Creating a self-signed SSL certificate and configuring Apache
1. Install OpenSSL
tar zxvf openssl-0.9.7g.tar.gz
cd openssl-0.9.7g
./config
make
make install
2. Install Apache
tar zxvf httpd-2.2.8.tar.gz
cd httpd-2.2.8
./configure --prefix=/opt/apache2 --enable-ssl=static --with-ssl=/usr/local/ssl
make
make install
3. Configure the CA server (note: to be safe and avoid mixing up pass phrases, every pass phrase in this walkthrough is 123456)
1) Configure the CA server: generate the CA's own key pair and have the CA self-sign its certificate
vi /etc/pki/tls/openssl.cnf
line 178
comment out basicConstraints=CA:FALSE and set
basicConstraints=CA:TRUE // the self-signed certificate can then act as a CA
2) Create the CA certificate
cd /etc/pki/CA/
/etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) // press Enter
Making CA certificate ...
Generating a 1024 bit RSA private key
..............++++++
............................................++++++
writing new private key to '../../CA/private/./cakey.pem' // private key
Enter PEM pass phrase:123456 // type the pass phrase
Verifying - Enter PEM pass phrase:123456 // type it again
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn // identity information
State or Province Name (full name) [Berkshire]:bj
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:abcd
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:abcd.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem: // self-sign with the CA private key
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Aug 26 09:34:27 2013 GMT
Not After : Aug 25 09:34:27 2016 GMT
Subject:
countryName = cn
stateOrProvinceName = bj
organizationName = abcd
organizationalUnitName = it
commonName = abcd.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3B:E9:78:DC:EB:CB:4A:41:EB:6B:40:CE:E0:D6:10:63:2D:D5:C5:C8
X509v3 Authority Key Identifier:
keyid:3B:E9:78:DC:EB:CB:4A:41:EB:6B:40:CE:E0:D6:10:63:2D:D5:C5:C8
Certificate is to be certified until Aug 25 09:34:27 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
3) Once finished, the following files exist:
/etc/pki/CA/private/cakey.pem // private key
/etc/pki/CA/cacert.pem // root certificate
/etc/pki/CA/careq.pem // certificate request
4. Configure the web server
1) Generate the web server's private key
cd /opt/apache2/conf/
openssl genrsa -des3 -out server.key
Generating RSA private key, 512 bit long modulus
...............++++++++++++
...............++++++++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:123456 // type the pass phrase
Verifying - Enter pass phrase for server.key:123456 // type it again
(After this command runs, server.key is created in the current directory; it is the web server's private key.)
2) Generate the server certificate request file
openssl req -new -key server.key > server.csr
Enter pass phrase for server.key:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:bj
Locality Name (eg, city) [Newbury]:bj // this information must match the CA's
Organization Name (eg, company) [My Company Ltd]:abcd
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:abcd.com
Email Address []:[email protected]
-----
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
When finished, a file named server.csr exists in the current directory.
3) Have the CA sign the certificate request
cd /etc/pki/CA/
openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /opt/apache2/conf/server.csr -out /opt/apache2/conf/server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 27 07:20:17 2013 GMT
Not After : Aug 27 07:20:17 2014 GMT
Subject:
countryName = cn
stateOrProvinceName = bj
organizationName = abcd
organizationalUnitName = it
commonName = abcd.com
emailAddress = root@root.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BE:FE:86:46:AA:5E:CC:54:39:5E:62:C4:99:BC:0E:34:A6:E6:01:B2
X509v3 Authority Key Identifier:
keyid:96:B6:29:B1:79:0B:18:60:08:B6:08:D3:15:38:87:69:63:BA:81:CA
Certificate is to be certified until Aug 27 07:20:17 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
When finished, server.crt is created in /opt/apache2/conf.
If openssl fails while issuing the certificate with "TXT_DB error number 2" (the CA database already holds a certificate with the same subject; the CA certificate above was issued with the same DN), fix it as follows:
edit index.txt.attr under demoCA (the CA directory, /etc/pki/CA/ here) and change
unique_subject = yes
to
unique_subject = no
then delete index.txt under demoCA and recreate it with touch:
rm index.txt
touch index.txt
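The flow of section 3 and section 4 steps 1) to 3) as a non-interactive script, added here as an example and not code from the original post. It assumes openssl on PATH and 2048-bit keys, gives the CA its own CN ("abcd root CA", an assumption) so the subject does not clash with the server's, and issues the server certificate from its own extension file so it comes out CA:FALSE rather than the CA:TRUE visible in the signing output above; the resulting cacert.pem and server.crt are what step 4) copies into /opt/apache2/conf/.

```shell
#!/bin/sh
# Added example (not from the post): non-interactive version of section 3
# and section 4 steps 1-3, same subject values as the post. Unlike the
# post, CA and server get separate extension files, so the server cert
# is issued CA:FALSE rather than the CA:TRUE seen in the signing output
# above, and keys are unencrypted, as after "openssl rsa -in server.key"
# in step 4. Assumes openssl on PATH; 2048-bit keys (post used 1024/512).
set -eu

SUBJ_BASE="/C=cn/ST=bj/L=bj/O=abcd/OU=it"

# make_pki DIR: writes ca.key, cacert.pem, server.key, server.crt into DIR.
# Runs in a subshell so the cd does not leak into the caller.
make_pki() (
    cd "$1"

    # CA certificate: self-signed, explicitly a CA, restricted to signing.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > ca_ext.cnf
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -key ca.key -subj "$SUBJ_BASE/CN=abcd root CA" -out careq.pem
    openssl x509 -req -in careq.pem -signkey ca.key -days 1095 \
        -extfile ca_ext.cnf -out cacert.pem 2>/dev/null

    # Server certificate: end-entity extensions. The SAN is what browsers
    # match the host name against; the post relies on the CN alone.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:abcd.com' > server_ext.cnf
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -subj "$SUBJ_BASE/CN=abcd.com" -out server.csr
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey ca.key -CAcreateserial \
        -days 365 -extfile server_ext.cnf -out server.crt 2>/dev/null
)

# basic_constraints CERT: prints CA:TRUE or CA:FALSE for CERT.
basic_constraints() {
    openssl x509 -in "$1" -noout -text |
        awk '/Basic Constraints/ { getline; gsub(/ /, ""); print; exit }'
}

# chain_ok CAFILE CERT: succeeds when CERT chains to CAFILE, which is the
# check a browser performs once the CA certificate has been imported.
chain_ok() {
    openssl verify -CAfile "$1" "$2" > /dev/null 2>&1
}
```

Run it as `make_pki /tmp/pki && chain_ok /tmp/pki/cacert.pem /tmp/pki/server.crt`; basic_constraints on server.crt must print CA:FALSE, otherwise the server key could sign further certificates that the imported CA would trust.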
4) Edit the configuration files
cp /etc/pki/CA/cacert.pem /opt/apache2/conf/
vim /opt/apache2/conf/httpd.conf
ServerName localhost:80
Include conf/extra/httpd-ssl.conf // uncomment this line
vim /opt/apache2/conf/extra/httpd-ssl.conf
Listen 443 // can be changed to another port
SSLPassPhraseDialog builtin // the pass phrase must be typed every time Apache restarts
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
ServerName localhost:443
SSLEngine on
SSLCertificateFile /opt/apache2/conf/ssl.crt/server.crt // certificate file
SSLCertificateKeyFile /opt/apache2/conf/ssl.crt/server.key // private key file
SSLCACertificateFile /opt/apache2/conf/ssl.crt/ca.crt // CA certificate (chain) file
</VirtualHost>
To avoid typing the key's pass phrase every time Apache restarts, re-export the key file as follows:
openssl rsa -in server.key -out server2.key
mv server.key server.key.originalkey
mv server2.key server.key
5. Import the certificate into the client browser
Using IE as the example:
Export the certificate from the server to the client, open the browser, then go to Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities -> Import, and import server.crt.
6. Verify
Open a browser and enter https://IP; if the same page that http serves opens, the SSL certificate is in effect.
7. Force redirection to HTTPS
a) Check whether Apache was built with rewrite_module
ls /opt/httpd/modules
check whether mod_rewrite.so exists,
and whether httpd.conf contains a LoadModule …mod_rewrite.so line.
If either is missing, add the mod_rewrite module:
1. find / -name mod_rewrite.c
// locate mod_rewrite.c in the Apache source directory
2. cd into the directory that was found
3. /opt/httpd/bin/apxs -c mod_rewrite.c
4. /opt/httpd/bin/apxs -i -a -n mod_rewrite mod_rewrite.la
5. vim /opt/httpd/conf/httpd.conf
change the LoadModule …mod_rewrite.so line to
LoadModule rewrite_module modules/mod_rewrite.so
save and exit.
b) Configure httpd.conf
Add or modify the following at the corresponding place:
# Options FileInfo AuthConfig Limit
AllowOverride All
Order allow,deny
Allow from all
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://cccb.com:443/$1 [L,R]
Save and exit.
c) Verify
Enter the http domain in the browser; if it redirects to the https domain, the configuration works.
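Step 4) of section 4 and section 7 put together, as an added example that is not from the original post: a port 80 VirtualHost that carries the redirect and a port 443 VirtualHost whose paths point at the files the walkthrough actually produces in /opt/apache2/conf/ (the post's ssl.crt/ directory and ca.crt name exist only if you create them). The host name abcd.com is assumed from the certificate's CN; the post uses localhost and cccb.com.

```apache
# Added example, not from the original post. Paths assume server.crt,
# server.key and cacert.pem were generated/copied into /opt/apache2/conf/
# as in section 4; host name abcd.com is assumed from the certificate CN.
Listen 80
Listen 443

# Plain HTTP only redirects. Same RewriteCond as section 7, but in vhost
# context the matched path keeps its leading slash, so it is captured
# after "^/" to avoid a doubled slash in the Location header.
<VirtualHost *:80>
    ServerName abcd.com
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*)$ https://abcd.com:443/$1 [L,R]
</VirtualHost>

<VirtualHost _default_:443>
    ServerName abcd.com:443
    SSLEngine on
    SSLCertificateFile    /opt/apache2/conf/server.crt
    SSLCertificateKeyFile /opt/apache2/conf/server.key
    # Only consulted when the server verifies client certificates. The
    # post's configuration never enables that, so its "two-way" setup is
    # still one-way TLS; the two commented directives are what would
    # turn client-certificate verification on against cacert.pem.
    SSLCACertificateFile  /opt/apache2/conf/cacert.pem
    #SSLVerifyClient require
    #SSLVerifyDepth  1
</VirtualHost>
```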
Note:
The difference between one-way and two-way authentication is explained in detail at http://blog.csdn.net/chenboblog/article/details/53835856 (thanks to chenboblog for that post).
8. Supplement
The above is the configuration for two-way SSL verification, where both the server and the client need certificate verification.
One-way verification is much less involved: only the server needs a certificate configured, and the client does not need to import one.
One-way certificate configuration:
Go to the Apache installation directory and generate all certificates there: cd /opt/apache2/conf/
1) Generate the key: openssl genrsa 1024 > server.key
Explanation: this generates a key with the 128-bit RSA algorithm, producing the file server.key.
2) Generate the certificate request file: openssl req -new -key server.key > server.csr
Explanation: this uses the key from step 1 to generate the certificate request file server.csr.
3) Generate the certificate: openssl req -x509 -days 365 -key server.key -in server.csr > server.crt
Explanation: this uses the key and certificate request from steps 1 and 2 to generate the certificate server.crt; the -days argument gives the certificate's validity period in days.
Then update the certificate paths in the corresponding configuration file (the one-way certificates generated here have the same file names as the two-way ones, so simply restarting httpd makes them take effect).