1. Install OpenSSL

    tar zxvf openssl-1.0.0a.tar.gz
    cd openssl-1.0.0a
    ./config --prefix=/usr/local/openssl
    make && make install

2. Install Apache

    tar zxvf httpd-2.2.16.tar.gz
    cd httpd-2.2.16
    ./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/openssl
    make && make install

If you install with a package manager such as yum install, apt-get or pacman, the two steps above can be skipped.

3. Create the root (CA) certificate

Create a directory named ssl under /usr/local/apache/conf/:

3.1 mkdir ssl
3.2 cp <openssl install dir>/ssl/misc/CA.sh /usr/local/apache/conf/ssl/
3.3 Use CA.sh to create the certificate:

    [iyunv@BlackGhost ssl]# ./CA.sh -newca        # create the root certificate
    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ............++++++
    ......++++++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    Verify failure
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:cn
    State or Province Name (full name) [Some-State]:cn
    Locality Name (eg, city) []:cn
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
    Organizational Unit Name (eg, section) []:cn
    Common Name (eg, YOUR name) []:localhost
    Email Address []:xtaying@gmail.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:******************
    An optional company name []:
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/./cakey.pem:     # the PEM pass phrase entered above
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number:
            89:11:9f:a6:ca:03:63:ab
        Validity
            Not Before: Aug  7 12:35:28 2010 GMT
            Not After : Aug  6 12:35:28 2013 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = cn
            organizationName          = cn
            organizationalUnitName    = cn
            commonName                = localhost
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
            X509v3 Authority Key Identifier:
                keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
                DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
                serial:89:11:9F:A6:CA:03:63:AB

            X509v3 Basic Constraints:
                CA:TRUE
    Certificate is to be certified until Aug  6 12:35:28 2013 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated

If this succeeded, a directory named demoCA has been created under the ssl directory.

4. Generate the server private key and server certificate request

    [iyunv@BlackGhost ssl]# openssl genrsa -des3 -out server.key 1024      # generate the server private key
    Generating RSA private key, 1024 bit long modulus
    .....................++++++
    .........++++++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Verifying - Enter pass phrase for server.key:
    [iyunv@BlackGhost ssl]# openssl req -new -key server.key -out server.csr    # generate the server certificate request
    Enter pass phrase for server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:cn
    State or Province Name (full name) [Some-State]:cn
    Locality Name (eg, city) []:cn
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
    Organizational Unit Name (eg, section) []:cn
    Common Name (eg, YOUR name) []:localhost      # enter the full domain name here
    Email Address []:xtaying@gmail.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:*****************
    An optional company name []:
4.1 Have the CA sign the server certificate request

CA.sh -sign reads the request from newreq.pem:

    cp server.csr newreq.pem
    [iyunv@BlackGhost ssl]# ./CA.sh -sign      # sign the server certificate
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number:
            89:11:9f:a6:ca:03:63:ac
        Validity
            Not Before: Aug  7 12:39:41 2010 GMT
            Not After : Aug  7 12:39:41 2011 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = cn
            localityName              = cn
            organizationName          = cn
            organizationalUnitName    = cn
            commonName                = localhost
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
            X509v3 Authority Key Identifier:
                keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76

    Certificate is to be certified until Aug  7 12:39:41 2011 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                89:11:9f:a6:ca:03:63:ac
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
            Validity
                Not Before: Aug  7 12:39:41 2010 GMT
                Not After : Aug  7 12:39:41 2011 GMT
            Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
            X509v3 extensions:
                (same extensions as listed above)
        Signature Algorithm: sha1WithRSAEncryption
            ...
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    Signed certificate is in newcert.pem

    cp newcert.pem server.crt

5. Generate the client certificate

Generate the client private key:

    openssl genrsa -des3 -out client.key 1024

Generate the client certificate request:

    openssl req -new -key client.key -out client.csr

Sign it:

    openssl ca -in client.csr -out client.crt

Convert it to PKCS#12 format, which is what the client-side installation uses:

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx

This step is much the same as for the server certificate; the difference is the signing. Remember the password you set for client.pfx at the end: it is needed when installing the certificate on the client.

    [iyunv@BlackGhost ssl]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
    Enter pass phrase for client.key:
    Enter Export Password:
    Verifying - Enter Export Password:

The client and the server can both use the server certificate, so this step can also be skipped.

6. Collect all certificates and private keys in one place

    # cp demoCA/cacert.pem cacert.pem

Also copy the certificate under the name ca.crt:
    # cp cacert.pem ca.crt

7. Apache configuration

vi /usr/local/apache/conf/extra/ssl.conf

    # enable SSL
    SSLEngine on

    # location of the server certificate
    SSLCertificateFile /usr/local/apache/conf/ssl/server.crt

    # location of the server certificate key
    SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key

    # certificate directory
    SSLCACertificatePath /usr/local/apache/conf/ssl

    # location of the root certificate
    SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem

    # require the client to hold a certificate
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

    # logging
    CustomLog "/usr/local/apache/logs/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

vi /usr/local/apache/conf/extra/httpd-vhosts.conf

    Listen 443 https
    NameVirtualHost *:443
    <VirtualHost _default_:443>

        DocumentRoot "/home/zhangy/www/metbee/trunk/src/web"
        ServerName *:443
        ErrorLog "/home/zhangy/apache/www.metbee.com-error.log"
        CustomLog "/home/zhangy/apache/www.metbee.com-access.log" common
        Include conf/extra/ssl.conf

    </VirtualHost>

vi /usr/local/apache/conf/httpd.conf and remove the comment marker in front of the line "Include conf/extra/httpd-vhosts.conf".

Start Apache:

    /usr/local/apache/bin/apachectl -D SSL -k start
    Server *:10000 (RSA)
    Enter pass phrase:          # enter the server key's pass phrase
    OK: Pass Phrase Dialog successful.

8. Install the client certificate

Copy ca.crt and client.pfx to the client machine. Double-clicking client.pfx opens the certificate import wizard; just click Next through it. Along the way it asks for the password.

IV. Problems encountered during installation

1. A lot of passwords are generated, and you are asked to enter one every so often, so they are easy to forget. The root certificate's password and the passwords of the certificates below it must not be the same, or an error is reported. So keep a text file and write them down.

2. Problems caused by upgrading OpenSSL:

    httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libssl.so.0.9.8: cannot open shared object file: No such file or directory
    httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory

Creating symbolic links with ln -s solves this. It is not a universal remedy, though: when I upgraded libpng from 1.2 to 1.4 and libjpeg from 7.0 to 8.0 the system nearly fell over, symbolic links did not help, and I removed them and reinstalled the older versions downloaded from the net.

3. The certificate's country name and province name must be the same as the CA's, otherwise an empty certificate is produced:

    The countryName field needed to be the same in the
    CA certificate (cn) and the request (sh)

4. At the Common Name prompt, enter the full domain name, otherwise a warning is reported:

    RSA server certificate CommonName (CN) `cn' does NOT match server name!?

5. The same certificate cannot be generated twice, not even under a different name; that is, the information in server.csr and client.csr cannot be completely identical, otherwise it fails with:

    failed to update database
    TXT_DB error number 2

6. When browsing the page, a warning says that your certificate is not trusted. Is that because my configuration is wrong, or is a self-built certificate simply not trusted?

7. After I added the two settings SSLVerifyClient require and SSLVerifyDepth 1, on Windows the page is shown once you have selected a certificate, but in Firefox it just does not work. Look at the ssl_request_log below; 192.168.18.3 is the Windows IE browser:

    [09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
    [09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
    [09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
    [09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
    [09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
    [09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
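The log above is the place to look when a client-certificate setup misbehaves, and the same CustomLog format lends itself to a routine check. The following is an added example, not code from the tutorial: it scans an ssl_request_log written with the step 7 format ("%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b") and reports every connection that negotiated a retired protocol or a cipher suite that is weak by today's standards, such as the RC4-MD5 entries from the IE client. The sample lines are constructed, modelled on the tutorial's log.

```shell
#!/bin/sh
# Added example (not from the tutorial): flag weak TLS negotiations in an
# Apache ssl_request_log that uses the CustomLog format from step 7.

write_sample_ssl_log() {
  # $1: output path. Constructed lines in the tutorial's format.
  cat > "$1" <<'EOF'
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:03:10 +0800] 192.168.18.7 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:03:12 +0800] 192.168.18.9 SSLv3 DES-CBC3-SHA "GET / HTTP/1.1" 1505
[09/Aug/2010:22:03:20 +0800] 192.168.18.7 TLSv1.2 AES256-SHA "GET /login HTTP/1.1" 900
EOF
}

ssl_log_weak() {
  # $1: log file. With this format the fields are: $1 "[date", $2 "tz]",
  # $3 client address, $4 SSL_PROTOCOL, $5 SSL_CIPHER, then the request.
  # Prints "<client> <protocol> <cipher> <reasons>" for each flagged connection.
  awk '
    {
      reason = ""
      # SSLv2/SSLv3 and TLS 1.0/1.1 are retired; only TLSv1.2 and TLSv1.3 pass.
      if ($4 ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) reason = "legacy-protocol"
      # Suite-name components that mark a broken or unauthenticated cipher:
      # RC4, MD5, (3)DES, NULL, export grades, anonymous DH / ECDH.
      if ($5 ~ /(^|-)(RC4|MD5|DES|NULL|EXP|ADH|AECDH)(-|$)/) {
        if (reason != "") reason = reason ","
        reason = reason "weak-cipher"
      }
      if (reason != "") print $3, $4, $5, reason
    }' "$1"
}

ssl_log_weak_count() {
  # $1: log file. Number of flagged connections, for a one-number health check.
  ssl_log_weak "$1" | awk 'END { print NR }'
}

if [ "${1-}" = demo ]; then
  f=$(mktemp) && write_sample_ssl_log "$f"
  ssl_log_weak "$f"
  echo "flagged connections: $(ssl_log_weak_count "$f")"
fi
```

Adding %{SSL_CLIENT_VERIFY}x and %{SSL_CLIENT_S_DN}x to the CustomLog format would also record, per connection, whether the client presented a certificate that passed SSLVerifyClient, which is the direct way to see what each browser sent.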
Encryption and decryption

Traditional (symmetric) encryption:

    openssl enc -ciphername -k password -in file -out file

where ciphername is the cipher, password the passphrase, -in the file to encrypt and -out the output file. Decryption:

    openssl enc -ciphername -k password -d -in file -out file

Available ciphers include: base64, des, des3, rc2, rc5, aes256.

For example:

    /bin/openssl enc -des3 -k boobooke -in pt.txt -out ct.bin        # encrypt
    /bin/openssl enc -des3 -d -k boobooke -in ct.bin -out pt1.txt    # decrypt

Asymmetric encryption

Generate the private/public key:

    openssl genrsa -out file 1024
    openssl rsa -in file -pubout

For example:

    openssl genrsa -out priv.key 1024             # generate a private key (priv.key) with the RSA algorithm
    openssl rsa -in priv.key -pubout > pub.key    # derive the public key from priv.key and redirect it into pub.key

Encrypt the file with the public key:

    openssl rsautl -in file -out file -inkey file -pubin -encrypt

For example:

    openssl rsautl -in test.txt -out test.bin -inkey pub.key -pubin -encrypt    # encrypt test.txt with the public key file (pub.key); the encrypted file is test.bin

Decrypt the file with the private key:

    openssl rsautl -in file -out file -inkey file -decrypt

For example:

    openssl rsautl -in test.bin -out test1.txt -inkey priv.key -decrypt    # decrypt test.bin, which was encrypted with the public key, using the private key priv.key; the decrypted file is test1.txt

Use openssl sign/verify functions (digital signatures)

Generate the private/public key pair:

    openssl genrsa -out file 1024
    openssl rsa -in file -pubout

Sign the file with the private key:

    openssl rsautl -in file -out file -inkey file -sign

For example:

    openssl rsautl -in test.txt -out test.sig -inkey priv.key -sign    # encrypt test.txt with the private key, i.e. sign it

Verify the signature with the public key:

    openssl rsautl -in file -out file -inkey file -pubin -verify

For example:

    openssl rsautl -in test.sig -out test2.txt -inkey pub.key -pubin -verify    # decrypt, i.e. verify, the file signed with the private key (test.sig) using the public key

Hash functions: MD5, SHA1. Purpose: mainly to verify the integrity of a file, i.e. that nobody has tampered with it.

Generate the MD5 hash:

    openssl dgst -md5 file
    md5sum file

For example:

    openssl dgst -md5 openssl.tar.gz    # compute the MD5 value
    md5sum openssl.tar.gz

Generate the SHA1 hash:

    openssl dgst -sha1 file
    sha1sum file

For example:

    openssl dgst -sha1 openssl.tar.gz    # compute the SHA1 value
Install Apache

Configure the environment:

    tar -zxvf httpd-2.0.63.tar.gz
    cd httpd-2.0.63
    ./configure --prefix=/usr/local/apache --enable-ssl --with-ssl=/usr/local/openssl
    make
    make install

Configure SSL in Apache. Create the server key and certificate:

    openssl req -new -x509 -days 30 -keyout server.key -out server.crt -subj '/CN=Test Only Certificate'

or:

    openssl req -new -x509 -days 365 -sha1 -nodes -newkey rsa:1024 -keyout server.key -out server.crt -subj '/O=Seccure/OU=Seccure Labs/CN=www.secdemo.com'

Copy the .key and .crt files to the proper directory. Usually they are kept under Apache's conf directory; the exact path is defined in the Apache configuration file.

vi httpd.conf

    <IfModule mod_ssl.c>
        # the SSL configuration is kept in conf/ssl.conf
        Include conf/ssl.conf
    </IfModule>

vi conf/ssl.conf

    # path of server.key
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key
    # path of server.crt
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt

With Apache 2.2, starting the Apache service starts SSL as well. With Apache 2.0, start SSL with:

    apachectl startssl      # listens on port 443

vi conf/ssl.conf

    <Directory />
        # this directory may only be accessed over https
        SSLRequireSSL
    </Directory>

    <Directory /usr/local/apache/htdocs/ssldemo>
        SSLRequireSSL
    </Directory>

The ssldemo directory must be accessed over https. Because SSL access involves key encryption, decryption and transfer, it is slow, so the usual practice is to put the programs that must be reached over https in one directory and leave the rest of the site on http.
I. Install OpenSSL

Download the OpenSSL source code:

    wget http://www.openssl.org/source/openssl-0.9.8k.tar.gz

Unpack it:

    tar zxvf openssl-0.9.8k.tar.gz

Configure OpenSSL. The --prefix parameter is the directory to install into, i.e. the installed files will appear under that directory:

    cd openssl-0.9.8k
    ./config --prefix=/root/openssl

Compile OpenSSL:

    make

Install OpenSSL:

    make install

Edit the configuration file:

    cat ~/openssl/ssl/openssl.cnf

Change the following settings in it:

1) dir = /home/blave/openssl/ssl/misc/demoCA   # directory where certificates are kept; replace blave with your own user name
2) default_days = 3650                         # number of days a certificate is valid
3) default_bits = 2048                         # key length in bits
II. Generate the CA certificate

The CA certificate we generate will be placed under ~/openssl/ssl/misc/demoCA. Below we describe how to generate the top-level CA certificate.

Run the CA certificate generation script:

    cd ~/openssl/ssl/misc
    ./CA.sh -newca

Confirm that the CA certificate and key were generated:

    cd ~/openssl/ssl/misc/demoCA
    ls
    cacert.pem  certs  crl  index.txt  newcerts  private  serial

As you can see, cacert.pem is the CA's certificate, and the private directory is where the CA's private key is kept.

Sign the CA certificate request:

    openssl ca -selfsign -in careq.pem -out cacert.pem

Set the access permissions on the CA certificate so that only you can access it; everyone else must be denied:

    chmod -R go-rwx ~/openssl/ssl/misc/demoCA    # owner only; directories keep their execute bit so they stay traversable
III. Issue subordinate certificates with the CA

Once the CA certificate has been generated, we can generate the certificates that users or companies need. After such a subordinate certificate has been generated, the user can apply it to e-mail signing and encryption, or to https and other SSL-encrypted transport.

Generate the user's key file and CSR file (Certificate Signing Request):

    cd ~/openssl/ssl/misc/demoCA
    openssl req -nodes -new -keyout test_key.pem -out test_req.pem -days 3650 -config ~/openssl/ssl/openssl.cnf

Here -keyout names the file for the generated private key, test_key.pem in this example; you can choose your own name. -out produces the CSR file, test_req.pem in our example.

Generate the user's certificate:

    openssl ca -config ~/openssl/ssl/openssl.cnf -policy policy_anything -out test_cert.pem -infiles test_req.pem

Check that the certificate was generated:

    cd ~/openssl/ssl/misc/demoCA
    ls

Contents of the current directory:

    cacert.pem  crl  index.txt.attr  test_cert.pem  test_req.pem
    private  serial.old  certs  index.txt
    index.txt.old  test_key.pem  newcerts  serial

As shown above, test_cert.pem, test_req.pem and test_key.pem are the certificate, the CSR and the private key just generated.
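The CA, server and client procedure of the first tutorial (steps 3 to 6) and the CA plus subordinate certificate procedure of sections II and III above are the same three-tier setup. The following is an added example, not code from either tutorial: it builds that setup without prompts so that each step can be checked, and signs with "openssl x509 -req" instead of CA.sh or "openssl ca", so no demoCA directory, index or serial file is needed. File names and subjects are constructed; the openssl command-line tool (1.0.x or later) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from either tutorial: the same PKI built without
# prompts. Signing uses "openssl x509 -req" instead of CA.sh / "openssl ca".

new_ca() {
  # $1: directory. Self-signed root with CA:TRUE, the equivalent of CA.sh -newca.
  # The key is written unencrypted (-nodes) only so that no pass phrase prompt
  # appears; a real CA key stays encrypted, as in the tutorials.
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
    -subj "/C=cn/ST=cn/O=cn/OU=cn/CN=demo-ca" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" >/dev/null 2>&1
}

issue_cert() {
  # $1: directory, $2: name, $3: subject. Key + CSR, then a certificate signed
  # by the CA (CA:FALSE): the test_req.pem -> test_cert.pem step above.
  openssl req -new -nodes -newkey rsa:2048 -sha256 -subj "$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$1/$2.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
    -CAcreateserial -sha256 -days 365 -out "$1/$2.crt" >/dev/null 2>&1
}

verify_cert() {
  # $1: CA certificate, $2: certificate to check. Succeeds only if $2 chains to
  # $1. This is the check Apache makes with SSLCACertificateFile, and the one a
  # browser cannot make until the CA certificate (ca.crt) has been imported.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

cert_cn_is() {
  # $1: certificate, $2: expected host name. The CN must equal the name the
  # client connects to. Accepts both the old "/CN=name" and the newer
  # "CN = name" subject output formats.
  openssl x509 -noout -subject -in "$1" | grep -E -q "CN *= *$2(/|,|\$)"
}

to_pkcs12() {
  # $1: directory, $2: name. Key + certificate bundle for import into a browser
  # (client.pfx above). The export password is empty only because this runs
  # unattended.
  openssl pkcs12 -export -clcerts -in "$1/$2.crt" -inkey "$1/$2.key" \
    -out "$1/$2.pfx" -passout pass: >/dev/null 2>&1
}

build_demo_pki() {
  # $1: working directory. Server and client get different subjects; with
  # "openssl ca" an identical subject is refused (TXT_DB error number 2).
  new_ca "$1" || return 1
  issue_cert "$1" server "/C=cn/ST=cn/O=cn/OU=cn/CN=localhost" || return 1
  issue_cert "$1" client "/C=cn/ST=cn/O=cn/OU=cn/CN=client1" || return 1
  to_pkcs12 "$1" client
}

main() {
  d=$(mktemp -d) || exit 1
  build_demo_pki "$d" || { echo "PKI build failed"; exit 1; }
  verify_cert "$d/cacert.pem" "$d/server.crt" && echo "server.crt chains to cacert.pem"
  verify_cert "$d/cacert.pem" "$d/client.crt" && echo "client.crt chains to cacert.pem"
  cert_cn_is "$d/server.crt" localhost && echo "server.crt CN matches localhost"
  verify_cert "$d/server.crt" "$d/client.crt" || echo "client.crt does not chain to server.crt"
}

if [ "${1-}" = demo ]; then main; fi
```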
IV. OpenSSL applications

Verify the generated user certificate against cacert:

    openssl verify -CApath . -CAfile cacert.pem test_cert.pem

Check the serial number:

    openssl x509 -noout -serial -in test_cert.pem

Check the issuer information:

    openssl x509 -noout -issuer -in test_cert.pem

Check the certificate's start and end dates:

    openssl x509 -noout -in test_cert.pem -dates

Check the subject information of a personal certificate:

    openssl x509 -noout -in test_cert.pem -subject

Check the MD5 or SHA-1 fingerprint:

    openssl x509 -noout -in test_cert.pem -fingerprint -md5
    openssl x509 -noout -in test_cert.pem -fingerprint -sha1

Convert from PEM to PKCS12. Microsoft Outlook Express uses the PKCS12 format, so to send signed mail with Outlook Express, just install the generated *.p12 file on Windows:

    openssl pkcs12 -export -in test_cert.pem -out test_cert.p12 -name "My Certificate" -inkey test_key.pem

Convert from PKCS12 back to PEM:

    openssl pkcs12 -in test_cert.p12 -out test_key2.pem

Produce the certificate again from the converted PEM file (which holds both the private key and the certificate):

    openssl x509 -in test_key2.pem -text -out test_cert2.pem

File encryption: test_cert.pem is a personal certificate and can be given out to everyone, so anyone who wants to send me an encrypted file can encrypt it as follows. Create a plain text file, named document.txt here; the encrypted file will be document.enc:

    echo "This is a text file." > document.txt
    cat document.txt
    openssl smime -encrypt -in document.txt -out document.enc test_cert.pem
    cat document.enc

File decryption: when we receive document.enc from someone, we can decrypt it with our private key:

    openssl smime -decrypt -in document.enc -recip test_cert.pem -inkey test_key.pem

File signing: signing a file proves that it really came from me, and allows checking whether it has been tampered with. Following the earlier example, we sign the plain text file document.txt; the signed file is document.sig:

    openssl smime -sign -inkey test_key.pem -signer test_cert.pem -in document.txt -out document.sig

Signature verification: when someone receives this file, they can verify it with our certificate (test_cert.pem) together with the CA certificate (cacert.pem):

    openssl smime -verify -in document.sig -signer test_cert.pem -out document.txt -CAfile cacert.pem

So we see that the verifying party must obtain the CA certificate (cacert.pem) beforehand in order to verify the file.

Encrypting and signing a file: we now know how to encrypt, decrypt, sign and verify, so encrypting and signing a file is no great task. We must first sign the file and then encrypt it; the receiver does the reverse: decrypt first, then verify.
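The following is an added example, not code from the tutorial. It carries the sign-then-encrypt order just described through with "openssl smime", performs the receiver's decrypt-then-verify, and shows verification failing once a word of the signed text has been altered, which is the integrity property the earlier rsautl sign/verify and dgst section is after. Names are constructed; the two parties use self-signed certificates so that the block runs stand-alone, where a real deployment would issue them from the CA built in section II. The openssl command-line tool is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the tutorial): sign, then encrypt; decrypt, then verify.

make_identity() {
  # $1: directory, $2: party name. Self-signed certificate and key (constructed).
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 -subj "/CN=$2" \
    -keyout "$1/$2_key.pem" -out "$1/$2_cert.pem" >/dev/null 2>&1
}

sign_then_encrypt() {
  # Sender (alice) signs $1/document.txt with her key, then encrypts the whole
  # signed message to the recipient's (bob's) certificate -> $1/document.enc.
  # -aes256 is given explicitly; the legacy default content cipher of
  # "smime -encrypt" (RC2-40 or 3DES, depending on the version) is too weak.
  openssl smime -sign -in "$1/document.txt" -signer "$1/alice_cert.pem" \
    -inkey "$1/alice_key.pem" -out "$1/document.sig" 2>/dev/null || return 1
  openssl smime -encrypt -aes256 -in "$1/document.sig" -out "$1/document.enc" \
    "$1/bob_cert.pem" 2>/dev/null
}

verify_signed() {
  # $1: directory, $2: signed message. Succeeds only if the signature checks
  # out against the trusted certificate; for CA-issued signer certificates
  # -CAfile would name cacert.pem, as the tutorial notes. Recovered text is
  # written to $1/document.out.
  openssl smime -verify -in "$2" -CAfile "$1/alice_cert.pem" \
    -out "$1/document.out" >/dev/null 2>&1
}

decrypt_then_verify() {
  # Receiver (bob): decrypt with his key, then verify the inner signature.
  openssl smime -decrypt -in "$1/document.enc" -recip "$1/bob_cert.pem" \
    -inkey "$1/bob_key.pem" -out "$1/document.sig.recv" 2>/dev/null || return 1
  verify_signed "$1" "$1/document.sig.recv"
}

tamper_copy() {
  # $1: directory. Alter one word of the clear-signed message body while
  # leaving its signature part untouched -> $1/tampered.sig.
  sed 's/text file/TEXT file/' "$1/document.sig" > "$1/tampered.sig"
}

if [ "${1-}" = demo ]; then
  d=$(mktemp -d)
  make_identity "$d" alice && make_identity "$d" bob
  printf 'This is a text file.\n' > "$d/document.txt"
  sign_then_encrypt "$d" && decrypt_then_verify "$d" && cat "$d/document.out"
  tamper_copy "$d"
  verify_signed "$d" "$d/tampered.sig" || echo "tampered copy: verification failed, as it should"
fi
```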
Full OpenSSL installation procedure on Linux

2. In the directory holding the downloaded archive, run:

    tar -xzf openssl-1.0.0e.tar.gz

3. Enter the unpacked directory openssl-1.0.0e:

    [.......]# cd openssl-1.0.0e

4. [.....openssl-1.0.0e]# ./config --prefix=/usr/local/openssl
5. [...../openssl-1.0.0e]# ./config -t
6. [...../openssl-1.0.0e]# make depend
7. [...../openssl-1.0.0e]# cd /usr/local
8. [/usr/local]# ln -s openssl ssl
9. Append the following to the end of /etc/ld.so.conf:

    /usr/local/openssl/lib

10. [...]# ldconfig
11. Add the OpenSSL environment variables. Append to the last line of /etc/profile:

    export OPENSSL=/usr/local/openssl/bin
    export PATH=$OPENSSL:$PATH:$HOME/bin

12. Log out of the shell and log in again.
13. OpenSSL is now installed; the following steps check it.
14. Run in order:

    [iyunv@localhost /]# cd /usr/local
    [iyunv@localhost local]# ldd /usr/local/openssl/bin/openssl

Output similar to the following appears:

    linux-vdso.so.1 => (0x00007fff3bc73000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007fc5385d7000)
    libc.so.6 => /lib64/libc.so.6 (0x00007fc538279000)
    /lib64/ld-linux-x86-64.so.2 (0x00007fc5387db000)

15. Check the path:

    [...]# which openssl
    /usr/local/openssl/bin/openssl

16. Check the version:

    [...]# openssl version
    OpenSSL 1.0.0e 6 Sep 2011