java go nginx android https 单向 双向认证

最新推荐文章于 2023-05-15 14:31:08 发布
最新推荐文章于 2023-05-15 14:31:08 发布
阅读量1k 收藏
点赞数
分类专栏: android
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/zhangguangtao1207/article/details/82819863
版权

闲聊

验证服务端证书 如果是花钱购买的 最好验证 如果不是 要跳过验证服务端证书
nginx 配置双向验证 中 server 可以和 根证书没有关系 可以使用两个ca 证书

#自己生成 证书 丢给权威机构认证
openssl genrsa -des3 -out jesonc.key 2048
openssl req -new -key jesonc.key -out jesonc.csr

#自己认证 使用下面的方式 nginx 会有保护吗
openssl x509 -req -days 3650 -in jesonc.csr -signkey jesonc.key -out jesonc.crt
#去掉保护码
openssl rsa -in jesonc.key -out jesonc_onpas.key
openssl req -new -key jesonc_onpas.key -out  jesonc.csr
openssl x509 -req -days 3650 -in  jesonc.csr -signkey jesonc_onpas.key  -out jesonc.crt
#一步到位
openssl genrsa -des3 -out jesonc.key 2048
openssl req -days 3650  -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out jesonc.crt

使用一个ca 签发 服务端 和客户端

#生成ca 证书
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
#server 端
openssl genrsa -out server.pem 2048
openssl rsa -in server.pem -out server.key
openssl req -new -key server.pem -out server.csr
#生成签发
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt

#client端
openssl genrsa -out client.pem 2048
openssl rsa -in client.pem -out client.key
#生成签发请求
openssl req -new -key client.pem -out client.csr
openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crt
openssl pkcs12 -export -clcerts -in ./client.crt -inkey ./client.key -out ./client.p12
keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore client.jks
openssl x509 -in ca.crt -out ca.cer -outform der

使用不同的ca证书

服务端 shell 脚本

openssl genrsa -des3 -out server.key 2048
openssl req -days 3650  -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt

配置客户端shell 脚本

# 双向认证 client ca 签发
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -out client.pem 2048
openssl rsa -in client.pem -out client.key
#生成签发请求
openssl req -new -key client.pem -out client.csr
openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crt
openssl pkcs12 -export -clcerts -in ./client.crt -inkey ./client.key -out ./client.p12
keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore client.jks
openssl x509 -in ca.crt -out ca.cer -outform der

ngxin https 单向认证配置

server {        
	server_name localhost;
	listen 8899;
	ssl on;
	ssl_certificate                 ca-demo5/server.crt;
	ssl_certificate_key             ca-demo5/server.key;
	location / {
			root html;
			index index.html index.htm;
	}
}

ngxin https 双向认证配置

server {        
	server_name localhost;
	listen 8899;
	ssl on;

	ssl_certificate                 ca-demo5/server.crt;
	ssl_certificate_key             ca-demo5/server.key;

	ssl_client_certificate          ca-demo5/ca.crt;
	ssl_verify_client               on;
	location / {
			root html;
			index index.html index.htm;
	}
}

java 端https 单向 双向 认证代码

//  跳过验证服务端证书
 private static final class DefaultTrustManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
    }

//双向认证
public static  SSLSocketFactory getSSLSocketFactory()
        {
            / /验证服务端ca证书 如果是花钱购买的 最好验证 如果不是 要跳过验证服务端证书
            String path1 = "D:\\openresty-1.13.6.2-win64\\conf\\ca-demo5\\ca.cer";

            try
            {
                InputStream certificates[] = {new FileInputStream(path1)};
                CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
                KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
                keyStore.load(null);
                int index = 0;
                for (InputStream certificate : certificates)
                {
                    String certificateAlias = Integer.toString(index++);
                    keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));

                    try
                    {
                        if (certificate != null)
                            certificate.close();
                    } catch (IOException e)
                    {
                    }
                }

                String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
                SSLContext sslContext = SSLContext.getInstance("TLS");
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.
                        getInstance(defaultAlgorithm);
                trustManagerFactory.init(keyStore);

                //初始化keystore
                KeyStore clientKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());

                String path = "D:\\openresty-1.13.6.2-win64\\conf\\ca-demo5\\client.jks";
                InputStream in = new FileInputStream(path);
               // 123456 是 jks 密码
                clientKeyStore.load(in, "123456".toCharArray());

                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                //demo 是原密码 
                keyManagerFactory.init(clientKeyStore, "demo".toCharArray());

