want to use my own CA certificate for self-signing. Then have my clients import my CA

PKCS1 error about lua-resty-openssl HOT 1 CLOSED

iakuf commented on August 29, 2024

PKCS1 error

from lua-resty-openssl.

Comments (1)

iakuf commented on August 29, 2024

local openssl_pkey = require("resty.openssl.pkey")
local openssl_bignum = require("resty.openssl.bn")
local openssl_csr = require("resty.openssl.x509.csr")
local openssl_name = require("resty.openssl.x509.name")
local openssl_rand = require("resty.openssl.rand")

-- CA证书和私钥的PEM内容
local ca_cert_pem = [[

-----END CERTIFICATE-----
]]
local ca_pkey_pem = [[
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
]]

-- 加载CA证书和私钥
local ca_cert, err = openssl_x509.new(ca_cert_pem)
if not ca_cert then
ngx.log(ngx.ERR, "failed to load CA cert: ", err)
return
end

local ca_pkey, err = openssl_pkey.new(ca_pkey_pem)
if not ca_pkey then
ngx.log(ngx.ERR, "failed to load CA pkey: ", err)
return
end

local _M = {}

-- 创建证书
function _M:generateCert(domain)
-- 生成和签署 SSL 证书时
-- step1: 生成新的密钥对：为待签名的证书生成一个新的公钥和私钥。
-- 创建私钥
local pkey, err = openssl_pkey.new({ type = "RSA", bits = 2048 })
if not pkey then
ngx.log(ngx.ERR, "failed to create pkey: ", err)
return
end

-- step2 生成 CSR（证书签名请求）：使用新生成的私钥和相关信息（如域名、组织信息等）生成 CSR。
local csr, err = openssl_csr.new()
if not csr then
    ngx.log(ngx.ERR, "failed to create csr: ", err)
    return
end

local subject = openssl_name.new({
    { C = "CN" },
    { ST = "Beijing" },
    { L = "Beijing" },
    { O = "Example Corp" },
    { CN = domain },
})
csr:set_subject_name(subject)
csr:set_pubkey(pkey)

-- step3 使用 CA 签署 CSR：用 CA 的私钥签署这个 CSR，生成最终的证书。
local openssl_x509 = require "resty.openssl.x509"
local resty_random = require "resty.openssl.rand"
local cert, err = openssl_x509.new()
if not cert then
    ngx.log(ngx.ERR, "failed to create cert: ", err)
    return
end

cert:set_serial_number(openssl_bignum.from_binary(openssl_rand.bytes(16)))
cert:set_subject_name(csr:get_subject_name())
cert:set_pubkey(csr:get_pubkey())
cert:set_issuer_name(ca_cert:get_subject_name())
cert:set_not_before(ngx.time())
cert:set_not_after(ngx.time() + 365 * 24 * 60 * 60)  -- 一年有效期
cert:sign(ca_pkey)

-- 获取证书的PEM格式
local cert_pem, err = cert:to_PEM()
if not cert_pem then
    ngx.log(ngx.ERR, "failed to get cert PEM: ", err)
    return
end

-- 获取私钥的PEM格式
local pkey_pem, err = pkey:to_PEM("private")
if not pkey_pem then
    ngx.log(ngx.ERR, "failed to get pkey PEM: ", err)
    return
end

end
return _M

local cert_pem, key_pem = generateCert("www.test.com")
-- Save to files
-- local cert_file = io.open("generated_cert1.pem", "w")
-- cert_file:write(cert_pem)
-- cert_file:close()

-- local key_file = io.open("generated_key2.pem", "w")
-- key_file:write(pkey_pem)
-- key_file:close()

I am is ok

from lua-resty-openssl.

Recommend Projects

PKCS1 error about lua-resty-openssl HOT 1 CLOSED

Comments (1)

local cert_pem, key_pem = generateCert("www.test.com")
-- Save to files
-- local cert_file = io.open("generated_cert1.pem", "w")
-- cert_file:write(cert_pem)
-- cert_file:close()

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

Comments (1)

local cert_pem, key_pem = generateCert("www.test.com") -- Save to files -- local cert_file = io.open("generated_cert1.pem", "w") -- cert_file:write(cert_pem) -- cert_file:close()

Related Issues (20)

Recommend Projects

Recommend Topics

Recommend Org

local cert_pem, key_pem = generateCert("www.test.com")
-- Save to files
-- local cert_file = io.open("generated_cert1.pem", "w")
-- cert_file:write(cert_pem)
-- cert_file:close()