http://www.2cto.com/os/201209/156900.html
在网上看了很多资料,没有一个比较完整的,现在配置成功了,写个记录。
在网上看了很多资料,没有一个比较完整的,现在配置成功了,写个记录。
环境:linux(ubuntu)+openssl+apache2
一,首先切换到apache目录下,创建一个CA文件夹
sudo mkdir CA
sudo chmod 777 CA
二,然后进去CA文件夹
cd CA
三,创建其它文件
mkdir demoCA
mkdir demoCA/newcerts
mkdir demoCA/private
touch demoCA/index.txt
echo "01" >> demoCA/serial
四,创建证书
生成CA:
输入“openssl genrsa -out ca.key 1024”,生成CA私钥文件ca.key。
输入“openssl req -new -x509 -days 365 -key ca.key -out ca.crt ”,生成CA证书。
生成服务器证书:
输入“openssl genrsa -out server.key 1024”,生成网站服务器私钥文件server.key。
输入openssl req -new -out server.csr -key server.key (Common Name为要申请域名证书的域名或者服务器IP,另有资料说是:Common Name必须和httpd.conf中server name必须一致,否则apache不能启动,这种说法没有验证通过)
输入“openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key”,之后会在bin目录下面看到多了一个server.crt文件,这就是签名以后的服务器证书。
打开
浏览器把ca的证书(ca.crt)导入浏览器。
五,生成 客户端证书
openssl genrsa -out client.key 1024
生成客户证书 请求文件
openssl req -new -key client.key -out client.csr
给证书签名 生成证书
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
将client.crt转换为 .pfx 格式的证书
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
双击client.p12将其导入浏览器。
另有一个生成脚本:
另有一个生成脚本:
#!/bin/sh
echo ""
echo "Setting up certificates for MDM server testing!"
echo ""
echo "1. Creating Certificate Authority (CA)"
echo " ** For 'Common Name' enter something like 'MDM Test CA'"
echo ""
openssl req -new -x509 -extensions v3_ca -keyout cakey.key -out cacert.crt -days 365
echo ""
echo "2. Creating the Web Server private key and certificate request"
echo " ** For 'Common Name' enter your server's IP address **"
echo ""
openssl genrsa 2048 > server.key
openssl req -new -key server.key -out server.csr
echo ""
echo "3. Signing the server key with the CA. You'll the CA passphrase from step 1."
echo ""
openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out server.crt -extfile ./server.cnf
echo ""
echo "4. Creating the device Identity key and certificate request"
echo " ** For 'Common Name' enter something like 'my device'"
echo ""
openssl genrsa 2048 > identity.key
openssl req -new -key identity.key -out identity.csr
echo ""
echo "5. Signing the identity key with the CA. You'll the CA passphrase from step 1."
echo " ** Give it a passphrase. You'll need to include that in the IPCU profile."
echo ""
openssl x509 -req -days 365 -in identity.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out identity.crt
openssl pkcs12 -export -out identity.p12 -inkey identity.key -in identity.crt -certfile cacert.crt
echo ""
六,配置httpd.conf
[
html]
<VirtualHost _default_:443>
ServerAdmin crm.xiaolong.com
DocumentRoot /var/www
LogLevel warn
ErrorLog /var/log/apache2/error.log
CustomLog /var/log/apache2/ssl_access.log combined
[html]
SSLEngine on
SSLCertificateFile /etc/apache2/CA/server.crt
SSLCertificateKeyFile /etc/apache2/CA/server.key
SSLCACertificateFile /etc/apache2/CA/ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
</VirtualHost>