System: FreeBSD 8.2, apache22

1. Create the CA certificate

Use CA.sh to create the root (CA) certificate. Create a directory for the SSL certificates, copy CA.sh into it, and run it:

    # mkdir -p /usr/local/etc/apache22/ssl
    # cp /usr/src/crypto/openssl/apps/CA.sh /usr/local/etc/apache22/ssl
    # cd /usr/local/etc/apache22/ssl
    # ./CA.sh -newca
    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 1024 bit RSA private key
    .................................................++++++
    ................++++++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:ShangHai
    Locality Name (eg, city) []:ShangHai
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:DaoXiLa Ltd
    Organizational Unit Name (eg, section) []:DaoXiLa
    Common Name (eg, YOUR name) []:daoxila.com
    Email Address []:sa@daoxila.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:DaoXiLa
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/./cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: c0:c4:03:a6:34:24:ac:f5
        Validity
            Not Before: Jun 10 01:46:22 2012 GMT
            Not After : Jun 10 01:46:22 2015 GMT
        Subject:
            countryName            = CN
            stateOrProvinceName    = ShangHai
            organizationName       = DaoXiLa Ltd
            organizationalUnitName = DaoXiLa
            commonName             = daoxila.com
            emailAddress           = sa@daoxila.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                19:C9:F0:C8:EA:0A:80:3D:A8:E7:18:3E:AB:8A:86:E8:08:52:AC:94
            X509v3 Authority Key Identifier:
                keyid:19:C9:F0:C8:EA:0A:80:3D:A8:E7:18:3E:AB:8A:86:E8:08:52:AC:94
                DirName:/C=CN/ST=ShangHai/O=DaoXiLa Ltd/OU=DaoXiLa/CN=daoxila.com/emailAddress=sa@daoxila.com
                serial:C0:C4:03:A6:34:24:AC:F5
            X509v3 Basic Constraints:
                CA:TRUE
    Certificate is to be certified until Jun 10 01:46:22 2015 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated

2. Generate the server private key and server certificate

Generate the private key:

    # openssl genrsa -des3 -out server.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...................++++++
    .............++++++
    e is 65537 (0x10001)
    Enter pass phrase for dxlcs.key:                (enter a passphrase)
    Verifying - Enter pass phrase for dxlcs.key:    (repeat the passphrase)

Generate the server certificate request:

    # openssl req -new -key server.key -out server.csr
    Enter pass phrase for server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Shanghai
    Locality Name (eg, city) []:Shanghai
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:DaoXiLa Ltd
    Organizational Unit Name (eg, section) []:DaoXiLa
    Common Name (eg, YOUR name) []:cs.daoxila.com
    Email Address []:sa@daoxila.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Sign the server certificate request with the CA:

    # mv server.csr newreq.pem
    # ./CA.sh -sign
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 95:37:b2:00:9a:e1:c2:60
        Validity
            Not Before: Jun 13 13:54:42 2012 GMT
            Not After : Jun 13 13:54:42 2013 GMT
        Subject:
            countryName            = CN
            stateOrProvinceName    = Shanghai
            localityName           = Shanghai
            organizationName       = DaoXiLa Ltd
            organizationalUnitName = DaoXiLa
            commonName             = cs.daoxila.com
            emailAddress           = sa@daoxila.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                05:59:78:BD:B6:61:5F:48:1E:16:2B:E6:79:1E:B7:B9:98:81:5B:02
            X509v3 Authority Key Identifier:
                keyid:9D:20:76:DE:FD:D0:A0:87:86:F7:FF:6E:2E:2C:AA:20:B3:40:A9:D8
    Certificate is to be certified until Jun 13 13:54:42 2013 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 95:37:b2:00:9a:e1:c2:60
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=CN, ST=Shanghai, O=DaoXiLa Ltd, OU=DaoXiLa, CN=cs.daoxila.com/emailAddress=sa@daoxila.com
            Validity
                Not Before: Jun 13 13:54:42 2012 GMT
                Not After : Jun 13 13:54:42 2013 GMT
            Subject: C=CN, ST=Shanghai, L=Shanghai, O=DaoXiLa Ltd, OU=DaoXiLa, CN=cs.daoxila.com/emailAddress=sa@daoxila.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        [modulus omitted]
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    05:59:78:BD:B6:61:5F:48:1E:16:2B:E6:79:1E:B7:B9:98:81:5B:02
                X509v3 Authority Key Identifier:
                    keyid:9D:20:76:DE:FD:D0:A0:87:86:F7:FF:6E:2E:2C:AA:20:B3:40:A9:D8
        Signature Algorithm: sha1WithRSAEncryption
            [signature omitted]
    [PEM-encoded certificate omitted]
    Signed certificate is in newcert.pem
    # mv newcert.pem server.crt

3. Generate the client certificate

Generate the client private key:

    # openssl genrsa -des3 -out client.key 1024

Generate the client certificate request:

    # openssl req -new -key client.key -out client.csr

Sign it:

    # openssl ca -in client.csr -out client.crt -days 3650

openssl could not create two crt files one after the other: after server.crt had been created, creating client.crt gave an error. Deleting the demoCA/index.txt generated when server.crt was created and touching a new one fixed it:

    # rm index.txt
    # touch index.txt
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 95:37:b2:00:9a:e1:c2:61
        Validity
            Not Before: Jun 13 14:11:48 2012 GMT
            Not After : Jun 11 14:11:48 2022 GMT
        Subject:
            countryName            = CN
            stateOrProvinceName    = Shanghai
            organizationName       = DaoXiLa Ltd
            organizationalUnitName = DaoXiLa
            commonName             = cs.daoxila.com
            emailAddress           = sa@daoxila.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                76:35:CA:6D:22:BE:FE:A0:72:9F:74:C6:7D:5D:86:3F:0E:C4:CC:9E
            X509v3 Authority Key Identifier:
                keyid:9D:20:76:DE:FD:D0:A0:87:86:F7:FF:6E:2E:2C:AA:20:B3:40:A9:D8
    Certificate is to be certified until Jun 11 14:11:48 2022 GMT (3650 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Convert the client certificate to PKCS#12 format for installation on the client:

    # openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx

Copy the root certificate into the working directory:

    # cp demoCA/cacert.pem ./

Make another copy of the root certificate for installing in browsers:

    # cp cacert.pem CA.crt

Apache virtual host configuration

    <VirtualHost *:443>
        DocumentRoot /www
        ServerName www.axin.net
        ServerAlias axin.net
        SSLEngine on
        # directory holding the SSL certificates
        SSLCACertificatePath /usr/local/etc/apache22/ssl
        # root (CA) certificate used to verify client certificates
        SSLCACertificateFile /usr/local/etc/apache22/ssl/cacert.pem
        # server certificate
        SSLCertificateFile /usr/local/etc/apache22/cs_ssl/server.crt
        # server private key
        SSLCertificateKeyFile /usr/local/etc/apache22/cs_ssl/server.key
        # require a client certificate
        SSLVerifyClient require
        # maximum depth of the client certificate chain
        SSLVerifyDepth 10
    </VirtualHost>

Starting Apache without a passphrase prompt

Add one line to httpd-ssl.conf:

    SSLPassPhraseDialog exec:/usr/local/etc/apache22/apache_pass.sh

Then create the script:

    # vim apache_pass.sh
    #!/bin/sh
    # Prints the passphrase of server.key. Keep this file root-owned with mode
    # 0700: anyone who can read it has the key passphrase, so the encrypted key
    # adds nothing against a reader of this file.
    echo "password"

Nginx configuration

For a large site, Apache runs on the back end and nginx in front acts as a reverse proxy and load balancer:

    server {
        listen 443;
        server_name www.axin.net;
        index index.html index.htm index.php;
        ssl on;
        ssl_certificate ssl/server.crt;
        ssl_certificate_key ssl/server.key;
        ssl_client_certificate ssl/cacert.pem;   # CA used to verify client certificates
        ssl_verify_client on;                    # require a client certificate
        ssl_verify_depth 1;                      # client certificate must be signed directly by the CA
        ssl_session_timeout 5m;
        # SSLv2 and SSLv3 are obsolete and insecure; current deployments allow TLSv1.2 and TLSv1.3 only
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://192.168.2.150;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css)$ {
            proxy_next_upstream http_502 http_504 error timeout invalid_header;
            # proxy_cache cache_one;
            # proxy_cache_valid 200 304 12h;
            # proxy_cache_valid 301 302 1m;
            # proxy_cache_valid any 1m;
            # proxy_cache_key $host$uri$is_args$args;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Accept-Encoding "none";
            proxy_ignore_headers "Cache-Control" "Expires";
            proxy_pass http://192.168.2.150;
            #expires 1d;
            # add_header nid nginx-1;
        }
        location ~ .*\.(php|jsp|cgi)?$ {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_pass http://192.168.2.150;
            # add_header nid nginx-1;
        }
    }

Starting nginx without a passphrase prompt

Strip the passphrase from the server key:

    # openssl rsa -in server.key -out server.key.nopass

then change

    ssl_certificate_key ssl/server.key;

to

    ssl_certificate_key ssl/server.key.nopass;
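Steps 1 to 3 above, run non-interactively with one extension profile per certificate role, as an added example that is not the author's CA.sh session. It assumes an OpenSSL CLI (1.0.2 or newer) and takes the DN values and host name from the post; the CA's CN, the client's CN, key sizes, SHA-256, validity periods, the pki.cnf profiles, the PKCS#12 password and the check_cert helper are this example's own.

```shell
#!/bin/sh
# Added example, not the post's CA.sh session: CA, server and client certificates
# in one run. Names from the post; everything else is this example's choice.
build_pki() (            # subshell body: the cd does not leak into the caller
    set -e
    mkdir -p "$1" && cd "$1"
    base="/C=CN/ST=Shanghai/L=Shanghai/O=DaoXiLa Ltd/OU=DaoXiLa"
    # One extension profile per role, so each certificate can only play its role.
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:cs.daoxila.com
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # 1. CA certificate (self-signed, 10 years). The key is left unencrypted
    #    here; the post protects cakey.pem with a passphrase instead.
    openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:4096 -nodes \
        -sha256 -days 3650 -subj "$base/CN=DaoXiLa Root CA" \
        -keyout cakey.pem -out cacert.pem
    # 2. Server key + CSR, signed under v3_server (serverAuth, SAN for the host)
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "$base/CN=cs.daoxila.com" -keyout server.key -out server.csr
    openssl x509 -req -sha256 -days 365 -in server.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -extfile pki.cnf -extensions v3_server -out server.crt
    # 3. Client key + CSR with its own CN, signed under v3_client (clientAuth
    #    only), then exported as PKCS#12 for the browser, as in the post.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "$base/CN=sa@daoxila.com" -keyout client.key -out client.csr
    openssl x509 -req -sha256 -days 365 -in client.csr -CA cacert.pem -CAkey cakey.pem \
        -CAcreateserial -extfile pki.cnf -extensions v3_client -out client.crt
    openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx \
        -passout pass:changeit
)
# Exit 0 when file $3 in directory $1 chains to cacert.pem and is usable for
# purpose $2 (sslserver or sslclient). The client certificate fails sslserver.
check_cert() {
    openssl verify -CAfile "$1/cacert.pem" -purpose "$2" "$1/$3" >/dev/null 2>&1
}
```

The serverAuth/clientAuth split is the point: nothing in the post's certificates distinguishes a client from a server (the client certificate carries the server's CN and no extended key usage), whereas here `check_cert DIR sslserver client.crt` fails and only server.crt passes it.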
Validity of certificates signed by the root CA

By default each signing run issues a certificate valid for one year; when it expires the service is affected. To issue for 10 years at a time, edit /etc/ssl/openssl.cnf:

    default_days = 3650
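Both problems this page runs into, certificates expiring and the CA database refusing a second request in step 3, can be checked from demoCA/index.txt itself. This is an added example, not from the post: a POSIX sh/awk report over the OpenSSL CA database that lists valid entries expiring within a horizon and subjects that occur more than once (with the default unique_subject = yes, `openssl ca` rejects a request whose subject already has a valid entry, the "TXT_DB error number 2" case). The sample database is constructed here, modelled on the serials and dates printed above, and the as-of date is a parameter so the results are reproducible.

```shell
#!/bin/sh
# Added example, not from the post. Reads an OpenSSL CA database (demoCA/index.txt:
# status, expiry YYMMDDHHMMSSZ, revocation date, serial, file name, subject DN,
# tab-separated) and reports upcoming expiries and duplicate valid subjects.

# ca_index_report INDEX HORIZON_DAYS ASOF(YYYYMMDD)
ca_index_report() {
    awk -F'\t' -v horizon="$2" -v asof="$3" '
    # days since 1970-01-01 for a civil date (Hinnant days_from_civil), so the
    # script needs no mktime and runs under mawk, gawk and BSD awk alike
    function dfc(y, m, d,   era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400); yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN { today = dfc(substr(asof, 1, 4) + 0, substr(asof, 5, 2) + 0, substr(asof, 7, 2) + 0) }
    $1 == "V" {                       # only entries openssl ca still treats as valid
        yy = substr($2, 1, 2) + 0     # UTCTime: 50-99 means 19xx, 00-49 means 20xx
        y = (yy >= 50 ? 1900 : 2000) + yy
        left = dfc(y, substr($2, 3, 2) + 0, substr($2, 5, 2) + 0) - today
        if (left < 0) printf "EXPIRED %s %s %d days ago\n", $4, $6, -left
        else if (left <= horizon) printf "EXPIRING %s %s in %d days\n", $4, $6, left
        seen[$6]++
    }
    END { for (s in seen) if (seen[s] > 1) printf "DUPLICATE %s x%d\n", s, seen[s] }
    ' "$1"
}

# Constructed sample database modelled on the serials and dates printed above:
# the server and client entries share one subject, which unique_subject = yes
# rejects, and a revoked entry (made-up serial) is ignored by the report.
sample_index() {
    dn="/C=CN/ST=Shanghai/O=DaoXiLa Ltd/OU=DaoXiLa/CN=cs.daoxila.com/emailAddress=sa@daoxila.com"
    printf 'V\t130613135442Z\t\t9537B2009AE1C260\tunknown\t%s\n' "$dn"
    printf 'V\t220611141148Z\t\t9537B2009AE1C261\tunknown\t%s\n' "$dn"
    printf 'R\t130101000000Z\t120701120000Z\t9537B2009AE1C25F\tunknown\t%s\n' "$dn"
}
```

Run it as `sample_index > index.txt; ca_index_report index.txt 30 20130601` to see the server certificate flagged 12 days before its 2013 expiry and the shared subject reported as a duplicate; against a real CA point it at demoCA/index.txt with today's date.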