #SSLCertificateChainFile /path/to/intermediate_certificate
    SSLCertificateKeyFile   "${SRVROOT}/conf/ssl/server-key.pem"

    # Uncomment the following directive when using client certificate authentication
    SSLCACertificateFile   "${SRVROOT}/conf/ssl/ca-cert.pem" #ie客户端未提示选择证书
    #SSLCARevocationFile    "${SRVROOT}/conf/ssl/ca.crt" #ie客户端提示选择证书

    #此块内容可以在客户端获取自己的信息
    SSLVerifyClient require
    SSLVerifyDepth  10
    SSLOptions +StdEnvVars

    ...
</VirtualHost>

二：生成CA证书

目前不使用第三方权威机构的CA来认证，自己充当CA的角色。
1. 创建私钥：

openssl genrsa -out D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem 1024

2.创建证书请求：

openssl req -new -out D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -key D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem(如果出现：unable to load config info from /user/local/ssl/openssl.cnf
加上命令参数为：openssl req -config openssl.cnf -new -out D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -key D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem
openssl.cnf 为全路径，如果openssl.cnf与opensll.exe同目录下，则可写为：-config openssl.cnf ）
openssl req -config openssl.cnf -new -out D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -key D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem)
----------
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:ca
Email Address []:ca@ca.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.自签署证书：

openssl x509 -req -in D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -out D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -signkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -days 3650

4.将证书导出成浏览器支持的.p12格式：

openssl pkcs12 -export -clcerts -in D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -inkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -out D:/wamp/Apache24/conf/demoCA/ca/ca.p12

密码：123456
5.复制ca-cert.pem 到 conf/ssl/ca-cert.pem

///备注
subject=/C=cn/ST=bj/L=bj/O=tb/OU=tb/CN=ca/emailAddress=ca@ca.com

三.生成server证书
1.创建私钥：

openssl genrsa -out D:/wamp/Apache24/conf/demoCA/server/server-key.pem 1024

2.创建证书请求：

openssl req -new -out D:/wamp/Apache24/conf/demoCA/server/server-req.csr -key D:/wamp/Apache24/conf/demoCA/server/server-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:localhost   #此处一定要写服务器所在ip
Email Address []:server@server.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.自签署证书：

openssl x509 -req -in D:/wamp/Apache24/conf/demoCA/server/server-req.csr -out D:/wamp/Apache24/conf/demoCA/server/server-cert.pem -signkey D:/wamp/Apache24/conf/demoCA/server/server-key.pem -CA D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -CAkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -CAcreateserial -days 3650

4.将证书导出成浏览器支持的.p12格式：

openssl pkcs12 -export -clcerts -in D:/wamp/Apache24/conf/demoCA/server/server-cert.pem -inkey D:/wamp/Apache24/conf/demoCA/server/server-key.pem -out D:/wamp/Apache24/conf/demoCA/server/server.p12

密码：123456
5.复制server-cert.pem 到 conf/ssl/server-cert.pem；复制server-key.pem 到 conf/ssl/server-key.pem。

///备注
subject=/C=cn/ST=bj/L=bj/O=tb/OU=tb/CN=localhost/emailAddress=server@server.com

四.生成client证书(每个客户端需要制作不同的客户端证书,使用同一个CA来制作客户端证书)
1.创建私钥：

openssl genrsa -out D:/wamp/Apache24/conf/demoCA/client/client-key.pem 1024

2.创建证书请求：

openssl req -new -out D:/wamp/Apache24/conf/demoCA/client/client-req.csr -key D:/wamp/Apache24/conf/demoCA/client/client-key.pem
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:bj
Locality Name (eg, city) []:bj
Organization Name (eg, company) [Internet Widgits Pty Ltd]:tb
Organizational Unit Name (eg, section) []:tb
Common Name (eg, YOUR name) []:dong(填写为客户端机器IP)
Email Address []:dong@dong.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.自签署证书：

openssl x509 -req -in D:/wamp/Apache24/conf/demoCA/client/client-req.csr -out D:/wamp/Apache24/conf/demoCA/client/client-cert.pem -signkey D:/wamp/Apache24/conf/demoCA/client/client-key.pem -CA D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -CAkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -CAcreateserial -days 3650

4.将证书导出成浏览器支持的.p12格式：

openssl pkcs12 -export -clcerts -in D:/wamp/Apache24/conf/demoCA/client/client-cert.pem -inkey D:/wamp/Apache24/conf/demoCA/client/client-key.pem -out D:/wamp/Apache24/conf/demoCA/client/client.p12

密码：123456

五、客户端导入将ca12，client12证书

IE中（打开IE->;Internet选项->内容->证书）
ca12导入至受信任的根证书颁发机构，client12导入至个人
Firefox中（工具-选项-高级-加密-查看证书-您的证书）
将ca12和client12均导入这里

浏览器敲入url测试（https://localhost/index.php），会弹出证书选择，验证通过后会打印出SSL_CLIENT_VERIFY等ssl信息。

腾飞的鱼

关注

1
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
wamp下开启https双向验证

wamp下开启https双向验证一. 开启apache的https访问D:\wamp\bin\apache\apache2.4.9\conf\httpd.conf文件中 Include conf/extra/httpd-ssl.conf LoadModule ssl_module modules/mod_ssl.sohttpd.conf文件中Include conf/extra/httpd-ss
复制链接

扫一扫