              //  sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());


                sslContext.init(keyManagerFactory.getKeyManagers(), new TrustManager[] { new DefaultTrustManager() }, new SecureRandom());


                //sslContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());

                SSLSocketFactory socketFactory = sslContext.getSocketFactory();

                return socketFactory;

            } catch (Exception e)
            {
                e.printStackTrace();
            }

            return null;
        }

private static HttpsURLConnection getHttpsURLConnection(String uri, String method) throws IOException {
        /*
        //单向认证
        SSLContext ctx = null;
        try {
            ctx = SSLContext.getInstance("TLS");
            ctx.init(new KeyManager[0], new TrustManager[] { new DefaultTrustManager() }, new SecureRandom());
        } catch (KeyManagementException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        }
        SSLSocketFactory ssf = ctx.getSocketFactory();
        */
        //这里使用双向认证
        SSLSocketFactory ssf = getSSLSocketFactory();

        URL url = new URL(uri);
        HttpsURLConnection httpsConn = (HttpsURLConnection) url.openConnection();
        httpsConn.setSSLSocketFactory(ssf);
        httpsConn.setHostnameVerifier(new HostnameVerifier() {
            @Override
            public boolean verify(String arg0, SSLSession arg1) {
                return true;
            }
        });
        httpsConn.setRequestMethod(method);
        httpsConn.setDoInput(true);
        httpsConn.setDoOutput(true);
        return httpsConn;
    }

golang 中实现双向认证

func main() {
	basePath := "D:\\openresty-1.13.6.2-win64\\conf\\ca-demo5"
	rootCa:=basePath+"\\ca.crt"
	client_crt:=basePath + "\\client.crt"
	client_key:=basePath + "\\client.key"
	pool := x509.NewCertPool()
	addTrust(pool, rootCa) //添加信任的证书,最好是服务端对应的根证书

	 cliCrt, err := tls.LoadX509KeyPair(client_crt, client_key)
	 if err != nil {
		 fmt.Println("Loadx509keypair err:", err)
		 return
		 }

	 tr := &http.Transport{
		 TLSClientConfig: &tls.Config{
		 RootCAs: pool,
		 Certificates: []tls.Certificate{cliCrt},
		 InsecureSkipVerify: true, //跳过验证服务端证书
		 },
		 }
	 client := &http.Client{Transport: tr}
	 //resp, err := client.Get("https://SZ:8008/") //此处必须使用域名或者host内的别名
	resp, err := client.Get("https://localhost:8899/") //此处必须使用域名或者host内的别名
	 if err != nil {
		 fmt.Println("Get error:", err)
		 return
		 }
	 defer resp.Body.Close()
	 body, err := ioutil.ReadAll(resp.Body)
	 fmt.Println(string(body))
}

func addTrust(pool *x509.CertPool, path string) {
	 aCrt, err := ioutil.ReadFile(path)
	 if err != nil {
		 fmt.Println("ReadFile err:", err)
		 return
		 }
	 pool.AppendCertsFromPEM(aCrt)
}

android 配置https 双向认证

https 证书配置 bks
工具下载
Download portecle-1.9.zip (3.4 MB)

使用okhttp 来访问

 public void http()throws Exception{
       // p12 转过来的 bks 
        InputStream in = getAssets().open("client.bks");
        //信任的证书  最后不加入
        InputStream in2 = getAssets().open("ca.cer");
        InputStream[] certificates = {in2};
        // SslSocketFactory 工具
        HttpsUtils.SSLParams demo = HttpsUtils.getSslSocketFactory(null, in, "demo");

        OkHttpClient client = new OkHttpClient.Builder()
               // 添加 主机名 验证 或者会报错
                .hostnameVerifier(new HostnameVerifier() {
                    @Override
                    public boolean verify(String hostname, SSLSession session){
                        return true;
                    }
                })
                //重点
         .sslSocketFactory(demo.sSLSocketFactory,demo.trustManager).build();
        String url = "https://192.168.1.103:8899/";
        Request request = new Request.Builder().url(url).build();

        client.newCall(request).enqueue(new Callback() {
            @Override
            public void onFailure(Call call, IOException e) {
                Log.e(TAG2, "onFailure: " +e.toString());
                runOnUiThread(new Runnable() {
                    @Override
                    public void run() {
                        Toast.makeText(MainActivity.this, "onFailure", Toast.LENGTH_SHORT).show();
                    }
                });
            }
            @Override
            public void onResponse(Call call, Response response) throws IOException {
                runOnUiThread(new Runnable() {
                    @Override
                    public void run() {
                        Toast.makeText(MainActivity.this, "成功", Toast.LENGTH_SHORT).show();
                    }
                });
            }
        });
    }

