Creating certificates with OpenSSL: a very detailed SSL + Apache configuration
I. What is SSL

An SSL certificate works by setting up an SSL secure channel between the client browser and the web server. (The Secure Socket Layer (SSL) protocol was designed and developed by Netscape Communications. Its purpose is to authenticate the user and the server, to encrypt the data being transferred so that it cannot be read on the wire, and to make sure the data is not altered in transit, that is, to guarantee its integrity; it has since become the global standard in this field. SSL support is built into every major browser and web server, so installing a server certificate is all it takes to switch it on.) In other words, the certificate is what activates the SSL protocol: data travels encrypted between client and server, which stops it from leaking and protects what the two sides exchange, and the user can use the server certificate to check that the site being visited is the genuine one. Today the protocol actually negotiated is TLS (1.2 or 1.3); SSL 2.0 and 3.0 are broken and disabled in current servers and browsers, but the certificate work described below is unchanged.
Secure Sockets Layer (SSL) technology protects your website by encrypting traffic and providing authentication. An SSL certificate contains a public key; the matching private key is a separate file that stays on the server and is never sent to anyone. Data encrypted with the public key can only be decrypted with the private key. When a browser connects to a secure site, SSL authenticates the server to the client (and, if configured, the client to the server), agrees on a cipher and establishes a unique session key; from then on the session guarantees the privacy and integrity of the messages.

You first need a root (CA) certificate, and that root certificate is then used to sign the server certificate and the client certificates; server and client certificates are siblings under the root. The certificate SSL uses can be generated yourself or signed by a commercial CA (such as Verisign or Thawte). On getting it signed: with a commercial certificate, follow the vendor's instructions; with a self-signed setup you can use the CA.sh script that ships with OpenSSL. If you do not issue separate certificates to individual clients, the client certificate need not be generated at all: the client and the server use the same certificate.

II. Installing the required software

openssl: wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz
apache:  wget http://www.apache.org/dist/httpd/httpd-2.2.16.tar.gz

(Both releases date from 2010, are long unsupported and have published vulnerabilities; use the current OpenSSL and httpd releases. The procedure below is the same.)

III. Installation

Before you start installing, do not go straight to the steps below; read the last section first, which lists the problems I ran into while installing. That can save you a lot of detours; I took quite a few myself.

1. Install openssl
tar zxvf openssl-1.0.0a.tar.gz

2. Install apache
If you already have apache installed and do not want to recompile it, see the instructions for installing the mod_ssl module instead: that only adds the ssl module.
tar zxvf httpd-2.2.16.tar.gz
If you install with a package manager such as yum install, apt-get or pacman, the two steps above can be skipped.

3. Create the root (CA) certificate
Create a directory named ssl under /usr/local/apache/conf/
3.1 mkdir ssl
3.2 cp /<openssl install directory>/ssl/misc/CA.sh /usr/local/apache/conf/ssl/
    (on a packaged install look under /usr/lib/ssl/misc or /etc/pki/tls/misc)
3.3 Use CA.sh to create the certificate. CA.sh works relative to the current directory (it creates ./demoCA there), so run it, and the later -sign step, from the ssl directory. It takes the key size and signature digest from openssl.cnf; the 1024-bit key and SHA-1 signature in the transcript below were the 2010 defaults, but SHA-1 signatures are refused by current browsers and 2048 bits is the accepted minimum for RSA, so set default_bits = 2048 and default_md = sha256 before running it.

[root@BlackGhost ssl]# ./CA.sh -newca    // create the root certificate
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure    // the two entries did not match, so it asks again
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost
Email Address []:xtaying@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:******************
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:    // the PEM pass phrase entered above
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            89:11:9f:a6:ca:03:63:ab
        Validity
            Not Before: Aug  7 12:35:28 2010 GMT
            Not After : Aug  6 12:35:28 2013 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = cn
            organizationName          = cn
            organizationalUnitName    = cn
            commonName                = localhost
            emailAddress              = xtaying@gmail.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
            X509v3 Authority Key Identifier:
                keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
                DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
                serial:89:11:9F:A6:CA:03:63:AB

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Aug  6 12:35:28 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

(The Locality entered above does not appear in the CA subject: -newca signs with the policy_match policy from openssl.cnf, which does not carry localityName.) If it succeeded, a demoCA folder now exists under the ssl directory: demoCA/cacert.pem is the CA certificate and demoCA/private/cakey.pem the CA private key. Anyone holding that key file and its pass phrase can issue certificates your server trusts, so keep it out of the web server's reach.

4. Generate the server private key and the server certificate request
[root@BlackGhost ssl]# openssl genrsa -des3 -out server.key 1024    // generate the server private key
Generating RSA private key, 1024 bit long modulus
.....................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@BlackGhost ssl]# openssl req -new -key server.key -out server.csr    // generate the certificate signing request; the certificate itself is produced when the CA signs it in 4.1
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
(the remaining DN prompts, the same as in 3.3, are missing from the original transcript)
Common Name (eg, YOUR name) []:localhost    // must be the full domain name of the site
Email Address []:xtaying@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*****************
An optional company name []:

Two things to know about this step. -des3 leaves server.key protected by a pass phrase, so httpd will prompt for it at every start unless you strip it afterwards (openssl rsa) or configure SSLPassPhraseDialog; an unencrypted key protected by file permissions is the usual choice for an unattended server. And as in 3.3, use 2048 rather than 1024 bits.

4.1 Have the CA sign the server certificate request
cp server.csr newreq.pem    // CA.sh -sign reads the request from newreq.pem; the original wrote newseq.pem, which CA.sh would not find
[root@BlackGhost ssl]# ./CA.sh -sign    // sign the server certificate
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            89:11:9f:a6:ca:03:63:ac
        Validity
            Not Before: Aug  7 12:39:41 2010 GMT
            Not After : Aug  7 12:39:41 2011 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = cn
            localityName              = cn
            organizationName          = cn
            organizationalUnitName    = cn
            commonName                = localhost
            emailAddress              = xtaying@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
            X509v3 Authority Key Identifier:
                keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76

Certificate is to be certified until Aug  7 12:39:41 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            89:11:9f:a6:ca:03:63:ac
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
        Validity
            Not Before: Aug  7 12:39:41 2010 GMT
            Not After : Aug  7 12:39:41 2011 GMT
        Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ce:d5:a8:df:d1:e7:ee:92:d1:d1:78:20:a9:6d:
                    0a:1b:f6:09:dd:13:29:ef:72:1d:17:54:dd:1c:8d:
                    28:27:69:fe:70:3b:fa:2b:a3:45:40:80:ea:0e:5b:
                    a7:bd:40:d0:cd:bc:2c:74:03:8b:f7:6c:5e:1f:09:
                    5d:c6:8a:05:ea:b8:72:fc:79:8b:62:62:38:0b:42:
                    28:7e:0d:fc:e7:bb:b0:87:66:6a:b2:35:92:91:b9:
                    78:9c:b6:76:01:0b:2a:74:df:5f:a1:8b:31:61:90:
                    93:f9:20:db:46:59:12:2e:9b:59:c0:32:4e:92:14:
                    a1:7e:52:7b:cc:02:5e:e2:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
            X509v3 Authority Key Identifier:
                keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76

    Signature Algorithm: sha1WithRSAEncryption
        09:a0:16:43:a2:93:11:a7:ab:f5:17:b7:36:35:84:9f:3b:37:
        32:33:3f:93:63:b0:4c:bb:d1:b4:9b:4f:37:78:62:f4:ac:ff:
        28:b0:63:71:2e:9a:7c:f4:40:2e:b1:5f:ae:49:e7:e2:6f:de:
        cf:30:cc:9a:08:26:26:24:c5:00:03:32:20:48:41:b1:29:8f:
        5d:3d:2a:78:54:0e:a8:76:07:6c:7f:23:42:75:c2:fb:83:1d:
        70:44:5e:8c:90:cf:b4:23:b7:23:5b:06:05:32:58:e3:af:1c:
        be:1d:50:7b:fd:37:66:ba:9c:ec:bb:af:ee:b6:04:f7:c5:2e:
        59:22
-----BEGIN CERTIFICATE-----
MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw
EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu
Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC
Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV
BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp
bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu
ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3
bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh
kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+
zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3
MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy
IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/03
Zrqc7Luv7rYE98UuWSI=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
cp newcert.pem server.crt

5. Generate the client certificate
Generate the client private key:
Generate the client certificate request:
Sign it:
Convert to PKCS#12 format for installation on the client:
(The original gives only these headings; the commands are those of steps 4 and 4.1 with client.key, client.csr and client.crt in place of the server.* files.) This step is almost the same as for the server certificate; what differs is the signing step, and when you come to installing, remember the password you give client.pfx: it is asked for when the certificate is imported on the client.
[root@BlackGhost ssl]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Client and server can both use the server certificate, so this step can be skipped.

6. Gather all the certificates and private keys in one place
# cp demoCA/cacert.pem cacert.pem
Also copy the certificate a second time under the name ca.crt. Only the CA certificate is needed here; leave demoCA/private/cakey.pem where it is, outside the web server's configuration directory.

7. Apache configuration
vi /usr/local/apache/conf/extra/ssl.conf
Turn ssl on:
SSLEngine on
Location of the server certificate:
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
Location of the server certificate key:
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
Certificate directory (mod_ssl only finds certificates in this directory through hash-named symlinks such as those c_rehash creates; with SSLCACertificateFile set below, the directive is not needed):
SSLCACertificatePath /usr/local/apache/conf/ssl
Root certificate:
SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem
Require the client to hold a certificate (every visitor must then present a certificate issued by this CA; use optional while testing):
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StdEnvVars
Logging (the inner quotes around %r must be escaped; unescaped, they end the format string early and httpd rejects the line as having too many arguments):
CustomLog "/usr/local/apache/logs/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

vi /usr/local/apache/conf/extra/httpd_vhosts.conf
Listen 443 https
NameVirtualHost *:443
(Name-based virtual hosts on port 443 only work with SNI, that is httpd 2.2.12 or later built against an SNI-capable OpenSSL; without it every vhost on the port is served with the first one's certificate.)
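Steps 3 to 6 as one script, added here as an example and not taken from the original post: it builds the same three-piece PKI (root certificate, server certificate, client certificate with its PKCS#12 bundle) with plain openssl commands instead of CA.sh, uses 2048-bit RSA and SHA-256 rather than the 1024-bit SHA-1 defaults seen in the transcripts, adds the subjectAltName that browsers actually check, and ends with the checks worth running before section 7's directives are pointed at the files (chain verification against cacert.pem, key/certificate match, CA flag). The hostname ssl.example.test, the subjects, the output directory and the PKCS#12 password changeit are assumptions made for the example; it needs openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not the commands from the original post: the PKI of steps 3-6
# built with plain openssl commands instead of CA.sh, using 2048-bit RSA and
# SHA-256, plus the checks worth running before wiring the files into httpd.
# Assumptions: openssl 1.1.1 or newer on PATH; hostname, subjects and the
# PKCS#12 password "changeit" are made up for the example.
set -eu

# make_pki DIR HOST: writes cacert.pem, server.key/.crt, client.key/.crt/.pfx into DIR.
make_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    # Minimal req config: a DN section must exist even when -subj is used, and
    # ca_ext marks the root as a CA that may only sign certificates and CRLs.
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Self-signed root, valid ten years.  Its subject must differ from the
    #    end-entity subjects (CA.sh has the same requirement).
    openssl req -x509 -config "$dir/req.cnf" -extensions ca_ext \
        -newkey rsa:2048 -sha256 -nodes -days 3650 \
        -subj "/C=cn/O=Example Test/CN=Example Test Root CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem"

    # 2. Server key and CSR.  -nodes leaves the key unencrypted so httpd starts
    #    without a pass-phrase prompt; file permissions protect it instead.
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -sha256 -nodes \
        -subj "/C=cn/O=Example Test/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr"
    # Sign it as an end-entity server certificate with a SAN (browsers ignore CN).
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt"

    # 3. Client certificate for SSLVerifyClient require, bundled as PKCS#12
    #    (certificate plus key) for import into a browser.
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -sha256 -nodes \
        -subj "/C=cn/O=Example Test/CN=client1" \
        -keyout "$dir/client.key" -out "$dir/client.csr"
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt"
    openssl pkcs12 -export -clcerts -in "$dir/client.crt" -inkey "$dir/client.key" \
        -passout pass:changeit -out "$dir/client.pfx"

    chmod 600 "$dir/cakey.pem" "$dir/server.key" "$dir/client.key" "$dir/client.pfx"
}

# verify_cert CAFILE CERT: the chain check mod_ssl performs against SSLCACertificateFile.
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: SSLCertificateKeyFile must belong to SSLCertificateFile;
# comparing the RSA moduli catches a key and certificate from different requests.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
}

# is_ca CERT: true when basicConstraints says CA:TRUE (expected for cacert.pem only).
is_ca() {
    openssl x509 -noout -text -in "$1" | grep -q 'CA:TRUE'
}

# has_san CERT HOST: the server certificate names HOST in its subjectAltName.
has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

out=$(mktemp -d)
make_pki "$out" ssl.example.test
verify_cert "$out/cacert.pem" "$out/server.crt"
verify_cert "$out/cacert.pem" "$out/client.crt"
key_matches_cert "$out/server.key" "$out/server.crt"
has_san "$out/server.crt" ssl.example.test
echo "PKI in $out verified; copy cacert.pem, server.crt and server.key into the ssl/ directory used in section 7"
```

verify_cert fails for a certificate issued by any other CA, which is exactly what a browser without cacert.pem imported sees: for a private CA, distribute cacert.pem to the clients and import client.pfx into each browser that must pass SSLVerifyClient require. The keys are written with -nodes because httpd has to start unattended; the chmod 600 and keeping cakey.pem off the web server are what protect them instead of a pass phrase.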