https://cnodejs.org/topic/54745ac22804a0997d38b32d
用 Node.js 创建自签名的 HTTPS 服务器
用 Node.js 创建自签名的 HTTPS 服务器
创建自己的 CA 机构
创建服务器端证书
创建客户端证书
将证书打包
创建自己的 CA 机构
为 CA 生成私钥
openssl genrsa -out ca-key.pem -des 1024
通过 CA 私钥生成 CSR
openssl req -new -key ca-key.pem -out ca-csr.pem
通过 CSR 文件和私钥生成 CA 证书
openssl x509 -req -in ca-csr.pem -signkey ca-key.pem -out ca-cert.pem
可能会遇到的问题
你需要 root 或者 admin 的权限 Unable to load config info from /user/local/ssl/openssl.cnf 对于这个问题, 你可以从网上下载一份正确的 openssl.cnf 文件, 然后 set OPENSSL_CONF=openssl.cnf 文件的本地路径
创建服务器端证书
为服务器生成私钥
openssl genrsa -out server-key.pem 1024
利用服务器私钥文件服务器生成 CSR
openssl req -new -key server-key.pem -config openssl.cnf -out server-csr.pem
这一步非常关键, 你需要指定一份 openssl.cnf 文件. 可以用这个
- [req]
- distinguished_name = req_distinguished_name
- req_extensions = v3_req
- [req_distinguished_name]
- countryName = Country Name (2 letter code)
- countryName_default = CN
- stateOrProvinceName = State or Province Name (full name)
- stateOrProvinceName_default = BeiJing
- localityName = Locality Name (eg, city)
- localityName_default = YaYunCun
- organizationalUnitName = Organizational Unit Name (eg, section)
- organizationalUnitName_default = Domain Control Validated
- commonName = Internet Widgits Ltd
- commonName_max = 64
- [ v3_req ]
- # Extensions to add to a certificate request
- basicConstraints = CA:FALSE
- keyUsage = nonRepudiation, digitalSignature, keyEncipherment
- subjectAltName = @alt_names
- [alt_names]
- # 注意这个 IP.1 的设置, IP 地址需要和你的服务器的监听地址一样
- IP.1 = 127.0.0.1
通过服务器私钥文件和 CSR 文件生成服务器证书
openssl x509 -req -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -in server-csr.pem -out server-cert.pem -extensions v3_req -extfile openssl.cnf
创建客户端证书
生成客户端私钥
openssl genrsa -out client-key.pem
利用私钥生成 CSR
openssl req -new -key client-key.pem -out client-csr.pem
生成客户端证书
openssl x509 -req -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -in client-csr.pem -out client-cert.pem
HTTPS 服务器代码
- var https = require('https');
- var fs = require('fs');
- var options = {
- key: fs.readFileSync('./keys/server-key.pem'),
- ca: [fs.readFileSync('./keys/ca-cert.pem')],
- cert: fs.readFileSync('./keys/server-cert.pem')
- };
- https.createServer(options,function(req,res){
- res.writeHead(200);
- res.end('hello world\n');
- }).listen(3000,'127.0.0.1');
HTTPS 客户端代码
- var https = require('https');
- var fs = require('fs');
- var options = {
- hostname:'127.0.0.1',
- port:3000,
- path:'/',
- method:'GET',
- key:fs.readFileSync('./keys/client-key.pem'),
- cert:fs.readFileSync('./keys/client-cert.pem'),
- ca: [fs.readFileSync('./keys/ca-cert.pem')],
- agent:false
- };
- options.agent = new https.Agent(options);
- var req = https.request(options,function(res){
- console.log("statusCode:", res.statusCode);
- console.log("headers:", res.headers);
- res.setEncoding('utf-8');
- res.on('data',function(d){
- console.log(d);
- })
- });
- req.end();
- req.on('error',function(e){
- console.log(e);
- })
将证书打包
打包服务器端证书
openssl pkcs12 -export -in server-cert.pem -inkey server-key.pem -certfile ca-cert.pem -out server.pfx
打包客户端证书
openssl pkcs12 -export -in client-cert.pem -inkey client-key.pem -certfile ca-cert.pem -out client.pfx
服务器端代码
- var https = require('https');
- var fs = require('fs');
- var options = {
- pfx:fs.readFileSync('./keys/server.pfx'),
- passphrase:'your password'
- };
- https.createServer(options,function(req,res){
- res.writeHead(200);
- res.end('hello world\n');
- }).listen(3000,'127.0.0.1');
客户端代码
- var https = require('https');
- var fs = require('fs');
- var options = {
- hostname:'127.0.0.1',
- port:3000,
- path:'/',
- method:'GET',
- pfx:fs.readFileSync('./keys/server.pfx'),
- passphrase:'your password',
- agent:false
- };
- options.agent = new https.Agent(options);
- var req = https.request(options,function(res){
- console.log("statusCode:", res.statusCode);
- console.log("headers:", res.headers);
- res.setEncoding('utf-8');
- res.on('data',function(d){
- console.log(d);
- })
- });
- req.end();
- req.on('error',function(e){
- console.log(e);
- })
来源: http://www.bubuko.com/infodetail-2668278.html