(These notes are rather messy and are for my own reference.)
Two servers: one acts as the CA, the other as the Apache server.
Outline:
1. On the CA server, generate the CA signing certificate, distribute it to every client browser and import it there;
2. On the Apache server, use openssl to generate the private key server.key and the certificate request request.pem, copy request.pem into the requests directory on the CA server, and produce signed.pem with the openssl ca command.
3. Send signed.pem to the Apache server, convert it to x509 format with openssl, put it in the conf/ssl.key directory and edit httpd-ssl.conf. The detailed steps follow:
I. On the CA server
1. Create the directory ca under /usr/local and, inside ca, create the following directories and files:
[root@localhost local]# cd ca
[root@localhost ca]# mkdir certs
[root@localhost ca]# mkdir crl
[root@localhost ca]# mkdir private
[root@localhost ca]# mkdir requests
[root@localhost ca]# mkdir newcerts
[root@localhost ca]# touch index.txt
[root@localhost ca]# echo "0">serial
[root@localhost ca]# ll
总计 24
drwxr-xr-x 2 root root 4096 03-13 13:50 certs
drwxr-xr-x 2 root root 4096 03-13 13:50 crl
-rw-r--r-- 1 root root 0 03-13 13:51 index.txt
drwxr-xr-x 2 root root 4096 03-13 13:51 newcerts
drwxr-xr-x 2 root root 4096 03-13 13:51 private
drwxr-xr-x 2 root root 4096 03-13 13:51 requests
-rw-r--r-- 1 root root 2 03-13 13:51 serial
2. Copy openssl.cnf into the ca directory and edit it, changing the CA_default section to the following:
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
Above the [ usr_cert ] line, add the following sections (extension names and keyUsage bits are case-sensitive in OpenSSL; digitalSignature and extendedKeyUsage must be spelled exactly so):
[ ssl_server ]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, nsSGC, msSGC
nsComment = "OpenSSL Certificate for SSL Web Server"
[ ssl_client ]
basicConstraints = CA:FALSE
nsCertType = client
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsComment = "OpenSSL Certificate for SSL Web Client"
3. Run the certificate generation command (this creates the CA):
openssl req -config ./openssl.cnf -new -x509 -days 3000 -sha1 -newkey rsa:1024 -keyout ./private/ca.key -out ./ca.crt -subj '/O=SSLDemo/OU=My Root CA'
Copy ca.crt to the clients and import it into their browsers.
II. Operations on the web server.
1. The command below generates server.key (the private key) and the certificate request request.pem, which are kept in the conf/ssl.key directory; request.pem also has to be copied to the CA server.
openssl req -new -sha1 -newkey rsa:1024 -nodes -keyout server.key -out request.pem -subj '/O=My Web/OU=My Web/CN=www.ssldemo.com'
(-nodes: the private key is written unencrypted, so no pass phrase is required)
2. Copy request.pem into the CA/requests directory on the CA server and sign it with the CA's private key to produce signed.pem, by running the following command:
openssl ca -config ./openssl.cnf -policy policy_anything -extensions ssl_server -out requests/signed.pem -infiles requests/request.pem
Running the command above hit the following error:
[root@localhost ca]# openssl ca -config ./openssl.cnf -policy policy_anything -extensions ssl_server -out requests/signed.pem -infiles requests/request.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./private/ca.key:
Error Loading extension section ssl_server
10277:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group= name=unique_subject
10277:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=CA_default name=email_in_dn
Fix (edit openssl.cnf and fill in the correct CA policy information):
# For the CA policy
[ policy_match ]
countryName = CN
stateOrProvinceName = GD
organizationName = COSCO
organizationalUnitName = NETWORK
commonName = cosconetwork
emailAddress = giianhui@qq.com
3. After signing succeeds, convert signed.pem to x509 format:
openssl x509 -in signed.pem -out server.crt
Once that succeeds, copy server.crt into the ssl.key directory on the web server.
4. Edit the httpd-ssl.conf file
Add the following block to restrict access to HTTPS only:
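The CA-side and web-side steps above (directory layout, CA creation, server key and CSR, signing with the ssl_server profile, conversion to x509), rebuilt end to end as an added shell example that is not part of the original note: it writes its own minimal openssl.cnf (CA_default, the policy_anything section that the -policy option selects, a v3_ca profile for the CA certificate, and ssl_server) into a temporary directory and finishes with the chain verification the note does not perform. The temporary directory, the 365-day default, -nodes on the CA key and the sha256/rsa:2048 parameters are assumptions; only openssl and a POSIX sh are required.

```shell
# Added example, not from the original note: the note's CA -> CSR -> signed server
# certificate flow in a throwaway directory, plus the verification the note skips.
demo_ca_flow() (
  set -e                                        # any failing step fails the function
  work=$(mktemp -d); cd "$work"                 # hypothetical stand-in for /usr/local/ca and conf/ssl.key
  mkdir -p ca/private ca/requests ca/newcerts; touch ca/index.txt
  echo 01 > ca/serial                           # two hex digits; openssl ca rejects a bare "0"
  cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./ca                                      # relative to the directory the commands run from
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/private/ca.key
default_md = sha256
default_days = 365
[ policy_anything ]
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = keyCertSign, cRLSign
[ ssl_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # Step 1 (CA host): self-signed CA. sha256/rsa:2048 replace the note's sha1/rsa:1024, which current OpenSSL rejects on verify.
  openssl req -config ca/openssl.cnf -new -x509 -days 3000 -sha256 -newkey rsa:2048 -nodes \
    -keyout ca/private/ca.key -out ca/ca.crt -subj '/O=SSLDemo/OU=My Root CA' >/dev/null 2>&1
  # Step 2 (web host): unencrypted server key and CSR; writing the CSR straight into ca/requests stands in for the copy.
  openssl req -config ca/openssl.cnf -new -sha256 -newkey rsa:2048 -nodes -keyout server.key \
    -out ca/requests/request.pem -subj '/O=My Web/OU=My Web/CN=www.ssldemo.com' >/dev/null 2>&1
  # Step 3 (CA host): sign with the ssl_server profile; -batch answers the interactive prompts.
  openssl ca -batch -config ca/openssl.cnf -policy policy_anything -extensions ssl_server \
    -out ca/requests/signed.pem -infiles ca/requests/request.pem >/dev/null 2>&1
  openssl x509 -in ca/requests/signed.pem -out server.crt
  # Checks the note leaves out: the leaf carries the server profile and chains to ca.crt.
  openssl x509 -in server.crt -noout -text | grep -q 'TLS Web Server Authentication'
  openssl verify -CAfile ca/ca.crt server.crt   # prints "server.crt: OK"
)
```

Call demo_ca_flow; a non-zero exit status means one of the steps or the final verification failed.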
<Directory />
SSLRequireSSL
</Directory>
Change the certificate directives to:
SSLCertificateFile "/usr/local/apache2/conf/ssl.key/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.key/server.key"
5. Verification
Restart httpd: service httpd restart
On the client machine, edit the hosts file and add 172.25.6.249 www.ssldemo.com
Open the browser into which the certificate was imported and visit https://www.ssldemo.com