Using a self-signed certificate


Question

I am just trying to get my head around SSL.

I have set up a Jetty server on my localhost, and generated my own certificate using Keytool.

Now when I go to https://localhost:8443/ I get the "can't trust this certificate" error.

I used

keytool -export -alias pongus -keystore keystore -file certfile.cer

To create the certificate which I think is what the client needs to authenticate with the server. (This is where I could be very wrong!)

I have the following Ruby code:

require 'net/https'
require 'openssl'

require 'open-uri'

puts 'yay' if File.exist?('certfile.cer')   # File.exists? was removed in Ruby 3.2

uri = URI.parse("https://localhost:8443/")
http_session = Net::HTTP.new(uri.host, uri.port)
http_session.use_ssl = true
# VERIFY_PEER: abort the handshake unless the server cert chains to a trusted CA
http_session.verify_mode = OpenSSL::SSL::VERIFY_PEER
# trust anchor; OpenSSL reads this file as PEM (keytool -export writes DER unless -rfc is given)
http_session.ca_file = 'certfile.cer'
res = http_session.start do |http|
  # do some requests here
  http.get('/')
end

This does print 'yay', so the certfile.cer file does exist.

But I get the error:

/Applications/NetBeans/NetBeans 6.8.app/Contents/Resources/NetBeans/ruby2/jruby-1.4.0/lib/ruby/1.8/net/http.rb:586 warning: can't set verify locations
/Applications/NetBeans/NetBeans 6.8.app/Contents/Resources/NetBeans/ruby2/jruby-1.4.0/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)

Any ideas what I am doing wrong?

EDIT

I want to get it so I guarantee that I am connecting to the right server, and the server can guarantee that it is me connecting to it, without any tampering in between. I am developing both the server and the client.

Answer

Your client needs access to its private key.

You don't need the private key for server certificate verification. All you need is the certificate itself, which contains the public key. Only the server has the private key. Well described here http://www.helpbytes.co.uk/https.php and here http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/

My recommendation is simple. Check your certificate is correct.

openssl x509 -text -in mycert.crt

Also, if you have access to the server you can explicitly validate that the certificate and key (used in the httpd configuration) are correct (match): http://kb.wisc.edu/middleware/page.php?id=4064 Please note this is an explicit check run on the server. Never give out the private key. This check can be done only by the administrator, to verify that httpd was not misconfigured.

(openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
   openssl rsa -noout -modulus -in server.key | openssl md5) | uniq

You can also debug the SSL certificate communication using the standard openssl command. Issue this command, then wait a few seconds, then type QUIT and hit Enter. You will see the certificate the server sends out.

openssl s_client -connect your.server.com:443

Also try importing the certificate into your browser and accessing the URL resource. The browser is able to validate it; by clicking on the https indicator (Firefox and Chrome) you will then see the certificate itself and the validity information.

All the above was about the server certificate. This is only one part of the problem. "I am connecting to the right server, and the server can guarantee that it is me connecting to it" Actually, in your code above you only check the server cert. Now, if you want a client certificate (the second part of your statement) then you need this in Ruby:

# Read the PEM files outside a block: a variable first assigned inside a block
# is local to that block, so cert/key would be undefined after the block ends.
cert = File.read("client_certificate.pem")
key  = File.read("client_key.pem")
http_session.cert = OpenSSL::X509::Certificate.new(cert)
http_session.key = OpenSSL::PKey::RSA.new(key, nil)   # second argument: passphrase

This is how a client cert should be used in Ruby. If your private key is encrypted with a password, just pass it instead of nil in the second argument of the RSA constructor.

I highly recommend getting the server certificate working (your code) first and then starting with the client certificate. Please note you keep your current code (ca_cert, validation constant) and add the above four lines to it.

Hope this helps.
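The whole picture the answer describes, as an added example that is not part of the question or the answer: a private CA, a server certificate and a client certificate are constructed in memory, a tiny HTTPS server on 127.0.0.1 demands a client certificate, and the question's Net::HTTP client (VERIFY_PEER plus ca_file) is run three ways so the failure modes can be compared: correct CA file and client cert, no ca_file (the system trust store does not know the private CA, which is the question's "certificate verify failed"), and no client cert (the server rejects the handshake). It also carries the answer's cert/key match check in Ruby, generalized from the RSA modulus comparison to comparing the whole encoded public key. All names (issue_cert, start_https_server, https_get, run_demo, the subjects and the port chosen by the OS) are this example's own, and the CA file is written as PEM, which is what OpenSSL's ca_file loader reads; keytool -export writes DER unless -rfc is given, which is one cause of the "can't set verify locations" warning in the question.

```ruby
require 'openssl'
require 'socket'
require 'net/http'
require 'tempfile'

# Issue an X.509 v3 certificate signed by issuer_key. Without an issuer the
# certificate is self-signed, which is how the private CA itself is made.
def issue_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Does this private key belong to this certificate? The answer's openssl modulus
# check covers RSA only; comparing the whole encoded public key also catches a
# differing exponent and needs no md5 step.
def cert_matches_key?(cert, key)
  cert.public_key.to_der == key.public_key.to_der
end

# Minimal HTTPS server answering every request with "hello". With
# require_client_cert it refuses peers whose certificate does not chain to ca_cert.
def start_https_server(server_cert, server_key, ca_cert, require_client_cert: false)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = server_cert
  ctx.key = server_key
  if require_client_cert
    store = OpenSSL::X509::Store.new
    store.add_cert(ca_cert)
    ctx.cert_store = store
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  end
  tcp = TCPServer.new('127.0.0.1', 0)                  # port 0: let the OS pick one
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    until tcp.closed?
      begin
        conn = ssl.accept                               # raises if the handshake fails
        loop { l = conn.gets; break if l.nil? || l == "\r\n" }   # skip request headers
        conn.print "HTTP/1.1 200 OK\r\nContent-Length: 5\r\nConnection: close\r\n\r\nhello"
        conn.close
      rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
        # rejected or vanished peer; keep serving the next one
      end
    end
  end
  [tcp.addr[1], -> { thread.kill; thread.join; ssl.close }]
end

# The client from the question: VERIFY_PEER plus ca_file (PEM path of the CA),
# optionally presenting a client certificate and key. Returns a tagged result
# instead of raising so the outcomes can be compared side by side.
def https_get(port, ca_file: nil, cert: nil, key: nil)
  http = Net::HTTP.new('127.0.0.1', port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file if ca_file   # nil => system trust store, which does not hold our CA
  http.cert = cert
  http.key = key
  [:ok, http.start { |h| h.get('/').body }]
rescue OpenSSL::SSL::SSLError, IOError, SystemCallError => e
  [:error, e.class.name]
end

# Constructed material: a private CA, a server cert for localhost/127.0.0.1 and
# a client cert, all generated here at run time.
def run_demo
  ca_key, srv_key, cli_key = Array.new(3) { OpenSSL::PKey::RSA.generate(2048) }
  ca  = issue_cert('/CN=Demo Private CA', ca_key, 1, ca: true)
  srv = issue_cert('/CN=localhost', srv_key, 2, issuer_cert: ca, issuer_key: ca_key,
                   san: 'DNS:localhost,IP:127.0.0.1')
  cli = issue_cert('/CN=demo-client', cli_key, 3, issuer_cert: ca, issuer_key: ca_key)
  ca_file = Tempfile.new(['demo-ca', '.pem'])
  ca_file.write(ca.to_pem)            # must be PEM; keytool -export gives DER unless -rfc
  ca_file.flush
  port, stop = start_https_server(srv, srv_key, ca, require_client_cert: true)
  {
    key_matches:    cert_matches_key?(srv, srv_key),
    wrong_key:      cert_matches_key?(srv, cli_key),
    mutual_tls:     https_get(port, ca_file: ca_file.path, cert: cli, key: cli_key),
    no_ca_file:     https_get(port),                         # the question's verify failure
    no_client_cert: https_get(port, ca_file: ca_file.path),  # now the server rejects us
  }
ensure
  stop&.call
  ca_file&.close!
end

p run_demo if __FILE__ == $PROGRAM_NAME
```

The server certificate carries IP:127.0.0.1 in its subjectAltName because Net::HTTP checks the certificate against the address it connected to, not only the chain; a self-signed server certificate with the right CA file but a subject that does not name the host still fails with VERIFY_PEER. The no-client-cert case surfaces differently depending on the TLS version (a handshake alert under TLS 1.2, an error on the first read under TLS 1.3), which is why https_get rescues I/O errors as well as OpenSSL::SSL::SSLError.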
