基于SSL的电子证书配置
折腾了两天,基本完成,但是其实现原理,我还是不太了解,因此不敢长篇大论的来说SSL如何,电子证书如何。
而且我现在也还不知道我现在完成的目标是不是真的就是可以用在实际项目的要求,也不知道采取USB-KEY的方式能否验证通过(经过实验,已经通过)。
因此,仅记录我的实验步骤。
1)创建root CA
如果你有自己的CA(Certificate Authority),或者打算购买商业CA证书,那么这个步骤可以省略了,后面的步骤也会不同,但是不管如何,我们假定现在我们得到的CA私钥名字是rootca.key。
现在我们自己来创建自己的root CA
第一步,创建root CA的私钥,为了安全,我们采取2048bit加密方式,设置的密码也应该足够复杂
Generating RSA private key, 2048 bit long modulus
………………………………..+++
……+++
e is 65537 (0×10001)
Enter pass phrase: <------输入自己的密码,最好足够复杂
Verifying - Enter pass phrase: <----- 再次输入密码
这样就创建root CA的密钥。
解析来我们用这个私钥对CA的证书做自认证(self-certificte)签名
# openssl req -new -x509 -key caroot.key -days 3650 -out caroot.cert
Enter pass phrase for caroot.key: <----输入私钥的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HuNan]:
Locality Name (eg, city) [ChangSha]:
Organization Name (eg, company) [RedFlag Software]:
Organizational Unit Name (eg, section) [Technical Support Depart]:
Common Name (eg, your name or your server's hostname) [wgzhao-demo.rflinux.com]:
Email Address []:
现在我们创建存放CA证书的路径和一些必要文件
mkdir -p /etc/pki/CA/{certs,newcerts,private}
touch /etc/pki/CA/index.txt
echo “01″ >/etc/pki/CA/serial
将生成的证书拷贝到对应的位置
cp rootca.key /etc/pki/CA/private/cakey.pem
cp rootca.cert /etc/pki/CA/rootca.cert
第二步:创建服务端证书
首先创建服务端私钥
# openssl genrsa -des3 2048 >server.key
Generating RSA private key, 2048 bit long modulus
……………………………………………………..+++
………………….+++
e is 65537 (0×10001)
Enter pass phrase:
Verifying – Enter pass phrase:
由密钥产生认证的申请文件
#openssl req -days 3650 -key server.key -new -out server.csr
Enter pass phrase for server.key: <---- 输入服务端私钥的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HuNan]:
Locality Name (eg, city) [ChangSha]:
Organization Name (eg, company) [RedFlag Software]:
Organizational Unit Name (eg, section) [Technical Support Depart]:
Common Name (eg, your name or your server's hostname) [wgzhao-demo.rflinux.com]:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
上面需要提供的信息中,最关键的是Common Name字段,这里要填写的是用过是FQDN(Full Quality Domain Name),也应该和你将来访问的域名一致,否则访问域名的时候,SSL会报错。
接着使用root CA给申请文件签名产生证书文件
# openssl ca -out server.cert -days 3650 -infiles server.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem: <---输入root CA的私钥密码
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
ab:0d:d5:fe:d0:d3:eb:22
Validity
Not Before: Jun 23 04:26:40 2008 GMT
Not After : Jun 21 04:26:40 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = HuNan
organizationName = RedFlag Software
organizationalUnitName = Technical Support Depart
commonName = wgzhao-demo.rflinux.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EB:77:E0:22:DB:6C:A0:95:54:A9:90:BB:41:B5:DE:3F:AA:BA:EA:9A
X509v3 Authority Key Identifier:
keyid:80:8D:F3:90:A2:D0:3E:C2:B7:70:7B:A8:D3:A9:31:DA:5A:01:C2:63
Certificate is to be certified until Jun 21 04:26:40 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
你可以把服务端私钥和证书合并,也可以分开,取决于ssl.conf配置文件的写法,后面会提到。
第三步,从安全角度考虑,我们单独给客户端生成有一个密钥
步骤和第二步生成服务端证书一样,只是在生成csr文件的时候,对Common Name没有要求。
假定你已经生成了client.key,client.csr,client.cert文件。
接着我们需要制作一张可便于携带的证书,即PKCS#12格式
# openssl pkcs12 -export -in client.cert -inkey client.key -out client.pfx
Enter pass phrase for client.key: <---客户端私钥密码
Enter Export Password: <---导出密码,在导入的时候需要用到
Verifying - Enter Export Password:
这样,我们就生成了一张可导入到浏览器的证书。
第四步 配置Apache
主要是配置/etc/httpd/conf.d/ssl.conf
要配置的主要是下面几行:
SSLCertificateFile /etc/pki/tls/certs/server.cert
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
SSLCACertificateFile /etc/pki/CA/rootca.cert
SSLCACertificatePath /etc/pki/CA
SSLVerifyClient require
SSLVerifyDepth 1
上面的配置可以分为三个部分,第一步分最开始两行,配置服务端的证书
如果在第二个步骤的时候,你已经把私钥和证书综合到了一起(cat server.key server.cert >server.pem),那么就只需要第一行就可以了,后面指向综合在一起的文件(这里是server.pem)。否则你可以像第二行那样指定私钥的位置。
接下来的两行是配置root CA的,其实,只要配置第一行就可以了。
最后两行很重要,SSLVerifyClient表示需要验证客户端,是参数是none,那就不验证客户端了,客户端和服务器端通信仅仅是通过SSL,但是谁也知道要通讯的对方是不是就是你需要的对方。
SSLVerifyDepth是验证深度,默认是10,改成1。这个参数的具体含义,我还是不太了解。
另外,你还需要把ssl.conf的虚拟主机配置成你填写Common Name时的域名,总而言之如果你Common Name填写的是yourdomin,那么浏览器访问的时候就只能是https://yourdomain,其他的否会报错。
配置完成后,重启Apache服务
# /etc/init.d/httpd start
Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server wgzhao-demo.rflinux.com:443 (RSA)
Enter pass phrase:
移动设备访问
Flickr Photos
近期评论