HttpsUtils 工具类

package demo.zgt.com.myapplication.demo;

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Created by zhy on 15/12/14.
 */
public class HttpsUtils
{
    public static class SSLParams
    {
        public SSLSocketFactory sSLSocketFactory;
        public X509TrustManager trustManager;
    }

    public static SSLParams getSslSocketFactory(InputStream[] certificates, InputStream bksFile, String password)
    {
        SSLParams sslParams = new SSLParams();
        try
        {
            TrustManager[] trustManagers = prepareTrustManager(certificates);
            KeyManager[] keyManagers = prepareKeyManager(bksFile, password);
            SSLContext sslContext = SSLContext.getInstance("TLS");
            X509TrustManager trustManager = null;
            if (trustManagers != null)
            {
                trustManager = new MyTrustManager(chooseTrustManager(trustManagers));
            } else
            {
                trustManager = new UnSafeTrustManager();
            }
            sslContext.init(keyManagers, new TrustManager[]{trustManager},null);
            sslParams.sSLSocketFactory = sslContext.getSocketFactory();
            sslParams.trustManager = trustManager;
            return sslParams;
        } catch (NoSuchAlgorithmException e)
        {
            throw new AssertionError(e);
        } catch (KeyManagementException e)
        {
            throw new AssertionError(e);
        } catch (KeyStoreException e)
        {
            throw new AssertionError(e);
        }
    }

    private class UnSafeHostnameVerifier implements HostnameVerifier
    {
        @Override
        public boolean verify(String hostname, SSLSession session)
        {
            return true;
        }
    }

    private static class UnSafeTrustManager implements X509TrustManager
    {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException
        {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException
        {
        }

        @Override
        public X509Certificate[] getAcceptedIssuers()
        {
            return new java.security.cert.X509Certificate[]{};
            //return null;
        }
    }

    private static TrustManager[] prepareTrustManager(InputStream... certificates)
    {
        if (certificates == null || certificates.length <= 0) return null;
        try
        {

            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null);
            int index = 0;
            for (InputStream certificate : certificates)
            {
                String certificateAlias = Integer.toString(index++);
                keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));
                try
                {
                    if (certificate != null)
                        certificate.close();
                } catch (IOException e)

                {
                }
            }
            TrustManagerFactory trustManagerFactory = null;

            trustManagerFactory = TrustManagerFactory.
                    getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);

            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

            return trustManagers;
        } catch (NoSuchAlgorithmException e)
        {
            e.printStackTrace();
        } catch (CertificateException e)
        {
            e.printStackTrace();
        } catch (KeyStoreException e)
        {
            e.printStackTrace();
        } catch (Exception e)
        {
            e.printStackTrace();
        }
        return null;

    }

    private static KeyManager[] prepareKeyManager(InputStream bksFile, String password)
    {
        try
        {
            if (bksFile == null || password == null) return null;

            KeyStore clientKeyStore = KeyStore.getInstance("BKS");
            clientKeyStore.load(bksFile, password.toCharArray());
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(clientKeyStore, password.toCharArray());
            return keyManagerFactory.getKeyManagers();

        } catch (KeyStoreException e)
        {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e)
        {
            e.printStackTrace();
        } catch (UnrecoverableKeyException e)
        {
            e.printStackTrace();
        } catch (CertificateException e)
        {
            e.printStackTrace();
        } catch (IOException e)
        {
            e.printStackTrace();
        } catch (Exception e)
        {
            e.printStackTrace();
        }
        return null;
    }

    private static X509TrustManager chooseTrustManager(TrustManager[] trustManagers)
    {
        for (TrustManager trustManager : trustManagers)
        {
            if (trustManager instanceof X509TrustManager)
            {
                return (X509TrustManager) trustManager;
            }
        }
        return null;
    }


    private static class MyTrustManager implements X509TrustManager
    {
        private X509TrustManager defaultTrustManager;
        private X509TrustManager localTrustManager;

        public MyTrustManager(X509TrustManager localTrustManager) throws NoSuchAlgorithmException, KeyStoreException
        {
            TrustManagerFactory var4 = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            var4.init((KeyStore) null);
            defaultTrustManager = chooseTrustManager(var4.getTrustManagers());
            this.localTrustManager = localTrustManager;
        }


