
Creating a self-signed certificate with OpenSSL to enable HTTPS in Flask: how to make Flask use an OpenSSL-generated certificate

Option 1) Generate an X.509 v3 certificate with SAN (Subject Alternative Names)

Note: Starting with Chrome v58, certificates without SAN information are no longer accepted.

Beyond that note, what we need is not merely an SSL certificate: we have to build an SSL certificate chain anchored in a root certificate.

When connecting to an HTTPS site, the server sends its certificate chain, but the chain alone is not enough for the client/browser to complete validation; the client/browser must hold the root certificate in order to walk the chain and verify each signature in turn.

In other words, the client must trust the root certificate for there to be any basis of trust. (Intermediate certificates are optional; the SSL certificate chain we build here has none.)

1) Create the root certificate and its key

```shell
# Create a private key.
# This creates a key, 2048 bits long. The -des3 parameter specifies the
# Triple DES algorithm to encrypt the key.
openssl genrsa -des3 -out rootCA.key 2048

# Now generate the root certificate:
# -new:    create a new request
# -nodes:  don't encrypt the output key
# -x509:   specifies the kind of certificate to make
# -key:    the file with the private key to use
# -sha256: the hashing algorithm. When you omit this it defaults to SHA1,
#          which makes the browser generate a warning
# -days:   the number of days the certificate should be valid for. Use as high
#          a number as you feel comfortable with for your development environment
# -out:    the name of the file to write the certificate to
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
```

During creation you will be asked to enter basic information that goes into the root certificate.

Mine is as follows:

```text
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CMCM
Organizational Unit Name (eg, section) []:CM
Common Name (e.g. server FQDN or YOUR name) []:HL ROOT CA
Email Address []:499389897@qq.com
```

With the root certificate in place, now create the SSL certificate the server will use.

2) Create the server's SSL certificate and key

Because only X.509 v3 certificates carry SAN information, this takes more work than creating an X.509 v1 certificate.

In the same directory, first create a file named v3.ext with the content below, replacing the entries under alt_names with your own domain names:

```text
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = acme-site.dev
DNS.2 = www.acme-site.dev
```

The first step is to create a private key for the SSL certificate and a certificate signing request. 

```shell
openssl req -new -nodes -out server.csr -newkey rsa:2048 -keyout server.key
```

Creating the server's SSL certificate also asks you for some basic information; I filled it in as follows:

```text
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CMCM
Organizational Unit Name (eg, section) []:CM
Common Name (e.g. server FQDN or YOUR name) []:HL ROOT CA
Email Address []:499389897@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

3) The key step: have the root certificate sign the server's SSL certificate, extending its trust to it

```shell
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
```
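Option 1 as one non-interactive script, added here and not part of the original post, followed by the checks worth running before the files are handed to Flask: the leaf must verify against rootCA.pem, its SAN must carry the hostname, and it must not itself be a CA. It assumes the openssl CLI is on PATH; the scratch directory ./democa and the hostname acme-site.dev are assumptions of this example, and the root key is left unencrypted (no -des3) so the script can run unattended.

```shell
#!/bin/sh
# Added example (not the post's own script): Option 1 run with -subj instead
# of interactive prompts, then verified. Assumes the openssl CLI is installed.
set -eu

# build_chain DIR HOST: root CA plus a SAN leaf for HOST and www.HOST in DIR.
# Unlike the post the root key is unencrypted so this runs unattended; keep
# that file out of the web root and out of version control.
build_chain() {
  dir=$1; host=$2
  mkdir -p "$dir"
  openssl genrsa -out "$dir/rootCA.key" 2048
  openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
    -subj "/C=CN/O=CMCM/CN=HL ROOT CA" -out "$dir/rootCA.pem"
  # Same v3.ext as the post; CA:FALSE keeps the leaf from acting as an issuer.
  cat > "$dir/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $host
DNS.2 = www.$host
EOF
  openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/server.key" \
    -out "$dir/server.csr" -subj "/C=CN/O=CMCM/CN=$host"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" \
    -CAkey "$dir/rootCA.key" -CAcreateserial -out "$dir/server.crt" \
    -days 500 -sha256 -extfile "$dir/v3.ext"
}

# verify_chain DIR HOST: returns 0 when the leaf chains to the root, lists HOST
# in its SAN and is not a CA; 1, 2 or 3 says which of those checks failed.
verify_chain() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/server.crt" >/dev/null || return 1
  text=$(openssl x509 -in "$dir/server.crt" -noout -text)
  echo "$text" | grep -qE "DNS:$host(,|\$)" || return 2
  echo "$text" | grep -q "CA:FALSE" || return 3
  return 0
}

build_chain ./democa acme-site.dev
verify_chain ./democa acme-site.dev && echo "chain OK for acme-site.dev"
```

Point Flask at ./democa/server.crt and ./democa/server.key afterwards; a browser that has imported ./democa/rootCA.pem will accept the connection only for the names listed in the SAN.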

Option 2)

Reference:

https://support.citrix.com/article/CTX135602_

Create a new file req.conf with the following content:

```text
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = www.myser.com
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.myser.net
DNS.2 = myser.com
DNS.3 = myser.net
```

Note:

CN is www.myser.com

DNS.1 is set to the domain www.myser.net
DNS.2 is set to the domain myser.com
DNS.3 is set to the domain myser.net

Generate the private key and the self-signed certificate:

```shell
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt -config req.conf -sha256
```

3) Once you have the certificate, configure the server

Modify the SSL configuration in Flask to point at the new private key file (server.key) and certificate file (server.crt), as follows:

```python
from flask import Flask, jsonify
import os

ASSETS_DIR = os.path.dirname(os.path.abspath(__file__))
app = Flask(__name__)


@app.route('/')
def index():
    return 'Flask is running!'


@app.route('/data')
def names():
    data = {"names": ["John", "Jacob", "Julie", "Jennifer"]}
    return jsonify(data)


if __name__ == '__main__':
    # certificate and key files generated above
    context = ('server.crt', 'server.key')
    app.run(debug=True, ssl_context=context)
```

Restart the service.

Import the root certificate into Chrome as the foundation of the trust chain.

Install the self-signed certificate file server.crt in Chrome.

Visit the server: the certificate is valid and everything works, as shown in the figure below.

References:

https://www.jianshu.com/p/35c31b865bb9

https://medium.com/@tbusser/creating-a-browser-trusted-self-signed-ssl-certificate-2709ce43fd15

 