openssl建立证书,非常详细配置ssl+apache

晨曦之光 发布于 2012/04/25 17:27
阅读 1K+
收藏 0

华为开发者社区年中盛会,参与瓜分1亿码豆!>>>

openssl建立证书,非常详细配置ssl+apache

一,什么是ssl

SSL证书通过在客户端浏览器和Web服务器之间建立一条SSL安全通道(Secure socket layer(SSL)安全协议是由Netscape Communication公司设计开发。该安全协议主要用来提供对用户和服务器的认证;对传送的数据进行加密和隐藏;确保数据在传送中不被改变,即数据的完整性,现已成为该领域中全球化的标准。由于SSL技术已建立到所有主要的浏览器和WEB服务器程序中,因此,仅需安装服务器证书就可以激活该功能了)。即通过它可以激活SSL协议,实现数据信息在客户端和服务器之间的加密传输,可以防止数据信息的泄露。保证了双方传递信息的安全性,而且用户可以通过服务器证书验证他所访问的网站是否是真实可靠。

 

安全套接字层 (SSL) 技术通过加密信息和提供鉴权,保护您的网站安全。一份 SSL 证书包括一个公共密钥和一个私用密钥。公共密钥用于加密信息,私用密钥用于解译加密的信息。浏览器指向一个安全域时,SSL 同步确认服务器和客户端,并创建一种加密方式和一个唯一的会话密钥。它们可以启动一个保证消息的隐私性和完整性的安全会话。

首先要有一个主证书,然后用主证书来签发服务器证书和客户证书,服务器证书和客户证书是平级关系,SSL所使用的证书可以自己生成,也可以通过一个商业性CA(如Verisign 或 Thawte)签署证书。签发证书的问题:如果使用的是商业证书,具体的签署方法请查看相关销售商的说明;如果是知己签发的证书,可以使用openssl 自带的CA.sh脚本工具。如果不为单独的客户端签发证书,客户端证书可以不用生成,客户端与服务器端使用相同的证书。

二,安装所要的软件

openssl :wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz

apache:  wget http://www.apache.org/dist/httpd/httpd-2.2.22.tar.gz

三,安装

在正式安装前,请不要直接看下面的安装,请看最后一部分,那是我安装时候所遇到的问题,这样可以使你少走不少弯路,我安装的时候,就走了不少弯路。

1,安装openssl

tar zxvf openssl-1.0.0a.tar.gz
cd openssl-1.0.0a
./config --prefix=/usr/local/openssl
make && make install

2,安装apache

如果你已经安装了apache,你又不想重新编译的话,请参考mod_ssl模块的安装,也就是添加ssl模块而已。

tar zxvf httpd-2.2.22.tar.gz
cd httpd-2.2.22
./configure --prefix=/usr/local/apache  –enable-ssl   –enable-rewrite  –enable-so   –with-ssl=/usr/local/openssl
make && make install

如果你是yum install  ,apt-get,pacman这样的软件管理工具进行安装的话,上面的二步可以省掉。

3,创建主证书

在/usr/local/apache/conf/下面建个目录ssl

3.1,mkdir ssl

3.2,cp /openssl的安装目录/ssl/misc/CA.sh /usr/local/apache/conf/ssl/

3.3 用CA.sh来创建证书

     
     
