wamp下开启https双向验证

来源：互联网发布：淘宝app里面是h5吗编辑：程序博客网时间：2024/05/21 21:37

wamp下开启https双向验证

一. 开启apache的https访问

D:\wamp\bin\apache\apache2.4.9\conf\httpd.conf文件中
Include conf/extra/httpd-ssl.conf
LoadModule ssl_module modules/mod_ssl.so

httpd.conf文件中Include conf/extra/httpd-ssl.conf

在httpd-ssl.conf里配置：

<VirtualHost *:443>    ...    SSLEngine on    SSLCertificateFile      "${SRVROOT}/conf/ssl/server-cert.pem"    #SSLCertificateChainFile /path/to/intermediate_certificate    SSLCertificateKeyFile   "${SRVROOT}/conf/ssl/server-key.pem"    # Uncomment the following directive when using client certificate authentication    SSLCACertificateFile   "${SRVROOT}/conf/ssl/ca-cert.pem" #ie客户端未提示选择证书    #SSLCARevocationFile    "${SRVROOT}/conf/ssl/ca.crt" #ie客户端提示选择证书    #此块内容可以在客户端获取自己的信息    SSLVerifyClient require    SSLVerifyDepth  10    SSLOptions +StdEnvVars    ...</VirtualHost>

二：生成CA证书

目前不使用第三方权威机构的CA来认证，自己充当CA的角色。
1. 创建私钥：

openssl genrsa -out D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem 1024

2.创建证书请求：

openssl req -new -out D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -key D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem(如果出现：unable to load config info from /user/local/ssl/openssl.cnf加上命令参数为：openssl req -config openssl.cnf -new -out D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -key D:/wamp/Apache24/conf/demoCA/ca/ca-key.pemopenssl.cnf 为全路径，如果openssl.cnf与opensll.exe同目录下，则可写为：-config openssl.cnf ）openssl req -config openssl.cnf -new -out D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -key D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem)----------Country Name (2 letter code) [AU]:cnState or Province Name (full name) [Some-State]:bjLocality Name (eg, city) []:bjOrganization Name (eg, company) [Internet Widgits Pty Ltd]:tbOrganizational Unit Name (eg, section) []:tbCommon Name (eg, YOUR name) []:caEmail Address []:ca@ca.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:

3.自签署证书：

openssl x509 -req -in D:/wamp/Apache24/conf/demoCA/ca/ca-req.csr -out D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -signkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -days 3650

4.将证书导出成浏览器支持的.p12格式：

openssl pkcs12 -export -clcerts -in D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -inkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -out D:/wamp/Apache24/conf/demoCA/ca/ca.p12

密码：123456
5.复制ca-cert.pem 到 conf/ssl/ca-cert.pem

///备注
subject=/C=cn/ST=bj/L=bj/O=tb/OU=tb/CN=ca/emailAddress=ca@ca.com

三.生成server证书
1.创建私钥：

openssl genrsa -out D:/wamp/Apache24/conf/demoCA/server/server-key.pem 1024

2.创建证书请求：

openssl req -new -out D:/wamp/Apache24/conf/demoCA/server/server-req.csr -key D:/wamp/Apache24/conf/demoCA/server/server-key.pem-----Country Name (2 letter code) [AU]:cnState or Province Name (full name) [Some-State]:bjLocality Name (eg, city) []:bjOrganization Name (eg, company) [Internet Widgits Pty Ltd]:tbOrganizational Unit Name (eg, section) []:tbCommon Name (eg, YOUR name) []:localhost   #此处一定要写服务器所在ipEmail Address []:server@server.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:

3.自签署证书：

openssl x509 -req -in D:/wamp/Apache24/conf/demoCA/server/server-req.csr -out D:/wamp/Apache24/conf/demoCA/server/server-cert.pem -signkey D:/wamp/Apache24/conf/demoCA/server/server-key.pem -CA D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -CAkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -CAcreateserial -days 3650

4.将证书导出成浏览器支持的.p12格式：

openssl pkcs12 -export -clcerts -in D:/wamp/Apache24/conf/demoCA/server/server-cert.pem -inkey D:/wamp/Apache24/conf/demoCA/server/server-key.pem -out D:/wamp/Apache24/conf/demoCA/server/server.p12

密码：123456
5.复制server-cert.pem 到 conf/ssl/server-cert.pem；复制server-key.pem 到 conf/ssl/server-key.pem。

///备注
subject=/C=cn/ST=bj/L=bj/O=tb/OU=tb/CN=localhost/emailAddress=server@server.com

四.生成client证书(每个客户端需要制作不同的客户端证书,使用同一个CA来制作客户端证书)
1.创建私钥：

openssl genrsa -out D:/wamp/Apache24/conf/demoCA/client/client-key.pem 1024

2.创建证书请求：

openssl req -new -out D:/wamp/Apache24/conf/demoCA/client/client-req.csr -key D:/wamp/Apache24/conf/demoCA/client/client-key.pem-----Country Name (2 letter code) [AU]:cnState or Province Name (full name) [Some-State]:bjLocality Name (eg, city) []:bjOrganization Name (eg, company) [Internet Widgits Pty Ltd]:tbOrganizational Unit Name (eg, section) []:tbCommon Name (eg, YOUR name) []:dong(填写为客户端机器IP)Email Address []:dong@dong.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:

3.自签署证书：

openssl x509 -req -in D:/wamp/Apache24/conf/demoCA/client/client-req.csr -out D:/wamp/Apache24/conf/demoCA/client/client-cert.pem -signkey D:/wamp/Apache24/conf/demoCA/client/client-key.pem -CA D:/wamp/Apache24/conf/demoCA/ca/ca-cert.pem -CAkey D:/wamp/Apache24/conf/demoCA/ca/ca-key.pem -CAcreateserial -days 3650

4.将证书导出成浏览器支持的.p12格式：

openssl pkcs12 -export -clcerts -in D:/wamp/Apache24/conf/demoCA/client/client-cert.pem -inkey D:/wamp/Apache24/conf/demoCA/client/client-key.pem -out D:/wamp/Apache24/conf/demoCA/client/client.p12

密码：123456

五、客户端导入将ca12，client12证书

IE中（打开IE->;Internet选项->内容->证书）
ca12导入至受信任的根证书颁发机构，client12导入至个人
Firefox中（工具-选项-高级-加密-查看证书-您的证书）
将ca12和client12均导入这里

浏览器敲入url测试（https://localhost/index.php），会弹出证书选择，验证通过后会打印出SSL_CLIENT_VERIFY等ssl信息。

阅读全文

1 0