Category: LINUX

2009-11-02 00:28:45

Implementing Apache + SSL


Author: Jaylin Zhou

Date: 10/31/2009


Environment: one machine running Red Hat Enterprise Linux 5 Update 3 acts as the DNS server, the Apache server and the CA.

One client machine accesses the Apache server with Firefox.

 

First, configure the CA part.

Modify the following entries in /etc/pki/tls/openssl.cnf:

dir = /etc/pki/CA
certificate = $dir/my-ca.crt
private_key = $dir/private/my-ca.key
countryName_default = CN
stateOrProvinceName_default = Beijing
localityName_default = Beijing
0.organizationName_default = My Company Ltd
commonName = 

Under /etc/pki/CA/ create the three directories certs, newcerts and crl and the two files index.txt and serial, and write the serial number "01" into the serial file.

 

Enter /etc/pki/CA/ and run the following:

# openssl genrsa -out private/my-ca.key -des3 2048
Generating RSA private key, 2048 bit long modulus
.........+++
............+++
e is 65537 (0x10001)
Enter pass phrase for private/my-ca.key:redhat
Verifying - Enter pass phrase for private/my-ca.key:redhat

For safety, change the permissions of my-ca.key to 600.

 

DES3 symmetric encryption is used here to protect the generated key, so that even if someone obtains the key file they cannot easily read its contents. DES3 can be left out, and the passphrase protecting the key can also be stripped afterwards:

# openssl rsa -in my-ca.key -out my-ca.key
Enter pass phrase for my-ca.key:redhat
writing RSA key

 

Next, create the certificate with the generated key:

# openssl req -x509 -new -key private/my-ca.key -days 365 -out my-ca.crt
Enter pass phrase for private/my-ca.key:redhat
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) [Jaylin Ltd.]:
 []:
Email Address []:admin@jaylin.com

 

View the contents of my-ca.crt:

# openssl x509 -in my-ca.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d8:70:a3:d0:8e:2a:e0:0c
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=Beijing, L=Beijing, O=My Company Ltd, OU=Jaylin Ltd., CN=/emailAddress=admin@jaylin.com
        Validity
            Not Before: Oct 31 01:42:06 2009 GMT
            Not After : Oct 31 01:42:06 2010 GMT
        Subject: C=CN, ST=Beijing, L=Beijing, O=My Company Ltd, OU=Jaylin Ltd., CN=/emailAddress=admin@jaylin.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:da:6a:80:32:16:36:19:44:50:9b:3a:00:8e:8f:
                    c6:93:11:6d:24:f5:93:bd:9a:bc:40:09:5b:48:62:
                    8a:b8:f9:2f:37:67:74:1d:7f:6f:54:37:eb:a5:c2:
                    53:84:3a:0d:e1:d2:9d:0b:93:fa:07:cb:8e:b6:84:
                    53:42:36:60:c5:f3:86:f5:f8:f5:f9:10:d0:81:b0:
                    a3:ac:d2:59:41:a1:6e:da:6b:07:f7:d7:51:22:71:
                    34:85:bf:fc:25:39:1e:43:0e:d3:71:9c:69:a6:e9:
                    84:13:3b:42:cb:92:16:b6:c1:89:f9:c2:e3:5d:51:
                    40:11:58:c7:c9:be:5a:52:fe:54:0f:bb:ec:27:d9:
                    6d:41:a1:08:85:94:95:c7:1a:1f:af:9c:33:ea:72:
                    6f:8f:5e:b8:16:64:8f:4c:e9:19:07:40:7e:69:f7:
                    17:48:5e:df:91:a6:50:7f:67:a4:b9:a4:aa:31:6a:
                    54:ac:c5:28:06:4d:67:38:34:dc:ef:57:24:78:87:
                    55:fe:8f:f6:c6:0d:46:56:9d:1d:af:30:08:c9:f4:
                    87:66:a4:36:2b:ee:a4:c3:77:e5:cc:95:24:25:7d:
                    e6:04:27:04:74:c7:fd:dd:07:b7:1e:ce:c1:6f:0a:
                    ec:bc:5a:15:e5:9d:93:3f:d7:e2:c1:a1:f7:76:c1:
                    06:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                C0:41:75:01:92:5A:9C:D8:81:07:DA:E0:39:2A:19:16:15:60:8F:A8
            X509v3 Authority Key Identifier: 
                keyid:C0:41:75:01:92:5A:9C:D8:81:07:DA:E0:39:2A:19:16:15:60:8F:A8
                DirName:/C=CN/ST=Beijing/L=Beijing/O=My Company Ltd/OU=Jaylin Ltd./CN=/emailAddress=admin@jaylin.com
                serial:D8:70:A3:D0:8E:2A:E0:0C
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        c5:17:7f:b9:c9:78:9a:3a:a9:32:65:06:ff:41:ce:cb:bb:7e:
        cb:2c:23:cd:ec:8d:c7:e4:4f:e9:4b:ba:6f:41:2a:a6:0c:f0:
        04:fa:7b:cd:c5:b7:d7:c0:7c:94:8c:a3:87:2d:07:5e:78:d2:
        74:12:65:b4:95:f2:70:ae:c8:58:de:be:7a:2e:c1:52:87:67:
        b6:4c:54:ca:dd:2f:1e:53:b4:97:a1:e1:7e:59:bb:6d:3f:c7:
        52:e1:8b:cc:90:14:9e:2c:d3:05:23:a1:0f:9c:7b:23:7c:36:
        d2:97:17:3c:07:29:2b:63:9b:ff:0c:41:a3:7b:58:27:84:17:
        ed:32:80:4a:0e:95:d2:8f:d4:3b:cc:9b:b0:c6:c6:df:03:d6:
        84:dc:af:fd:1d:d1:20:24:92:ca:d2:bc:fe:bf:c9:9a:a9:55:
        d0:e3:85:f2:db:a1:38:6d:5a:cd:35:05:7b:86:d8:20:22:ba:
        b7:66:85:93:01:20:41:0d:d1:9e:a3:72:af:aa:05:f8:8f:ab:
        18:0c:d0:ad:a4:d5:0b:d3:a8:f6:5f:57:e7:ac:4c:43:20:97:
        e0:14:f6:6b:fe:fc:6b:84:94:db:a1:41:51:d5:03:f6:2b:bb:
        3a:d3:23:8e:03:f5:84:d3:bb:fa:2a:2b:4f:9a:e3:ed:cf:06:
        f0:5d:79:8d
 

The CA/ directory now has the following structure:

# tree
.
|-- certs
|-- crl
|-- index.txt
|-- my-ca.crt
|-- newcerts
|-- private
|   `-- my-ca.key
|-- serial
 

Configure the SSL part of httpd

Installing the mod_ssl package creates the file /etc/httpd/conf.d/ssl.conf.

Modify the following three lines in /etc/httpd/conf.d/ssl.conf:

SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
SSLCACertificateFile /etc/pki/tls/certs/my-ca.crt

None of these three files may be missing, and each path must point to the real file.

 

Enter /etc/pki/tls/private/:

# openssl genrsa -out httpd.key -des3 1024
Generating RSA private key, 1024 bit long modulus
......................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase for httpd.key:redhat
Verifying - Enter pass phrase for httpd.key:redhat

 

# openssl req -new -key httpd.key -out httpd.csr
Enter pass phrase for httpd.key:redhat
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) [Jaylin Ltd.]:
 []:
Email Address []:admin@jaylin.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

Enter /etc/pki/tls/certs/:

# openssl ca -in httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct 31 01:45:30 2009 GMT
            Not After : Oct 31 01:45:30 2010 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = My Company Ltd
            organizationalUnitName    = Jaylin Ltd.
            commonName                = 
            emailAddress              = admin@jaylin.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                92:BC:C8:07:CC:0B:44:81:10:B6:7E:8C:64:7D:65:9F:08:CD:ED:FF
            X509v3 Authority Key Identifier: 
                keyid:C0:41:75:01:92:5A:9C:D8:81:07:DA:E0:39:2A:19:16:15:60:8F:A8
Certificate is to be certified until Oct 31 01:45:30 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

 

Copy the CA's my-ca.crt file to /etc/pki/tls/certs/.
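The whole CA and server-certificate procedure above, as an added shell example that is not from the original post: it recreates the post's /etc/pki/CA layout (certs, newcerts, crl, index.txt, serial = 01) under a temporary directory, self-signs a CA certificate, signs a server CSR through the openssl ca database using a minimal openssl.cnf of its own, and checks that the result chains to the CA. The CA name, the host name www.example.com and the temporary directory are assumptions; unlike the post, the keys are left unencrypted so the script runs without prompts, both keys are 2048 bits, SHA-256 replaces SHA-1, and a subjectAltName is issued next to commonName because current browsers check the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the post's CA procedure
# in a scratch directory and sign a server certificate with "openssl ca".
# Assumptions: an openssl CLI (1.1 or 3.x); www.example.com and the CA name
# are placeholders; keys are unencrypted (the post uses -des3) so no prompts.
set -eu

# Same layout as the post's /etc/pki/CA (certs, newcerts, crl, private,
# index.txt, serial = 01) plus a minimal openssl.cnf for "openssl ca".
make_ca_dir() {
    dir=$1; host=$2
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/crl" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = my_ca
[ my_ca ]
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/my-ca.crt
private_key     = $dir/private/my-ca.key
default_md      = sha256
default_days    = 365
policy          = my_policy
x509_extensions = server_ext
[ my_policy ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
}

# CA key plus self-signed CA certificate (the post: genrsa -des3, req -x509).
make_ca() {
    dir=$1
    openssl genrsa -out "$dir/private/my-ca.key" 2048 2>/dev/null
    chmod 600 "$dir/private/my-ca.key"
    openssl req -new -x509 -sha256 -days 365 -config "$dir/openssl.cnf" \
        -extensions ca_ext -key "$dir/private/my-ca.key" \
        -subj "/C=CN/ST=Beijing/O=My Company Ltd/CN=My Company Test CA" \
        -out "$dir/my-ca.crt"
}

# Server key and CSR, then signing through the CA database (index.txt/serial).
# The policy marks commonName as "supplied": a CSR without it is rejected,
# which is the failure the post's trouble-shooting note 2 warns about.
make_server_cert() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/private/httpd.key" 2048 2>/dev/null
    chmod 600 "$dir/private/httpd.key"
    openssl req -new -sha256 -config "$dir/openssl.cnf" \
        -key "$dir/private/httpd.key" \
        -subj "/C=CN/ST=Beijing/O=My Company Ltd/CN=$host" \
        -out "$dir/certs/httpd.csr"
    openssl ca -config "$dir/openssl.cnf" -batch -notext \
        -in "$dir/certs/httpd.csr" -out "$dir/certs/httpd.crt" 2>/dev/null
}

# Succeeds only if httpd.crt chains to my-ca.crt and is not itself a CA.
verify_server_cert() {
    dir=$1
    openssl verify -CAfile "$dir/my-ca.crt" "$dir/certs/httpd.crt" >/dev/null &&
        openssl x509 -in "$dir/certs/httpd.crt" -noout -text | grep -q 'CA:FALSE'
}

# The serial file after signing ("openssl ca" advanced it from 01 to 02).
next_serial() { cat "$1/serial"; }

demo() {
    dir=$(mktemp -d)
    make_ca_dir "$dir" www.example.com
    make_ca "$dir"
    make_server_cert "$dir" www.example.com
    if verify_server_cert "$dir"; then echo "httpd.crt verifies against my-ca.crt"; fi
    openssl x509 -in "$dir/certs/httpd.crt" -noout -subject -issuer
    rm -rf "$dir"
}
command -v openssl >/dev/null 2>&1 && demo
```

The same check applies to the real files before restarting httpd: `openssl verify -CAfile /etc/pki/tls/certs/my-ca.crt /etc/pki/tls/certs/httpd.crt` must print OK, otherwise mod_ssl will serve a chain the client cannot build. Note also that because httpd.key is DES3-encrypted in the post, every restart stops at the pass phrase dialog shown below; for unattended restarts either strip the passphrase as shown earlier with `openssl rsa` (and keep the file mode at 600) or configure the mod_ssl SSLPassPhraseDialog directive.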

 

Restart the httpd service and check whether port 443 is open:

# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server :443 (RSA)
Enter pass phrase:redhat
OK: Pass Phrase Dialog successful.
                                                           [  OK  ]
# netstat -nlp | grep 443
tcp        0      0 :::443       :::*                        LISTEN      2800/httpd

 

Testing from the client

Open Firefox and enter https:// in the address bar.

The following dialog pops up: "Add Exception".

Note: even with port 443 open, port 80 can still be accessed as usual.
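Firefox shows the "Add Exception" dialog because my-ca.crt is not in its trust store; accepting the exception only hides that. The client can instead verify the served chain against my-ca.crt explicitly, which also surfaces the hostname problem from trouble-shooting note 1 below. The following shell functions are an added example and not part of the original post: they wrap openssl s_client and map its "Verify return code" to a cause. The sample s_client output is constructed, www.example.com is a placeholder host name, and the -servername/-verify_hostname options assume OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added example, not from the original post: verify a TLS server from the
# client side against my-ca.crt with "openssl s_client" instead of accepting
# the browser's "Add Exception" dialog. Assumptions: OpenSSL 1.1.0+ (for
# -servername/-verify_hostname); www.example.com is a placeholder host; the
# sample output below is constructed, not captured from a real server.
set -eu

# Pull the numeric result out of s_client output ("Verify return code: N (...)").
verify_code_of() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Connect to host:port trusting only $cafile and print the verify code.
# Prints nothing when the connection fails, so callers can treat "" as an error.
server_verify_code() {
    host=$1; port=$2; cafile=$3
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" -CAfile "$cafile" 2>/dev/null | verify_code_of
}

# Map the codes this setup typically produces to their cause
# (numbers are OpenSSL's X509_V_ERR_* values).
explain_code() {
    case ${1:-} in
        0)  echo "ok: chain verified against the CA file and hostname matches" ;;
        10) echo "certificate has expired (the post's certs are valid for 365 days)" ;;
        18) echo "self-signed leaf: the server presents a certificate not issued by the CA" ;;
        19) echo "self-signed certificate in chain: my-ca.crt is not in the trust file given to the client (this is what the browser warning means)" ;;
        20|21) echo "issuer certificate not available: check SSLCACertificateFile and -CAfile" ;;
        62) echo "hostname mismatch: commonName/subjectAltName differs from the name connected to" ;;
        "") echo "no verify result: connection failed or port 443 is not listening" ;;
        *)  echo "verify failed with X509 error code ${1:-}" ;;
    esac
}

# Constructed sample of what s_client prints when the CA is not trusted.
SAMPLE_UNTRUSTED='CONNECTED(00000003)
depth=1 C = CN, ST = Beijing, O = My Company Ltd
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:C = CN, ST = Beijing, O = My Company Ltd, CN = www.example.com
   i:C = CN, ST = Beijing, O = My Company Ltd
---
    Verify return code: 19 (self signed certificate in certificate chain)
---'

demo() {
    code=$(printf '%s\n' "$SAMPLE_UNTRUSTED" | verify_code_of)
    echo "sample output -> code $code: $(explain_code "$code")"
    # Against a live server (not run here):
    #   server_verify_code www.example.com 443 /etc/pki/tls/certs/my-ca.crt
}
demo
```

Run `explain_code "$(server_verify_code <host> 443 my-ca.crt)"` from the client with a copy of my-ca.crt: code 0 means the browser dialog can be avoided simply by importing my-ca.crt into Firefox's certificate store, while code 62 means the name typed after https:// does not match the commonName of httpd.crt.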

 

Trouble-shooting:

1. If starting the httpd service produces a warning like this:

Starting httpd: httpd: apr_sockaddr_info_get() failed for dddd
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

the hostname most likely does not match the DNS record.

2. Creating a .crt file involves several interactive prompts that ask for values. They can be preset in openssl.cnf, but commonName must always be entered; otherwise generating httpd.crt afterwards fails.