1 [root@BlackGhost ssl]# ./CA.sh -newca //建立主证书
2 CA certificate filename ( or enter to create)
3
4 Making CA certificate ...
5 Generating a 1024 bit RSA private key
6 ............++++++
7 ......++++++
8 writing new private key to ' ./demoCA/private/./cakey.pem '
9   Enter PEM pass phrase:
10 Verifying - Enter PEM pass phrase:
11 Verify failure
12   Enter PEM pass phrase:
13 Verifying - Enter PEM pass phrase:
14 -----
15 You are about to be asked to enter information that will be incorporated
16   into your certificate request.
17 What you are about to enter is what is called a Distinguished Name or a DN.
18 There are quite a few fields but you can leave some blank
19 For some fields there will be a default value,
20 If you enter ' . ' , the field will be left blank.
21 -----
22 Country Name ( 2 letter code) [AU]:cn
23 State or Province Name (full name) [Some-State]:cn
24 Locality Name (eg, city) []:cn
25 Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
26 Organizational Unit Name (eg, section) []:cn
27 Common Name (eg, YOUR name) []:localhost
28 Email Address []:xtaying@gmail.com
29
30 Please enter the following ' extra ' attributes
31 to be sent with your certificate request
32 A challenge password []:******************
33 An optional company name []:
34 Using configuration from /etc/ssl/openssl.cnf
35   Enter pass phrase for ./demoCA/private/./cakey. pem: //填的是上面的PEM密码
36 Check that the request matches the signature
37 Signature ok
38 Certificate Details:
39 Serial Number:
40 89 : 11 :9 f:a6🇨🇦 03 : 63 :ab
41 Validity
42 Not Before: Aug 7 12 : 35 : 28 2010 GMT
43 Not After : Aug 6 12 : 35 : 28 2013 GMT
44 Subject:
45 countryName = cn
46 stateOrProvinceName = cn
47 organizationName = cn
48 organizationalUnitName = cn
49 commonName = localhost
50 emailAddress = xtaying@gmail.com
51 X509v3 extensions:
52 X509v3 Subject Key Identifier:
53 26 : 09 : F3:D5: 26 : 13 : 00 :1 F: 3 E:CC: 86 :1 D:E4:EE: 37 : 06 : 65 : 15 :4 E: 76
54 X509v3 Authority Key Identifier:
55 keyid: 26 : 09 : F3:D5: 26 : 13 : 00 :1 F: 3 E:CC: 86 :1 D:E4:EE: 37 : 06 : 65 : 15 :4 E: 76
56 DirName: /C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
57 serial: 89 : 11 :9 F:A6:CA: 03 : 63 :AB
58
59 X509v3 Basic Constraints:
60 CA: TRUE
61 Certificate is to be certified until Aug 6 12 : 35 : 28 2013 GMT ( 1095 days)
62
63 Write out database with 1 new entries
64 Data Base Updated
  

安装成功的话,会在ssl目录下面产生一个文件夹demoCA

4 生成服务器私钥和服务器证书

     
     
