• openssl建立证书,非常详细配置ssl+apache


    一,什么是ssl

    SSL证书通过在客户端浏览器和Web服务器之间建立一条SSL安全通道(Secure socket layer(SSL)安全协议是由Netscape Communication公司设计开发。该安全协议主要用来提供对用户和服务器的认证;对传送的数据进行加密和隐藏;确保数据在传送中不被改变,即数据的完整性,现已成为该领域中全球化的标准。由于SSL技术已建立到所有主要的浏览器和WEB服务器程序中,因此,仅需安装服务器证书就可以激活该功能了)。即通过它可以激活SSL协议,实现数据信息在客户端和服务器之间的加密传输,可以防止数据信息的泄露。保证了双方传递信息的安全性,而且用户可以通过服务器证书验证他所访问的网站是否是真实可靠。

     

    安全套接字层 (SSL) 技术通过加密信息和提供鉴权,保护您的网站安全。一份 SSL 证书包括一个公共密钥和一个私用密钥。公共密钥用于加密信息,私用密钥用于解译加密的信息。浏览器指向一个安全域时,SSL 同步确认服务器和客户端,并创建一种加密方式和一个唯一的会话密钥。它们可以启动一个保证消息的隐私性和完整性的安全会话。

    首先要有一个主证书,然后用主证书来签发服务器证书和客户证书,服务器证书和客户证书是平级关系,SSL所使用的证书可以自己生成,也可以通过一个商业性CA(如Verisign 或 Thawte)签署证书。签发证书的问题:如果使用的是商业证书,具体的签署方法请查看相关销售商的说明;如果是知己签发的证书,可以使用openssl 自带的CA.sh脚本工具。如果不为单独的客户端签发证书,客户端证书可以不用生成,客户端与服务器端使用相同的证书。

    二,安装所要的软件

    openssl :wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz

    apache:  wget http://www.apache.org/dist/httpd/httpd-2.2.16.tar.gz

    三,安装

    在正式安装前,请不要直接看下面的安装,请看最后一部分,那是我安装时候所遇到的问题,这样可以使你少走不少弯路,我安装的时候,就走了不少弯路。

    1,安装openssl

    tar zxvf openssl-1.0.0a.tar.gz
    cd openssl-1.0.0a
    ./config –prefix=/usr/local/openssl
    make && make install

    2,安装apache

    如果你已经安装了apache,你又不想重新编译的话,请参考mod_ssl模块的安装,也就是添加ssl模块而已。

    tar zxvf httpd-2.2.16.tar.gz
    cd httpd-2.2.16
    ./configure –prefix=/usr/local/apache  –enable-ssl   –enable-rewrite  –enable-so   –with-ssl=/usr/local/openssl
    make && make install

