我有一个在localhost:9002上运行https的节点/表达服务器,并且我想对在localhost:8080(webpack开发服务器)上运行的react应用程序使用客户端证书。 react应用程序正在将带有超级代理的Ajax请求与https服务器一起使用,并且我有一个护照中间件来自动检查证书。
Windows 10,Chrome版本71.0.3578.98
使用openssl,我创建了一个根CA。然后,我生成了服务器证书和客户端证书。这是使用的脚本(我使用git bash运行它,因此它是UNIX风格,但是我在Windows上):
## CREATE CERTIFICATES FOR AUTHENTICATION
#########################################
## 1. Create Root Certificate Authority #
#########################################
# Root CA private key
openssl genrsa -out ./rootCA.key 4096
# Root CA certificate to register in RootCA store on OS
openssl req -x509 -new -nodes -key ./rootCA.key -sha256 -days 3650 -out ./rootCA.pem
#################################
## 2. Create Server certificate #
#################################
# Create private key for server
openssl genrsa -out ./server.key 4096
# Create server certificate sign request (CSR) based on the private key
openssl req -new -sha256 -nodes -out ./server.csr -key ./server.key -config ./server.csr.conf
# Create server certificate linked to the previoulsy created Root CA
openssl x509 -req -in ./server.csr -CA ./rootCA.pem -CAkey ./rootCA.key -CAcreateserial -out ./server.crt -days 3650 -sha256 -extfile ./v3.ext
#################################
## 3. Create Client certificate #
#################################
# Create private key for client
openssl genrsa -out ./client.key 4096
# Create the Certificate Sign Request (CSR) file from the client private key
openssl req -new -config ./client.csr.conf -key ./client.key -out ./client.csr
# Self sign the certificate for 10 years
openssl x509 -req -days 3650 -in ./client.csr -CA ./server.crt -CAkey ./server.key -CAcreateserial -out ./client.crt
# Display the fingerprint of the newly generated fingerprint
openssl x509 -noout -fingerprint -inform pem -in ./client.crt
# Generate a PFX file for integration in browser
openssl pkcs12 -export -out ./client.pfx -inkey ./client.key -in ./client.crt -passout pass:
以下是使用的不同配置:
server.csr.conf
[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
# distinguished_name
[ req_distinguished_name ]
countryName = "FR"
localityName = "Lille"
organizationName = "Sopra Steria"
organizationalUnitName = "Webskillz"
commonName = "localhost"
v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
client.csr.conf
[ req ]
default_bits = 4096
default_md = sha512
default_keyfile = server.key
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
# distinguished_name
[ req_distinguished_name ]
countryName = "FR"
localityName = "Lille"
organizationName = "Sopra Steria"
organizationalUnitName = "Webskillz"
commonName = "localhost"
最后,我使用certmgr.msc将rootCA.pem添加到了受信任的根证书颁发机构,并且将client.pfx和server.crt证书添加到了个人商店。
Chrome烦人地将http://localhost:8080重定向到https://localhost:8080,我不想系统地打开chrome://net-internals/#hsts来删除localhost键...
当我最终访问http://localhost:8080时,系统要求我选择要向https://localhost:9002进行身份验证的证书(是的!),但是我仍然得到401,这不是由护照cert-auth中间件(我的中间件中没有日志)。
我设法在没有根证书的情况下使此客户端/服务器设置正常工作,但是问题是我从Chrome那里获得了NET::ERR_CERT_AUTHORITY_INVALID的...这就是为什么我在遵循有关World的一些建议后添加了根CA的原因万维网...确实可以解决问题,但后来我无法进行身份验证,Chrome开始自动将http重定向到httpsಠ෴ಠ
哦,顺便说一下,CORS被允许在服务器端使用,所以CORS不会出现任何问题。
护照身份验证策略:我们只需要检查数据库中的指纹即可。
cert-auth.js
import { Strategy } from 'passport-client-cert';
export default new Strategy(async (clientCert, done) => {
console.log(clientCert); // NO LOG HERE!!
if (clientCert.fingerprint) {
try {
const user = await findByFingerprintInMyAwesomeDb({ fingerprint: clientCert.fingerprint });
return done(null, user);
} catch (err) {
return done(new Error(err));
}
}
return done(null, false);
});
bootstrap-express.js
import passport from 'passport';
import certificateStrategy from 'cert-auth';
export default (app) => {
// CORS setup, bodyparser stuff & all...
// ... //
// Using authentication based on certificate
passport.use(certificateStrategy);
app.use(passport.initialize());
app.use(passport.authenticate('client-cert', { session: false }));
// Api routes.
app.get('/api/stream',
passport.authenticate('client-cert', { session: false }),
(req, res) => {
// Some router stuff
});
};
index.js
import https from 'https';
import express from 'express';
import fs from 'fs';
import path from 'path';
import bootstrapExpress from 'bootstrap-express';
const certDir = path.join(__dirname, '..', 'cert');
const listenPromise = server => port => new Promise((resolve, reject) => {
const listener = server.listen(port, err => (err ? reject(err) : resolve(listener)));
});
const options = {
key: fs.readFileSync(path.join(certDir, 'server.key')),
cert: fs.readFileSync(path.join(certDir, 'server.crt')),
ca: fs.readFileSync(path.join(certDir, 'server.crt')),
requestCert: true,
rejectUnauthorized: false,
};
(async function main() {
try {
logger.info('Initializing server');
const app = express();
bootstrapExpress(app);
const httpsServer = https.createServer(options, app);
const httpsListener = await listenPromise(httpsServer)(9002);
logger.info(`HTTPS listening on port ${httpsListener.address().port} in ${app.get('env')} environment`);
} catch (err) {
logger.error(err);
process.exit(1);
}
}());
欢迎任何帮助:)
致谢
答案 0 :(得分:0)
好的,我做了很多更改,以便使证书链更加清晰,但是我尽一切努力后仍然拥有401的原因是因为我的快速服务器中有此配置:
const options = {
key: fs.readFileSync(path.join(certDir, 'server.key')),
cert: fs.readFileSync(path.join(certDir, 'server.crt')),
ca: fs.readFileSync(path.join(certDir, 'server.crt')),
requestCert: true,
rejectUnauthorized: false,
};
工作配置如下(用rootCA替换ca):
const options = {
key: fs.readFileSync(path.join(certDir, 'server.key')),
cert: fs.readFileSync(path.join(certDir, 'server.crt')),
ca: fs.readFileSync(path.join(certDir, 'rootCA.pem')),
requestCert: true,
rejectUnauthorized: false,
};
这个问题为我提供了帮助,但几分钟前我才发现:https://github.com/nodejs/help/issues/253 ^
其他信息:由于我的服务器位于本地DNS上,因此为了避免从http重定向到https,我只是在C:\ Windows \ System32 \ drivers \ etc \ host中添加了一个新DNS
127.0.0.1 mysuperdns
因此,服务器证书的通用名称必须为mysuperdns。