        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
        {

        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
        {
            try
            {
                defaultTrustManager.checkServerTrusted(chain, authType);
            } catch (CertificateException ce)
            {
                localTrustManager.checkServerTrusted(chain, authType);
            }
        }


        @Override
        public X509Certificate[] getAcceptedIssuers()
        {
            return new X509Certificate[0];
        }
    }
}

如何失败了可以试试下面的方法

#生成CA 证书
openssl genrsa -des3 -out cakey.pem 2048
openssl req -new -x509 -days 3650 -key cakey.pem -out ca.crt

#生成service 认证
openssl genrsa -out server.key
openssl req -new -key server.key -out server.csr
openssl ca -in server.csr -cert ca.crt -keyfile cakey.pem -out server.crt -days 3650

#生成client 认证
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -cert ca.crt -keyfile cakey.pem -out client.crt -config "/etc/ssl/openssl.cnf"
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12


#不同ca service 认证
openssl genrsa -des3 -out server.key 2048
openssl req -days 3650  -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt

/etc/ssl/openssl.cnf 文件内容


#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME			= .
RANDFILE		= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file		= $ENV::HOME/.oid
oid_section		= new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions		= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca	= CA_default		# The default ca section

####################################################################
[ CA_default ]

dir		= /etc/pki/CA		# Where everything is kept
certs		= $dir/certs		# Where the issued certs are kept
crl_dir		= $dir/crl		# Where the issued crl are kept
database	= $dir/index.txt	# database index file.
#unique_subject	= no			# Set to 'no' to allow creation of
					# several ctificates with same subject.
new_certs_dir	= $dir/newcerts		# default place for new certs.

certificate	= $dir/cacert.pem 	# The CA certificate
serial		= $dir/serial 		# The current serial number
crlnumber	= $dir/crlnumber	# the current crl number
					# must be commented out to leave a V1 CRL
crl		= $dir/crl.pem 		# The current CRL
private_key	= $dir/private/cakey.pem# The private key
RANDFILE	= $dir/private/.rand	# private random number file

x509_extensions	= usr_cert		# The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt 	= ca_default		# Subject Name options
cert_opt 	= ca_default		# Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions	= crl_ext

default_days	= 3650			# how long to certify for
default_crl_days= 30			# how long before next CRL
default_md	= sha256		# use SHA-256 by default
preserve	= no			# keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy		= policy_match

# For the CA policy
[ policy_match ]
countryName		= match
stateOrProvinceName	= match
organizationName	= match
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName		= optional
stateOrProvinceName	= optional
localityName		= optional
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

####################################################################
[ req ]
default_bits		= 2048
default_md		= sha256
default_keyfile 	= privkey.pem
distinguished_name	= req_distinguished_name
attributes		= req_attributes
x509_extensions	= v3_ca	# The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName			= Country Name (2 letter code)
countryName_default		= XX
countryName_min			= 2
countryName_max			= 2

stateOrProvinceName		= State or Province Name (full name)
#stateOrProvinceName_default	= Default Province

localityName			= Locality Name (eg, city)
localityName_default		= Default City

0.organizationName		= Organization Name (eg, company)
0.organizationName_default	= Default Company Ltd

# we can do this but it is not needed normally :-)
#1.organizationName		= Second Organization Name (eg, company)
#1.organizationName_default	= World Wide Web Pty Ltd

organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

commonName			= Common Name (eg, your name or your server\'s hostname)
commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64

# SET-ex3			= SET extension number 3

[ req_attributes ]
challengePassword		= A challenge password
challengePassword_min		= 4
challengePassword_max		= 20

unstructuredName		= An optional company name

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType			= server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment			= "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1	# the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir		= ./demoCA		# TSA root directory
serial		= $dir/tsaserial	# The current serial number (mandatory)
crypto_device	= builtin		# OpenSSL engine to use for signing
signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
					# (optional)
certs		= $dir/cacert.pem	# Certificate chain to include in reply
					# (optional)
signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)