    如果你是yum install  ,apt-get,pacman这样的软件管理工具进行安装的话,上面的二步可以省掉。

    3,创建主证书

    在/usr/local/apache/conf/下面建个目录ssl

    3.1,mkdir ssl

    3.2,cp /openssl的安装目录/ssl/misc/CA.sh /usr/local/apache/conf/ssl/

    3.3 用CA.sh来创建证书

    1 [root@BlackGhost ssl]# ./CA.sh -newca //建立主证书
    2 CA certificate filename (or enter to create)
    3
    4 Making CA certificate ...
    5 Generating a 1024 bit RSA private key
    6 ............++++++
    7 ......++++++
    8 writing new private key to './demoCA/private/./cakey.pem'
    9  Enter PEM pass phrase:
    10 Verifying - Enter PEM pass phrase:
    11 Verify failure
    12  Enter PEM pass phrase:
    13 Verifying - Enter PEM pass phrase:
    14 -----
    15 You are about to be asked to enter information that will be incorporated
    16  into your certificate request.
    17 What you are about to enter is what is called a Distinguished Name or a DN.
    18 There are quite a few fields but you can leave some blank
    19 For some fields there will be a default value,
    20 If you enter '.', the field will be left blank.
    21 -----
    22 Country Name (2 letter code) [AU]:cn
    23 State or Province Name (full name) [Some-State]:cn
    24 Locality Name (eg, city) []:cn
    25 Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
    26 Organizational Unit Name (eg, section) []:cn
    27 Common Name (eg, YOUR name) []:localhost
    28 Email Address []:xtaying@gmail.com
    29
    30 Please enter the following 'extra' attributes
    31 to be sent with your certificate request
    32 A challenge password []:******************
    33 An optional company name []:
    34 Using configuration from /etc/ssl/openssl.cnf
    35  Enter pass phrase for ./demoCA/private/./cakey.pem: //填的是上面的PEM密码
    36 Check that the request matches the signature
    37 Signature ok
    38 Certificate Details:
    39 Serial Number:
    40 89:11:9f:a6:ca:03:63:ab
    41 Validity
    42 Not Before: Aug 7 12:35:28 2010 GMT
    43 Not After : Aug 6 12:35:28 2013 GMT
    44 Subject:
    45 countryName = cn
    46 stateOrProvinceName = cn
    47 organizationName = cn
    48 organizationalUnitName = cn
    49 commonName = localhost
    50 emailAddress = xtaying@gmail.com
    51 X509v3 extensions:
    52 X509v3 Subject Key Identifier:
    53 26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
    54 X509v3 Authority Key Identifier:
    55 keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
    56 DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
    57 serial:89:11:9F:A6:CA:03:63:AB
    58
    59 X509v3 Basic Constraints:
    60 CA:TRUE
    61 Certificate is to be certified until Aug 6 12:35:28 2013 GMT (1095 days)
    62
    63 Write out database with 1 new entries
    64 Data Base Updated
      

