Apache and nginx configuration: SSL client certificate authentication

System: FreeBSD 8.2, apache22

 

1. Create the CA (root) certificate

Use CA.sh to create the CA certificate

# mkdir -p /usr/local/etc/apache22/ssl        # directory that will hold the SSL certificates

# cp /usr/src/crypto/openssl/apps/CA.sh /usr/local/etc/apache22/ssl   # copy CA.sh in

# cd /usr/local/etc/apache22/ssl

# ./CA.sh -newca

CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.................................................++++++
................++++++
writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShangHai
Locality Name (eg, city) []:ShangHai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DaoXiLa Ltd
Organizational Unit Name (eg, section) []:DaoXiLa
Common Name (eg, YOUR name) []:daoxila.com
Email Address []:sa@daoxila.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:DaoXiLa
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c0:c4:03:a6:34:24:ac:f5
        Validity
            Not Before: Jun 10 01:46:22 2012 GMT
            Not After : Jun 10 01:46:22 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = DaoXiLa Ltd
            organizationalUnitName    = DaoXiLa
            commonName                = daoxila.com
            emailAddress              = sa@daoxila.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                19:C9:F0:C8:EA:0A:80:3D:A8:E7:18:3E:AB:8A:86:E8:08:52:AC:94
            X509v3 Authority Key Identifier:
                keyid:19:C9:F0:C8:EA:0A:80:3D:A8:E7:18:3E:AB:8A:86:E8:08:52:AC:94
                DirName:/C=CN/ST=ShangHai/O=DaoXiLa Ltd/OU=DaoXiLa/CN=daoxila.com/emailAddress=sa@daoxila.com
                serial:C0:C4:03:A6:34:24:AC:F5

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jun 10 01:46:22 2015 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

2. Generate the server private key and server certificate

Generate the private key

openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...................++++++
.............++++++
e is 65537 (0x10001)
Enter pass phrase for dxlcs.key:               (enter a pass phrase)
Verifying - Enter pass phrase for dxlcs.key:   (repeat the pass phrase)

 

Generate the server certificate signing request (CSR)

# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DaoXiLa Ltd
Organizational Unit Name (eg, section) []:DaoXiLa
Common Name (eg, YOUR name) []:cs.daoxila.com
Email Address []:sa@daoxila.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

Sign the server certificate request

# mv server.csr newreq.pem

# ./CA.sh -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            95:37:b2:00:9a:e1:c2:60
        Validity
            Not Before: Jun 13 13:54:42 2012 GMT
            Not After : Jun 13 13:54:42 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            localityName              = Shanghai
            organizationName          = DaoXiLa Ltd
            organizationalUnitName    = DaoXiLa
            commonName                = cs.daoxila.com
            emailAddress              = sa@daoxila.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                05:59:78:BD:B6:61:5F:48:1E:16:2B:E6:79:1E:B7:B9:98:81:5B:02
            X509v3 Authority Key Identifier:
                keyid:9D:20:76:DE:FD:D0:A0:87:86:F7:FF:6E:2E:2C:AA:20:B3:40:A9:D8

Certificate is to be certified until Jun 13 13:54:42 2013 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            95:37:b2:00:9a:e1:c2:60
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Shanghai, O=DaoXiLa Ltd, OU=DaoXiLa, CN=cs.daoxila.com/emailAddress=sa@daoxila.com
        Validity
            Not Before: Jun 13 13:54:42 2012 GMT
            Not After : Jun 13 13:54:42 2013 GMT
        Subject: C=CN, ST=Shanghai, L=Shanghai, O=DaoXiLa Ltd, OU=DaoXiLa, CN=cs.daoxila.com/emailAddress=sa@daoxila.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a5:36:38:4b:b5:4f:c8:ae:6f:f8:c8:7e:c9:9e:
                    b2:6c:ea:a9:35:02:43:a4:93:70:7d:04:b5:ce:00:
                    9e:30:7e:dd:dc:fd:23:03:60:f8:2a:e3:dc:6b:97:
                    95:46:6f:b9:7d:2e:d2:9c:f1:f8:b4:32:c8:c2:73:
                    6c:63:99:98:65:2b:2b:6c:76:34:1b:1a:ba:14:8e:
                    f5:c8:3b:6c:70:d4:9e:6f:fc:92:16:5c:78:40:41:
                    a2:20:8a:cd:ed:37:cc:67:2c:aa:fa:17:d8:c4:df:
                    d4:7c:25:40:bc:13:91:a5:54:96:cd:27:63:a2:18:
                    a6:5e:98:3d:a6:ba:ec:70:81
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                05:59:78:BD:B6:61:5F:48:1E:16:2B:E6:79:1E:B7:B9:98:81:5B:02
            X509v3 Authority Key Identifier:
                keyid:9D:20:76:DE:FD:D0:A0:87:86:F7:FF:6E:2E:2C:AA:20:B3:40:A9:D8

    Signature Algorithm: sha1WithRSAEncryption
        2f:94:d2:b8:62:cd:ef:04:bf:c7:7c:07:47:7b:cd:9e:ff:8c:
        04:da:6f:ed:c7:36:38:96:57:6d:3e:5b:9d:15:75:69:ae:7d:
        7c:78:c6:c5:dc:b3:52:20:50:16:62:95:70:d7:ff:38:37:4a:
        8a:f9:17:2b:8e:41:18:b2:b7:70:ca:45:69:56:a1:31:fb:02:
        c2:66:8a:99:d1:ce:05:53:1a:14:ca:75:a4:85:c6:77:af:71:
        4f:f0:1f:81:7f:be:c4:c1:61:f0:5f:6e:a4:5d:78:04:23:fe:
        3a:33:7d:eb:6b:49:a5:47:d7:e3:1f:32:f0:e0:5d:a8:21:8e:
        68:45
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

 

# mv newcert.pem server.crt

3. Generate the client certificate

 

Generate the client private key:
openssl genrsa -des3 -out client.key 1024

Generate the client certificate request:
openssl req -new -key client.key -out client.csr

Sign it:
openssl ca -in client.csr -out client.crt -days 3650

openssl will not create two .crt files in a row this way: after server.crt has been created, signing client.crt reports an error. Delete the demoCA/index.txt that was generated when server.crt was signed, touch a new one, and it works:
# rm index.txt
# touch index.txt

Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            95:37:b2:00:9a:e1:c2:61
        Validity
            Not Before: Jun 13 14:11:48 2012 GMT
            Not After : Jun 11 14:11:48 2022 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = DaoXiLa Ltd
            organizationalUnitName    = DaoXiLa
            commonName                = cs.daoxila.com
            emailAddress              = sa@daoxila.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                76:35:CA:6D:22:BE:FE:A0:72:9F:74:C6:7D:5D:86:3F:0E:C4:CC:9E
            X509v3 Authority Key Identifier:
                keyid:9D:20:76:DE:FD:D0:A0:87:86:F7:FF:6E:2E:2C:AA:20:B3:40:A9:D8

Certificate is to be certified until Jun 11 14:11:48 2022 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Convert to PKCS#12 format for installation on the client
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx

Copy the root certificate
cp demoCA/cacert.pem ./
Copy the root certificate once more for installation in the browser
cp cacert.pem CA.crt
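Sections 1 to 3 are one procedure, so here it is as a single script. This is an added example, not code from the original post or from OpenSSL's CA.sh: it writes its own minimal openssl.cnf for `openssl ca` instead of using /etc/ssl/openssl.cnf, uses 2048-bit RSA keys and SHA-256 rather than the 1024-bit, SHA-1 values in the output above, and sets default_days and -days explicitly (the settings the last section of the post adjusts). The working directory PKI_DIR, the DNs, the file names and the PKCS#12 password are all constructed for the demo. The index.txt error from section 3 is the CA's unique_subject setting, which is on by default: openssl ca refuses to issue a second certificate for a DN that is already in its database, and wiping index.txt discards the record of every certificate issued so far, which is also what a revocation list is generated from. The script keeps unique_subject on and gives the server and the client distinct CNs instead; the server certificate additionally gets a subjectAltName, and serverAuth/clientAuth extended key usages keep a server certificate from being accepted as a client certificate.

```shell
#!/bin/sh
# Added example, not code from the original post: sections 1-3 as one script,
# with a minimal inline "openssl ca" configuration instead of CA.sh and
# /etc/ssl/openssl.cnf. PKI_DIR, the DNs, file names and P12_PASS are
# constructed for the demo. Needs the openssl command-line tool.
set -eu

PKI_DIR="${PKI_DIR:-./mtls-demo}"       # hypothetical working directory
P12_PASS="${P12_PASS:-demo-export}"     # constructed; protects client.pfx

# unique_subject = yes is what the original post ran into: the CA refuses a second
# certificate with an identical DN, so server and client get distinct CNs here.
write_ca_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca     = demo_ca
[ demo_ca ]
dir            = .
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/cacert.pem
private_key    = $dir/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_any
unique_subject = yes
[ policy_any ]
countryName            = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.axin.net
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# init_ca DIR: database files plus a self-signed root (2048-bit RSA, SHA-256).
init_ca() {
    mkdir -p "$1/newcerts"
    write_ca_config "$1"
    ( cd "$1"
      : > index.txt
      echo 1000 > serial
      openssl genrsa -out cakey.pem 2048 2>/dev/null
      chmod 600 cakey.pem   # production: encrypt it (-aes256) and keep it off the web host
      openssl req -x509 -new -key cakey.pem -config openssl.cnf -extensions v3_ca \
          -subj "/C=CN/O=DaoXiLa Ltd/CN=Demo Root CA" -days 3650 -out cacert.pem )
}

# issue_cert DIR NAME SUBJECT EXT_SECTION DAYS: key, CSR and CA-signed certificate.
issue_cert() {
    ( cd "$1"
      openssl genrsa -out "$2.key" 2048 2>/dev/null
      chmod 600 "$2.key"
      openssl req -new -key "$2.key" -config openssl.cnf -subj "$3" -out "$2.csr"
      openssl ca -batch -notext -config openssl.cnf -extensions "$4" -days "$5" \
          -in "$2.csr" -out "$2.crt" )
}

# verify_pki DIR: each certificate must chain to the CA for its intended purpose.
verify_pki() {
    ( cd "$1"
      openssl verify -CAfile cacert.pem -purpose sslserver server.crt >/dev/null &&
      openssl verify -CAfile cacert.pem -purpose sslclient client.crt >/dev/null )
}

# build_demo_pki DIR: the whole procedure; the client gets 3650 days as in the post,
# and key + certificate + CA are bundled as PKCS#12 for browser import.
build_demo_pki() {
    rm -rf "$1"
    init_ca "$1"
    issue_cert "$1" server "/C=CN/O=DaoXiLa Ltd/CN=www.axin.net" server_ext 365
    issue_cert "$1" client "/C=CN/O=DaoXiLa Ltd/OU=staff/CN=client-1" client_ext 3650
    ( cd "$1" && openssl pkcs12 -export -in client.crt -inkey client.key \
          -certfile cacert.pem -passout "pass:$P12_PASS" -out client.pfx )
    verify_pki "$1"
}

case "${1:-}" in
    build) build_demo_pki "$PKI_DIR" && echo "PKI written to $PKI_DIR" ;;
esac
```

Run it as `sh build_pki.sh build` (the file name is hypothetical). The `openssl verify -purpose` calls at the end are the check worth keeping in any such script, and a second CSR for an already-issued DN now fails with openssl's "There is already a certificate for ..." error instead of requiring the CA database to be thrown away.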

Apache virtual host configuration

<VirtualHost *:443>
DocumentRoot /www
ServerName www.axin.net
ServerAlias axin.net
SSLEngine on
# directory holding the SSL certificates
SSLCACertificatePath /usr/local/etc/apache22/ssl
# root (CA) certificate
SSLCACertificateFile /usr/local/etc/apache22/ssl/cacert.pem
# server certificate
SSLCertificateFile /usr/local/etc/apache22/cs_ssl/server.crt
# server private key
SSLCertificateKeyFile /usr/local/etc/apache22/cs_ssl/server.key
# require a client certificate
SSLVerifyClient require
# maximum depth of the client certificate chain
SSLVerifyDepth 10
</VirtualHost>

Start without a pass phrase prompt

Add one line to httpd-ssl.conf:

SSLPassPhraseDialog  exec:/usr/local/etc/apache22/apache_pass.sh

vim apache_pass.sh
#!/bin/sh
echo "password"
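The helper above prints a pass phrase that anyone able to read the script can also read. As an added example, not from the original post, here is a variant of the `exec:` helper that keeps the pass phrase in a separate file and refuses to print it unless that file is a regular file owned by the invoking user with no group or world permission bits. Apache runs the program at start-up with two arguments, servername:port and the key type, and takes the pass phrase from its standard output; the PASSFILE path is a hypothetical one. The same permission check applies to the pass-phrase-less server.key.nopass that the nginx section below creates with `openssl rsa`.

```shell
#!/bin/sh
# Added example, not code from the original post: an SSLPassPhraseDialog "exec:"
# helper that reads the pass phrase from a separate root-only file instead of
# hard-coding it. Apache calls it with two arguments (servername:port and the
# key type) and reads the pass phrase from stdout. PASSFILE is hypothetical.
PASSFILE="${PASSFILE:-/usr/local/etc/apache22/ssl/passphrase.txt}"

# passfile_is_private FILE: 0 only if FILE is a regular file, owned by the user
# running this script (root when Apache starts), with no group/other bits set.
passfile_is_private() {
    [ -f "$1" ] || return 1
    # GNU stat first (-c); the BSD stat on FreeBSD uses -f and rejects -c.
    info=$(stat -c '%a %u' "$1" 2>/dev/null) || info=$(stat -f '%Lp %u' "$1") || return 1
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        *00) return 0 ;;   # ...600 / ...700: readable by the owner only
        *)   return 1 ;;
    esac
}

# print_passphrase: emit the first line of PASSFILE, or refuse and say why.
print_passphrase() {
    if ! passfile_is_private "$PASSFILE"; then
        echo "passphrase helper: $PASSFILE must be a regular file owned by uid $(id -u) with mode 0600" >&2
        return 1
    fi
    head -n 1 "$PASSFILE"
}

# Apache passes exactly two arguments; run any other way (for example sourced
# by a test) the script prints nothing.
if [ $# -eq 2 ]; then
    print_passphrase || exit 1
fi
```

An empty stdout makes Apache fail to load the key rather than start with a key it cannot open, so a permissions mistake on the pass-phrase file shows up at start-up instead of silently widening who can read the pass phrase.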

 

Nginx configuration

For a large site, Apache runs on the back end and nginx sits in front of it as a reverse proxy and load balancer.

 

    server {
        listen       443;
        server_name  www.axin.net;
        index index.html index.htm index.php;

        ssl                  on;
        ssl_certificate      ssl/server.crt;
        ssl_certificate_key  ssl/server.key;
        ssl_client_certificate ssl/cacert.pem;
        ssl_verify_client on;
        ssl_verify_depth 1;
        ssl_session_timeout  5m;

        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        location / {
                proxy_set_header Host    $host;
                proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For    $remote_addr;
                proxy_pass http://192.168.2.150;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css)$
                {
                proxy_next_upstream http_502 http_504 error timeout invalid_header;
#                proxy_cache cache_one;
#                proxy_cache_valid 200 304 12h;
#                proxy_cache_valid 301 302 1m;
#                proxy_cache_valid any 1m;
#                proxy_cache_key $host$uri$is_args$args;
                proxy_set_header  Host $host;
                proxy_set_header  X-Real-IP  $remote_addr;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_set_header Accept-Encoding "none";
                proxy_ignore_headers "Cache-Control" "Expires";
                proxy_pass http://192.168.2.150;
                #expires  1d;
#                add_header nid nginx-1;
                }
        location ~ .*\.(php|jsp|cgi)?$  {
                proxy_set_header  Host $host;
                proxy_set_header X-Forwarded-For $remote_addr;
                proxy_pass http://192.168.2.150;
#                add_header nid nginx-1;
                }
}
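The server block above offers SSLv2, SSLv3 and TLS 1.0, uses the deprecated `ssl on` form, and the backend at 192.168.2.150 receives plain HTTP with no indication of which client certificate nginx verified. As an added example, not part of the original post, the script below audits an nginx configuration file for those points with sed and grep. It embeds two constructed server blocks: a weak one mirroring the settings above and a corrected one that restricts the protocols to TLS 1.2 and 1.3 and forwards `$ssl_client_verify` and `$ssl_client_s_dn` to the backend as headers (the backend must then accept those headers only from the proxy).

```shell
#!/bin/sh
# Added example, not code from the original post: audit the TLS directives of an
# nginx server block. Flags protocol versions that should no longer be offered,
# the deprecated "ssl on" form and a missing "ssl_verify_client on". The two
# sample configurations below are constructed for the demo.

# tls_findings FILE: print one finding per line; return 0 only if there are none.
tls_findings() {
    n=0
    # Values of the ssl_protocols directive. SSLv2/SSLv3 are broken and absent
    # from current OpenSSL builds; TLS 1.0/1.1 are deprecated by RFC 8996.
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p' "$1")
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "ssl_protocols offers $p"; n=$((n + 1)) ;;
        esac
    done
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1"; then
        echo "'ssl on' is deprecated; use 'listen 443 ssl'"; n=$((n + 1))
    fi
    if ! grep -Eq '^[[:space:]]*ssl_verify_client[[:space:]]+on[[:space:]]*;' "$1"; then
        echo "ssl_verify_client is not 'on': client certificates are not required"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# write_sample FILE weak|fixed: constructed server blocks for the demo.
write_sample() {
    if [ "$2" = weak ]; then
        cat > "$1" <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_client_certificate ssl/cacert.pem;
    ssl_verify_client on;
}
EOF
    else
        cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_client_certificate ssl/cacert.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;
    location / {
        # Hand the verified identity to the backend; the backend must accept
        # these headers only from this proxy.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN  $ssl_client_s_dn;
        proxy_pass http://192.168.2.150;
    }
}
EOF
    fi
}

# Usage: sh tls_audit.sh /path/to/nginx.conf   (file name is hypothetical)
if [ $# -eq 1 ]; then
    tls_findings "$1"
fi
```

Against the weak sample the script reports the three protocol versions and the `ssl on` line; against the corrected one it reports nothing and exits 0, which makes it usable as a pre-deploy check.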

 

Start nginx without entering a pass phrase

openssl rsa -in server.key -out server.key.nopass

Change

ssl_certificate_key ssl/server.key

to

ssl_certificate_key ssl/server.key.nopass

Validity period of certificates issued by the root CA
By default a certificate is issued for one year; when it expires the service is affected.
To issue for ten years at a time, edit /etc/ssl/openssl.cnf:
default_days    = 3650

Reposted from: https://my.oschina.net/axin3389/blog/2989870
