QT+Nginx Openssl證書雙向認證
主要有以下幾點:
- 1.數字證書的生成
- 2.nginx證書的配置
- 3.Qt使用雙向認證
一、數字證書的生成
1.生成ca證書
生成ca祕鑰
建議用2048位密鑰,少於此可能會不安全或很快將不安全。
openssl genrsa -des3 -out ca.key 2048
這個命令會生成一個2048位的密鑰,同時有一個des3方法加密的密碼,如果你不想要每次都輸入密碼,可以改成:
#openssl genrsa -out privkey.pem 2048
導出ca證書
openssl rsa -in ca.key -out ca_decrypted.key
openssl req -new -subj "/C=CN/ST=shanghai/L=china/O=test/CN=www.test.com" -x509 -days 3650 -key ca.key -out ca.crt
2.生成服務端證書
openssl genrsa -des3 -out test.com.pem 1024
openssl rsa -in test.com.pem -out test.com.key
openssl req -new -subj "/C=CN/ST=shanghai/L=china/O=test/CN=www.test.com" -key test.com.pem -out test.com.csr
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in test.com.csr -out test.com.crt
3.生成客戶端證書
openssl genrsa -out client.pem 2048
openssl req -new -subj "/C=CN/ST=ShangHai/L=china/O=test/CN=www.test.com" -key client.pem -out client-req.csr
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt
openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12
二.nginx中配置
server {
listen 443;
server_name www.test.com;
ssl on; #開啓ssl
ssl_certificate /home/hadoop/ssl/test.com.crt; #服務器證書位置
ssl_certificate_key /home/hadoop/ssl/test.com.key; #服務器私鑰
ssl_client_certificate /home/hadoop/ssl/ca.crt; #CA證書用於驗證客戶端證書的合法性
ssl_verify_client on; #開啓對客戶端的驗證
ssl_session_timeout 5m; #session有效期,5分鐘
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; #加密算法
ssl_prefer_server_ciphers on;
...
}
3.Qt使用雙向認證
TestAuthentication.h
#ifndef TESTAUTHENTICATION_H
#define TESTAUTHENTICATION_H
#include <QObject>
#include <QNetworkAccessManager>
#include <QNetworkRequest>
#include <QNetworkReply>
#include <QEventLoop>
#include <QSslKey>
class TestAuthentication: public QObject
{
Q_OBJECT
public:
TestAuthentication(QObject*parent = 0);
~TestAuthentication();
void auth();
};
#endif // TESTAUTHENTICATION_H
TestAuthentication.cpp
#include "testauthentication.h"
TestAuthentication::TestAuthentication(QObject *parent) :
QObject(parent)
{
}
TestAuthentication::~TestAuthentication()
{
}
void TestAuthentication::auth()
{
QNetworkAccessManager manager;
QNetworkRequest request;
QSslConfiguration config;
QByteArray password="123456"; //生成客戶端證書時的密碼
QFile pkcs("D:\\ssl\\client.p12"); //生成的證書路徑
pkcs.open(QFile::ReadOnly);
QSslKey key;
QSslCertificate cert;
QList<QSslCertificate> certs;
bool import = QSslCertificate::importPkcs12(&pkcs,&key,&cert,&certs,password);
qDebug()<<import;
pkcs.close();
config.setPrivateKey(key);
config.setLocalCertificate(cert);
config.setProtocol(QSsl::TlsV1_2);
request.setSslConfiguration(config);
request.setUrl(QUrl("https://www.test.com"));
QNetworkReply *reply = manager.get(request);
QEventLoop loop;
connect(&manager,&QNetworkAccessManager::finished,&loop,&QEventLoop::quit);
loop.exec();
qDebug()<<reply->readAll();
}
#include "testauthentication.h"
#include <QApplication>
int main(int argc, char *argv[])
{
QApplication a(argc, argv);
TestAuthentication test;
test.auth();
return 0;
}
附件:
#!/bin/bash
SUBJECT="/C=CN/ST=shanghai/L=china/O=testServer/CN=www.test.com"
cd ~/
mkdir ssl
cd ssl
mkdir demoCA
cd demoCA
mkdir newcerts
mkdir private
touch index.txt
echo '01' > serial
cd ..
#openssl genrsa -des3 -out ca.key 2048
openssl genrsa -out ca.key 2048
openssl rsa -in ca.key -out ca_decrypted.key
openssl req -new -subj $SUBJECT -x509 -days 3650 -key ca.key -out ca.crt
#openssl genrsa -des3 -out test.com.pem 1024
openssl genrsa -out test.com.pem 1024
openssl rsa -in test.com.pem -out test.com.key
openssl req -new -subj $SUBJECT -key test.com.pem -out test.com.csr
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in test.com.csr -out test.com.crt
cat ca.crt >> test.com.crt
#openssl genrsa -des3 -out client.pem 2048
openssl genrsa -out client.pem 2048
SUBJECT="/C=CN/ST=ShangHai/L=china/O=testClient/CN=www.test.com"
openssl req -new -subj $SUBJECT -key client.pem -out client-req.csr
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt
openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12