default_policy	= tsa_policy1		# Policy if request did not specify it
					# (optional)
other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
clock_precision_digits  = 0	# number of digits after dot. (optional)
ordering		= yes	# Is ordering defined for timestamps?
				# (optional, default: no)
tsa_name		= yes	# Must the TSA name be included in the reply?
				# (optional, default: no)
ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
				# (optional, default: no)
张广涛
关注
专栏目录
HTTPS-Linux服务器Nginx配置、Android客户端证书生成
Marvin
05-29 6908
实现HTTPS通信:          Server端在WEB服务器Nginx 上配置Https连接,接收Https连接请求,实现Https协议。 安卓客户端加载可信证书,BKS格式证书。该证书从服务器端证书导出来。   (一)       Linux服务器端配置步骤 #号表示命令引导符 1. 首先确保机器上安装了openssl和openssl-devel   #yum insta
2022年Java 工程师面试题
weixin_42572320的博客
03-03 2551
第 1 页 共 485 页 目录 1、什么是 Mybatis?............................................................................... 33 2、Mybaits 的优点:............................................................................... 33 3、MyBatis 框架的缺点:.............................
android 开启Https单向认证
raykwok1150的博客
12-04 2584
android 开启Https单项认证,有两种方法:第一种方法是将根证书内置到系统中:Android管理根证书的方式比较简单,将证书放入指定位置编译系统即可,证书的具体路径是:lei@lei-pc:~/code/mstar/1/libcore/luni/src/main/files/cacerts$ ls 00673b5b.0 124bbd54.0 21855f49.0 399e7759.0
AndroidHttps数据传输单向认证
Cricket_7的博客
05-03 774
单项认证:当客户端传输数据的时候,使用公钥加密,当数据传输到服务器端时,使用私钥进行解析,这样就算拿到客户端传输的数据,没有私钥也没有办法解析数据。 把公钥存放在本地 添加网络权限 <uses-permission android:name="android.permission.INTERNET"/> 客户端进行单项认证 private void c...
AndroidHttps请求单向验证
anig2014的专栏
07-20 995
最近公司将所有的接口请求方式改为了Https,所以在这记录分享一下。 一、Https有什么优势和劣势。 优势:       1、使用HTTPS协议可认证用户和服务器,确保数据发送到正确的客户机和服务器; 2、HTTPS协议是由SSL+HTTP协议构建的可进行加密传输、身份认证的网络协议,要比http协议安全,可防止数据在传输过程中不被窃取、改变,确保数据的完整性。 3、HTTP
Androidhttps请求的单向认证双向认证
anshi4203351518的博客
06-28 466
转载:http://blog.csdn.net/u011394071/article/details/52880062一、HTTPS 单向认证1. 给服务器生成密钥[html]view plaincopykeytool-genkeypair-aliasskxy-keyalgRSA-validity3650-keypass123456-storepass123...
Java开发常见专业术语
weixin_42408447的博客
05-10 1万+
1.脚本 脚本(Script),是使用一种特定的描述性语言,依据一定的格式编写的可执行文件。 2.http协议 HTTP协议,即超文本传输协议(Hyper text transfer protocol)。是一种详细规定了浏览器和万维网(WWW = World Wide Web)服务器之间互相通信的规则,通过因特网传送万维网文档的数据传送协议。 3.B/S结构和C/S结构 B/S(Browser/Server):指浏览器和服务器架构。 C/S(Client/Server):指客户端和服务器架构 4.报文 报文
亿级IM系统
tulingxueyuanXM的博客
04-06 931
本文将在亿级消息量、分布式IM系统这个技术前提下,分析和总结实现这套系统所需要掌握的知识点,内容没有高深的技术概念,尽量做到新手老手皆能读懂。 本文不会给出一套通用的IM方案,也不会评判某种架构的好坏,而是讨论设计IM系统的常见难题跟业界的解决方案。 因为也没有所谓的通用IM架构方案,不同的解决方案都各有其优缺点,只有最满足业务的系统才是一个好的系统。 在人力、物力、时间资源有限的前提下,通常需要做出很多权衡,此时,一个能够支持快速迭代、方便扩展的IM系统才是最优解。 IM常见术语 用户:.