1 [root@BlackGhost ssl]# openssl genrsa -des3 - out server.key 1024 //产生服务器私钥
2 Generating RSA private key, 1024 bit long modulus
3 .....................++++++
4 .........++++++
5 e is 65537 (0x10001)
6   Enter pass phrase for server. key:
7 Verifying - Enter pass phrase for server. key:
8 [root@BlackGhost ssl]# openssl req -new -key server.key - out server.csr //生成服务器证书
9   Enter pass phrase for server. key:
10 You are about to be asked to enter information that will be incorporated
11   into your certificate request.
12 What you are about to enter is what is called a Distinguished Name or a DN.
13 There are quite a few fields but you can leave some blank
14 For some fields there will be a default value,
15 If you enter ' . ' , the field will be left blank.
16 -----
17 Country Name ( 2 letter code) [AU]:cn
18 State or Province Name (full name) [Some-State]:cn
19 Locality Name (eg, city) []:cn
20 Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
21 Organizational Unit Name (eg, section) []:cn
22 Common Name (eg, YOUR name) []:localhost //要填全域名
23 Email Address []:xtaying@gmail.com
24
25 Please enter the following ' extra ' attributes
26 to be sent with your certificate request
27 A challenge password []:*****************
28 An optional company name []:
29   4 . 1 对产生的服务器证书进行签证
30
31 cp server.csr newreq.pem
32
33 查看复制打印?
34 [root@BlackGhost ssl]# ./CA.sh -sign //为服务器证书签名
35 Using configuration from /etc/ssl/openssl.cnf
36   Enter pass phrase for ./demoCA/private/cakey. pem:
37 Check that the request matches the signature
38 Signature ok
39 Certificate Details:
40 Serial Number:
41 89 : 11 :9 f:a6🇨🇦 03 : 63 :ac
42 Validity
43 Not Before: Aug 7 12 : 39 : 41 2010 GMT
44 Not After : Aug 7 12 : 39 : 41 2011 GMT
45 Subject:
46 countryName = cn
47 stateOrProvinceName = cn
48 localityName = cn
49 organizationName = cn
50 organizationalUnitName = cn
51 commonName = localhost
52 emailAddress = xtaying@gmail.com
53 X509v3 extensions:
54 X509v3 Basic Constraints:
55 CA: FALSE
56 Netscape Comment:
57 OpenSSL Generated Certificate
58 X509v3 Subject Key Identifier:
59 FE: 20 : 56 : 04 :8 E:B6:BE: 3 E: 3 A:E1:DA:A6: 4 A: 3 A:E1: 16 : 93 :1 D: 3 F: 81
60 X509v3 Authority Key Identifier:
61 keyid: 26 : 09 : F3:D5: 26 : 13 : 00 :1 F: 3 E:CC: 86 :1 D:E4:EE: 37 : 06 : 65 : 15 :4 E: 76
62
63 Certificate is to be certified until Aug 7 12 : 39 : 41 2011 GMT ( 365 days)
64 Sign the certificate? [y/n]:y
65
66   1 out of 1 certificate requests certified, commit? [y/n]y
67 Write out database with 1 new entries
68 Data Base Updated
69   Certificate:
70 Data:
71 Version: 3 (0x2)
72 Serial Number:
73 89 : 11 :9 f:a6🇨🇦 03 : 63 :ac
74 Signature Algorithm: sha1WithRSAEncryption
75 Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
76 Validity
77 Not Before: Aug 7 12 : 39 : 41 2010 GMT
78 Not After : Aug 7 12 : 39 : 41 2011 GMT
79 Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
80 Subject Public Key Info:
81 Public Key Algorithm: rsaEncryption
82 Public- Key: ( 1024 bit)
83 Modulus:
84 00 : ce:d5:a8:df:d1:e7🇪🇪 92 : d1:d1: 78 : 20 : a9: 6 d:
85 0a :1 b:f6: 09 : dd: 13 : 29 : ef: 72 :1 d: 17 : 54 : dd: 1 c: 8 d:
86 28 : 27 : 69 : fe: 70 :3 b:fa: 2 b:a3: 45 : 40 : 80 : ea: 0e :5 b:
87 a7🇧🇩 40 : d0💿bc: 2 c: 74 : 03 :8 b:f7: 6 c: 5 e: 1 f: 09 :
88 5 d:c6: 8 a: 05 : ea:b8: 72 : fc: 79 :8 b: 62 : 62 : 38 : 0b : 42 :
89 28 :7 e: 0d : fc:e7🇧🇧b0: 87 : 66 :6 a:b2: 35 : 92 : 91 : b9:
90 78 :9 c:b6: 76 : 01 : 0b :2 a: 74 : df: 5 f:a1: 8 b: 31 : 61 : 90 :
91 93 : f9: 20 : db: 46 : 59 : 12 :2 e: 9 b: 59 : c0: 32 :4 e: 92 : 14 :
92 a1: 7 e: 52 :7 b:cc: 02 :5 e:e2: 45
93 Exponent: 65537 (0x10001)
94 X509v3 extensions:
95 X509v3 Basic Constraints:
96 CA: FALSE
97 Netscape Comment:
98 OpenSSL Generated Certificate
99 X509v3 Subject Key Identifier:
100 FE: 20 : 56 : 04 :8 E:B6:BE: 3 E: 3 A:E1:DA:A6: 4 A: 3 A:E1: 16 : 93 :1 D: 3 F: 81
101 X509v3 Authority Key Identifier:
102 keyid: 26 : 09 : F3:D5: 26 : 13 : 00 :1 F: 3 E:CC: 86 :1 D:E4:EE: 37 : 06 : 65 : 15 :4 E: 76
103
104 Signature Algorithm: sha1WithRSAEncryption
105 09 : a0: 16 : 43 : a2: 93 : 11 : a7🆎f5: 17 : b7: 36 : 35 : 84 :9 f: 3 b: 37 :
106 32 : 33 :3 f: 93 : 63 : b0: 4 c🇧🇧d1:b4: 9 b: 4 f: 37 : 78 : 62 : f4:ac:ff:
107 28 : b0: 63 : 71 :2 e: 9 a: 7 c:f4: 40 :2 e:b1: 5 f🇦🇪 49 : e7:e2: 6 f🇩🇪
108 cf: 30 : cc: 9 a: 08 : 26 : 26 : 24 : c5: 00 : 03 : 32 : 20 : 48 : 41 : b1: 29 :8 f:
109 5 d: 3 d: 2 a: 78 : 54 : 0e : a8: 76 : 07 :6 c: 7 f: 23 : 42 : 75 : c2:fb: 83 :1 d:
110 70 : 44 :5 e: 8 c: 90 : cf:b4: 23 : b7: 23 :5 b: 06 : 05 : 32 : 58 : e3🇦🇫 1 c:
111 be: 1 d: 50 :7 b:fd: 37 : 66 : ba: 9 c:ec🇧🇧af🇪🇪b6: 04 : f7:c5: 2 e:
112 59 : 22
113 -----BEGIN CERTIFICATE-----
114 MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
115 BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw
116 EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu
117 Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC
118 Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV
119 BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp
120 bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu
121 ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3
122 bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh
123 kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
124 CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
125 HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+
126 zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3
127 MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy
128 IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/ 03
129 Zrqc7Luv7rYE98UuWSI=
130 -----END CERTIFICATE-----
131 Signed certificate is in newcert.pem

