Category: LINUX

Posted: 2008-11-10 10:50:54

Attachment: 基于Red Hat Enterprise Linux 5 update 2 搭建SSL安全网站认证服务器(CA)以及SSL安全网站实验笔记(全工具有疑问不保险无理论内部最新版).pdf (508KB)


Lab notes: building an SSL website certification server (CA) and an SSL-secured website on Red Hat Enterprise Linux 5 update 2

(tools only, open questions remain, no guarantees, no theory; internal latest version)




Author:

Alin Fang (Fang Yunlin)

Blog: http://www.alinblog.cn/


Last modified:

10 Nov, 2008

revision 1


License:

GNU


Disclaimer:

These are my own lab notes, not an authoritative document. If you find any errors, please let me know. Many thanks!



Special note:

This lab uses only the scripts shipped in the relevant RHEL5 rpm packages. Every openssl operation is carried out by those scripts; no manual openssl invocations are needed.

Lab environment:

OS: Red Hat Enterprise Linux 5 update 2


hostname: ca.alin

ip: 192.168.8.3

role: certification server (CA) for HTTPS


hostname: server.alin

ip: 192.168.8.4

role: HTTPS web server


hostname: client.alin

ip: 192.168.8.5

role: accesses server.alin through a browser


This is the hosts configuration used on all machines:

127.0.0.1 localhost.localdomain localhost

192.168.8.3 ca.alin

192.168.8.4 server.alin


Lab steps


On ca.alin

[root@localhost ~]# yum install -y httpd mod_ssl


[root@localhost pki]# pwd
/etc/pki
[root@localhost pki]# tree
.
|-- CA
|   `-- private
|-- nssdb
|   |-- cert8.db
|   |-- key3.db
|   `-- secmod.db
|-- rpm-gpg
|   |-- RPM-GPG-KEY-fedora
|   |-- RPM-GPG-KEY-fedora-test
|   |-- RPM-GPG-KEY-redhat-auxiliary
|   |-- RPM-GPG-KEY-redhat-beta
|   |-- RPM-GPG-KEY-redhat-former
|   |-- RPM-GPG-KEY-redhat-release
|   `-- RPM-GPG-KEY-redhat-rhx
`-- tls
    |-- cert.pem -> certs/ca-bundle.crt
    |-- certs
    |   |-- Makefile
    |   |-- ca-bundle.crt
    |   |-- localhost.crt
    |   `-- make-dummy-cert
    |-- misc
    |   |-- CA
    |   |-- c_hash
    |   |-- c_info
    |   |-- c_issuer
    |   `-- c_name
    |-- openssl.cnf
    `-- private
        `-- localhost.key

8 directories, 22 files
[root@localhost pki]#

Everything the CA and HTTPS need is already in there: the CA helper script in /etc/pki/tls/misc/CA, the Makefile in /etc/pki/tls/certs, and the openssl.cnf they both read.

Create the CA key pair and self-signed certificate

The CA script has no help text of its own; run it with an unknown option to see the supported subcommands:

[root@localhost misc]# ./CA -?
usage: CA -newcert|-newreq|-newca|-sign|-verify

[root@localhost misc]# ./CA -newca
mkdir: cannot create directory `../../CA': File exists
mkdir: cannot create directory `../../CA/private': File exists
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..............................++++++
...++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BJ
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:GSS
Common Name (eg, your name or your server's hostname) []:ca.alin
Email Address []:cst05001@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Nov  9 21:24:00 2008 GMT
            Not After : Nov  9 21:24:00 2011 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            organizationName          = Red Hat
            organizationalUnitName    = GSS
            commonName                = ca.alin
            emailAddress              = cst05001@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7
            X509v3 Authority Key Identifier:
                keyid:E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7

Certificate is to be certified until Nov  9 21:24:00 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#



You can see that /etc/pki/CA now contains a number of new files.

One detail in the output above deserves attention: the CA's own certificate carries "X509v3 Basic Constraints: CA:FALSE" (together with the "OpenSSL Generated Certificate" Netscape comment), which means it was signed with the default end-entity extension section of openssl.cnf rather than with the v3_ca section. A certificate that does not assert CA:TRUE is not accepted as an issuer by openssl verify, and Firefox refuses to import such a certificate into its authority list, so certificates signed by this CA will not chain to it even after cacert.pem has been added to the browser. This is the most likely cause of the warning described under Open questions at the end. If a usable trust anchor is wanted, the CA certificate has to be regenerated with the v3_ca extensions (the -extensions v3_ca option of openssl ca or openssl req -x509). The 1024-bit RSA key and sha1WithRSAEncryption signature were the RHEL5 defaults in 2008 and are both considered too weak today.

[root@localhost misc]# tree /etc/pki/
/etc/pki/
|-- CA
|   |-- cacert.pem
|   |-- careq.pem
|   |-- certs
|   |-- crl
|   |-- index.txt
|   |-- index.txt.attr
|   |-- index.txt.old
|   |-- newcerts
|   |   `-- 00.pem
|   |-- private
|   |   `-- cakey.pem
|   |-- serial
|   `-- serial.old
|-- nssdb
|   |-- cert8.db
|   |-- key3.db
|   `-- secmod.db
|-- rpm-gpg
|   |-- RPM-GPG-KEY-fedora
|   |-- RPM-GPG-KEY-fedora-test
|   |-- RPM-GPG-KEY-redhat-auxiliary
|   |-- RPM-GPG-KEY-redhat-beta
|   |-- RPM-GPG-KEY-redhat-former
|   |-- RPM-GPG-KEY-redhat-release
|   `-- RPM-GPG-KEY-redhat-rhx
`-- tls
    |-- cert.pem -> certs/ca-bundle.crt
    |-- certs
    |   |-- Makefile
    |   |-- ca-bundle.crt
    |   |-- localhost.crt
    |   `-- make-dummy-cert
    |-- misc
    |   |-- CA
    |   |-- c_hash
    |   |-- c_info
    |   |-- c_issuer
    |   `-- c_name
    |-- openssl.cnf
    `-- private
        `-- localhost.key

11 directories, 31 files
[root@localhost misc]#



On server.alin

[root@localhost ~]# yum install -y httpd mod_ssl


Generate the private key for HTTPS

[root@localhost ~]# cd /etc/pki/tls/
cert.pem  certs/  misc/  openssl.cnf  private/
[root@localhost ~]# cd /etc/pki/tls/certs
[root@localhost certs]# ls
ca-bundle.crt  localhost.crt  make-dummy-cert  Makefile
[root@localhost certs]# make
This makefile allows you to create:
  o public/private key pairs
  o SSL certificate signing requests (CSRs)
  o self-signed SSL test certificates

To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".

To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".

To create a test certificate with serial number other than zero, add SERIAL=num

Examples:
  make server.key
  make server.csr
  make server.crt
  make stunnel.pem
  make genkey
  make certreq
  make testcert
  make server.crt SERIAL=1
  make stunnel.pem SERIAL=2
  make testcert SERIAL=3


As the Makefile help shows, "make *.key" makes the script generate a private key named *.key. The command it runs is "openssl genrsa -des3 1024" under "umask 77", so the resulting key is 1024-bit RSA, encrypted with a pass phrase, and readable only by root. 1024-bit RSA was the RHEL5 default at the time but is too small by current standards, and the pass phrase will have to be typed every time Apache starts (see the restart below).


[root@localhost certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@localhost certs]#


Create the signing request for the CA

As the Makefile shows, "make *.csr" automatically builds a certificate signing request from the existing *.key.


[root@localhost certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BJ
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:GSS
Common Name (eg, your name or your server's hostname) []:server.alin
Email Address []:cst05001@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]# ls
ca-bundle.crt  localhost.crt  make-dummy-cert  Makefile  server.csr  server.key
[root@localhost certs]#


Submit the signing request to the CA server

The Common Name in the request must be the hostname the browser will use (server.alin here); the CA script expects the request under the fixed name newreq.pem in its own directory, so the CSR is copied straight to that name.

[root@localhost certs]# scp server.csr ca.alin:/etc/pki/tls/misc/newreq.pem
root@ca.alin's password:
server.csr                                    100%  684     0.7KB/s   00:00
[root@localhost certs]#


On ca.alin


From the CA script one can see that -sign signs the request newreq.pem found in the current directory and writes the signed certificate to newcert.pem.

[root@localhost misc]# cd /etc/pki/tls/misc/

[root@localhost misc]# ./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov  9 21:36:20 2008 GMT
            Not After : Nov  9 21:36:20 2009 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BJ
            localityName              = BJ
            organizationName          = Red Hat
            organizationalUnitName    = GSS
            commonName                = server.alin
            emailAddress              = cst05001@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A9:B1:30:2F:79:E1:9B:59:6A:87:0E:CA:CD:BD:7A:31:01:FE:18:F5
            X509v3 Authority Key Identifier:
                keyid:E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7

Certificate is to be certified until Nov  9 21:36:20 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=BJ, O=Red Hat, OU=GSS, CN=ca.alin/emailAddress=cst05001@gmail.com
        Validity
            Not Before: Nov  9 21:36:20 2008 GMT
            Not After : Nov  9 21:36:20 2009 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=Red Hat, OU=GSS, CN=server.alin/emailAddress=cst05001@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b0:fb:1c:e5:7c:d5:3e:59:c8:ce:49:80:ca:40:
                    b6:28:87:16:5a:f5:bb:49:e0:7f:aa:60:58:2b:09:
                    59:ad:46:42:83:32:a3:a6:55:60:d9:9d:63:2d:cd:
                    3d:b7:cb:40:49:4f:8a:f8:6e:45:45:44:3a:8b:5d:
                    a1:9d:97:99:3b:7f:a2:30:04:8d:1e:12:f1:01:1a:
                    93:9e:2b:a6:99:2f:9a:ec:5f:2b:39:1e:70:f6:3d:
                    c2:9d:48:b4:3b:50:95:3c:60:1c:55:39:ea:84:eb:
                    76:11:7b:95:8b:29:b6:01:42:0c:b1:7e:d2:b8:39:
                    12:66:c1:14:1c:74:66:32:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A9:B1:30:2F:79:E1:9B:59:6A:87:0E:CA:CD:BD:7A:31:01:FE:18:F5
            X509v3 Authority Key Identifier:
                keyid:E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7

    Signature Algorithm: sha1WithRSAEncryption
        9d:2b:da:fc:6a:09:40:d3:bb:9b:17:41:d6:d8:9c:89:7c:ff:
        89:ae:73:72:69:5f:65:f9:fd:6f:80:00:36:e4:d7:8e:f5:1a:
        1b:53:d9:9f:6d:05:62:d0:f4:1f:4c:9c:2e:42:6e:8b:2d:3e:
        ff:59:82:ba:36:4e:65:e6:b4:f8:a0:9a:9d:9a:c8:4a:ea:86:
        a6:16:4a:3a:d8:cf:69:6b:26:c5:14:84:13:67:95:d0:ac:e5:
        3c:ed:78:f3:1e:57:f1:eb:1f:3b:f8:6d:cb:39:fd:a2:a1:9d:
        e2:b2:d8:18:df:92:f8:7d:fa:89:4b:ad:8b:7e:da:64:82:39:
        c5:c5
-----BEGIN CERTIFICATE-----
MIIC4TCCAkqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCQkoxEDAOBgNVBAoTB1JlZCBIYXQxDDAKBgNVBAsTA0dTUzEQMA4G
A1UEAxMHY2EuYWxpbjEhMB8GCSqGSIb3DQEJARYSY3N0MDUwMDFAZ21haWwuY29t
MB4XDTA4MTEwOTIxMzYyMFoXDTA5MTEwOTIxMzYyMFowgYAxCzAJBgNVBAYTAkNO
MQswCQYDVQQIEwJCSjELMAkGA1UEBxMCQkoxEDAOBgNVBAoTB1JlZCBIYXQxDDAK
BgNVBAsTA0dTUzEUMBIGA1UEAxMLc2VydmVyLmFsaW4xITAfBgkqhkiG9w0BCQEW
EmNzdDA1MDAxQGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
sPsc5XzVPlnIzkmAykC2KIcWWvW7SeB/qmBYKwlZrUZCgzKjplVg2Z1jLc09t8tA
SU+K+G5FRUQ6i12hnZeZO3+iMASNHhLxARqTniummS+a7F8rOR5w9j3CnUi0O1CV
PGAcVTnqhOt2EXuViym2AUIMsX7SuDkSZsEUHHRmMpsCAwEAAaN7MHkwCQYDVR0T
BAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh
dGUwHQYDVR0OBBYEFKmxMC954ZtZaocOys29ejEB/hj1MB8GA1UdIwQYMBaAFONt
4nGiRO/yOFm/GzfOkNS45MmnMA0GCSqGSIb3DQEBBQUAA4GBAJ0r2vxqCUDTu5sX
QdbYnIl8/4muc3JpX2X5/W+AADbk1471GhtT2Z9tBWLQ9B9MnC5CbostPv9Zgro2
TmXmtPigmp2ayErqhqYWSjrYz2lrJsUUhBNnldCs5TztePMeV/HrHzv4bcs5/aKh
neKy2Bjfkvh9+olLrYt+2mSCOcXF
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[root@localhost misc]#
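An added check, not part of the original notes and not code from the CA script: the stdlib-only Python below reads the X509v3 extensions straight out of a DER certificate and reports whether the certificate may act as an issuer. Normally one would just run "openssl x509 -in cacert.pem -noout -text" on the CA host, but the hand-written parser makes explicit what is being checked: the basicConstraints cA flag, and whether Subject Key Identifier equals Authority Key Identifier (a self-issued certificate). It runs on the server.alin certificate printed by ./CA -sign above, and on the three relevant extensions of the CA certificate rebuilt from the ./CA -newca output (the CA certificate itself is not on the page, so that part is a constructed sample). All function and variable names are mine.

```python
import base64
import re

# Sample input: the server.alin certificate exactly as printed by ./CA -sign above.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIC4TCCAkqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCQkoxEDAOBgNVBAoTB1JlZCBIYXQxDDAKBgNVBAsTA0dTUzEQMA4G
A1UEAxMHY2EuYWxpbjEhMB8GCSqGSIb3DQEJARYSY3N0MDUwMDFAZ21haWwuY29t
MB4XDTA4MTEwOTIxMzYyMFoXDTA5MTEwOTIxMzYyMFowgYAxCzAJBgNVBAYTAkNO
MQswCQYDVQQIEwJCSjELMAkGA1UEBxMCQkoxEDAOBgNVBAoTB1JlZCBIYXQxDDAK
BgNVBAsTA0dTUzEUMBIGA1UEAxMLc2VydmVyLmFsaW4xITAfBgkqhkiG9w0BCQEW
EmNzdDA1MDAxQGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
sPsc5XzVPlnIzkmAykC2KIcWWvW7SeB/qmBYKwlZrUZCgzKjplVg2Z1jLc09t8tA
SU+K+G5FRUQ6i12hnZeZO3+iMASNHhLxARqTniummS+a7F8rOR5w9j3CnUi0O1CV
PGAcVTnqhOt2EXuViym2AUIMsX7SuDkSZsEUHHRmMpsCAwEAAaN7MHkwCQYDVR0T
BAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh
dGUwHQYDVR0OBBYEFKmxMC954ZtZaocOys29ejEB/hj1MB8GA1UdIwQYMBaAFONt
4nGiRO/yOFm/GzfOkNS45MmnMA0GCSqGSIb3DQEBBQUAA4GBAJ0r2vxqCUDTu5sX
QdbYnIl8/4muc3JpX2X5/W+AADbk1471GhtT2Z9tBWLQ9B9MnC5CbostPv9Zgro2
TmXmtPigmp2ayErqhqYWSjrYz2lrJsUUhBNnldCs5TztePMeV/HrHzv4bcs5/aKh
neKy2Bjfkvh9+olLrYt+2mSCOcXF
-----END CERTIFICATE-----
"""

OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_SUBJECT_KEY_ID = "2.5.29.14"
OID_AUTHORITY_KEY_ID = "2.5.29.35"


def pem_to_der(pem):
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def read_children(data):
    """Split the contents of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(data):
        tag, val, pos = read_tlv(data, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    parts, v = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                       # base-128 sub-identifiers
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(v))
            v = 0
    return ".".join(parts)


def extensions(der):
    """Return {oid: extnValue contents} for every X509v3 extension in a DER cert."""
    _, cert, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    tbs = read_children(cert)[0][1]         # tbsCertificate
    exts = {}
    for tag, val in read_children(tbs):
        if tag == 0xA3:                     # [3] EXPLICIT Extensions
            for _, ext in read_children(read_children(val)[0][1]):
                items = read_children(ext)  # OID, optional critical BOOLEAN, OCTET STRING
                exts[decode_oid(items[0][1])] = items[-1][1]
    return exts


def basic_constraints_ca(exts):
    """cA flag of basicConstraints; absent extension or empty SEQUENCE means CA:FALSE."""
    raw = exts.get(OID_BASIC_CONSTRAINTS)
    if raw is None:
        return False
    for tag, val in read_children(read_children(raw)[0][1]):
        if tag == 0x01:                     # BOOLEAN cA
            return val != b"\x00"
    return False


def key_ids(exts):
    ski = aki = None
    if OID_SUBJECT_KEY_ID in exts:
        ski = read_children(exts[OID_SUBJECT_KEY_ID])[0][1]          # OCTET STRING
    if OID_AUTHORITY_KEY_ID in exts:
        for tag, val in read_children(read_children(exts[OID_AUTHORITY_KEY_ID])[0][1]):
            if tag == 0x80:                                             # [0] keyIdentifier
                aki = val
    return ski, aki


def hexid(b):
    return ":".join("%02X" % x for x in b) if b else None


def classify(exts):
    is_ca, (ski, aki) = basic_constraints_ca(exts), key_ids(exts)
    self_issued = ski is not None and ski == aki
    if self_issued and not is_ca:
        verdict = "self-signed but CA:FALSE: unusable as a trust anchor"
    elif is_ca:
        verdict = "CA certificate"
    else:
        verdict = "end-entity certificate"
    return {"ca": is_ca, "ski": hexid(ski), "aki": hexid(aki),
            "self_issued": self_issued, "verdict": verdict}


def check_cert(pem):
    return classify(extensions(pem_to_der(pem)))


def ca_exts_from_page():
    """Constructed sample: the CA cert is not printed as PEM, so rebuild only the
    three extensions that matter from the ./CA -newca output above."""
    keyid = bytes.fromhex("E36DE271A244EFF23859BF1B37CE90D4B8E4C9A7")
    return {OID_BASIC_CONSTRAINTS: b"\x30\x00",                # SEQUENCE {} == CA:FALSE
            OID_SUBJECT_KEY_ID: b"\x04\x14" + keyid,           # OCTET STRING keyid
            OID_AUTHORITY_KEY_ID: b"\x30\x16\x80\x14" + keyid}  # SEQUENCE { [0] keyid }


if __name__ == "__main__":
    print("server.alin:", check_cert(SERVER_CERT_PEM))
    print("ca.alin    :", classify(ca_exts_from_page()))
```

The server certificate comes out as an ordinary end-entity certificate whose Authority Key Identifier points at the CA key, which is fine; the CA certificate, whose Subject and Authority Key Identifiers are identical, is flagged because it is self-signed yet carries CA:FALSE. Any path validator that honours basicConstraints stops there, which is why importing cacert.pem into the browser does not silence the warning.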


Send the signed certificate back to server.alin


[root@localhost misc]# ls
CA  c_hash  c_info  c_issuer  c_name  newcert.pem  newreq.pem
[root@localhost misc]# scp newcert.pem server.alin:/etc/httpd/conf/server.crt
root@server.alin's password:
newcert.pem                                   100% 3188     3.1KB/s   00:00
[root@localhost misc]#

newcert.pem holds the human-readable dump followed by the PEM block; Apache only reads the PEM block, so the file can be used as server.crt as it is.


On server.alin


Point Apache at the private key and certificate used for HTTPS

[root@localhost certs]# pwd
/etc/pki/tls/certs
[root@localhost certs]# ls
ca-bundle.crt  localhost.crt  make-dummy-cert  Makefile  server.csr  server.key
[root@localhost certs]# cp server.key /etc/httpd/conf/
[root@localhost certs]# cd /etc/httpd/conf/
[root@localhost conf]# ls
httpd.conf  magic  server.crt  server.key
[root@localhost conf]# vim ../conf.d/ssl.conf


Change two configuration lines so they point at the private key and certificate:

SSLCertificateFile /etc/httpd/conf/server.crt

SSLCertificateKeyFile /etc/httpd/conf/server.key


Then restart Apache so it picks up the new configuration. The "Stopping httpd: [FAILED]" line only means httpd was not running yet. The pass-phrase prompt appears because server.key was generated with -des3 and is therefore encrypted; Apache will ask for this pass phrase on every start unless the key is stored unencrypted (with filesystem permissions restricting it to root) or an SSLPassPhraseDialog program is configured.

[root@localhost conf]# service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server localhost.localdomain:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
                                                           [  OK  ]
[root@localhost conf]#




On ca.alin

Add the CA to the browser's list of certificate authorities

Send the CA's self-signed certificate to the browser host

[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# ls
cacert.pem  certs  index.txt       index.txt.attr.old  newcerts  serial
careq.pem   crl    index.txt.attr  index.txt.old       private   serial.old
[root@localhost CA]# scp cacert.pem 192.168.8.5:/root
root@192.168.8.5's password:
cacert.pem                                    100% 3154     3.1KB/s   00:00
[root@localhost CA]#


On client.alin, import this certificate into the browser's certificate authority list.


Then open server.alin in the browser.


Add an exception for the site.
Open questions

1) Although a CA server has been set up, the first time the client accesses the server the browser still warns that the CA is not trusted (even though I have already added the CA's self-signed certificate to the browser). Is it possible for the client to access the server for the first time without the browser showing a security warning?


2) When the client accesses the server, does the client or the server communicate with the CA at all?

