root@arduino:~/openssl# mkdir openssl
root@arduino:~/openssl# cd openssl
root@arduino:~/openssl# mkdir private
// 產生根私鑰。這把金鑰是整個信任鏈的根：建議先 chmod 700 private，並在 genrsa 加上 -aes256 以密碼保護金鑰檔；未加密的 cakey.pem 一旦外洩，任何人都能簽出瀏覽器會信任的憑證。
root@arduino:~/openssl# openssl genrsa -out private/cakey.pem 2048
root@arduino:~/openssl# vi /etc/ssl/openssl.cnf
dir = /root/openssl # Where everything is kept
default_md = sha512 # 使用預設(sha1)方法,chrome 會報說此方法已經不安全,不給用
countryName = Country Name (2 letter code)
countryName_default = TW
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Taiwan
localityName = Locality Name (eg, city)
localityName_default = Taichung
0.organizationName = Organization Name (eg, company)
0.organizationName_default = SDL
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = R&D
// 建立 CA 資料庫 (index.txt、serial、newcerts)。自簽根憑證本身的指令 (例如 openssl req -new -x509 -key private/cakey.pem -days <天數> -out cacert.pem) 這裡似乎沒有列出，但後面的 openssl ca 以及最後要匯入的 cacert.pem 都需要先完成這一步。
root@arduino:~/openssl# touch index.txt serial
root@arduino:~/openssl# echo 01 >serial
root@arduino:~/openssl# mkdir newcerts
root@arduino:~/openssl# mkdir web1
// 產生網站要用的私鑰，通常在網站伺服器那台機器上產生並留在原地 (chmod 600)，只把 CSR 送到 CA 簽署；私鑰不應經由網路傳到 CA 或其他機器。
root@arduino:~/openssl# openssl genrsa -out web1/httpd.key 2048
root@arduinoYun:~/openssl# cp /etc/ssl/openssl.cnf web1/
root@arduinoYun:~/openssl# vi web1/openssl.cnf
req_extensions = v3_req # The extensions to add to a certificate request
[ v3_req ]
subjectAltName = @alt_names
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# 部分用戶端 (例如 Apple 平台) 會要求伺服器憑證帶有 serverAuth 的 extendedKeyUsage，建議一併加上
extendedKeyUsage = serverAuth
[alt_names]
IP.1 = 192.168.1.61
IP.2 = 192.168.240.1
IP.3 = 192.168.43.201
DNS.1 = arduinoyun.local
root@arduino:~/openssl# openssl req -new -key web1/httpd.key -out web1/httpd.csr -sha512 -config web1/openssl.cnf
// Common Name 填入網站名稱即可；現代瀏覽器 (Chrome 58 以後) 已不比對 CN，只看 subjectAltName，所以真正決定憑證是否符合的是上面 [alt_names] 裡的 IP 與 DNS 名稱，瀏覽器網址列輸入的主機名稱或 IP 必須在其中。
Common Name (e.g. server FQDN or YOUR name) []:Arduino Yun
// 下面兩個不要填
A challenge password []:
An optional company name []:
// 可用下面命令,查看證書申請
root@arduinoYun:~/openssl# openssl req -text -noout -in web1/httpd.csr
// 將證書申請書送到根證書的機器，簽署證書。openssl ca 預設不會把 CSR 裡的 subjectAltName 複製進憑證，這裡的 -extfile web1/openssl.cnf -extensions v3_req 就是把 SAN 放進簽出憑證的方法 (另一做法是在 CA 設定檔設 copy_extensions = copy，但那會照抄 CSR 內所有擴充欄位，簽署前務必先用 openssl req -text 檢查)。另外 -days 3650 讓網站憑證有效十年：部分用戶端 (例如 Apple 平台) 會拒絕有效期超過約 825 天的伺服器憑證，而且網站私鑰一旦外洩也會被信任十年，建議縮短為一到兩年。
root@arduino:~/openssl# openssl ca -in web1/httpd.csr -out web1/httpd.crt -days 3650 -extensions v3_req -extfile web1/openssl.cnf
// 回答兩個 y 即可。若出現下列錯誤，通常是 index.txt 裡已有一張相同 subject 且尚未撤銷的憑證 (CA 設定預設 unique_subject = yes)，請查看 newcerts 目錄下最後一個 pem 的編號
failed to update database
TXT_DB error number 2
// 並在 CA 上用下列命令將它撤銷後重新簽署 (或在 CA 設定檔改成 unique_subject = no 以允許重複的 subject)
root@arduinoYun:~/openssl# openssl ca -revoke newcerts/02.pem
root@arduino:~/openssl# cd ..
root@arduino:~# vi pythonWeb.py
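# Wrap the HTTP server socket in TLS using an explicit SSLContext instead of
# ssl.wrap_socket(): wrap_socket is deprecated (removed in Python 3.12), and the
# original pinned ssl_version=ssl.PROTOCOL_TLSv1, which limits the server to
# TLS 1.0 only -- a version current browsers refuse. The getattr/hasattr
# guards keep the snippet runnable on the older Python 2.7 found on a Yun,
# where the newer constant names (and SSLContext itself) may be missing.
_tls_proto = getattr(ssl, 'PROTOCOL_TLS_SERVER',
                     getattr(ssl, 'PROTOCOL_TLS', ssl.PROTOCOL_SSLv23))
if hasattr(ssl, 'SSLContext'):
    _ctx = ssl.SSLContext(_tls_proto)
    if hasattr(ssl, 'TLSVersion'):
        # Python 3.7+: state the protocol floor directly.
        _ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    else:
        # Older Pythons: refuse SSLv2/SSLv3/TLS 1.0/TLS 1.1 via option bits
        # (OP_NO_TLSv1_1 only exists from 2.7.9 / 3.4, hence the 0 default).
        _ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
        _ctx.options |= (getattr(ssl, 'OP_NO_TLSv1', 0)
                         | getattr(ssl, 'OP_NO_TLSv1_1', 0))
    # Server certificate and private key produced by the openssl steps above.
    _ctx.load_cert_chain(certfile='openssl/web1/httpd.crt',
                         keyfile='openssl/web1/httpd.key')
    # Client-certificate authentication stays off, as in the original. To
    # require it, set _ctx.verify_mode = ssl.CERT_REQUIRED and call
    # _ctx.load_verify_locations('openssl/cacert.pem') before wrapping.
    server.socket = _ctx.wrap_socket(server.socket, server_side=True)
else:
    # Pre-2.7.9 fallback: no SSLContext available, so at least let the library
    # negotiate the newest version it supports instead of forcing TLS 1.0.
    server.socket = ssl.wrap_socket(server.socket,
                                    keyfile='openssl/web1/httpd.key',
                                    certfile='openssl/web1/httpd.crt',
                                    server_side=True,
                                    ssl_version=ssl.PROTOCOL_SSLv23)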
傳送根證書 cacert.pem 到 local，並改名為 cacert.crt。只需要傳送憑證本身，private/cakey.pem 絕對不要複製出去；根憑證一旦匯入信任清單，這個 CA 簽出的任何憑證瀏覽器都會信任，所以 CA 私鑰必須妥善保護 (最好離線保存)。
將 cacert.crt 匯入作業系統或瀏覽器的「受信任的根憑證授權單位」存放區