[英]Doing SSL client authentication is python
OK, I am trying to use client certificates to authenticate a python client to an Nginx server. 好的,我正在尝试使用客户端证书向Nginx服务器认证python客户端。 Here is what I tried so far:
这是我到目前为止尝试过的:
Created a local CA 创建一个本地CA
openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Created server key and certificate 创建的服务器密钥和证书
openssl genrsa -des3 -out server.key 1024 openssl rsa -in server.key -out server.key openssl req -new -key server.key -out server.csr openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
Used similar procedure to create a client key and certificate 使用类似的过程来创建客户端密钥和证书
openssl genrsa -des3 -out client.key 1024 openssl rsa -in client.key -out client.key openssl req -new -key client.key -out client.csr openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
Add these lines to my nginx config 将这些行添加到我的Nginx配置中
server { listen 443; ssl on; server_name dev.lightcloud.com; keepalive_timeout 70; access_log /usr/local/var/log/nginx/lightcloud.access.log; error_log /usr/local/var/log/nginx/lightcloud.error.log; ssl_certificate /Users/wombat/Lightcloud-Web/ssl/server.crt; ssl_certificate_key /Users/wombat/Lightcloud-Web/ssl/server.key; ssl_client_certificate /Users/wombat/Lightcloud-Web/ssl/ca.crt; ssl_verify_client on; location / { uwsgi_pass unix:///tmp/uwsgi.socket; include uwsgi_params; } }
created a PEM client file 创建了PEM客户端文件
cat client.crt client.key ca.crt > client.pem
created a test python script 创建了一个测试python脚本
import ssl import http.client context = ssl.SSLContext(ssl.PROTOCOL_SSLv23) context.load_verify_locations("ca.crt") context.load_cert_chain("client.pem") conn = http.client.HTTPSConnection("localhost", context=context) conn.set_debuglevel(3) conn.putrequest('GET', '/') conn.endheaders() response = conn.getresponse() print(response.read())
And now I get 400 The SSL certificate error from the server. 现在,我从服务器收到400 SSL证书错误。 What am I doing wrong?
我究竟做错了什么?
It seems that my problem was that I did not create the CA properly and wasn't signing keys the right way. 看来我的问题是我没有正确创建CA,并且没有以正确的方式对密钥进行签名。 A CA cert needs to be signed and if you pretend to be top level CA you self-sign your CA cert.
需要对CA证书进行签名,如果您假装为顶级CA,则需要对CA证书进行自签名。
openssl req -new -newkey rsa:2048 -keyout ca.key -out ca.pem openssl ca -create_serial -out cacert.pem -days 365 -keyfile ca.key -selfsign -infiles ca.pem
Then you use ca command to sign requests 然后使用ca命令对请求进行签名
openssl genrsa -des3 -out server.key 1024 openssl req -new -key server.key -out server.csr openssl ca -out server.pem -infiles server.csr
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.