QT+Nginx Openssl證書雙向認證

QT+Nginx Openssl證書雙向認證

主要有以下幾點:

  • 1.數字證書的生成
  • 2.nginx證書的配置
  • 3.Qt使用雙向認證

一、數字證書的生成

1.生成ca證書

生成ca私鑰


建議用2048位密鑰,少於此可能會不安全或很快將不安全。

# CA private key, 2048-bit RSA. -des3 encrypts the key file with a passphrase
# that openssl prompts for here and again every time ca.key is used below.
openssl genrsa -des3 -out ca.key 2048  


這個命令會生成一個2048位的密鑰,並用des3對私鑰加密(需要設置一個密碼);如果你不想每次使用時都輸入密碼,可以改成:

# Same generation without -des3: no passphrase prompt, but the key is then stored
# in plaintext and the file permissions are its only protection. Note the output
# name here is privkey.pem, not the ca.key used by the commands below.
#openssl genrsa -out privkey.pem 2048


導出ca證書

# Writes an unencrypted copy of the CA key (ca_decrypted.key). Nothing below
# uses it, so delete it or keep it readable only by whoever operates the CA.
openssl rsa -in ca.key -out ca_decrypted.key  
# Self-signed (-x509) root certificate, valid for ten years (-days 3650).
openssl req -new -subj "/C=CN/ST=shanghai/L=china/O=test/CN=www.test.com" -x509 -days 3650 -key ca.key -out ca.crt  

2.生成服務端證書

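# Server key: 2048 bits, in line with the recommendation given for the CA key
# above (the original used 1024, which is below current minimums).
openssl genrsa  -des3 -out test.com.pem 2048  
# Unencrypted copy for nginx; otherwise nginx prompts for the passphrase at startup.
openssl rsa -in test.com.pem -out test.com.key  
openssl req -new -subj "/C=CN/ST=shanghai/L=china/O=test/CN=www.test.com" -key test.com.pem -out test.com.csr  
# Sign with the CA. `openssl ca` (no -config) needs the default demoCA directory
# layout, which the script at the end of the page creates, and prompts for
# confirmation (-batch runs it unattended).
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in test.com.csr -out test.com.crt  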

3.生成客戶端證書

# Client key (unencrypted) and CSR. The subject differs from the server's
# (ST=ShangHai), which matters: by default `openssl ca` refuses to issue a
# second certificate for a subject already present in its index.
openssl genrsa -out client.pem 2048  
openssl req -new -subj "/C=CN/ST=ShangHai/L=china/O=test/CN=www.test.com" -key client.pem -out client-req.csr  
openssl ca -policy policy_anything -days 1460 -cert ca.crt  -keyfile ca.key -in client-req.csr -out client.crt  
# Bundle certificate + key as PKCS#12. -clcerts puts only the client certificate
# in the bundle (no CA chain). The export passphrase prompted here is the one
# the Qt client later passes to QSslCertificate::importPkcs12.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12  

二、nginx中配置

server {
    listen       443;
    server_name  www.test.com;

    ssl on;                                             # enable TLS (deprecated since nginx 1.15.0; prefer `listen 443 ssl`)  
    ssl_certificate  /home/hadoop/ssl/test.com.crt;    # server certificate; the attached script appends ca.crt to it so the chain is served  
    ssl_certificate_key /home/hadoop/ssl/test.com.key; # server private key (unencrypted copy)  
    ssl_client_certificate /home/hadoop/ssl/ca.crt;     # CA used to validate the certificate presented by the client  
    ssl_verify_client       on;                         # require a client certificate and verify it (mutual TLS)  
    ssl_session_timeout 5m;                             # session validity: 5 minutes  
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                # TLSv1/TLSv1.1 are deprecated (RFC 8996); the Qt client below only speaks TLSv1.2
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';       # cipher suites: ECDHE/DHE with AES-128, no anonymous suites  
    ssl_prefer_server_ciphers on;
    ...
}

三、Qt使用雙向認證

TestAuthentication.h

#ifndef TESTAUTHENTICATION_H
#define TESTAUTHENTICATION_H

#include <QObject>
#include <QNetworkAccessManager>
#include <QNetworkRequest>
#include <QNetworkReply>
#include <QEventLoop>
#include <QSslKey>


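// Minimal client that presents a certificate from a PKCS#12 bundle and
// performs one mutually-authenticated HTTPS GET against the test server.
class TestAuthentication: public QObject
{
    Q_OBJECT
public:
    // `explicit` keeps a stray QObject* from silently converting into a
    // TestAuthentication; the parent default is unchanged.
    explicit TestAuthentication(QObject*parent = 0);
    ~TestAuthentication();
    // Loads the client key/certificate, configures TLS client
    // authentication, issues a blocking GET and logs the reply via qDebug().
    void auth();
};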

#endif // TESTAUTHENTICATION_H

TestAuthentication.cpp


#include "testauthentication.h"

#include <QDebug>
#include <QFile>
#include <QSslCertificate>
#include <QSslConfiguration>
#include <QUrl>

// Only forwards the optional parent to QObject; there is no other state.
TestAuthentication::TestAuthentication(QObject *parent)
    : QObject(parent)
{
}

// Nothing to release explicitly.
TestAuthentication::~TestAuthentication()
{
}
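// Performs one mutually-authenticated HTTPS GET and logs the reply body.
// The client identity (private key + certificate) comes from the PKCS#12
// bundle produced by `openssl pkcs12 -export` earlier on this page.
// Failures (unreadable bundle, bad passphrase, transport error) are logged
// with qDebug() and the function returns without a request or with the
// error string; it never suppresses TLS verification errors.
void TestAuthentication::auth()
{
    QNetworkAccessManager manager;
    QNetworkRequest request;

    // Start from the default configuration rather than an empty one: an
    // empty QSslConfiguration may carry no CA list at all, in which case the
    // server certificate could never validate.  NOTE(review): the server
    // certificate on this page is signed by a private CA; unless that CA is
    // trusted by the system store, add it with config.setCaCertificates(...)
    // rather than working around a failed handshake with ignoreSslErrors().
    QSslConfiguration config = QSslConfiguration::defaultConfiguration();

    // Passphrase given to `openssl pkcs12 -export`. A credential embedded in
    // the binary is acceptable for a demo only, not for deployment.
    const QByteArray password = "123456";
    QFile pkcs("D:\\ssl\\client.p12");   // path of the exported client bundle
    if (!pkcs.open(QFile::ReadOnly)) {
        qDebug() << "cannot open" << pkcs.fileName() << pkcs.errorString();
        return;
    }

    QSslKey key;
    QSslCertificate cert;
    QList<QSslCertificate> certs;
    const bool imported = QSslCertificate::importPkcs12(&pkcs, &key, &cert, &certs, password);
    pkcs.close();
    qDebug() << imported;
    if (!imported || key.isNull() || cert.isNull()) {
        // Without a usable key/certificate the server (ssl_verify_client on)
        // would reject the handshake anyway; fail early with a clear message.
        qDebug() << "PKCS#12 import failed";
        return;
    }

    config.setPrivateKey(key);
    config.setLocalCertificate(cert);
    config.setProtocol(QSsl::TlsV1_2);   // the only non-deprecated entry in the nginx ssl_protocols list
    request.setSslConfiguration(config);
    request.setUrl(QUrl("https://www.test.com"));

    QNetworkReply *reply = manager.get(request);
    QEventLoop loop;
    // Block until the reply finishes; the manager emits finished() for
    // errors as well, so the loop always terminates.
    connect(&manager, &QNetworkAccessManager::finished, &loop, &QEventLoop::quit);
    loop.exec();

    if (reply->error() != QNetworkReply::NoError) {
        qDebug() << reply->errorString();
    }
    qDebug() << reply->readAll();
    reply->deleteLater();   // replies are not freed automatically
}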
#include "testauthentication.h"
#include <QApplication>

// Entry point: one QApplication (auth() drives Qt's event loop through a
// QEventLoop, so an application object must exist) and a single blocking
// auth() call; the process exits once the reply has been logged.
int main(int argc, char *argv[])
{
    QApplication app(argc, argv);
    TestAuthentication client;
    client.auth();
    return 0;
}

附件:


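#!/bin/bash
# Builds a throw-away PKI under ~/ssl: a self-signed CA, a server
# certificate for nginx and a client certificate exported as PKCS#12.
# Every private key is written unencrypted (the -des3 variants stay
# commented out), so the directory must be kept private.
set -eu   # stop at the first failing step instead of signing with missing inputs

SUBJECT="/C=CN/ST=shanghai/L=china/O=testServer/CN=www.test.com"
cd ~/
mkdir -p ssl
cd ssl
# `openssl ca` without -config expects the default demoCA layout:
# newcerts/, private/, an (initially empty) index.txt and a serial counter.
mkdir -p demoCA/newcerts demoCA/private
touch demoCA/index.txt
echo '01' > demoCA/serial

# --- CA -----------------------------------------------------------------
#openssl genrsa -des3 -out ca.key 2048
openssl genrsa -out ca.key 2048
# ca.key is already unencrypted, so this is only a copy; nothing below uses it.
openssl rsa -in ca.key -out ca_decrypted.key
# Self-signed root certificate, ten years.
openssl req -new -subj "$SUBJECT" -x509 -days 3650 -key ca.key -out ca.crt

# --- server -------------------------------------------------------------
#openssl genrsa -des3 -out test.com.pem 2048
# 2048 bits as recommended earlier on the page (the original 1024 is below current minimums).
openssl genrsa -out test.com.pem 2048
openssl rsa -in test.com.pem -out test.com.key
openssl req -new -subj "$SUBJECT" -key test.com.pem -out test.com.csr
# `openssl ca` prompts for confirmation; add -batch to run unattended.
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in test.com.csr -out test.com.crt
# Append the CA certificate so nginx serves the full chain.
cat ca.crt >> test.com.crt

# --- client -------------------------------------------------------------
#openssl genrsa -des3 -out client.pem 2048
openssl genrsa -out client.pem 2048
# Distinct O= from the server: by default `openssl ca` rejects a second
# certificate whose subject already appears in its index.
SUBJECT="/C=CN/ST=ShangHai/L=china/O=testClient/CN=www.test.com"
openssl req -new -subj "$SUBJECT" -key client.pem -out client-req.csr
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt
# -clcerts: only the client certificate goes into the bundle, no CA chain.
# The export passphrase prompted here is what the Qt client passes to importPkcs12.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12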