Windows Server HTTPS CA certificate: create your own for free, and use the certificate on a WeChat Mini Program server

    Tech  2022-07-16

    I. Generate a CA certificate with OpenSSL

    1. Download the OpenSSL installer and source code, as shown in the figure: https://oomake.com/download/openssl

    2. Install Win64 OpenSSL v1.0.1j

    3. Extract the source

    Extract openssl-1.0.1j.tar.gz, locate the \openssl-1.0.1j\apps directory, and copy the demoCA directory and the openssl.cnf file into the bin directory of the OpenSSL installation (i.e. C:\OpenSSL-Win64\bin\).

    II. Generate certificates with OpenSSL:

    Run the following commands in order.

    (1) Generate the CA certificate

    1. Create the private key:

    D:\OpenSSL-Win64\bin>openssl genrsa -out ca/ca-key.pem 1024

    2. Create the certificate request:

    D:\OpenSSL-Win64\bin>openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem -config openssl.cnf

    -----

    Country Name (2 letter code) [AU]:CN

    State or Province Name (full name) [Some-State]:BJ

    Locality Name (eg, city) []:BJ

    Organization Name (eg, company) [Internet Widgits PtyLtd]:ple

    Organizational Unit Name (eg, section) []:live

    Common Name (eg, YOUR name) []:root

    Email Address []:

     

    Please enter the following 'extra' attributes

    to be sent with your certificate request

    A challenge password []:

    An optional company name []:

    3. Self-sign the certificate:

    D:\OpenSSL-Win64\bin>openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650

    4. Export the certificate to the browser-supported .p12 format:

    D:\OpenSSL-Win64\bin>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out ca/ca.p12

    Password: passca

    (2) Generate the server certificate

    1. Create the private key:

    D:\OpenSSL-Win64\bin>openssl genrsa -out server/server-key.pem 1024

    2. Create the certificate request:

    D:\OpenSSL-Win64\bin>openssl req -new -out server/server-req.csr -key server/server-key.pem -config openssl.cnf

    -----

    Country Name (2 letter code) [AU]:CN

    State or Province Name (full name) [Some-State]:BJ

    Locality Name (eg, city) []:BJ

    Organization Name (eg, company) [Internet Widgits PtyLtd]:ple

    Organizational Unit Name (eg, section) []:live

    Common Name (eg, YOUR name) []:localhost   Note: this must be the IP address of the machine the server runs on; this is a test on the local machine, so I entered localhost

    Email Address []:

     

    Please enter the following 'extra' attributes

    to be sent with your certificate request

    A challenge password []:

    An optional company name []:

    3. Sign the certificate with the CA:

    D:\OpenSSL-Win64\bin>openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

    4. Export the certificate to the browser-supported .p12 format:

    D:\OpenSSL-Win64\bin>openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12

    Password: passca

    (3) Generate the client certificate

    1. Create the private key:

    D:\OpenSSL-Win64\bin>openssl genrsa -out client/client-key.pem 1024

    2. Create the certificate request:

    D:\OpenSSL-Win64\bin>openssl req -new -out client/client-req.csr -key client/client-key.pem -config openssl.cnf

    -----

    Country Name (2 letter code) [AU]:CN

    State or Province Name (full name) [Some-State]:BJ

    Locality Name (eg, city) []:BJ

    Organization Name (eg, company) [Internet Widgits PtyLtd]:ple

    Organizational Unit Name (eg, section) []:live

    Common Name (eg, YOUR name) []:client

    Email Address []:

     

    Please enter the following 'extra' attributes

    to be sent with your certificate request

    A challenge password []:

    An optional company name []:

    3. Sign the certificate with the CA:

    D:\OpenSSL-Win64\bin>openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

    4. Export the certificate to the browser-supported .p12 format:

    D:\OpenSSL-Win64\bin>openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client_err.p12

    Password: passca

    5. Export the client certificate to the browser-supported .p12 format (for import into the browser):

    D:\OpenSSL-Win64\bin>openssl pkcs12 -export -clcerts -in ca/ca-cert.pem -inkey ca/ca-key.pem -out client/client.p12

    Password: passca

    (4) Generate a JKS file from the CA certificate

    D:\OpenSSL-Win64\bin>keytool -keystore D:/OpenSSL-Win64/bin/jks/truststore.jks -keypass 222222 -storepass 222222 -alias ca -import -trustcacerts -file D:/OpenSSL-Win64/bin/ca/ca-cert.pem
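    The CA and server steps of sections (1) and (2) again, as an added POSIX shell example that is not part of the original post: it signs the server certificate with the CA, gives it a Subject Alternative Name for the host name or IP address the post says to put in the Common Name, and checks the chain and the name before the PKCS#12 bundle is handed to Tomcat. The directory, subject fields and password are constructed samples; it assumes an `openssl` binary (1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example, not from the original post: rebuilds the CA -> server chain
# with constructed paths/subjects/password, then checks it before deployment.
# Assumes `openssl` 1.1 or newer on PATH. $1: scratch directory, $2: host.
set -e
make_chain() {
  dir="$1"; host="$2"
  mkdir -p "$dir/ca" "$dir/server"
  # Minimal req config, so nothing depends on a system openssl.cnf (the post
  # copies openssl.cnf next to openssl.exe for the same reason).
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = x\n' > "$dir/req.cnf"
  # CA: mark it explicitly as a CA; a v3 certificate without CA:TRUE is
  # rejected as an issuer by openssl verify and by browsers.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl genrsa -out "$dir/ca/ca-key.pem" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/ca/ca-key.pem" \
    -subj "/C=CN/ST=BJ/L=BJ/O=ple/OU=live/CN=root" -out "$dir/ca/ca-req.csr"
  openssl x509 -req -in "$dir/ca/ca-req.csr" -signkey "$dir/ca/ca-key.pem" \
    -extfile "$dir/ca.ext" -days 3650 -out "$dir/ca/ca-cert.pem" 2>/dev/null
  # Server: the post puts the server's IP (or host name) in the CN; browsers
  # match the Subject Alternative Name, so set that too, typed by input kind.
  case "$host" in
    *[!0-9.]*) san="DNS:$host" ;;   # a host name such as localhost
    *)         san="IP:$host" ;;    # a dotted IPv4 address
  esac
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$san" > "$dir/server.ext"
  openssl genrsa -out "$dir/server/server-key.pem" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/server/server-key.pem" \
    -subj "/C=CN/ST=BJ/L=BJ/O=ple/OU=live/CN=$host" -out "$dir/server/server-req.csr"
  # CA-signed: no -signkey here; in `x509 -req` it takes precedence over -CA
  # and would self-sign the server certificate instead.
  openssl x509 -req -in "$dir/server/server-req.csr" -CA "$dir/ca/ca-cert.pem" \
    -CAkey "$dir/ca/ca-key.pem" -CAcreateserial -extfile "$dir/server.ext" \
    -days 3650 -out "$dir/server/server-cert.pem" 2>/dev/null
  # PKCS#12 bundle for Tomcat's keystoreFile="server.p12" (sample password).
  openssl pkcs12 -export -in "$dir/server/server-cert.pem" \
    -inkey "$dir/server/server-key.pem" -passout pass:passca -out "$dir/server/server.p12"
}
# Pre-deployment checks: does the server cert chain to the CA, and does it
# name the host in its SAN? Prints "ok" and returns 0 on success.
check_chain() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/ca/ca-cert.pem" "$dir/server/server-cert.pem" >/dev/null \
    || { echo "chain-broken"; return 1; }
  openssl x509 -in "$dir/server/server-cert.pem" -noout -text \
    | grep -qE "(DNS|IP Address):$host" || { echo "name-missing"; return 1; }
  echo ok
}
```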

    (5) Configure Tomcat SSL

    Edit conf/server.xml as follows (XML):

    By default the <Connector port="8443"……/> element is commented out; remove the surrounding "<!-- -->", then adjust the element's attributes (the exact changes depend on the Tomcat version), and comment out the original connector on port 8080 or 80.

         

    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="server.p12" keystorePass="Qdgeng12345" keystoreType="PKCS12" truststoreFile="truststore.jks" truststorePass="222222" truststoreType="JKS" SSLCertificateFile="../bin/server-cert.pem" SSLCertificateKeyFile="../bin/server-key.pem"/>

    Four files are used here; each was produced in the earlier steps.

         server.p12 and truststore.jks must be placed in Tomcat's root directory (e.g. D:\application\tomcat).

         server-cert.pem and server-key.pem are by default placed in Tomcat's bin folder (e.g. D:\application\tomcat\bin).

       

    (6) Verify that the SSL configuration is correct

    Visit the system at http://localhost:8443/usm, as shown in the figure:

     

    (7) Import the certificates

    Import ca/ca.p12 and client/client.p12 into IE (open IE -> Internet Options -> Content -> Certificates).

    Import ca.p12 under Trusted Root Certification Authorities, and client.p12 under Personal.

     Visit the system again.

     

    Note: 1. The attentive reader will notice that the command generating client.p12 is the same as the one for ca.p12. In my tests, importing the client_err.p12 generated the normal way could not access the system, while importing ca.p12 worked; if anyone who understands this can help, please do.
