-
Notifications
You must be signed in to change notification settings - Fork 362
WeDemo生成密钥与自签名证书指南
cs-jeason edited this page Dec 20, 2016
·
2 revisions
##目录
##生成RSA密钥对
在本例中,我们将生成一个 2048 位 RSA 密钥对。较短的密钥不足以抵御暴力猜测攻击,如 1024 位。 更长的密钥则有点过度,例如 4096 位。长远来看,随着计算机处理 成本变得更便宜,密钥长度会增加。目前 2048 是最佳长度。
用于生成 RSA 密钥对的命令为:
openssl genrsa -out rsa_private.key 2048
openssl rsa -in rsa_private.key -out rsa_public.key -pubout这将在当前目录下生成私钥文件rsa_private.key和公钥文件rsa_public.key。
##生成自签名证书
这里我们提供了一个脚本供开发者生成自签名的证书,开发者可以根据自己的信息修改脚本,然后在服务器上运行即可。
#!/bin/sh
printf "[req]
default_bits = 4096
default_md = sha256
prompt = no
encrypt_key = no
string_mask = utf8only
distinguished_name = cert_distinguished_name
req_extensions = req_x509v3_extensions
#将下面的信息替换成你的信息
[ cert_distinguished_name ]
C = CN
ST = GD
L = GZ
O = Tencent
OU = WXG
CN = wechatauthdemo.com
[req_x509v3_extensions]
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
keyUsage = critical,digitalSignature,keyCertSign,cRLSign #,keyEncipherment
extendedKeyUsage = critical,serverAuth #, clientAuth
subjectAltName=@alt_names
#将下面的信息替换成你的信息
[alt_names]
DNS.1 = *.wechatauthdemo.com
DNS.2 = *.api.wechatauthdemo.com
DNS.3 = wechatauthdemo.com
">ca_cert.conf
#将下面的信息替换成你的信息
key_file=wechatauthdemo.com.key
tmp_cert_file=tmp_wechatauthdemo.com.crt
csr_file=wechatauthdemo.com.csr
cert_file=wechatauthdemo.com.crt
#openssl genrsa -out $key_file 2048
openssl ecparam -out $key_file -name prime256v1 -genkey
openssl req -new -sha256 -x509 -days 7300 -config ca_cert.conf -extensions req_x509v3_extensions -key $key_file -out $cert_file
openssl x509 -in $cert_file -serial -noout
openssl verify -verbose -CAfile $cert_file $cert_file
exit
#keytool -printcert -v -file $cert_file
openssl s_server -cert $cert_file -key $key_file -CAfile $cert_file -Verify 3 -accept 4430 -www &
pid=$$
#将下面的信息替换成你的信息
echo 'GET /HTTP/1.1'|openssl s_client -connect www.wechatauthdemo.com:4430 -cert $cert_file -key $key_file -CAfile $cert_file
kill $$##服务器配置 为了能让你的自签名证书能与服务器配合使用,我们也提供了脚本供开发者修改使用:
###Nginx
#
# HTTPS server configuration
#
server {
listen 443;
server_name wechatauthdemo.com;
ssl on;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/nginx/conf.d/wechatauthdemo.com.crt;
ssl_certificate_key /etc/nginx/conf.d/wechatauthdemo.com.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets on;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# generate you own using cmd:
# "openssl dhparam -out /etc/nginx/conf.d/dhparam_2048.pem 2048"
ssl_dhparam /etc/nginx/conf.d/dhparam_2048.pem;
# modern configuration. tweak to your needs.
# generate using tool https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
location / {
root /usr/share/nginx/www/;
index index.html index.htm;
}
location ~ .*\.(php|php5)$
{
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fcgi.conf;
root /usr/share/nginx/www;
}
}