Category: LINUX

2010-12-21 11:37:31


Self-signed certificate setup, step by step:

1. First, generate the server-side private key (the key file):

Shell# openssl genrsa -des3 -out server.key 2048

You will be prompted for a password while this runs; the password encrypts the key file (the des3 parameter names the encryption algorithm; you can of course choose another algorithm you consider secure). From then on, every time the file is read (through an openssl command or the API) the pass phrase must be entered. If that is inconvenient you can strip the pass phrase, but then you must protect the file by other means!

Command to strip the pass phrase from the key file:
# openssl rsa -in server.key -out server.key

2. Generate a certificate signing request (CSR) from server.key:

[root@mail ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:sfn
Organizational Unit Name (eg, section) []:sfn
Common Name (eg, your name or your server's hostname) []:mail.sfn.cn
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:sfn

This produces the Certificate Signing Request (CSR). The csr file is handed to a CA for signing, and the result is the server's own certificate. Fill in the basic information for the server certificate as prompted.

 

3. Run the same commands for the client to generate its key and csr files:

[root@mail ssl]# openssl genrsa -des3 -out client.key 2048
[root@mail ssl]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:sfn
Organizational Unit Name (eg, section) []:sfn
Common Name (eg, your name or your server's hostname) []:client1.sfn.cn
Email Address []:test4@sfn.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:sfn

 

4. A CSR only becomes a certificate once a CA has signed it. Here we build our own CA: this step produces a key file, ca.key, and a root certificate, ca.crt.

[root@mail ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
.............++++++
...........++++++
writing new private key to 'sfnca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:ca
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:mail.ca.cn
Email Address []:admin@ca.cn

Preparation before signing certificates:

[root@mail ssl]# vim /etc/pki/tls/openssl.cnf
#dir            = ../../CA      // change this line as follows
dir             = /etc/pki/CA

[root@mail ssl]# touch /etc/pki/CA/{index.txt,serial} // create the CA database files that openssl.cnf refers to
[root@mail ssl]# echo 01 > /etc/pki/CA/serial

5. Use the CA certificate just created (ca.crt) to sign the server.csr and client.csr files generated earlier:

[root@mail ssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Nov 29 03:48:44 2010 GMT
            Not After : Nov 29 03:48:44 2011 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = cn
            organizationName          = sfn
            organizationalUnitName    = sfn
            commonName                = mail.sfn.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                02:B3:76:13:64:EB:04:D2:6C:9E:72:86:F5:A3:CE:84:19:EA:C6:DB
            X509v3 Authority Key Identifier:
                keyid:25:F6:E6:C4:5D:AD:02:DA:76:9F:74:FF:E4:0F:CC:45:55:CC:06:A7

Certificate is to be certified until Nov 29 03:48:44 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@mail ssl]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key  // same signing steps as above

 

In addition, this certificate is in BASE64 (PEM) form; it has to be converted to PKCS12 before it can be installed into IE or Netscape. Convert it as follows:

[root@mail ssl]# openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:      // the client private key password
Enter Export Password:             // the password that will be required when importing the pfx file
Verifying - Enter Export Password:

Files used by the client: ca.crt, client.crt, client.key, client.pfx

Files used by the server: ca.crt, server.crt, server.key

 

Configure nginx as follows (nginx config comments use #; the // markers of the original would be a syntax error):

ssl on;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
#ssl_client_certificate ssl/client/client.crt ;
ssl_client_certificate ssl/ca.crt ;              # CA certificate used to verify client certificates
ssl_verify_client on;                         # enable client (mutual) certificate authentication
#ssl_protocols  SSLv2 SSLv3 TLSv1;
#ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
#ssl_prefer_server_ciphers   on;

Installing and using the certificates: install the certificates generated above, the root certificate ca.crt and the client certificate client.crt (client.pfx), on the client machine. ca.crt goes into the Trusted Root Certification Authorities store; client.crt is installed directly in Windows or into the Personal certificate store. Then access the https server by IP. In IE we usually import the client.pfx certificate; the import prompts for the export password set above.
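The whole procedure above (CA, server and client keys and CSRs, signing, PKCS#12 export) as a non-interactive shell script, added here as an example rather than the post's own commands: it uses -subj and -nodes in place of the interactive prompts, a private working directory in place of /etc/pki/CA, and openssl x509 -req in place of openssl ca; the export password, the demo-pki directory and the rogue certificate are constructed. The two check functions show what the nginx ssl_verify_client setting actually enforces: only certificates issued by ca.crt pass, and a certificate with an identical DN from another issuer does not.

```shell
#!/bin/sh
# Added example, not code from the original post: the post's CA -> server/client
# chain built non-interactively (-subj, -nodes) in a private directory instead of
# /etc/pki/CA, signed with "openssl x509 -req" instead of "openssl ca".
set -eu
build_mtls_pki() {               # $1 = working directory (created if missing)
    mkdir -p "$1"
    ( cd "$1"
      # Root CA: key plus self-signed certificate. ca.key is left unencrypted
      # here (-nodes), unlike the post, which sets a PEM pass phrase.
      openssl req -new -x509 -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt \
          -days 365 -subj "/C=cn/ST=cn/L=bj/O=ca/OU=ca/CN=mail.ca.cn" 2>/dev/null
      # Server and client: key, CSR, then CA-signed certificate, with the CNs
      # used in the post. -CAcreateserial replaces the manual serial file.
      for n in server client; do
          case $n in server) cn=mail.sfn.cn ;; *) cn=client1.sfn.cn ;; esac
          openssl genrsa -out "$n.key" 2048 2>/dev/null
          openssl req -new -key "$n.key" -out "$n.csr" \
              -subj "/C=cn/ST=cn/L=bj/O=sfn/OU=sfn/CN=$cn"
          openssl x509 -req -in "$n.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
              -out "$n.crt" -days 365 2>/dev/null
      done
      # PKCS#12 bundle (client cert + key) for browser import; the export
      # password is a constructed placeholder for the post's interactive prompt.
      openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx \
          -passout pass:changeit
    )
}

# Returns 0 only when both leaf certificates chain to ca.crt: the same check
# nginx applies with "ssl_client_certificate ssl/ca.crt; ssl_verify_client on;".
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null 2>&1
}

# Returns 0 when a self-signed certificate carrying the *same* subject as the
# real client, but not issued by ca.crt, is rejected: the DN alone proves nothing.
rogue_rejected() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -keyout "$1/rogue.key" \
        -out "$1/rogue.crt" -days 365 \
        -subj "/C=cn/ST=cn/L=bj/O=sfn/OU=sfn/CN=client1.sfn.cn" 2>/dev/null
    ! openssl verify -CAfile "$1/ca.crt" "$1/rogue.crt" >/dev/null 2>&1
}

# Stand-alone use: sh this_script.sh run   (builds ./demo-pki and reports)
if [ "${1:-}" = run ]; then
    build_mtls_pki ./demo-pki && verify_chain ./demo-pki && rogue_rejected ./demo-pki \
        && echo "chain OK, rogue certificate rejected"
fi
```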