分类: LINUX
2008-11-10 10:50:54
|
基于Red Hat Enterprise Linux 5 update 2 搭建SSL安全网站认证服务器(CA)以及SSL安全网站实验笔记
(全工具有疑问不保险无理论内部最新版)
Alin Fang (Fang Yunlin)
MSN:
G Talk:
Blog: http://www.alinblog.cn/
10 Nov, 2008
第1次修改
GNU
本人实验笔记,非权威文档。如有错误请告知。十分感谢!
本实验全部采用RHEL5所带相关rpm包的脚本进行操作。openssl相关操作均由脚本完成,无须手工干预。
OS: Red Hat Enterprise Linux 5 update 2
hostname: ca.alin
ip: 192.168.8.3
作为HTTPS安全认证服务器
hostname: server.alin
ip: 192.168.8.4
作为https网页服务器
hostname: client.alin
ip: 192.168.8.5
通过浏览器访问server.alin
这个是所有主机的host配置:
127.0.0.1 localhost.localdomain localhost
192.168.8.3 ca.alin
192.168.8.4 server.alin
[root@localhost ~]# yum install -y httpd mod_ssl
[root@localhost pki]# pwd
/etc/pki
[root@localhost pki]# tree
.
|-- CA
| `-- private
|-- nssdb
| |-- cert8.db
| |-- key3.db
| `-- secmod.db
|-- rpm-gpg
| |-- RPM-GPG-KEY-fedora
| |-- RPM-GPG-KEY-fedora-test
| |-- RPM-GPG-KEY-redhat-auxiliary
| |-- RPM-GPG-KEY-redhat-beta
| |-- RPM-GPG-KEY-redhat-former
| |-- RPM-GPG-KEY-redhat-release
| `-- RPM-GPG-KEY-redhat-rhx
`-- tls
|-- cert.pem -> certs/ca-bundle.crt
|-- certs
| |-- Makefile
| |-- ca-bundle.crt
| |-- localhost.crt
| `-- make-dummy-cert
|-- misc
| |-- CA
| |-- c_hash
| |-- c_info
| |-- c_issuer
| `-- c_name
|-- openssl.cnf
`-- private
`-- localhost.key
8 directories, 22 files
[root@localhost pki]#
ca以及HTTPS要用的东西都在里面了。
[root@localhost misc]# ./CA -?
[root@localhost misc]# ./CA -?
usage: CA -newcert|-newreq|-newca|-sign|-verify
[root@localhost misc]# ./CA -newca
mkdir: cannot create directory `../../CA': File exists
mkdir: cannot create directory `../../CA/private': File exists
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..............................++++++
...++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BJ
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:GSS
Common Name (eg, your name or your server's hostname) []:ca.alin
Email Address []:cst05001@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Nov 9 21:24:00 2008 GMT
Not After : Nov 9 21:24:00 2011 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = Red Hat
organizationalUnitName = GSS
commonName = ca.alin
emailAddress = cst05001@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7
X509v3 Authority Key Identifier:
keyid:E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7
Certificate is to be certified until Nov 9 21:24:00 2011 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#
大家可以看到,/etc/pki/CA文件夹下多了一些东西。
[root@localhost misc]# tree /etc/pki/
/etc/pki/
|-- CA
| |-- cacert.pem
| |-- careq.pem
| |-- certs
| |-- crl
| |-- index.txt
| |-- index.txt.attr
| |-- index.txt.old
| |-- newcerts
| | `-- 00.pem
| |-- private
| | `-- cakey.pem
| |-- serial
| `-- serial.old
|-- nssdb
| |-- cert8.db
| |-- key3.db
| `-- secmod.db
|-- rpm-gpg
| |-- RPM-GPG-KEY-fedora
| |-- RPM-GPG-KEY-fedora-test
| |-- RPM-GPG-KEY-redhat-auxiliary
| |-- RPM-GPG-KEY-redhat-beta
| |-- RPM-GPG-KEY-redhat-former
| |-- RPM-GPG-KEY-redhat-release
| `-- RPM-GPG-KEY-redhat-rhx
`-- tls
|-- cert.pem -> certs/ca-bundle.crt
|-- certs
| |-- Makefile
| |-- ca-bundle.crt
| |-- localhost.crt
| `-- make-dummy-cert
|-- misc
| |-- CA
| |-- c_hash
| |-- c_info
| |-- c_issuer
| `-- c_name
|-- openssl.cnf
`-- private
`-- localhost.key
11 directories, 31 files
[root@localhost misc]#
[root@localhost ~]# yum install -y httpd mod_ssl
[root@localhost ~]# cd /etc/pki/tls/
cert.pem certs/ misc/ openssl.cnf private/
[root@localhost ~]# cd /etc/pki/tls/certs
[root@localhost certs]# ls
ca-bundle.crt localhost.crt make-dummy-cert Makefile
[root@localhost certs]# make
This makefile allows you to create:
o public/private key pairs
o SSL certificate signing requests (CSRs)
o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".