JavaEE知识体系
热门推荐
yuh2012的博客
07-11 2万+
1 1.文件上传下载 1.1 文件上传 1.1.1 文件上传的作用 例如网络硬盘!就是用来上传下载文件的。 在智联招聘上填写一个完整的简历还需要上传照片呢。 1.1.2 文件上传对页面的要求 1.必须使用表单,而不能是超链接; 2.表单的method必须是POST,而不能是GET; 3.表单的enctype必须是multipart/form-data; 4.在表单中添加file表
PHP 面试知识点整理归纳
PHP学习日志——地雷
09-05 1万+
全文已整理补充完毕,以后还会继续更新文章里面的错误,以及补充尚不完善的问题。 该篇文章是针对Github上wudi/PHP-Interview-Best-Practices-in-China资源的答案个人整理 lz也是初学者,以下知识点均为自己整理且保持不断更新,也希望各路大神多多指点,若发现错误或有补充,可直接comment,lz时刻关注着。 由于内容比较多,没有直接目录,请自行对照 Gi...
linux nginx双向认证服务搭建
02-13
linux nginx双向认证服务搭建tomcat ssl 步骤
Android+Nginx一步步配置https单向/双向认证请求
Dream Fly的专栏
09-26 2331
  最近想实现一个旧项目https的防抓包功能,重新学习并且配置了下https相关通信知识,参考了不少文章,有些文章比较旧不全或者有误,走了不少弯路和坑,所以整理出来方便自己巩固以及供大家参考,指出不足或者有误之处互相学习。   本文的服务端环境: Debian 9.8 Nginx 原创文章,欢迎转载,转载请注明:ifish.site 作者:JaydenZhou 一、需要的前置知识点   本文...
android nginx https,nginx配置httpsAndroid客户端访问自签名证书
weixin_36417642的博客
05-27 283
前一篇随笔通过keytool生成keystore并为tomcat配置https,这篇随笔记录如何给nginx配置https。如果nginx已配置https,则tomcat就不需要再配置https了。通过以下三步生成自签名证书# 生成一个key,你的私钥,openssl会提示你输入一个密码,可以输入,也可以不输,# 输入的话,以后每次使用这个key的时候都要输入密码,安全起见,还是应该有一个密码保护...
golang与java通过自建ca证书进行https双向验证通讯
kidoo1012的博客
04-19 3174
原创文章,转发请注明出处java的keytool、单向验证https等网上有很多教程,这里不再讲述,本篇文章着重讲述:1、go如何使用openssl生产的证书(crt文件)建立https服务器与客户端进行双向验证2、go如何与javahttps服务进行通讯生成证书:第一步、生成根证书:opensslgenrsa -out ca.key 2048 opensslreq -x509 -new -n...
android单向认证双向认证
倒骑驴走着瞧的博客
03-14 1036
客户端校验服务端需要使用cer证书 服务端校验客户端证书: SSLHelper import java.io.IOException; import java.io.InputStream; import java.security.KeyManagementException; import java.security.KeyStore; import java.security.KeyStor...
(转)为 Ingress-nginx 配置双向认证(mtls)
最新发布
senlin1202的博客
05-15 898
这种格式可以保存证书和私钥,有时我们也把PEM 格式的私钥的后缀改为 .key 以区别证书与私钥。相信 tls 大家都比较熟悉,就是 server 端提供一个授信证书,当我们使用 https 协议访问server端时,client 会向 server 端索取证书认证(浏览器会与自己的授信域匹配或弹出不安全的页面)。Java Key Storage,很容易知道这是 JAVA 的专属格式,利用 JAVA 的一个叫 keytool 的工具可以进行格式转换。这就说明服务端认为我们是不可信的,因为没有携带证书
nginx中配置ssl双向认证详解
远玖的博客
11-16 8281
nginx中配置ssl双向认证详解 需求说明:公司内部一些业务系统对安全性要求比较高,例如mis、bi等,这些业务系统只允许公司内部人员访问,而且要求浏览器要安装证书登录,对公司入职有需求的人员开通证书,流失的人员注销证书。 一、首先修改openssl配置的参数  ##没安装openssl需要先安装 vim  /etc/pki/tls/openssl.cnf #下面只列出配置文件中和自建C
openresty配置ssl证书
TechTrek
05-22 5273
1.安装openresty与openssl安装参考 2.证书生成 创建服务器私钥,命令会让你输入一个口令: openssl genrsa -des3 -out ca.key 1024 创建签名请求的证书(CSR): openssl req -new -key ca.key -out ca.csr 在加载SSL支持的Nginx并使用上述私钥时除去必须的口令: cp ca.key ca.k
Linux环境下Nginx与Tomcat的SSL双向认证配置
"Linux Nginx 双向认证服务搭建步骤涉及了Linux系统管理、Nginx服务器配置以及Java环境的安装。" 在搭建Linux Nginx双向认证服务时,首要任务是确保系统的Java开发环境已经正确配置。这通常涉及到安装Java ...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值