Creating certificates with OpenSSL: a detailed SSL + Apache configuration

I. What is SSL

An SSL certificate sets up an SSL secure channel between the client's browser and the web server. (The Secure Sockets Layer (SSL) protocol was designed and developed by Netscape Communications. It is used mainly to authenticate the user and the server, to encrypt and hide the data being transferred, and to make sure the data is not altered in transit, that is, to protect its integrity; it has become the worldwide standard in this area. Because SSL is built into all major browsers and web servers, installing a server certificate is all that is needed to activate it.) Installing the certificate activates the SSL protocol, so data is transmitted between client and server in encrypted form and cannot be disclosed on the way. This secures the information exchanged by both sides, and the user can use the server certificate to check whether the site being visited is genuine.

Secure Sockets Layer (SSL) technology protects your website by encrypting information and providing authentication. An SSL certificate goes together with a public key and a private key: the public key is used to encrypt information and the private key to decrypt it. When a browser points at a secure domain, SSL authenticates the server and the client and agrees on an encryption method and a unique session key. The two sides can then start a secure session that guarantees the privacy and integrity of their messages.

First you need a master (CA) certificate; it is used to sign the server certificate and the client certificate, which are peers of each other. The certificates SSL uses can be generated by yourself or signed by a commercial CA (such as VeriSign or Thawte). On getting certificates signed: for a commercial certificate, follow the vendor's instructions; for a certificate you sign yourself, you can use the CA.sh script that ships with OpenSSL. If you do not issue a separate certificate for the client, the client certificate need not be generated at all, and client and server use the same certificate.

II. Install the required software

OpenSSL: wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz

Apache: wget http://www.apache.org/dist/httpd/httpd-2.2.16.tar.gz

III. Installation

Before you start, do not jump straight into the steps below: read the last section first, which lists the problems I ran into while installing. It can save you a lot of detours; I took plenty of them myself.

1. Install OpenSSL

tar zxvf openssl-1.0.0a.tar.gz
cd openssl-1.0.0a
./config --prefix=/usr/local/openssl
make && make install

2. Install Apache

If Apache is already installed and you do not want to recompile it, see the instructions for installing the mod_ssl module instead; that only adds the SSL module to the existing server.

tar zxvf httpd-2.2.16.tar.gz
cd httpd-2.2.16
./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/openssl
make && make install

If you install with a package manager such as yum install, apt-get or pacman, the two steps above can be skipped.

3. Create the master (CA) certificate

Create a directory named ssl under /usr/local/apache/conf/:

3.1 mkdir ssl

3.2 cp <OpenSSL install directory>/ssl/misc/CA.sh /usr/local/apache/conf/ssl/

3.3 Use CA.sh to create the certificate

[[email protected] ssl]# ./CA.sh -newca   // create the master (CA) certificate
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:******************
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:       // the PEM pass phrase entered above
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number:
 89:11:9f:a6:ca:03:63:ab
 Validity
 Not Before: Aug  7 12:35:28 2010 GMT
 Not After : Aug  6 12:35:28 2013 GMT
 Subject:
 countryName               = cn
 stateOrProvinceName       = cn
 organizationName          = cn
 organizationalUnitName    = cn
 commonName                = localhost
 emailAddress              = [email protected]
 X509v3 extensions:
 X509v3 Subject Key Identifier:
 26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
 X509v3 Authority Key Identifier:
 keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
 DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/[email protected]
 serial:89:11:9F:A6:CA:03:63:AB

 X509v3 Basic Constraints:
 CA:TRUE
Certificate is to be certified until Aug  6 12:35:28 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

If this succeeds, a folder named demoCA is created under the ssl directory.

4. Generate the server private key and the server certificate

[[email protected] ssl]# openssl genrsa -des3 -out server.key 1024    // generate the server private key
Generating RSA private key, 1024 bit long modulus
.....................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[[email protected] ssl]# openssl req -new -key server.key -out server.csr      // generate the server certificate request
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost     // enter the full domain name here
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*****************
An optional company name []:

4.1 Sign the generated server certificate request

cp server.csr newreq.pem    (CA.sh -sign reads the request from newreq.pem)

[[email protected] ssl]# ./CA.sh -sign     // sign the server certificate
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            89:11:9f:a6:ca:03:63:ac
        Validity
            Not Before: Aug  7 12:39:41 2010 GMT
            Not After : Aug  7 12:39:41 2011 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = cn
            localityName              = cn
            organizationName          = cn
            organizationalUnitName    = cn
            commonName                = localhost
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
            X509v3 Authority Key Identifier:
                keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76

Certificate is to be certified until Aug  7 12:39:41 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            89:11:9f:a6:ca:03:63:ac
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/[email protected]
        Validity
            Not Before: Aug  7 12:39:41 2010 GMT
            Not After : Aug  7 12:39:41 2011 GMT
        Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ce:d5:a8:df:d1:e7:ee:92:d1:d1:78:20:a9:6d:
                    0a:1b:f6:09:dd:13:29:ef:72:1d:17:54:dd:1c:8d:
                    28:27:69:fe:70:3b:fa:2b:a3:45:40:80:ea:0e:5b:
                    a7:bd:40:d0:cd:bc:2c:74:03:8b:f7:6c:5e:1f:09:
                    5d:c6:8a:05:ea:b8:72:fc:79:8b:62:62:38:0b:42:
                    28:7e:0d:fc:e7:bb:b0:87:66:6a:b2:35:92:91:b9:
                    78:9c:b6:76:01:0b:2a:74:df:5f:a1:8b:31:61:90:
                    93:f9:20:db:46:59:12:2e:9b:59:c0:32:4e:92:14:
                    a1:7e:52:7b:cc:02:5e:e2:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
            X509v3 Authority Key Identifier:
                keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76

    Signature Algorithm: sha1WithRSAEncryption
        09:a0:16:43:a2:93:11:a7:ab:f5:17:b7:36:35:84:9f:3b:37:
        32:33:3f:93:63:b0:4c:bb:d1:b4:9b:4f:37:78:62:f4:ac:ff:
        28:b0:63:71:2e:9a:7c:f4:40:2e:b1:5f:ae:49:e7:e2:6f:de:
        cf:30:cc:9a:08:26:26:24:c5:00:03:32:20:48:41:b1:29:8f:
        5d:3d:2a:78:54:0e:a8:76:07:6c:7f:23:42:75:c2:fb:83:1d:
        70:44:5e:8c:90:cf:b4:23:b7:23:5b:06:05:32:58:e3:af:1c:
        be:1d:50:7b:fd:37:66:ba:9c:ec:bb:af:ee:b6:04:f7:c5:2e:
        59:22
-----BEGIN CERTIFICATE-----
MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw
EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu
Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC
Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV
BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp
bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu
ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3
bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh
kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+
zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3
MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy
IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/03
Zrqc7Luv7rYE98UuWSI=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

cp newcert.pem server.crt

5. Generate the client certificate

Generate the client private key:
openssl genrsa -des3 -out client.key 1024

Generate the client certificate request:
openssl req -new -key client.key -out client.csr

Sign it:
openssl ca -in client.csr -out client.crt

Convert it to PKCS#12 format for installation on the client:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx

This step is much the same as creating the server certificate; the difference is the signing command. Remember the password set for client.pfx at the end: it is needed when the certificate is installed on the client.

[[email protected] ssl]# openssl pkcs12 -export -clcerts   -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:

The client and the server can both use the server certificate, so this step can also be skipped.

6. Collect all certificates and private keys in one place

#cp demoCA/cacert.pem cacert.pem

Also make a copy of the CA certificate named ca.crt:
#cp cacert.pem ca.crt

7. Apache configuration

vi /usr/local/apache/conf/extra/ssl.conf

# enable SSL
SSLEngine on

# location of the server certificate
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt

# location of the server private key
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key

# certificate directory
SSLCACertificatePath /usr/local/apache/conf/ssl

# location of the root (CA) certificate
SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem

# require clients to present a certificate
SSLVerifyClient require
SSLVerifyDepth  1
SSLOptions +StdEnvVars

# logging
CustomLog "/usr/local/apache/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

vi /usr/local/apache/conf/extra/httpd-vhosts.conf

Listen 443 https
NameVirtualHost *:443
<VirtualHost _default_:443>
    DocumentRoot "/home/zhangy/www/metbee/trunk/src/web"
    ServerName  *:443
    ErrorLog "/home/zhangy/apache/www.metbee.com-error.log"
    CustomLog "/home/zhangy/apache/www.metbee.com-access.log" common
    Include conf/extra/ssl.conf
</VirtualHost>

vi /usr/local/apache/conf/httpd.conf and remove the comment mark in front of Include conf/extra/httpd-vhosts.conf

Start Apache: /usr/local/apache/bin/apachectl -D SSL -k start

Server *:10000 (RSA)
Enter pass phrase:       // enter the pass phrase of the server key

OK: Pass Phrase Dialog successful.
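The procedure of sections 3 to 7 (CA, server certificate, client certificate, PKCS#12 bundle, and the files Apache is then pointed at) as one unattended script, added here as an example; it is not code from the original post nor OpenSSL's CA.sh. It signs with openssl x509 -req instead of openssl ca, carries its own small config file instead of relying on /etc/ssl/openssl.cnf, and ends with the three checks worth running before apachectl -D SSL -k start: each certificate verifies against the CA for its purpose, server.crt and server.key are a matching pair, and the host name clients will use is in the certificate's subjectAltName. Every directory, DN value, password and function name in it is an assumption made for the demo.

```shell
#!/bin/sh
# Added example (not the post's code, not OpenSSL's CA.sh): sections 3 to 7 as one
# unattended script plus the checks worth running before "apachectl -D SSL -k start".
# All directories, DN values and passwords are assumptions made for the demo.
# Deliberate differences from the post's interactive flow: 2048-bit RSA and SHA-256
# instead of 1024-bit keys and SHA-1; a subjectAltName on the server certificate
# (browsers match the SAN, not the CommonName of problem 4); the DN passed with
# -subj so CA and request fields cannot disagree (problem 3); signing with
# "openssl x509 -req" instead of "openssl ca", so there is no demoCA index and no
# TXT_DB error (problem 5); keys without a passphrase so nothing prompts, which is
# why the key files are set to mode 600.
set -eu

SSL_DIR="${SSL_DIR:-$(mktemp -d)}"      # stands in for /usr/local/apache/conf/ssl
PFX_PASS="${PFX_PASS:-demo-export-pw}"  # demo value: the import wizard asks for it
CNF="$SSL_DIR/pki.cnf"

# Minimal OpenSSL config used instead of /etc/ssl/openssl.cnf: the subject always
# comes from -subj, the other sections hold the X.509v3 extensions per cert type.
write_config() {
    cat >"$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
# empty on purpose: -subj supplies the subject
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Section 3: the CA ("master") key and its self-signed certificate.
make_ca() {
    openssl genrsa -out "$SSL_DIR/cakey.pem" 2048 2>/dev/null
    chmod 600 "$SSL_DIR/cakey.pem"
    openssl req -new -x509 -sha256 -days 1095 -key "$SSL_DIR/cakey.pem" \
        -config "$CNF" -extensions v3_ca \
        -subj "/C=cn/ST=cn/O=cn/OU=cn/CN=demo-root-ca" -out "$SSL_DIR/cacert.pem"
}

# Sections 4, 4.1 and 5: key and CSR named $1, signed by the CA with the
# extensions of config section $2 and CommonName $3.
issue_cert() {
    openssl genrsa -out "$SSL_DIR/$1.key" 2048 2>/dev/null
    chmod 600 "$SSL_DIR/$1.key"
    openssl req -new -sha256 -key "$SSL_DIR/$1.key" -config "$CNF" \
        -subj "/C=cn/ST=cn/O=cn/OU=cn/CN=$3" -out "$SSL_DIR/$1.csr"
    openssl x509 -req -sha256 -days 365 -in "$SSL_DIR/$1.csr" \
        -CA "$SSL_DIR/cacert.pem" -CAkey "$SSL_DIR/cakey.pem" -CAcreateserial \
        -extfile "$CNF" -extensions "$2" -out "$SSL_DIR/$1.crt" 2>/dev/null
}

# Check 1: certificate $1 chains to the CA and is valid for purpose $2
# (sslserver or sslclient); exit status 0 means OK.
verify_chain() {
    openssl verify -purpose "$2" -CAfile "$SSL_DIR/cacert.pem" "$1" >/dev/null 2>&1
}
# Check 2: certificate $1 and key $2 belong together (SSLCertificateFile and
# SSLCertificateKeyFile must share one RSA modulus).
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}
# Check 3: the host name clients will connect to ($2) is in the SAN of $1.
has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

build_pki() {
    write_config
    make_ca
    issue_cert server server_ext localhost
    issue_cert client client_ext demo-client
    # Section 5: PKCS#12 bundle for the browser's import wizard.
    openssl pkcs12 -export -clcerts -in "$SSL_DIR/client.crt" \
        -inkey "$SSL_DIR/client.key" -out "$SSL_DIR/client.pfx" -passout "pass:$PFX_PASS"
    cp "$SSL_DIR/cacert.pem" "$SSL_DIR/ca.crt"   # section 6: the copy handed to clients
}

if command -v openssl >/dev/null 2>&1; then
    build_pki
    verify_chain "$SSL_DIR/server.crt" sslserver
    verify_chain "$SSL_DIR/client.crt" sslclient
    cert_matches_key "$SSL_DIR/server.crt" "$SSL_DIR/server.key"
    has_san "$SSL_DIR/server.crt" localhost
    echo "PKI written to $SSL_DIR; all checks passed"
else
    echo "openssl not found in PATH; nothing generated" >&2
fi
```

Run it with SSL_DIR=/usr/local/apache/conf/ssl to write straight into the directory the post uses; the SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile lines from section 7 then apply unchanged. Because the CA is one you created, it is in no browser's trust store, so ca.crt must be imported on each client before the browser stops warning about the server certificate; cacert.pem is also what SSLVerifyClient require validates client certificates against.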

8. Install the client certificate

Copy ca.crt and client.pfx to the client machine. Double-clicking client.pfx starts the certificate import wizard; just click Next through it, and it will ask for the password along the way.

IV. Problems encountered during installation

1. Many passwords get created along the way and you are asked for them again and again, so they are easy to forget; also, the master certificate's password and the passwords of the certificates below it must not be the same, or an error is reported. So keep a text file and write them down.

2. Problems caused by upgrading OpenSSL

httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libssl.so.0.9.8: cannot open shared object file: No such file or directory

httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory

Creating symbolic links with ln -s fixes this. The method is not a cure-all, though: when I upgraded libpng from 1.2 to 1.4 and libjpeg from 7.0 to 8.0 the system nearly fell over, symlinks did not help, and I removed them and reinstalled the older versions downloaded from the web.

3. The country name and province name of the certificates must be the same, otherwise an empty certificate is generated:

The countryName field needed to be the same in the
CA certificate (cn) and the request (sh)

4. When prompted for the CommonName, enter the full domain name; otherwise a warning is shown:

RSA server certificate CommonName (CN) `cn' does NOT match server name!?

5. The same certificate cannot be generated twice, not even under a different name; that is, the information in server.csr and client.csr must not be completely identical, otherwise this is reported:

failed to update database
TXT_DB error number 2

6. When browsing the page, a warning says the certificate is not trusted. Is that because I configured something wrong, or is a certificate you create yourself simply not trusted?

7. After I added the two settings SSLVerifyClient require and SSLVerifyDepth 1, on Windows the page is shown once you have been asked for the certificate, but with Firefox it just does not work. Why? See the ssl_request_log below; 192.168.18.3 is the Windows machine using the IE browser.

[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505

There were certainly more problems than these; some I cannot recall any more. As for 6 and 7, I would welcome advice from the experts. Thanks.
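The ssl_request_log lines in problem 7 are written by the CustomLog directive of section 7 in the form %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b, which makes the protocol version and cipher suite of every request visible. The following shell/awk checker is an added example and not part of the original post: it reads that format and flags sessions that negotiated a legacy protocol or a cipher suite based on RC4, MD5, DES/3DES, export grades or NULL encryption. The two sample lines are copies of the page's own log entries; the function names, the list of weak patterns and the verdict labels are assumptions made for this example. On the sample, the RC4-MD5 session from 192.168.18.3 is the one flagged.

```shell
#!/bin/sh
# Added example, not part of the original post: a checker for the ssl_request_log
# written by the CustomLog line in section 7. Each entry has the form
#   %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
# The sample lines are copied from problem 7; function names, the weak-cipher
# patterns and the verdict labels are assumptions made for this example.
set -eu

# Constructed sample: one entry per distinct client seen in problem 7.
SAMPLE_LOG='[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505'

# Reads log entries on stdin and prints "client protocol cipher verdict" for each.
# The timestamp "[date:time +zone]" takes fields 1 and 2, so the client address
# is $3, the protocol $4 and the cipher suite $5.
audit_ssl_log() {
    awk '{
        client = $3; proto = $4; cipher = $5; verdict = ""
        # protocol versions no current SSLProtocol setting should still allow
        if (proto == "SSLv2" || proto == "SSLv3") verdict = "weak-protocol"
        # suites using RC4, MD5, (3)DES, export grades or no encryption at all
        if (cipher ~ /(RC4|MD5|DES|EXP|NULL)/) {
            if (verdict == "") verdict = "weak-cipher"
            else verdict = verdict "+weak-cipher"
        }
        if (verdict == "") verdict = "ok"
        print client, proto, cipher, verdict
    }'
}

# Verdict for a single log entry passed as $1.
verdict_for() {
    printf '%s\n' "$1" | audit_ssl_log | awk '{ print $NF }'
}

# Distinct client addresses with at least one flagged session, one per line.
weak_clients() {
    printf '%s\n' "$SAMPLE_LOG" | audit_ssl_log | awk '$NF != "ok" { print $1 }' | sort -u
}

# Number of flagged entries in the sample log.
weak_count() {
    printf '%s\n' "$SAMPLE_LOG" | audit_ssl_log | awk '$NF != "ok"' | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | audit_ssl_log
```

To run it against a real file, replace the printf of SAMPLE_LOG with cat /usr/local/apache/logs/ssl_request_log. A client that only ever appears with flagged suites is the one to look at when SSLCipherSuite is tightened, since it will stop connecting once those suites are refused.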

Tags: apache ssl

Please credit the source when reposting.
Author: 海底苍鹰
URL: http://blog.51yip.com/apachenginx/958.html

Time: 2024-10-14 11:38:15
