Category: LINUX
2009-05-19 14:58:02
Attachment: apache ssl.pdf (714KB)
The installation steps for openssl and apache are not covered here.
I. Enabling the mod_ssl module
1. First enable the ssl module in Apache's configuration (remove the leading #).
2. Include the ssl.conf from Apache's conf.d directory (the configuration file may differ from one environment to another).
II. Generating and using the server certificate
Use the openssl command to generate the server certificate:
[root@localhost ssl.crt]# openssl req -new -out server.csr
[root@localhost ssl.crt]# openssl rsa -in privkey.pem -out server.key
[root@localhost ssl.crt]# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
Edit ssl.conf under Apache:
[root@localhost ssl.crt]# vi /etc/httpd/conf.d/ssl.conf

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf/ssl.crt/server.key

The lines shown in red (the uncommented SSLCertificateFile and SSLCertificateKeyFile) are the ones to add or modify; the directory in their paths is where the server certificate and key are stored.
Restart Apache:
[root@localhost ssl.crt]# service httpd restart
Here, click "Install Certificate", then "Next"; this opens the "Certificate Import Wizard". Choose "Place all certificates in the following store", click "Browse", select "Trusted Root Certification Authorities", then "OK".
When you visit the site again:
This shows that the server certificate has been set up successfully!
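The three openssl commands above are interactive (they prompt for the subject fields and a pass phrase, which the openssl rsa step then strips). The script below is an added example, not code from the original post: it runs the same steps non-interactively, with a 2048-bit RSA key and SHA-256 instead of the 2009-era defaults, and then performs the two checks a practitioner wants before editing ssl.conf: that server.crt really belongs to server.key (a mismatch is the usual reason httpd refuses to start afterwards), and that a self-signed certificate is trusted only by a verifier that already holds a copy of it, which is why the browser import into "Trusted Root Certification Authorities" is needed. It assumes the openssl CLI is on PATH; the subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive server
# certificate generation plus the checks to run before editing ssl.conf.
# Assumption: the openssl CLI is installed; subject fields are placeholders.

# gen_server_cert DIR: writes server.key, server.csr and a self-signed
# server.crt valid for 365 days (as in the post) into DIR.
gen_server_cert() {
    mkdir -p "$1" || return 1
    # -nodes leaves the key unencrypted, which is what the post's
    # "openssl rsa -in privkey.pem -out server.key" step achieves.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=CN/ST=Beijing/O=Example/CN=localhost" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    # Self-sign the request with the server's own key.
    openssl x509 -req -sha256 -in "$1/server.csr" -signkey "$1/server.key" \
        -days 365 -out "$1/server.crt" 2>/dev/null || return 1
}

# cert_matches_key CERT KEY: succeeds only if the RSA modulus in CERT is the
# one in KEY, i.e. SSLCertificateFile and SSLCertificateKeyFile belong together.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# verify_against CAFILE CERT: succeeds only if CERT chains to CAFILE. The
# textual "OK" is checked because older openssl versions exit 0 on failure.
verify_against() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Stand-alone run: two unrelated self-signed certificates in temp directories.
a=$(mktemp -d); b=$(mktemp -d)
if gen_server_cert "$a" && gen_server_cert "$b"; then
    cert_matches_key "$a/server.crt" "$a/server.key" \
        && echo "server.crt matches server.key" || echo "MISMATCH: httpd would not start"
    verify_against "$a/server.crt" "$a/server.crt" \
        && echo "trusted by a verifier that holds server.crt (the browser import)"
    verify_against "$a/server.crt" "$b/server.crt" \
        || echo "an unrelated self-signed certificate is not trusted"
    openssl x509 -in "$a/server.crt" -noout -subject -dates
fi
rm -rf "$a" "$b"
```

Running the script prints the subject and validity window of the fresh certificate; the `-dates` output is worth noting down, since a certificate issued with `-days 365` stops working silently a year later.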
III. Using certificates to authenticate client users
Now let's also configure the client certificate.
Generate the client certificate:
[root@localhost ssl.crt]# openssl req -new -out ca.csr -keyout cakey.pem
[root@localhost ssl.crt]# openssl x509 -req -in ca.csr -out ca.pem -CA server.crt -CAkey server.key -CAcreateserial -days 365 -outform PEM
[root@localhost ssl.crt]# openssl pkcs12 -export -in ca.pem -out bjyeeu.p12 -inkey cakey.pem -name "bjyeeu's Cret"
Edit ssl.conf under Apache:
[root@localhost ssl.crt]# vi /etc/httpd/conf.d/ssl.conf

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server.crt

# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth 1

The lines shown in red (SSLCACertificatePath, SSLCACertificateFile, SSLVerifyClient and SSLVerifyDepth) are the ones to add or modify; the directory in their paths is where the server certificate and key are stored.
Restart Apache:
[root@localhost ssl.crt]# service httpd restart
Open the page in the browser again; a "Choose a digital certificate" dialog appears,
at which point take the generated "bjyeeu.p
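With `SSLCACertificateFile` pointed at server.crt and `SSLVerifyClient require`, httpd accepts a client only if the certificate the browser presents chains to server.crt; with `SSLVerifyDepth 1` that means it must have been signed directly by server.key. The script below is an added example, not code from the original post: it reproduces the post's three client-certificate commands non-interactively, checks that the resulting .p12 bundle actually carries the certificate the import wizard will look for, and then runs the same acceptance check httpd performs, on both a certificate issued by this server and one issued by an unrelated server. It assumes the openssl CLI is on PATH; the user name "bjyeeu", the export password "changeit" and the subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): issue a client certificate the
# way the post does, bundle it as PKCS#12, and check what "SSLVerifyClient
# require" with "SSLCACertificateFile .../server.crt" would accept.
# Assumption: the openssl CLI is installed; names and password are placeholders.

# make_server_ca DIR: throwaway self-signed server.crt/server.key. The post
# reuses this server certificate as the issuing CA for client certificates.
make_server_ca() {
    mkdir -p "$1" || return 1
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=localhost" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# issue_client_cert CADIR OUTDIR NAME: the post's three commands, producing
# NAME.pem (certificate) and NAME.p12 (certificate + key for the browser).
issue_client_cert() {
    mkdir -p "$2" || return 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$2/$3.key" -out "$2/$3.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -in "$2/$3.csr" -CA "$1/server.crt" \
        -CAkey "$1/server.key" -CAcreateserial -days 365 -outform PEM \
        -out "$2/$3.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -in "$2/$3.pem" -inkey "$2/$3.key" \
        -name "$3's Cert" -passout pass:changeit -out "$2/$3.p12" 2>/dev/null
}

# client_accepted CADIR CERT: succeeds only if CERT chains to CADIR/server.crt,
# i.e. only if httpd configured as in the post would let this client in.
# The textual "OK" is checked because older openssl versions exit 0 on failure.
client_accepted() {
    openssl verify -CAfile "$1/server.crt" "$2" 2>&1 | grep -q ': OK$'
}

# p12_holds_cert P12: the bundle handed to the user must contain the
# certificate (what the browser's import wizard will find in it).
p12_holds_cert() {
    openssl pkcs12 -in "$1" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Stand-alone run: one client of our server, one client of a foreign server.
ca=$(mktemp -d); foreign=$(mktemp -d); users=$(mktemp -d)
if make_server_ca "$ca" && make_server_ca "$foreign" \
   && issue_client_cert "$ca" "$users" bjyeeu \
   && issue_client_cert "$foreign" "$users" stranger; then
    p12_holds_cert "$users/bjyeeu.p12" && echo "bjyeeu.p12 contains the certificate"
    client_accepted "$ca" "$users/bjyeeu.pem" && echo "bjyeeu: accepted"
    client_accepted "$ca" "$users/stranger.pem" || echo "stranger: rejected"
fi
rm -rf "$ca" "$foreign" "$users"
```

Because server.crt doubles as the client CA in this setup, server.key is also the key that mints client identities, so a copy of it is enough to issue an accepted client certificate; in a longer-lived deployment the issuing key is kept separate from the key httpd serves with.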