Win10使用OpenSSL生成证书的详细步骤(NodeJS Https服务器源码)

远程开启硬件权限，会用到SSL证书。

以下是Win10系统下用OpenSSL生成测试用证书的步骤。

Step 1. 下载OpenSSL,一般选择64位的MSI

Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions    

一路点下来，如果后续请你捐款，可以不选择。

win10下很可能的安装路径为: C:\Program Files\OpenSSL-Win64

Step 2. 将 C:\Program Files\OpenSSL-Win64\bin这个路径添加到系统环境变量中。

Step 3. 新建一个目录，例如我的: D:\dev\openssl\

新建一个文件夹是防止系统环境下有读写权限限制问题。

Step 4. 在这个目录下新建一个 openssl.cnf 文件保存为utf-8格式。

文件内容为:

#
# OpenSSL configuration file.
#

# Establish working directory.

dir                         = .

[ ca ]
default_ca                  = CA_default

[ CA_default ]
serial                      = $dir/serial
database                    = $dir/certindex.txt
new_certs_dir               = $dir/certs
certificate                 = $dir/cacert.pem
private_key                 = $dir/private/cakey.pem
default_days                = 365
default_md                  = md5
preserve                    = no
email_in_dn                 = no
nameopt                     = default_ca
certopt                     = default_ca
policy                      = policy_match

[ policy_match ]
countryName                 = match
stateOrProvinceName         = match
organizationName            = match
organizationalUnitName      = optional
commonName                  = supplied
emailAddress                = optional

[ req ]
default_bits                = 1024          # Size of keys
default_keyfile             = key.pem       # name of generated keys
default_md                  = md5               # message digest algorithm
string_mask                 = nombstr       # permitted characters
distinguished_name          = req_distinguished_name
req_extensions              = v3_req

[ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------    ----------------------------------
0.organizationName          = Organization Name (company)
organizationalUnitName      = Organizational Unit Name (department, division)
emailAddress                = Email Address
emailAddress_max            = 40
localityName                = Locality Name (city, district)
stateOrProvinceName         = State or Province Name (full name)
countryName                 = Country Name (2 letter code)
countryName_min             = 2
countryName_max             = 2
commonName                  = Common Name (hostname, IP, or your name)
commonName_max              = 64

# Default values for the above, for consistency and less typing.
# Variable name             Value
#------------------------     ------------------------------
0.organizationName_default  = My Company
localityName_default        = My Town
stateOrProvinceName_default = State or Providence
countryName_default         = US

[ v3_ca ]
basicConstraints            = CA:TRUE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always,issuer:always

[ v3_req ]
basicConstraints            = CA:FALSE
subjectKeyIdentifier        = hash

感谢: Unable to load config info from /usr/local/ssl/openssl.cnf on Windows - Stack Overflow

Step 5. 在新建的D:\dev\openssl\文件夹下，打开cmd窗口，设置openssl.cnf路径环境变量，命令如下:

set OPENSSL_CONF=D:\dev\openssl\openssl.cnf

如果没有正确指定这个环境变量，则会报如下错误:

Unable to load config info from /z/extlib/_openssl_/ssl/openssl.cnf

Step 6. 在命令行中创建privateKey.pem

openssl.exe genrsa -out privateKey.pem 4096

执行成功，打印如下:

Generating RSA private key, 4096 bit long modulus
..............................................................................................................................................++
............................................................................++
e is 65537 (0x10001)

感谢: openssl - Unable to load Private Key. (PEM routines:PEM_read_bio:no start line:pem_lib.c:648:Expecting: ANY PRIVATE KEY) - Stack Overflow

Step7. 生成证书，命令如下:

openssl.exe req -new -x509 -nodes -days 3600 -key privateKey.pem -out caKey.pem

会提示你输入组织名称，email地址，联系地址、所属国家等信息，正常输入就ok了。

如果没有正确生成 privateKey.pem或者找不到这个文件，则会报错：

req: Can't open "privateKey.key" for writing, Permission denied

Step 8. 恭喜，搞定。

Step 9. 在用NodeJS写一个简单的https Server试试。代码如下:

// server.js
const https = require('https');
const fs = require('fs');

const options = {
  key: fs.readFileSync('privateKey.pem'),
  cert: fs.readFileSync('caKey.pem')
};

const app = function (req, res) {
  res.writeHead(200);
  res.end("hello world\n");
}

https.createServer(options, app).listen(9000);

Step 10. 在浏览器中输入 https://localhost:9000/就能访问。如果是chrome浏览器，会提示这是不安全链接，需要你在当前页面里点击高级，然后选择继续访问。成功访问的话，会在页面中显示:

hello world

Step 11. 再来一个功能更丰富的Sever。

const https = require('https');
const fs = require('fs');
const path = require('path');

const options = {
  key: fs.readFileSync('privateKey.pem'),
  cert: fs.readFileSync('./caKey.pem')
};
var serverPort = 9100;
https.createServer(options, (req, res) => {
  const filePath = '.' + req.url;
  const extname = path.extname(filePath);
  let contentType = 'text/html';

  switch (extname) {
    case '.js':
      contentType = 'text/javascript';
      break;
    case '.css':
      contentType = 'text/css';
      break;
    case '.json':
      contentType = 'application/json';
      break;
    case '.png':
      contentType = 'image/png';
      break;
    case '.jpg':
      contentType = 'image/jpg';
      break;
    case '.wav':
      contentType = 'audio/wav';
      break;
  }

  fs.readFile(filePath, (error, content) => {
    if (error) {
      if (error.code == 'ENOENT') {
        fs.readFile('./404.html', (error, content) => {
          res.writeHead(200, { 'Content-Type': contentType });
          res.end(content, 'utf-8');
        });
      } else {
        res.writeHead(500);
        res.end('Sorry, check with the site admin for error: ' + error.code + ' ..\n');
        res.end();
      }
    } else {
      res.writeHead(200, { 'Content-Type': contentType });
      res.end(content, 'utf-8');
    }
  });

}).listen(serverPort);

console.log(`Server running at https://127.0.0.1:${serverPort}/`);