客户端在Node.js上的ssl授权
我正在尝试使用自签名进行客户端授权。
首先,我正在创build证书:
CA证书
openssl genrsa -des3 -out ca.key 2048 openssl req -new -x509 -days 365 -key ca.key -out ca.crt 服务器证书
openssl genrsa -out server.key 1024 openssl req -new -key server.key -out server.csr openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
客户证书
openssl genrsa -out client.key 1024 openssl req -new -key client.key -out client.csr openssl x509 -req -in client.csr -out client.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 365
将客户端证书转换为p12
openssl pkcs12 -export -in client.crt -inkey client.key -name "My cert" -out client.p12
打开并安装p12证书打开client.p12
我的node.js服务器(使用express.js)
var express = require('express') , routes = require('./routes') , user = require('./routes/user') , http = require('http') , path = require('path') , https = require('https') , fs = require('fs'); var app = express(); app.configure(function () { app.set('port', process.env.PORT || 3000); app.set('views', __dirname + '/views'); app.set('view engine', 'ejs'); app.use(express.favicon()); app.use(express.logger('dev')); app.use(express.bodyParser()); app.use(express.methodOverride()); app.use(app.router); app.use(express.static(path.join(__dirname, 'public'))); }); app.configure('development', function () { app.use(express.errorHandler()); }); app.get('/', function(req, res) { console.log(req.client.authorized); res.send(req.client.authorized) }); var options = { key:fs.readFileSync('ssl/server.key'), cert:fs.readFileSync('ssl/server.crt'), ca:[fs.readFileSync('ssl/ca.crt')], requestCert:true, rejectUnauthorized:false, passphrase: 'passphrase', agent: false }; https.createServer(options,app).listen(app.get('port'), function () { console.log("Express server listening on port " + app.get('port')); });
当服务器运行时,我在Chrome中打开https://localhost:3000 ,但身份validation不通过:req.client.authorized为false
Chrome邮件是
The identity of this website has not been verified. • Server's certificate does not match the URL.
我的错误在哪里?
服务器URL与服务器证书的通用名称部分相匹配。
当您创build服务器证书请求时,请记住将您的服务器的主机名称设置为通用名称部分。 如果您只是在本地进行testing(使用https://localhost作为地址),请使用localhost作为通用名称。
通过HTTPS支持,使用request.connection.verifyPeer()和request.connection.getPeerCertificate()来获取客户端的authentication细节。