QT Nginx Openssl证书双向认证

QT+Nginx Openssl证书双向认证

主要有以下几点：

• 1.数字证书的生成
• 2.nginx证书的配置
• 3.Qt使用双向认证

---

一、数字证书的生成

1.生成ca证书

生成ca秘钥

建议用2048位密钥，少于此可能会不安全或很快将不安全。

openssl genrsa -des3 -out ca.key 2048

• 1

这个命令会生成一个2048位的密钥，同时有一个des3方法加密的密码，如果你不想要每次都输入密码，可以改成：

#openssl genrsa -out privkey.pem 2048
1

导出ca证书

openssl rsa -in ca.key -out ca_decrypted.key

• 1

openssl req -new -subj '/C=CN/ST=shanghai/L=china/O=test/CN=www.' -x509 -days 3650 -key ca.key -out ca.crt  
1

2.生成服务端证书

openssl genrsa -des3 -out test.com.pem 1024

• 1

openssl rsa -in test.com.pem -out test.com.key  
1

openssl req -new -subj '/C=CN/ST=shanghai/L=china/O=test/CN=www.' -key test.com.pem -out test.com.csr

• 1

openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in test.com.csr -out test.com.crt  
1

3.生成客户端证书

openssl genrsa -out client.pem 2048

• 1

openssl req -new -subj '/C=CN/ST=ShangHai/L=china/O=test/CN=www.' -key client.pem -out client-req.csr  
1

openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt

• 1

openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12  
1

二.nginx中配置

server { listen 443; server_name www.; ssl on; #开启ssl ssl_certificate /home/hadoop/ssl/.crt; #服务器证书位置 ssl_certificate_key /home/hadoop/ssl/.key; #服务器私钥 ssl_client_certificate /home/hadoop/ssl/ca.crt; #CA证书用于验证客户端证书的合法性 ssl_verify_client on; #开启对客户端的验证 ssl_session_timeout 5m; #session有效期，5分钟 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; #加密算法 ssl_prefer_server_ciphers on; ...}

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15

3.Qt使用双向认证

TestAuthentication.h

#ifndef TESTAUTHENTICATION_H#define TESTAUTHENTICATION_H#include <QObject>#include <QNetworkAccessManager>#include <QNetworkRequest>#include <QNetworkReply>#include <QEventLoop>#include <QSslKey>class TestAuthentication: public QObject{    Q_OBJECTpublic:    TestAuthentication(QObject*parent = 0);    ~TestAuthentication();    void auth();};#endif // TESTAUTHENTICATION_H
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

TestAuthentication.cpp

#include 'testauthentication.h'TestAuthentication::TestAuthentication(QObject *parent) : QObject(parent){}TestAuthentication::~TestAuthentication(){}void TestAuthentication::auth(){ QNetworkAccessManager manager; QNetworkRequest request; QSslConfiguration config; QByteArray password='123456'; //生成客户端证书时的密码 QFile pkcs('D:\\ssl\\client.p12'); //生成的证书路径 pkcs.open(QFile::ReadOnly); QSslKey key; QSslCertificate cert; QList<QSslCertificate> certs; bool import = QSslCertificate::importPkcs12(&pkcs,&key,&cert,&certs,password); qDebug()<<import; pkcs.close(); config.setPrivateKey(key); config.setLocalCertificate(cert); config.setProtocol(QSsl::TlsV1_2); request.setSslConfiguration(config); request.setUrl(QUrl('https://www.')); QNetworkReply *reply = manager.get(request); QEventLoop loop; connect(&manager,&QNetworkAccessManager::finished,&loop,&QEventLoop::quit); loop.exec(); qDebug()<<reply->readAll();}

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18
• 19
• 20
• 21
• 22
• 23
• 24
• 25
• 26
• 27
• 28
• 29
• 30
• 31
• 32
• 33
• 34
• 35
• 36
• 37
• 38
• 39
• 40

#include 'testauthentication.h'#include <QApplication>int main(int argc, char *argv[]){    QApplication a(argc, argv);    TestAuthentication test;    test.auth();    return 0;}
1
2
3
4
5
6
7
8
9
10
11

附件：

#!/bin/bashSUBJECT='/C=CN/ST=shanghai/L=china/O=testServer/CN=www.'cd ~/ mkdir ssl cd ssl mkdir demoCA cd demoCA mkdir newcerts mkdir private touch index.txt echo '01' > serial cd ..#openssl genrsa -des3 -out ca.key 2048 openssl genrsa -out ca.key 2048 openssl rsa -in ca.key -out ca_decrypted.key openssl req -new -subj $SUBJECT -x509 -days 3650 -key ca.key -out ca.crt #openssl genrsa -des3 -out .pem 1024 openssl genrsa -out .pem 1024 openssl rsa -in .pem -out .key openssl req -new -subj $SUBJECT -key .pem -out .csr openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in .csr -out .crt cat ca.crt >> .crt #openssl genrsa -des3 -out client.pem 2048 openssl genrsa -out client.pem 2048 SUBJECT='/C=CN/ST=ShangHai/L=china/O=testClient/CN=www.'openssl req -new -subj $SUBJECT -key client.pem -out client-req.csr openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in client-req.csr -out client.crt openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12
• 13
• 14
• 15
• 16
• 17
• 18
• 19
• 20
• 21
• 22
• 23
• 24
• 25
• 26
• 27
• 28
• 29
• 30
• 31
• 32
• 33
• 34
• 35
• 36
• 37
• 38
• 39
• 40
• 41
• 42