CentOS 5.5 + Apache 2 + OpenSSL 0.9.8o: setting up HTTPS
Install OpenSSL first, then compile and install Apache, then configure the certificate.
1. Download Apache and OpenSSL
URLs: http://www.apache.org http://www.openssl.org
2. Compile and install OpenSSL; it is used mainly to generate the certificates (openssl-0.9.8o.tar.gz is used as the example):
# tar -zxvf openssl-0.9.8o.tar.gz
# cd openssl-0.9.8o
# ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib
# make
# make install
Rename the files the system already has:
# mv /usr/bin/openssl /usr/bin/openssl.OFF
# mv /usr/include/openssl /usr/include/openssl.OFF
# mv /usr/lib/libssl.so /usr/lib/libssl.so.OFF
# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
# ln -s /usr/local/openssl/lib/libssl.so.0.9.8 /usr/lib/libssl.so
# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
# ldconfig
2. The Apache installation process is omitted. httpd-2.2.17.tar.gz is used here.
The installation directory is /usr/local/apache2.
3. After installation, generate the certificate:
Create the certificate directory as follows:
# mkdir -p /usr/local/openssl/certs/bank
# cd /usr/local/openssl/certs/bank/
# ls
Generate the server private key server.key; you will be asked for a passphrase for the key. 1024 is the key length:
# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........................++++++
............++++++
e is 65537 (0x10001)
You will now be asked to enter the passphrase twice (it works like a password). Remember it, it is needed below (nothing is echoed as you type!)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
#
After the passphrase is entered, the directory contains the following file:
# ls
server.key
# cat server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FBA67EF1416CEDAD
-----END RSA PRIVATE KEY-----
#
Generate the server certificate signing request (server.csr), which carries the public key. You will be asked for the passphrase set in the previous step,
and to fill in the certificate information as prompted:
# openssl req -new -key server.key -out server.csr
This command prompts for the fields required by an X.509 certificate: country (CN for China), province, city, organization name, organizational unit (may be left blank by pressing Enter). Note: apart from the country code, which must be CN, the other fields may be in English or Chinese.
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN    (China: enter CN)
State or Province Name (full name) :BeiJing    (province)
Locality Name (eg, city) []:BeiJing    (city)
Organization Name (eg, company) :BeiJing New Media of Vision Information Technology Co.,Ltd.    (organization name)
Organizational Unit Name (eg, section) []:    (department name; may be left blank by pressing Enter, or filled in, e.g. IT Dept)
Common Name (eg, YOUR name) []:bank.xinpindao.com    (the domain name the SSL certificate is for, i.e. the name of the site that will use SSL; if you need a certificate for www.domain.com you cannot enter just domain.com)
Note: do not enter an email address, challenge password or optional company name; just press Enter.
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#
After the above settings, another file is generated
# ls
server.csr  server.key
You have now generated the key pair. Keep the private key file server.key on your server and send the CSR file server.csr to WoTrust/Thawte.
Note: WoTrust/Thawte is a reseller of branded digital certificate products, including VeriSign, Thawte, GeoTrust and TC products, and it also resells WoSign certificates.
The CSR file looks like this
# cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
For a more detailed guide to generating a CSR see: http://blog.itechol.com/space.php?uid=33&do=blog&id=5149
#
Signing: generate the certificate (simulating a CA, for testing), producing server.cert
# openssl x509 -req -days 700 -in server.csr -signkey server.key -out server.cert
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=yuanyang/OU=BeiJing New Media of Vision Information Technology Co.,Ltd./CN=bank.xinpindao.com/emailAddress=xiaoxl@cnmvi.com
Getting Private key
Enter pass phrase for server.key:    (enter the server.key passphrase again)
#
After the step above, another file has appeared in this directory.
# ls
server.cert  server.csr  server.key
# cat server.cert
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
#
# ll
total 12
-rw-r--r-- 1 root root 1115 Oct 10 18:04 server.cert
-rw-r--r-- 1 root root  928 Oct 10 18:00 server.csr
-rw-r--r-- 1 root root  963 Oct 10 17:53 server.key
For safety, we then set the permissions of these files to 400
# chmod 400 server.cert server.key
# ll
total 12
-r-------- 1 root root 1115 Oct 10 18:04 server.cert
-rw-r--r-- 1 root root  928 Oct 10 18:00 server.csr
-r-------- 1 root root  963 Oct 10 17:53 server.key
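The genrsa, req and x509 steps above run non-interactively, followed by the checks worth making before httpd is pointed at the files: that the private key really belongs to the certificate, that the CN is the intended host name, that the certificate is currently valid, and that the files got mode 400. This is an added example, not the original post's code; it assumes openssl is in PATH, takes directory, host name and passphrase as parameters, and uses a 2048-bit key encrypted with AES-256 in place of the post's 1024-bit DES3 key.

```shell
#!/bin/sh
# Added example (not the original post's code): the key/CSR/self-signed cert steps
# run non-interactively, plus the checks to make before httpd is pointed at the files.
# Assumes openssl is in PATH. Directory, host name and passphrase are parameters;
# 2048-bit RSA with AES-256 replaces the post's 1024-bit RSA with DES3.

# Produce server.key (encrypted), server.csr and server.cert in $1 for host $2 ($3 = passphrase).
make_server_material() {
    dir="$1"; host="$2"; pass="$3"
    mkdir -p "$dir" &&
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Example Org/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -days 700 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -passin "pass:$pass" -out "$dir/server.cert" 2>/dev/null &&
    chmod 400 "$dir/server.key" "$dir/server.cert"   # the post's permission step
}

# Return 0 when the certificate's public key belongs to the private key ($1=key, $2=cert, $3=pass).
# Comparing the RSA modulus of both files is the standard way to catch a mismatched pair.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -passin "pass:$3" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the CN from the certificate subject; browsers compare it with the URL's host name.
# Handles both the old "/CN=host" and the newer "CN = host" subject layouts.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# Return 0 when the certificate is inside its validity period right now.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Return 0 when the file is mode 400 (GNU stat, with a BSD/macOS fallback).
is_mode_400() {
    m=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    [ "$m" = "400" ]
}
```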
3. Create the passphrase auto-reply file
Note:
Without this step, starting Apache later will prompt for the certificate passphrase; once it is entered correctly, SSL starts together with Apache.
# vi /usr/local/openssl/certs/bank/server.pass
#!/bin/bash
SSLPhrasePassword='xinpindao@2011'
echo $SSLPhrasePassword
4. Edit the httpd-ssl.conf file
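A server.pass that does not carry the passphrase in its own body, as an added example rather than the original post's script. In Apache 2.2, mod_ssl runs the exec: program as "server.pass servername:port RSA" and takes the passphrase from its standard output; this helper reads it from a root-only file named after the first argument, under a directory (PASS_DIR) that is this example's assumption.

```shell
#!/bin/sh
# Added example (not the original post's code): a server.pass for
# "SSLPassPhraseDialog exec:" that does not hardcode the passphrase.
# Apache 2.2 mod_ssl runs it as:  server.pass servername:port RSA
# and reads the passphrase from the first line of stdout. PASS_DIR is this
# example's assumption: a root-owned directory with one file per servername:port,
# e.g. /usr/local/openssl/certs/bank/passphrases/bank.xinpindao.com:443
PASS_DIR="${PASS_DIR:-/usr/local/openssl/certs/bank/passphrases}"

# Print the passphrase for $1 (servername:port). Return codes: 1 no file,
# 2 file readable by group/other, 3 unexpected characters in the name
# (so the argument can never select a file outside PASS_DIR).
passphrase_for() {
    case "$1" in
        *[!A-Za-z0-9.:_-]* | "") return 3 ;;
    esac
    f="$PASS_DIR/$1"
    [ -f "$f" ] || return 1
    m=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
    case "$m" in 400|600) ;; *) return 2 ;; esac
    head -n 1 "$f"
}

# Entry point used by httpd; no argument is present when the file is sourced.
if [ $# -ge 1 ]; then
    passphrase_for "$1"
fi
```

The helper itself should be owned by root and mode 500, like the passphrase files, since whoever can edit it can read the key.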
cp httpd-ssl.conf httpd-ssl.conf.old
vi /usr/local/apache2/conf/extra/httpd-ssl.conf
The following places are changed:
#SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateFile "/usr/local/openssl/certs/bank/server.cert"
#SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
SSLCertificateKeyFile "/usr/local/openssl/certs/bank/server.key"
#SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/usr/local/openssl/certs/bank/server.pass
SSL is now basically configured; next we have Apache start SSL.
First configure httpd.conf:
# vi /usr/local/apache2/conf/httpd.conf
Enable this line: Include conf/extra/httpd-ssl.conf
# /usr/local/apache2/bin/apachectl start
Note the error that appears here; read the error message carefully:
Syntax error on line 57 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a module not included in the server configuration
Is a module missing? Check which modules Apache was compiled with:
# httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
mod_ssl.c is missing.
Look at Apache's configure parameters to see whether the ssl module was compiled in:
# cat /usr/local/apache2/build/config.nice
#! /bin/sh
#
# Created by configure
"./configure" \
"--prefix=/usr/local/apache2" \
"--enable-so" \
"--enable-rewrite" \
"--disable-ipv6" \
"$@"
The above shows that the ssl module was not compiled in when Apache was first installed, so Apache is recompiled below.
For adding modules to Apache while keeping the existing configuration, see
http://blog.itechol.com/space.php?uid=33&do=blog&id=5146
cp -rf /usr/local/apache2/conf/httpd.conf /tmp/httpd.conf
tar -xzvf httpd-2.2.17.tar.gz
cd httpd-2.2.17
./configure --prefix=/usr/local/apache2 --enable-so --enable-rewrite --disable-ipv6 --enable-ssl --with-ssl=/usr/local/openssl
make && make install
I recompiled it once more, this time adding --enable-ssl.
cp -rf /tmp/httpd.conf /usr/local/apache2/conf/httpd.conf
Restart and verify; it works! As shown:
# /usr/local/apache2/bin/apachectl restart
# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2494/portmap
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3613/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3613/httpd
tcp 0 0 :::3306 :::* LISTEN 2917/mysqld
tcp 0 0 :::22 :::* LISTEN 3048/sshd
udp 0 0 0.0.0.0:111 0.0.0.0:* 2494/portmap
5. Verify that the certificate is installed
Enter https://192.168.18.82 in the browser. If it asks you to accept the certificate, that is it, done. It is that simple. As shown: