SSL证书通过在客户端浏览器和Web服务器之间建立一条SSL安全通道(Secure socket layer(SSL)安全协议是由Netscape Communication公司设计开发。该安全协议主要用来提供对用户和服务器的认证;对传送的数据进行加密和隐藏;确保数据在传送中不被改变,即数据的完整性,现已成为该领域中全球化的标准。由于SSL技术已建立到所有主要的浏览器和WEB服务器程序中,因此,仅需安装服务器证书就可以激活该功能了)。即通过它可以激活SSL协议,实现数据信息在客户端和服务器之间的加密传输,可以防止数据信息的泄露。保证了双方传递信息的安全性,而且用户可以通过服务器证书验证他所访问的网站是否是真实可靠。
安全套接字层 (SSL) 技术通过加密信息和提供鉴权,保护您的网站安全。一份 SSL 证书包括一个公共密钥和一个私用密钥。公共密钥用于加密信息,私用密钥用于解译加密的信息。浏览器指向一个安全域时,SSL 同步确认服务器和客户端,并创建一种加密方式和一个唯一的会话密钥。它们可以启动一个保证消息的隐私性和完整性的安全会话。
首先要有一个主证书,然后用主证书来签发服务器证书和客户证书,服务器证书和客户证书是平级关系,SSL所使用的证书可以自己生成,也可以通过一个商业性CA(如Verisign 或 Thawte)签署证书。签发证书的问题:如果使用的是商业证书,具体的签署方法请查看相关销售商的说明;如果是知己签发的证书,可以使用openssl 自带的CA.sh脚本工具。如果不为单独的客户端签发证书,客户端证书可以不用生成,客户端与服务器端使用相同的证书。
二,安装所要的软件
openssl :wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz
apache: wget http://www.apache.org/dist/httpd/httpd-2.2.22.tar.gz
三,安装
在正式安装前,请不要直接看下面的安装,请看最后一部分,那是我安装时候所遇到的问题,这样可以使你少走不少弯路,我安装的时候,就走了不少弯路。
1,安装openssl
tar zxvf openssl-1.0.0a.tar.gz
cd openssl-1.0.0a
./config --prefix=/usr/local/openssl
make && make install
2,安装apache
如果你已经安装了apache,你又不想重新编译的话,请参考mod_ssl模块的安装,也就是添加ssl模块而已。
tar zxvf httpd-2.2.22.tar.gz
cd httpd-2.2.22
./configure --prefix=/usr/local/apache –enable-ssl –enable-rewrite –enable-so –with-ssl=/usr/local/openssl
make && make install
如果你是yum install ,apt-get,pacman这样的软件管理工具进行安装的话,上面的二步可以省掉。
3,创建主证书
在/usr/local/apache/conf/下面建个目录ssl
3.1,mkdir ssl
3.2,cp /openssl的安装目录/ssl/misc/CA.sh /usr/local/apache/conf/ssl/
3.3 用CA.sh来创建证书
1
[root@BlackGhost ssl]# ./CA.sh -newca //建立主证书
2
CA certificate filename (
or
enter
to create)
3
4
Making CA certificate ...
5
Generating a
1024
bit RSA private key
6
............++++++
7
......++++++
8
writing new private key to
'
./demoCA/private/./cakey.pem
'
9
Enter
PEM pass
phrase:
10
Verifying -
Enter
PEM pass
phrase:
11
Verify failure
12
Enter
PEM pass
phrase:
13
Verifying -
Enter
PEM pass
phrase:
14
-----
15
You are about to be asked to
enter
information that will be incorporated
16
into
your certificate request.
17
What you are about to
enter
is what is called a Distinguished Name
or
a DN.
18
There are quite a few fields but you can
leave
some blank
19
For some fields there will be a default value,
20
If you
enter
'
.
'
, the field will be left blank.
21
-----
22
Country Name (
2
letter code) [AU]:cn
23
State
or
Province Name (full name) [Some-State]:cn
24
Locality Name (eg, city) []:cn
25
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
26
Organizational Unit Name (eg, section) []:cn
27
Common Name (eg, YOUR name) []:localhost
28
Email Address []:xtaying@gmail.com
29
30
Please
enter
the following
'
extra
'
attributes
31
to be sent with your certificate request
32
A challenge password []:******************
33
An optional company name []:
34
Using configuration from /etc/ssl/openssl.cnf
35
Enter
pass phrase for ./demoCA/private/./cakey.
pem:
//填的是上面的PEM密码
36
Check that the request matches the signature
37
Signature ok
38
Certificate
Details:
39
Serial
Number:
40
89
:
11
:9
f:a6:ca:
03
:
63
:ab
41
Validity
42
Not
Before:
Aug
7
12
:
35
:
28
2010
GMT
43
Not
After : Aug
6
12
:
35
:
28
2013
GMT
44
Subject:
45
countryName = cn
46
stateOrProvinceName = cn
47
organizationName = cn
48
organizationalUnitName = cn
49
commonName = localhost
50
emailAddress = xtaying@gmail.com
51
X509v3
extensions:
52
X509v3 Subject Key
Identifier:
53
26
:
09
:
F3:D5:
26
:
13
:
00
:1
F:
3
E:CC:
86
:1
D:E4:EE:
37
:
06
:
65
:
15
:4
E:
76
54
X509v3 Authority Key
Identifier:
55
keyid:
26
:
09
:
F3:D5:
26
:
13
:
00
:1
F:
3
E:CC:
86
:1
D:E4:EE:
37
:
06
:
65
:
15
:4
E:
76
56
DirName:
/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
57
serial:
89
:
11
:9
F:A6:CA:
03
:
63
:AB
58
59
X509v3 Basic
Constraints:
60
CA:
TRUE
61
Certificate is to be certified until Aug
6
12
:
35
:
28
2013
GMT (
1095
days)
62
63
Write
out
database with
1
new entries
64
Data Base Updated
安装成功的话,会在ssl目录下面产生一个文件夹demoCA
4 生成服务器私钥和服务器证书
1
[root@BlackGhost ssl]# openssl genrsa -des3 -
out
server.key
1024
//产生服务器私钥
2
Generating RSA private key,
1024
bit long modulus
3
.....................++++++
4
.........++++++
5
e is
65537
(0x10001)
6
Enter
pass phrase for server.
key:
7
Verifying -
Enter
pass phrase for server.
key:
8
[root@BlackGhost ssl]# openssl req -new -key server.key -
out
server.csr //生成服务器证书
9
Enter
pass phrase for server.
key:
10
You are about to be asked to
enter
information that will be incorporated
11
into
your certificate request.
12
What you are about to
enter
is what is called a Distinguished Name
or
a DN.
13
There are quite a few fields but you can
leave
some blank
14
For some fields there will be a default value,
15
If you
enter
'
.
'
, the field will be left blank.
16
-----
17
Country Name (
2
letter code) [AU]:cn
18
State
or
Province Name (full name) [Some-State]:cn
19
Locality Name (eg, city) []:cn
20
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
21
Organizational Unit Name (eg, section) []:cn
22
Common Name (eg, YOUR name) []:localhost //要填全域名
23
Email Address []:xtaying@gmail.com
24
25
Please
enter
the following
'
extra
'
attributes
26
to be sent with your certificate request
27
A challenge password []:*****************
28
An optional company name []:
29
4
.
1
对产生的服务器证书进行签证
30
31
cp server.csr newreq.pem
32
33
查看复制打印?
34
[root@BlackGhost ssl]# ./CA.sh -sign //为服务器证书签名
35
Using configuration from /etc/ssl/openssl.cnf
36
Enter
pass phrase for ./demoCA/private/cakey.
pem:
37
Check that the request matches the signature
38
Signature ok
39
Certificate
Details:
40
Serial
Number:
41
89
:
11
:9
f:a6:ca:
03
:
63
:ac
42
Validity
43
Not
Before:
Aug
7
12
:
39
:
41
2010
GMT
44
Not
After : Aug
7
12
:
39
:
41
2011
GMT
45
Subject:
46
countryName = cn
47
stateOrProvinceName = cn
48
localityName = cn
49
organizationName = cn
50
organizationalUnitName = cn
51
commonName = localhost
52
emailAddress = xtaying@gmail.com
53
X509v3
extensions:
54
X509v3 Basic
Constraints:
55
CA:
FALSE
56
Netscape
Comment:
57
OpenSSL Generated Certificate
58
X509v3 Subject Key
Identifier:
59
FE:
20
:
56
:
04
:8
E:B6:BE:
3
E:
3
A:E1:DA:A6:
4
A:
3
A:E1:
16
:
93
:1
D:
3
F:
81
60
X509v3 Authority Key
Identifier:
61
keyid:
26
:
09
:
F3:D5:
26
:
13
:
00
:1
F:
3
E:CC:
86
:1
D:E4:EE:
37
:
06
:
65
:
15
:4
E:
76
62
63
Certificate is to be certified until Aug
7
12
:
39
:
41
2011
GMT (
365
days)
64
Sign the certificate? [y/n]:y
65
66
1
out
of
1
certificate requests certified, commit? [y/n]y
67
Write
out
database with
1
new entries
68
Data Base Updated
69
Certificate:
70
Data:
71
Version:
3
(0x2)
72
Serial
Number:
73
89
:
11
:9
f:a6:ca:
03
:
63
:ac
74
Signature
Algorithm:
sha1WithRSAEncryption
75
Issuer:
C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
76
Validity
77
Not
Before:
Aug
7
12
:
39
:
41
2010
GMT
78
Not
After : Aug
7
12
:
39
:
41
2011
GMT
79
Subject:
C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
80
Subject Public Key
Info:
81
Public Key
Algorithm:
rsaEncryption
82
Public-
Key:
(
1024
bit)
83
Modulus:
84
00
:
ce:d5:a8:df:d1:e7:ee:
92
:
d1:d1:
78
:
20
:
a9:
6
d:
85
0a
:1
b:f6:
09
:
dd:
13
:
29
:
ef:
72
:1
d:
17
:
54
:
dd:
1
c:
8
d:
86
28
:
27
:
69
:
fe:
70
:3
b:fa:
2
b:a3:
45
:
40
:
80
:
ea:
0e
:5
b:
87
a7:bd:
40
:
d0:cd:bc:
2
c:
74
:
03
:8
b:f7:
6
c:
5
e:
1
f:
09
:
88
5
d:c6:
8
a:
05
:
ea:b8:
72
:
fc:
79
:8
b:
62
:
62
:
38
:
0b
:
42
:
89
28
:7
e:
0d
:
fc:e7:bb:b0:
87
:
66
:6
a:b2:
35
:
92
:
91
:
b9:
90
78
:9
c:b6:
76
:
01
:
0b
:2
a:
74
:
df:
5
f:a1:
8
b:
31
:
61
:
90
:
91
93
:
f9:
20
:
db:
46
:
59
:
12
:2
e:
9
b:
59
:
c0:
32
:4
e:
92
:
14
:
92
a1:
7
e:
52
:7
b:cc:
02
:5
e:e2:
45
93
Exponent:
65537
(0x10001)
94
X509v3
extensions:
95
X509v3 Basic
Constraints:
96
CA:
FALSE
97
Netscape
Comment:
98
OpenSSL Generated Certificate
99
X509v3 Subject Key
Identifier:
100
FE:
20
:
56
:
04
:8
E:B6:BE:
3
E:
3
A:E1:DA:A6:
4
A:
3
A:E1:
16
:
93
:1
D:
3
F:
81
101
X509v3 Authority Key
Identifier:
102
keyid:
26
:
09
:
F3:D5:
26
:
13
:
00
:1
F:
3
E:CC:
86
:1
D:E4:EE:
37
:
06
:
65
:
15
:4
E:
76
103
104
Signature
Algorithm:
sha1WithRSAEncryption
105
09
:
a0:
16
:
43
:
a2:
93
:
11
:
a7:ab:f5:
17
:
b7:
36
:
35
:
84
:9
f:
3
b:
37
:
106
32
:
33
:3
f:
93
:
63
:
b0:
4
c:bb:d1:b4:
9
b:
4
f:
37
:
78
:
62
:
f4:ac:ff:
107
28
:
b0:
63
:
71
:2
e:
9
a:
7
c:f4:
40
:2
e:b1:
5
f:ae:
49
:
e7:e2:
6
f:de:
108
cf:
30
:
cc:
9
a:
08
:
26
:
26
:
24
:
c5:
00
:
03
:
32
:
20
:
48
:
41
:
b1:
29
:8
f:
109
5
d:
3
d:
2
a:
78
:
54
:
0e
:
a8:
76
:
07
:6
c:
7
f:
23
:
42
:
75
:
c2:fb:
83
:1
d:
110
70
:
44
:5
e:
8
c:
90
:
cf:b4:
23
:
b7:
23
:5
b:
06
:
05
:
32
:
58
:
e3:af:
1
c:
111
be:
1
d:
50
:7
b:fd:
37
:
66
:
ba:
9
c:ec:bb:af:ee:b6:
04
:
f7:c5:
2
e:
112
59
:
22
113
-----BEGIN CERTIFICATE-----
114
MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
115
BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw
116
EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu
117
Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC
118
Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV
119
BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp
120
bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu
