HTTPS双向认证+USB硬件加密锁（加密狗）配置

置顶

大囚长

已于 2024-02-05 14:58:18 修改

阅读量10w+

点赞数

分类专栏：黑客帝国文章标签： apache ssl 加密狗双向认证 https

于 2017-09-06 13:52:53 首次发布

本文链接：https://blog.csdn.net/Jailman/article/details/77865474

版权

本文档介绍了在Ubuntu14.04系统上，如何配置Apache2服务器进行HTTPS双向认证，并结合USB硬件加密锁（加密狗）进行安全设置。详细步骤包括安装Apache2、生成服务器和客户端证书、创建.pfx证书、解除私钥密码、配置Apache2 HTTPS，以及最终通过USB加密锁进行安全访问的测试。

摘要由CSDN通过智能技术生成

环境： Ubuntu14.04，apache2.4.7, openssl1.0.1f

安装apache2

apt-get install apache2 -y

一般openssl默认已经安装

开启apache的ssl模块和ssl站点

a2enmod ssl

a2ensite default-ssl.conf

创建证书目录

mkdir /etc/apache2/certs

进入目录创建证书和秘钥

cd /etc/apache2/certs

/usr/lib/ssl/misc/CA.sh -newca



    root@bogon:/etc/apache2/certs# /usr/lib/ssl/misc/CA.sh -newca

   CA certificate filename (or enter to create)

   

   Making CA certificate ...

   Generating a 2048 bit RSA private key

   .............................................................................................+++

   ..+++

   writing new private key to './demoCA/private/./cakey.pem'

   Enter PEM pass phrase:

   Verifying - Enter PEM pass phrase:

   -----

   You are about to be asked to enter information that will be incorporated

   into your certificate request.

   What you are about to enter is what is called a Distinguished Name or aDN.

   There are quite a few fields but you can leave some blank

    For some fields there will be a defaultvalue,

   If you enter '.', the field will be left blank.

   -----

   Country Name (2 letter code) [AU]:CN

   State or Province Name (full name) [Some-State]:Beijing

   Locality Name (eg, city) []:Beijing

    OrganizationName (eg, company) [Internet Widgits Pty Ltd]:PWRD

   Organizational Unit Name (eg, section) []:OPS

   Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

   Email Address []:jailman@sina.com

   

   Please enter the following 'extra' attributes

   to be sent with your certificate request

    Achallenge password []:111111

   An optional company name []:pwrd

   Using configuration from /usr/lib/ssl/openssl.cnf

   Enter pass phrase for ./demoCA/private/./cakey.pem:

   Check that the request matches the signature

   Signature ok

   Certificate Details:

           Serial Number: 14695213526817228816 (0xcbefe2d81474c810)

           Validity

                Not Before: Jan  5 05:30:34 2017 GMT

                Not After : Jan  5 05:30:34 2020 GMT

           Subject:

                countryName               = CN

                stateOrProvinceName       = Beijing

                organizationName          = PWRD

                organizationalUnitName    = OPS

                commonName                = 10.1.1.128

                emailAddress              = jailman@sina.com

           X509v3 extensions:

                X509v3 Subject Key Identifier:

                   50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

                X509v3 Authority KeyIdentifier:

                   keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

   

                X509v3 Basic Constraints:

                    CA:TRUE

   Certificate is to be certified until Jan 5 05:30:34 2020 GMT (1095 days)

   

   Write out database with 1 new entries

   Data Base Updated

tree命令查看一下