cp newcert.pem server.crt

5,产生客户端证书

生成客户私钥:
openssl genrsa -des3 -out client.key 1024

生成客户证书
openssl req -new -key client.key -out client.csr

签证:
openssl ca -in client.csr -out client.crt

转换成pkcs12格式,为客户端安装所用
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx(切记:设置最好和服务证书有点不同,但是前面是cn,后面必须是cn,可以邮箱不同)

这一步根安装服务器的证书差不多,不同的是签证,最后安装的时候,client.pfx的密码要记住,在客户端安装的时候要用到的。

[root@BlackGhost ssl]# openssl pkcs12 -export -clcerts   -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying – Enter Export Password:

客户端和服务器端都可以使用服务器端证书,所以这一步不做也行。

6,集中所以证书和私私钥到一起

#cp demoCA/cacert.pem cacert.pem

同时复制一份证书,更名为ca.crt
#cp cacert.pem ca.crt

7,apache配置

vi /usr/local/apache/conf/extra/http-ssl.conf

     
     
1 ssl开启
2 SSLEngine on
3
4 指定服务器证书位置
5 SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
6
7 指定服务器证书key位置
8 SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
9
10 证书目录
11 SSLCACertificatePath /usr/local/apache/conf/ssl
12
13 根证书位置
14 SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem
15
16 要求客户拥有证书
17 SSLVerifyClient require
18 SSLVerifyDepth 1
19 SSLOptions +StdEnvVars
20
21 记录log
22 CustomLog " /usr/local/apache/logs/ssl_request_log " \
23 " %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \ " %r\ " %b "
24 vi /usr/local/apache/conf/extra/httpd_vhosts.conf

vi /usr/local/apache/conf/extra/ssl.conf

     
     
vi /usr/local/apache/conf/httpd.conf把Include conf/extra/httpd-ssl.conf前面的注释去掉

启动 /usr/local/apache/bin/apachectl -D SSL -k start

Server *:10000 (RSA)
Enter pass phrase:输入的是server的密钥

OK: Pass Phrase Dialog successful.

8,安装客户端证书

把ca.crt和client.pfx  copy到客户端,双击client.pfx就会进入证书的安装向导,下一步就行了,中间会让你输入密码

四,安装所遇到的问题

1,生成的密码很多,一会让输入密码,会忘得,并且主证书的密码和下面的证书的密码不能重得,会报错的,所以要搞个文本记下来。

2,升级openssl引发的问题

httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libssl.so.0.9.8: cannot open shared object file: No such file or directory

httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory

用ln -s来建立软链接,就可以了。不过这种方法不是万能的,比如我把libpng从1.2升到1.4,libjpeg从7.0升到8.0结果是系统差点崩掉,用软链接不管用,我把他们弄掉,从网上下的低版本重装。

3,证书的国家名称,省名要相同不然生成空证书,

The countryName field needed to be the same in the
CA certificate (cn) and the request (sh)

4,提示CommonName时,要添写全域名,会提示警告

RSA server certificate CommonName (CN) `cn’ does NOT match server name!?

5,相同的证书不能生成二次,名字不一样也不行,也就是说server.cst和client.csr信息不能完相同,不然会报

failed to update database
TXT_DB error number 2

6,页面浏览时,会看到提示,你的证书是不可信的,是因为我配置的不对,还是自己建的证书就是不要信的呢?

7,当我加了SSLVerifyClient require SSLVerifyDepth 1 这二个配置时,在windows下面,要你输入证书后,就可以看到页面了,但在用firefox就是不行呢?看下面的ssl_request_log日志,192.168.18.3是用windows的IE浏览器

[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA “GET /robots.txt HTTP/1.1″ 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA “GET /robots.txt HTTP/1.1″ 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA “GET /robots.txt HTTP/1.1″ 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 “GET / HTTP/1.1″ 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 “GET / HTTP/1.1″ 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 “GET / HTTP/1.1″ 1505

遇到肯定不止这几个,有的想不起来了。关于6,7,还请高手指教。谢谢


原文链接:http://blog.csdn.net/qpengyanting123/article/details/7445402
加载中
返回顶部
顶部