121
ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3
122
bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh
123
kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
124
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
125
HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+
126
zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3
127
MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy
128
IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/
03
129
Zrqc7Luv7rYE98UuWSI=
130
-----END CERTIFICATE-----
131
Signed certificate is
in
newcert.pem
cp newcert.pem server.crt
5,产生客户端证书
生成客户私钥:
openssl genrsa -des3 -out client.key 1024
生成客户证书
openssl req -new -key client.key -out client.csr
签证:
openssl ca -in client.csr -out client.crt
转换成pkcs12格式,为客户端安装所用
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx(切记:设置最好和服务证书有点不同,但是前面是cn,后面必须是cn,可以邮箱不同)
这一步根安装服务器的证书差不多,不同的是签证,最后安装的时候,client.pfx的密码要记住,在客户端安装的时候要用到的。
[root@BlackGhost ssl]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying – Enter Export Password:
客户端和服务器端都可以使用服务器端证书,所以这一步不做也行。
6,集中所以证书和私私钥到一起
#cp demoCA/cacert.pem cacert.pem
同时复制一份证书,更名为ca.crt
#cp cacert.pem ca.crt
7,apache配置
vi /usr/local/apache/conf/extra/http-ssl.conf
1
ssl开启
2
SSLEngine on
3
4
指定服务器证书位置
5
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
6
7
指定服务器证书key位置
8
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
9
10
证书目录
11
SSLCACertificatePath /usr/local/apache/conf/ssl
12
13
根证书位置
14
SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem
15
16
要求客户拥有证书
17
SSLVerifyClient require
18
SSLVerifyDepth
1
19
SSLOptions +StdEnvVars
20
21
记录log
22
CustomLog
"
/usr/local/apache/logs/ssl_request_log
"
\
23
"
%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
"
%r\
"
%b
"
24
vi /usr/local/apache/conf/extra/httpd_vhosts.conf
vi /usr/local/apache/conf/extra/ssl.conf
vi /usr/local/apache/conf/httpd.conf把Include conf/extra/httpd-ssl.conf前面的注释去掉
启动 /usr/local/apache/bin/apachectl -D SSL -k start
Server *:10000 (RSA)
Enter pass phrase:输入的是server的密钥
OK: Pass Phrase Dialog successful.
8,安装客户端证书
把ca.crt和client.pfx copy到客户端,双击client.pfx就会进入证书的安装向导,下一步就行了,中间会让你输入密码
四,安装所遇到的问题
1,生成的密码很多,一会让输入密码,会忘得,并且主证书的密码和下面的证书的密码不能重得,会报错的,所以要搞个文本记下来。
2,升级openssl引发的问题
httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libssl.so.0.9.8: cannot open shared object file: No such file or directory
httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory
用ln -s来建立软链接,就可以了。不过这种方法不是万能的,比如我把libpng从1.2升到1.4,libjpeg从7.0升到8.0结果是系统差点崩掉,用软链接不管用,我把他们弄掉,从网上下的低版本重装。
3,证书的国家名称,省名要相同不然生成空证书,
The countryName field needed to be the same in the
CA certificate (cn) and the request (sh)
4,提示CommonName时,要添写全域名,会提示警告
RSA server certificate CommonName (CN) `cn’ does NOT match server name!?
5,相同的证书不能生成二次,名字不一样也不行,也就是说server.cst和client.csr信息不能完相同,不然会报
failed to update database
TXT_DB error number 2
6,页面浏览时,会看到提示,你的证书是不可信的,是因为我配置的不对,还是自己建的证书就是不要信的呢?
7,当我加了SSLVerifyClient require SSLVerifyDepth 1 这二个配置时,在windows下面,要你输入证书后,就可以看到页面了,但在用firefox就是不行呢?看下面的ssl_request_log日志,192.168.18.3是用windows的IE浏览器
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA “GET /robots.txt HTTP/1.1″ 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA “GET /robots.txt HTTP/1.1″ 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA “GET /robots.txt HTTP/1.1″ 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 “GET / HTTP/1.1″ 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 “GET / HTTP/1.1″ 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 “GET / HTTP/1.1″ 1505
遇到肯定不止这几个,有的想不起来了。关于6,7,还请高手指教。谢谢
1361
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