    安装成功的话,会在ssl目录下面产生一个文件夹demoCA

    4 生成服务器私钥和服务器证书

    1 [root@BlackGhost ssl]# openssl genrsa -des3 -out server.key 1024 //产生服务器私钥
    2 Generating RSA private key, 1024 bit long modulus
    3 .....................++++++
    4 .........++++++
    5 e is 65537 (0x10001)
    6  Enter pass phrase for server.key:
    7 Verifying - Enter pass phrase for server.key:
    8 [root@BlackGhost ssl]# openssl req -new -key server.key -out server.csr //生成服务器证书
    9  Enter pass phrase for server.key:
    10 You are about to be asked to enter information that will be incorporated
    11  into your certificate request.
    12 What you are about to enter is what is called a Distinguished Name or a DN.
    13 There are quite a few fields but you can leave some blank
    14 For some fields there will be a default value,
    15 If you enter '.', the field will be left blank.
    16 -----
    17 Country Name (2 letter code) [AU]:cn
    18 State or Province Name (full name) [Some-State]:cn
    19 Locality Name (eg, city) []:cn
    20 Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
    21 Organizational Unit Name (eg, section) []:cn
    22 Common Name (eg, YOUR name) []:localhost //要填全域名
    23 Email Address []:xtaying@gmail.com
    24
    25 Please enter the following 'extra' attributes
    26 to be sent with your certificate request
    27 A challenge password []:*****************
    28 An optional company name []:
    29  4.1 对产生的服务器证书进行签证
    30
    31 cp server.csr newseq.pem
    32
    33 查看复制打印?
    34 [root@BlackGhost ssl]# ./CA.sh -sign //为服务器证书签名
    35 Using configuration from /etc/ssl/openssl.cnf
    36  Enter pass phrase for ./demoCA/private/cakey.pem:
    37 Check that the request matches the signature
    38 Signature ok
    39 Certificate Details:
    40 Serial Number:
    41 89:11:9f:a6:ca:03:63:ac
    42 Validity
    43 Not Before: Aug 7 12:39:41 2010 GMT
    44 Not After : Aug 7 12:39:41 2011 GMT
    45 Subject:
    46 countryName = cn
    47 stateOrProvinceName = cn
    48 localityName = cn
    49 organizationName = cn
    50 organizationalUnitName = cn
    51 commonName = localhost
    52 emailAddress = xtaying@gmail.com
    53 X509v3 extensions:
    54 X509v3 Basic Constraints:
    55 CA:FALSE
    56 Netscape Comment:
    57 OpenSSL Generated Certificate
    58 X509v3 Subject Key Identifier:
    59 FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
    60 X509v3 Authority Key Identifier:
    61 keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
    62
    63 Certificate is to be certified until Aug 7 12:39:41 2011 GMT (365 days)
    64 Sign the certificate? [y/n]:y
    65
    66  1 out of 1 certificate requests certified, commit? [y/n]y
    67 Write out database with 1 new entries
    68 Data Base Updated
    69  Certificate:
    70 Data:
    71 Version: 3 (0x2)
    72 Serial Number:
    73 89:11:9f:a6:ca:03:63:ac
    74 Signature Algorithm: sha1WithRSAEncryption
    75 Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
    76 Validity
    77 Not Before: Aug 7 12:39:41 2010 GMT
    78 Not After : Aug 7 12:39:41 2011 GMT
    79 Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
    80 Subject Public Key Info:
    81 Public Key Algorithm: rsaEncryption
    82 Public-Key: (1024 bit)
    83 Modulus:
    84 00:ce:d5:a8:df:d1:e7:ee:92:d1:d1:78:20:a9:6d:
    85 0a:1b:f6:09:dd:13:29:ef:72:1d:17:54:dd:1c:8d:
    86 28:27:69:fe:70:3b:fa:2b:a3:45:40:80:ea:0e:5b:
    87 a7:bd:40:d0:cd:bc:2c:74:03:8b:f7:6c:5e:1f:09:
    88 5d:c6:8a:05:ea:b8:72:fc:79:8b:62:62:38:0b:42:
    89 28:7e:0d:fc:e7:bb:b0:87:66:6a:b2:35:92:91:b9:
    90 78:9c:b6:76:01:0b:2a:74:df:5f:a1:8b:31:61:90:
    91 93:f9:20:db:46:59:12:2e:9b:59:c0:32:4e:92:14:
    92 a1:7e:52:7b:cc:02:5e:e2:45
    93 Exponent: 65537 (0x10001)
    94 X509v3 extensions:
    95 X509v3 Basic Constraints:
    96 CA:FALSE
    97 Netscape Comment:
    98 OpenSSL Generated Certificate
    99 X509v3 Subject Key Identifier:
    100 FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
    101 X509v3 Authority Key Identifier:
    102 keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
    103
    104 Signature Algorithm: sha1WithRSAEncryption
    105 09:a0:16:43:a2:93:11:a7:ab:f5:17:b7:36:35:84:9f:3b:37:
    106 32:33:3f:93:63:b0:4c:bb:d1:b4:9b:4f:37:78:62:f4:ac:ff:
    107 28:b0:63:71:2e:9a:7c:f4:40:2e:b1:5f:ae:49:e7:e2:6f:de:
    108 cf:30:cc:9a:08:26:26:24:c5:00:03:32:20:48:41:b1:29:8f:
    109 5d:3d:2a:78:54:0e:a8:76:07:6c:7f:23:42:75:c2:fb:83:1d:
    110 70:44:5e:8c:90:cf:b4:23:b7:23:5b:06:05:32:58:e3:af:1c:
    111 be:1d:50:7b:fd:37:66:ba:9c:ec:bb:af:ee:b6:04:f7:c5:2e:
    112 59:22
    113 -----BEGIN CERTIFICATE-----
    114 MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
    115 BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw
    116 EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu
    117 Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC
    118 Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV
    119 BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp
    120 bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu
    121 ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3
    122 bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh
    123 kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
    124 CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
    125 HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+
    126 zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3
    127 MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy
    128 IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/03
    129 Zrqc7Luv7rYE98UuWSI=
    130 -----END CERTIFICATE-----
    131 Signed certificate is in newcert.pem

    cp newcert.pem server.crt

    5,产生客户端证书

    生成客户私钥:
    openssl genrsa -des3 -out client.key 1024

    生成客户证书
    openssl req -new -key client.key -out client.csr

    签证:
    openssl ca -in client.csr -out client.crt

    转换成pkcs12格式,为客户端安装所用
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx

    这一步根安装服务器的证书差不多,不同的是签证,最后安装的时候,client.pfx的密码要记住,在客户端安装的时候要用到的。

    [root@BlackGhost ssl]# openssl pkcs12 -export -clcerts   -in client.crt -inkey client.key -out client.pfx
    Enter pass phrase for client.key:
    Enter Export Password:
    Verifying – Enter Export Password:

    客户端和服务器端都可以使用服务器端证书,所以这一步不做也行。

    6,集中所以证书和私私钥到一起

    #cp demoCA/cacert.pem cacert.pem

    同时复制一份证书,更名为ca.crt
    #cp cacert.pem ca.crt

    7,apache配置

    1 ssl开启
    2 SSLEngine on
    3
    4 指定服务器证书位置
    5 SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
    6
    7 指定服务器证书key位置
    8 SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
    9
    10 证书目录
    11 SSLCACertificatePath /usr/local/apache/conf/ssl
    12
    13 根证书位置
    14 SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem
    15
    16 要求客户拥有证书
    17 SSLVerifyClient require
    18 SSLVerifyDepth 1
    19 SSLOptions +StdEnvVars
    20
    21 记录log
    22 CustomLog "/usr/local/apache/logs/ssl_request_log" \
    23 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    24 vi /usr/local/apache/conf/extra/httpd_vhosts.conf

    vi /usr/local/apache/conf/extra/ssl.conf

    1 listen 443 https
    2 NameVirtualHost *:443
    3 <VirtualHost _default_:443>
    4
    5 DocumentRoot "/home/zhangy/www/metbee/trunk/src/web"
    6 ServerName *:443
    7 ErrorLog "/home/zhangy/apache/www.metbee.com-error.log"
    8 CustomLog "/home/zhangy/apache/www.metbee.com-access.log" common
    9 Include conf/extra/ssl.conf
    10
    11 </VirtualHost>

    vi /usr/local/apache/conf/httpd.conf把Include conf/extra/httpd-vhosts.conf前面的注释去掉

    启动 /usr/local/apache/bin/apachectl -D SSL -k start

    Server *:10000 (RSA)
    Enter pass phrase:输入的是server的密钥

    OK: Pass Phrase Dialog successful.

    8,安装客户端证书

    把ca.crt和client.pfx  copy到客户端,双击client.pfx就会进入证书的安装向导,下一步就行了,中间会让你输入密码

    四,安装所遇到的问题

    1,生成的密码很多,一会让输入密码,会忘得,并且主证书的密码和下面的证书的密码不能重得,会报错的,所以要搞个文本记下来。

    2,升级openssl引发的问题

    httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libssl.so.0.9.8: cannot open shared object file: No such file or directory

    httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory

    用ln -s来建立软链接,就可以了。不过这种方法不是万能的,比如我把libpng从1.2升到1.4,libjpeg从7.0升到8.0结果是系统差点崩掉,用软链接不管用,我把他们弄掉,从网上下的低版本重装。

    3,证书的国家名称,省名要相同不然生成空证书,

    The countryName field needed to be the same in the
    CA certificate (cn) and the request (sh)

    4,提示CommonName时,要添写全域名,会提示警告

    RSA server certificate CommonName (CN) `cn’ does NOT match server name!?

    5,相同的证书不能生成二次,名字不一样也不行,也就是说server.cst和client.csr信息不能完相同,不然会报

    failed to update database
    TXT_DB error number 2

    6,页面浏览时,会看到提示,你的证书是不可信的,是因为我配置的不对,还是自己建的证书就是不要信的呢?

    7,当我加了SSLVerifyClient require SSLVerifyDepth 1 这二个配置时,在windows下面,要你输入证书后,就可以看到页面了,但在用firefox就是不行呢?看下面的ssl_request_log日志,192.168.18.3是用windows的IE浏览器

    [09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA “GET /robots.txt HTTP/1.1″ 208
    [09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA “GET /robots.txt HTTP/1.1″ 208
    [09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA “GET /robots.txt HTTP/1.1″ 208
    [09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 “GET / HTTP/1.1″ 1505
    [09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 “GET / HTTP/1.1″ 1505
    [09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 “GET / HTTP/1.1″ 1505

    遇到肯定不止这几个,有的想不起来了。关于6,7,还请高手指教。谢谢

  • 相关阅读:
    BoundsChecker下载
    大型系统内部资源定位的途径
    架构的焦点
    为什么日志只应该有三个级别
    回收站引发ORACLE查询表空间使用缓慢
    题目记录
    广搜入门 待改进的广搜
    归并排序的使用
    大数数组中滚动数组的应用
    多重背包问题
  • 原文地址:https://www.cnblogs.com/shuaixf/p/2036043.html
Copyright © 2020-2023  润新知