To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".
To create a test certificate with serial number other than zero, add SERIAL=num
Examples:
make server.key
make server.csr
make server.crt
make stunnel.pem
make genkey
make certreq
make testcert
make server.crt SERIAL=1
make stunnel.pem SERIAL=2
make testcert SERIAL=3
通过Makefile脚本,可以看书make *.key的话,脚本会制作* 为名的私钥。
[root@localhost certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@localhost certs]#
制作给CA的签署请求
通过Makefile脚本,可以看出make *.src的话,脚本会自动对*.key制作签署请求。
[root@localhost certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BJ
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:GSS
Common Name (eg, your name or your server's hostname) []:server.alin
Email Address []:cst05001@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost certs]# ls
ca-bundle.crt localhost.crt make-dummy-cert Makefile server.csr server.key
[root@localhost certs]#
[root@localhost certs]# scp server.csr ca.alin:/etc/pki/tls/misc/newreq.pem
root@ca.alin's password:
server.csr 100% 684 0.7KB/s 00:00
[root@localhost certs]#
在ca.alin操作
根据CA脚本,可以看出, -sign功能会在当前目录下,根据newreq.csr这个签署请求进行签署,并且把签署过的文件保存为newcert.pem。
[root@localhost misc]# cd /etc/pki/tls/misc/
[root@localhost misc]# ./CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 9 21:36:20 2008 GMT
Not After : Nov 9 21:36:20 2009 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
localityName = BJ
organizationName = Red Hat
organizationalUnitName = GSS
commonName = server.alin
emailAddress = cst05001@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A9:B1:30:2F:79:E1:9B:59:6A:87:0E:CA:CD:BD:7A:31:01:FE:18:F5
X509v3 Authority Key Identifier:
keyid:E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7
Certificate is to be certified until Nov 9 21:36:20 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=BJ, O=Red Hat, OU=GSS, CN=ca.alin/emailAddress=cst05001@gmail.com
Validity
Not Before: Nov 9 21:36:20 2008 GMT
Not After : Nov 9 21:36:20 2009 GMT
Subject: C=CN, ST=BJ, L=BJ, O=Red Hat, OU=GSS, CN=server.alin/emailAddress=cst05001@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:b0:fb:1c:e5:7c:d5:3e:59:c8:ce:49:80:ca:40:
b6:28:87:16:5a:f5:bb:49:e0:7f:aa:60:58:2b:09:
59:ad:46:42:83:32:a3:a6:55:60:d9:9d:63:2d:cd:
3d:b7:cb:40:49:4f:8a:f8:6e:45:45:44:3a:8b:5d:
a1:9d:97:99:3b:7f:a2:30:04:8d:1e:12:f1:01:1a:
93:9e:2b:a6:99:2f:9a:ec:5f:2b:39:1e:70:f6:3d:
c2:9d:48:b4:3b:50:95:3c:60:1c:55:39:ea:84:eb:
76:11:7b:95:8b:29:b6:01:42:0c:b1:7e:d2:b8:39:
12:66:c1:14:1c:74:66:32:9b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A9:B1:30:2F:79:E1:9B:59:6A:87:0E:CA:CD:BD:7A:31:01:FE:18:F5
X509v3 Authority Key Identifier:
keyid:E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7
Signature Algorithm: sha1WithRSAEncryption
9d:2b:da:fc:6a:09:40:d3:bb:9b:17:41:d6:d8:9c:89:7c:ff:
89:ae:73:72:69:5f:65:f9:fd:6f:80:00:36:e4:d7:8e:f5:1a:
1b:53:d9:9f:6d:05:62:d0:f4:1f:4c:9c:2e:42:6e:8b:2d:3e:
ff:59:82:ba:36:4e:65:e6:b4:f8:a0:9a:9d:9a:c8:4a:ea:86:
a6:16:4a:3a:d8:cf:69:6b:26:c5:14:84:13:67:95:d0:ac:e5:
3c:ed:78:f3:1e:57:f1:eb:1f:3b:f8:6d:cb:39:fd:a2:a1:9d:
e2:b2:d8:18:df:92:f8:7d:fa:89:4b:ad:8b:7e:da:64:82:39:
c5:c5
-----BEGIN CERTIFICATE-----
MIIC4TCCAkqgAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJDTjEL
MAkGA1UECBMCQkoxEDAOBgNVBAoTB1JlZCBIYXQxDDAKBgNVBAsTA0dTUzEQMA4G
A1UEAxMHY2EuYWxpbjEhMB8GCSqGSIb3DQEJARYSY3N0MDUwMDFAZ21haWwuY29t
MB4XDTA4MTEwOTIxMzYyMFoXDTA5MTEwOTIxMzYyMFowgYAxCzAJBgNVBAYTAkNO
MQswCQYDVQQIEwJCSjELMAkGA1UEBxMCQkoxEDAOBgNVBAoTB1JlZCBIYXQxDDAK
BgNVBAsTA0dTUzEUMBIGA1UEAxMLc2VydmVyLmFsaW4xITAfBgkqhkiG9w0BCQEW
EmNzdDA1MDAxQGdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
sPsc5XzVPlnIzkmAykC2KIcWWvW7SeB/qmBYKwlZrUZCgzKjplVg2Z1jLc09t8tA
SU+K+G5FRUQ6i12hnZeZO3+iMASNHhLxARqTniummS+a7F8rOR5w9j3CnUi0O1CV
PGAcVTnqhOt2EXuViym2AUIMsX7SuDkSZsEUHHRmMpsCAwEAAaN7MHkwCQYDVR0T
BAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh
dGUwHQYDVR0OBBYEFKmxMC954ZtZaocOys29ejEB/hj1MB8GA1UdIwQYMBaAFONt
4nGiRO/yOFm/GzfOkNS45MmnMA0GCSqGSIb3DQEBBQUAA4GBAJ0r2vxqCUDTu5sX
QdbYnIl8/4muc3JpX2X5/W+AADbk1471GhtT2Z9tBWLQ9B9MnC5CbostPv9Zgro2
TmXmtPigmp2ayErqhqYWSjrYz2lrJsUUhBNnldCs5TztePMeV/HrHzv4bcs5/aKh
neKy2Bjfkvh9+olLrYt+2mSCOcXF
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[root@localhost misc]#
[root@localhost misc]# ls
CA c_hash c_info c_issuer c_name newcert.pem newreq.pem
[root@localhost misc]# scp newcert.pem server.alin:/etc/httpd/conf/server.crt
root@server.alin's password:
newcert.pem 100% 3188 3.1KB/s 00:00
[root@localhost misc]#
[root@localhost certs]# pwd
/etc/pki/tls/certs
[root@localhost certs]# ls
ca-bundle.crt localhost.crt make-dummy-cert Makefile server.csr server.key
[root@localhost certs]# cp server.key /etc/httpd/conf/
[root@localhost certs]# cd /etc/httpd/conf/
[root@localhost conf]# ls
httpd.conf magic server.crt server.key
[root@localhost conf]# vim ../conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
然后重新加载apache配置即可。
[root@localhost conf]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server localhost.localdomain:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
[ OK ]
[root@localhost conf]#
把 ca自签证书发送给浏览器端
[root@localhost CA]# pwd
/etc/pki/CA
[root@localhost CA]# ls
cacert.pem certs index.txt index.txt.attr.old newcerts serial
careq.pem crl index.txt.attr index.txt.old private serial.old
[root@localhost CA]# scp cacert.pem 192.168.8.5:/root
root@192.168.8.5's password:
cacert.pem 100% 3154 3.1KB/s 00:00
[root@localhost CA]#
在浏览器里面添加这个证书。
然后用浏览器访问server.alin
添加例外
疑问
1) 虽然搭建了CA服务器,但是第一次从client去访问server的时候,还是会出现警告,说CA不可信任(虽然我已经把CA的自签证书加入了浏览器)。是否能做到第一次从client访问server,浏览器不会出现安全警告?
2) client访问server时,client和server到底是否会对CA进行通信?