CentOS 5.5 + Apache 2 + OpenSSL 0.9.8o: setting up HTTPS
Install OpenSSL first, then build and install Apache, then configure the certificate; that is all there is to it.
1. Download Apache and OpenSSL
URLs: http://www.apache.org http://www.openssl.org
2. Build and install OpenSSL; it is mainly needed here to generate the certificate (openssl-0.9.8o.tar.gz is used as the example):
[root@webmaster software]# tar -zxvf openssl-0.9.8o.tar.gz
[root@webmaster software]# cd openssl-0.9.8o
[root@webmaster openssl-0.9.8o]# ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib
[root@webmaster openssl-0.9.8o]# make
[root@webmaster openssl-0.9.8o]# make install
Rename the copies the system already ships and point them at the new build:
[root@webmaster bin]# mv /usr/bin/openssl /usr/bin/openssl.OFF
[root@webmaster bin]# mv /usr/include/openssl /usr/include/openssl.OFF
[root@webmaster bin]# mv /usr/lib/libssl.so /usr/lib/libssl.so.OFF
[root@webmaster bin]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
[root@webmaster bin]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
[root@webmaster bin]# ln -s /usr/local/openssl/lib/libssl.so.0.9.8 /usr/lib/libssl.so
[root@webmaster bin]# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
[root@webmaster bin]# ldconfig
3. The Apache installation itself is omitted here; httpd-2.2.17.tar.gz was used,
installed under /usr/local/apache2.
4. After installation, generate the certificate:
Create the certificate directory as shown:
[root@webmaster ~]# mkdir -p /usr/local/openssl/certs/bank
[root@webmaster ~]# cd /usr/local/openssl/certs/bank/
[root@webmaster bank]# ls
Generate the server private key server.key; you will be asked for a pass phrase for the key. 1024 is the key length in bits:
[root@webmaster bank]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..........................++++++
............++++++
e is 65537 (0x10001)
Next, enter the pass phrase twice (it works like a password). Remember it, it is needed again below (nothing is echoed while you type!)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@webmaster bank]#
Once the pass phrase has been entered, the directory contains the following file:
[root@webmaster bank]# ls
server.key
[root@webmaster bank]# cat server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,FBA67EF1416CEDAD
...
-----END RSA PRIVATE KEY-----
[root@webmaster bank]#
Generate the server certificate request file (server.csr), which corresponds to the public key. You will be asked for the pass phrase chosen in the previous step
and then prompted for the certificate details:
[root@webmaster bank]# openssl req -new -key server.key -out server.csr
This command prompts for the fields an X.509 certificate requires: country (CN for China), province, city, organization name and organizational unit (the last may be left blank by pressing Enter). Note: apart from the country code, which must be CN, the other fields may be in English or Chinese.
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN    (CN for China)
State or Province Name (full name) [Some-State]:BeiJing    (province)
Locality Name (eg, city) []:BeiJing    (city)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BeiJing New Media of Vision Information Technology Co.,Ltd.    (organization name)
Organizational Unit Name (eg, section) []:    (department name, e.g. IT Dept; may be left blank by pressing Enter)
Common Name (eg, YOUR name) []:bank.xinpindao.com    (the domain the SSL certificate is requested for, i.e. the name of the site that will use SSL; to request a certificate for www.domain.com you cannot enter just domain.com)
Note: do not enter an e-mail address, a challenge password or an optional company name; just press Enter for each.
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@webmaster bank]#
After these are filled in, another file is generated:
[root@webmaster bank]# ls
server.csr server.key
You have now generated the key pair. Keep the private key file server.key on your server and send the CSR file server.csr to WoTrust/Thawte.
Note: WoTrust/Thawte is a company that resells branded digital certificate products, including VeriSign, Thawte, GeoTrust and TC products, and of course also WoSign certificates.
The CSR file looks like this:
[root@webmaster bank]# cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
For a more detailed guide to generating a CSR see: http://blog.itechol.com/space.php?uid=33&do=blog&id=5149
[root@webmaster bank]#
Signing: generate the certificate (simulating a CA, for testing only), producing server.cert
[root@webmaster bank]# openssl x509 -req -days 700 -in server.csr -signkey server.key -out server.cert
Signature ok
subject=/C=CN/ST=BeiJing/L=BeiJing/O=yuanyang/OU=BeiJing New Media of Vision Information Technology Co.,Ltd./CN=bank.xinpindao.com/emailAddress=xiaoxl@cnmvi.com
Getting Private key
Enter pass phrase for server.key:    (enter the server.key pass phrase again)
[root@webmaster bank]#
After this step the directory holds yet another file.
[root@webmaster bank]# ls
server.cert server.csr server.key
[root@webmaster bank]# cat server.cert
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@webmaster bank]#
[root@webmaster bank]# ll
total 12
-rw-r--r-- 1 root root 1115 Oct 10 18:04 server.cert
-rw-r--r-- 1 root root 928 Oct 10 18:00 server.csr
-rw-r--r-- 1 root root 963 Oct 10 17:53 server.key
For safety, set the permissions of these files to 400:
[root@webmaster bank]# chmod 400 server.cert server.key
[root@webmaster bank]# ll
total 12
-r-------- 1 root root 1115 Oct 10 18:04 server.cert
-rw-r--r-- 1 root root 928 Oct 10 18:00 server.csr
-r-------- 1 root root 963 Oct 10 17:53 server.key
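The steps above, typed interactively in the post, as an added scripted example (this is not the author's code). It runs the same genrsa / req / x509 -req sequence non-interactively, reading the pass phrase from a root-only file instead of the terminal, and then performs the check the post leaves out: that the public key in server.cert really belongs to server.key (same RSA modulus) and that the CN is the hostname clients will use. The directory, hostname, DN and pass-phrase file are this example's assumptions; it also uses a 2048-bit key, since 1024 bits is below current guidance, whereas the post used 1024. Only long-standing openssl(1) options are used, and the encryption check accepts both the legacy "Proc-Type" PEM header shown above and the PKCS#8 form newer OpenSSL releases write.

```shell
#!/bin/sh
# Added example (not the post's code): scripted version of the key -> CSR ->
# self-signed certificate steps above, plus the key/certificate match check.
# Paths, hostname, DN and the pass-phrase file are assumptions of this example.
set -eu

# make_selfsigned DIR HOST PASSFILE
# Creates DIR/server.key, DIR/server.csr and DIR/server.cert for HOST.
# The pass phrase is read from PASSFILE (first line) rather than typed or
# passed on the command line, where `ps` would show it. 2048-bit key here;
# the post used 1024, which is below current guidance.
make_selfsigned() {
    dir=$1; host=$2; passfile=$3
    mkdir -p "$dir"
    # private key, encrypted with 3DES as in the post (-des3)
    openssl genrsa -des3 -passout "file:$passfile" -out "$dir/server.key" 2048
    # certificate request; -subj replaces the interactive DN prompts
    openssl req -new -key "$dir/server.key" -passin "file:$passfile" \
        -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Example Org/OU=IT Dept/CN=$host" \
        -out "$dir/server.csr"
    # self-signed certificate, 700 days as in the post (test use only)
    openssl x509 -req -days 700 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -passin "file:$passfile" -out "$dir/server.cert"
    chmod 400 "$dir/server.key" "$dir/server.cert"
}

# key_matches_cert DIR PASSFILE: 0 when the certificate's public key and the
# private key share the same RSA modulus, 1 otherwise. Run this before
# pointing SSLCertificateFile/SSLCertificateKeyFile at the files.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" -passin "file:$2")
    c=$(openssl x509 -noout -modulus -in "$1/server.cert")
    [ "$k" = "$c" ]
}

# cert_cn CERT: prints the CN, to compare with the name clients will type.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^/,]*\).*/\1/p'
}

# key_is_encrypted KEY: 0 when the PEM on disk is still pass-phrase protected
# (legacy "Proc-Type: 4,ENCRYPTED" header, or the PKCS#8 encrypted form that
# newer OpenSSL releases write).
key_is_encrypted() {
    grep -qE '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}
```

A mismatch from key_matches_cert is the usual cause of "key values mismatch" errors at Apache start-up, and it is cheaper to catch it here than after the restart.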
5. Create the pass-phrase answer file
Note:
Without this step, starting Apache later will prompt for the certificate pass phrase; once it is entered correctly, SSL starts together with Apache.
[root@webmaster bank]# vi /usr/local/openssl/certs/bank/server.pass
#!/bin/bash
# Apache runs this script and uses what it prints on stdout as the key's pass phrase
SSLPhrasePassword='xinpindao@2011'
echo "$SSLPhrasePassword"
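An added alternative for server.pass, not from the original post: mod_ssl runs the SSLPassPhraseDialog exec: program with the arguments servername:port and the key type, and reads the pass phrase from its standard output, so the script can look the secret up in a separate file that only root can read instead of carrying it inline as the post's version does. The passphrases directory and the per-host file naming are assumptions of this example. Whichever variant is used, Apache must be able to execute the script (chmod 500 server.pass) and nothing else should be able to read it.

```shell
#!/bin/sh
# Added example (not the post's code): SSLPassPhraseDialog exec: helper that
# looks the pass phrase up in a root-only file per virtual host instead of
# embedding it in the script. Directory and naming are assumptions.
#
# mod_ssl invokes this program as:  server.pass servername:port RSA
# and takes whatever is printed on stdout as the pass phrase.

PASS_DIR=${PASS_DIR:-/usr/local/openssl/certs/bank/passphrases}

# passphrase_for HOST:PORT [KEYTYPE]
# Prints the pass phrase stored in $PASS_DIR/HOST, or prints nothing and
# returns 1 when the host is unknown, the name looks like a path, or the file
# is readable by group/other (a leaked secret file should stop the start-up
# rather than be used silently).
passphrase_for() {
    host=${1%%:*}
    case "$host" in
        ''|*/*|.*) return 1 ;;      # empty name, path separators, dotfiles/..
    esac
    f="$PASS_DIR/$host"
    [ -f "$f" ] || return 1
    case "$(ls -l "$f" | cut -c5-10)" in
        ------) ;;                  # only the owner may read it
        *) return 1 ;;
    esac
    IFS= read -r phrase < "$f" || [ -n "$phrase" ] || return 1
    printf '%s\n' "$phrase"
}

# Entry point when Apache runs the script (arguments present).
if [ $# -ge 1 ]; then
    passphrase_for "$1"
    exit $?
fi
```

With this layout the pass phrase file is the only secret on disk, so it is the one file that must stay mode 600 and root-owned; the script itself contains nothing sensitive.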
6. Edit httpd-ssl.conf
[root@webmaster bank]# cp /usr/local/apache2/conf/extra/httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf.old
[root@webmaster bank]# vi /usr/local/apache2/conf/extra/httpd-ssl.conf
The changes are in the following places:
#SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateFile "/usr/local/openssl/certs/bank/server.cert"
#SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
SSLCertificateKeyFile "/usr/local/openssl/certs/bank/server.key"
#SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/usr/local/openssl/certs/bank/server.pass
With that, SSL is basically configured; now make Apache start SSL.
First edit httpd.conf:
[root@webmaster conf]# vi /usr/local/apache2/conf/httpd.conf
Enable (uncomment) this line: Include conf/extra/httpd-ssl.conf
[root@webmaster bank]# /usr/local/apache2/bin/apachectl start
Note that an error appears here; read the error message carefully:
Syntax error on line 57 of /usr/local/apache2/conf/extra/httpd-ssl.conf:
Invalid command 'SSLPassPhraseDialog', perhaps misspelled or defined by a module not included in the server configuration
Is a module missing? Check which modules Apache was compiled with:
[root@webmaster logs]# httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
mod_ssl.c is missing.
Look at Apache's configure parameters to see whether the SSL module was ever built:
[root@webmaster ~]# cat /usr/local/apache2/build/config.nice
#! /bin/sh
#
# Created by configure
"./configure" \
"--prefix=/usr/local/apache2" \
"--enable-so" \
"--enable-rewrite" \
"--disable-ipv6" \
"$@"
This shows that the SSL module was not compiled in when Apache was first installed, so rebuild Apache.
For how to add a module to Apache while keeping the existing configuration see
http://blog.itechol.com/space.php?uid=33&do=blog&id=5146
cp -rf /usr/local/apache2/conf/httpd.conf /tmp/httpd.conf
tar -xzvf httpd-2.2.17.tar.gz
cd httpd-2.2.17
./configure --prefix=/usr/local/apache2 --enable-so --enable-rewrite --disable-ipv6 --enable-ssl --with-ssl=/usr/local/openssl
make && make install
I rebuilt it once more, this time adding --enable-ssl.
cp -rf /tmp/httpd.conf /usr/local/apache2/conf/httpd.conf
Restart and verify; it succeeded, as shown:
[root@webmaster conf]# /usr/local/apache2/bin/apachectl restart
[root@webmaster conf]# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2494/portmap
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3613/httpd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 3613/httpd
tcp 0 0 :::3306 :::* LISTEN 2917/mysqld
tcp 0 0 :::22 :::* LISTEN 3048/sshd
udp 0 0 0.0.0.0:111 0.0.0.0:* 2494/portmap
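The verification the author does by eye in this section (httpd -l for a static mod_ssl, config.nice for --enable-ssl, netstat for a listener on 443), as added example shell functions that work on the captured command output; this is not from the original post. The function names are this example's own; the commented invocation at the end shows how they would be fed the live commands, and it also covers mod_ssl loaded as a DSO (httpd -M), which the post does not mention.

```shell
#!/bin/sh
# Added example (not the post's code): the checks made by eye in this section,
# as functions over captured command output so they can be scripted.
# Function names are this example's own.

# ssl_module_present HTTPD_L_OUTPUT [HTTPD_M_OUTPUT]
# 0 when mod_ssl is compiled in statically (`httpd -l` lists mod_ssl.c) or
# loaded as a DSO (`httpd -M` lists ssl_module), 1 otherwise.
ssl_module_present() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*mod_ssl\.c[[:space:]]*$' && return 0
    printf '%s\n' "${2:-}" | grep -q '^[[:space:]]*ssl_module[[:space:]]' && return 0
    return 1
}

# configured_with_ssl CONFIG_NICE_TEXT
# 0 when the configure line recorded in build/config.nice carried --enable-ssl.
configured_with_ssl() {
    printf '%s\n' "$1" | grep -qE -- '--enable-ssl([^-a-z]|$)'
}

# listening_on NETSTAT_OUTPUT PORT PROGRAM
# 0 when `netstat -tulnp` shows PROGRAM with a TCP socket in LISTEN state on PORT.
listening_on() {
    printf '%s\n' "$1" | awk -v port="$2" -v prog="$3" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 == "LISTEN" && $7 ~ ("/" prog "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Against the live system (not run here), the same checks read:
#   ssl_module_present "$(httpd -l)" "$(httpd -M 2>/dev/null)" \
#       || echo "mod_ssl missing: rebuild with --enable-ssl --with-ssl=/usr/local/openssl"
#   configured_with_ssl "$(cat /usr/local/apache2/build/config.nice)" || echo "built without --enable-ssl"
#   listening_on "$(netstat -tulnp)" 443 httpd || echo "httpd is not listening on 443"
```

Fed the `httpd -l` and config.nice output shown above, ssl_module_present and configured_with_ssl both return 1, which is exactly the diagnosis the author reached by hand; after the rebuild the netstat output makes listening_on return 0 for port 443.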
7. Verify that the certificate is installed
Enter https://192.168.18.82 in the browser. If it prompts you to download the certificate, OK, done, it is that simple. [two screenshots were attached here in the original post]
For more related articles see: http://blog.itechol.com/space.html