Category: LINUX
2009-11-02 00:28:45
Implementing Apache + SSL
Author: Jaylin Zhou
Date: 10/31/2009
Environment: one machine running Red Hat Enterprise Linux 5 update 3 acts as DNS server, Apache server and CA.
A client machine accesses the Apache server with Firefox.
(Keeping the CA on the web server is fine for a lab. In production the CA key belongs on a separate, tightly controlled host: whoever holds my-ca.key can issue certificates that every client trusting this CA will accept.)
First, configure the CA part.
Edit the following entries in /etc/pki/tls/openssl.cnf:
dir = /etc/pki/CA
certificate = $dir/my-ca.crt
private_key = $dir/private/my-ca.key
countryName_default = CN
stateOrProvinceName_default = Beijing
localityName_default = Beijing
0.organizationName_default = My Company Ltd
commonName =
(In openssl.cnf the text after "commonName =" is the prompt label that openssl req displays, not a default value, which is why the prompts further down appear as a bare "[]:". A default for the field would go into commonName_default; either way the CN still has to be typed in for the server certificate, see Trouble-shooting item 2 at the end.)
Under /etc/pki/CA/, create the three directories certs, newcerts and crl and the two files index.txt (empty) and serial, and write the starting serial number "01" into serial. The private/ directory should already exist; keep it at mode 700.
Change to /etc/pki/CA/ and run the following:
# openssl genrsa -out private/my-ca.key -des3 2048
Generating RSA private key, 2048 bit long modulus
.........+++
............+++
e is 65537 (0x10001)
Enter pass phrase for private/my-ca.key:redhat
Verifying - Enter pass phrase for private/my-ca.key:redhat
For safety, set the permissions of my-ca.key to 600.
The -des3 option encrypts the generated private key under the pass phrase, so someone who steals the file still cannot use the key without it (choose a real pass phrase; "redhat" here is only the demo value). You can also generate the key without encryption, or strip the pass phrase afterwards:
# openssl rsa -in private/my-ca.key -out private/my-ca.key
Enter pass phrase for private/my-ca.key:redhat
writing RSA key
Next, create the self-signed CA certificate from the generated key:
# openssl req -x509 -new -key private/my-ca.key -days 365 -out my-ca.crt
Enter pass phrase for private/my-ca.key:redhat
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) [Jaylin Ltd.]:
[]:
Email Address []:admin@jaylin.com
View the contents of my-ca.crt. Note the signature algorithm in the output, sha1WithRSAEncryption: that is the default_md of this OpenSSL version. Current browsers reject SHA-1 signed certificates, so set default_md = sha256 in openssl.cnf (and pass -sha256 to openssl req) before issuing anything that must be trusted today.
# openssl x509 -in my-ca.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
d8:70:a3:d0:8e:2a:e0:0c
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=Beijing, L=Beijing, O=My Company Ltd, OU=Jaylin Ltd., CN=/emailAddress=admin@jaylin.com
Validity
Not Before: Oct 31 01:42:06 2009 GMT
Not After : Oct 31 01:42:06 2010 GMT
Subject: C=CN, ST=Beijing, L=Beijing, O=My Company Ltd, OU=Jaylin Ltd., CN=/emailAddress=admin@jaylin.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:da:6a:80:32:16:36:19:44:50:9b:3a:00:8e:8f:
c6:93:11:6d:24:f5:93:bd:9a:bc:40:09:5b:48:62:
8a:b8:f9:2f:37:67:74:1d:7f:6f:54:37:eb:a5:c2:
53:84:3a:0d:e1:d2:9d:0b:93:fa:07:cb:8e:b6:84:
53:42:36:60:c5:f3:86:f5:f8:f5:f9:10:d0:81:b0:
a3:ac:d2:59:41:a1:6e:da:6b:07:f7:d7:51:22:71:
34:85:bf:fc:25:39:1e:43:0e:d3:71:9c:69:a6:e9:
84:13:3b:42:cb:92:16:b6:c1:89:f9:c2:e3:5d:51:
40:11:58:c7:c9:be:5a:52:fe:54:0f:bb:ec:27:d9:
6d:41:a1:08:85:94:95:c7:1a:1f:af:9c:33:ea:72:
6f:8f:5e:b8:16:64:8f:4c:e9:19:07:40:7e:69:f7:
17:48:5e:df:91:a6:50:7f:67:a4:b9:a4:aa:31:6a:
54:ac:c5:28:06:4d:67:38:34:dc:ef:57:24:78:87:
55:fe:8f:f6:c6:0d:46:56:9d:1d:af:30:08:c9:f4:
87:66:a4:36:2b:ee:a4:c3:77:e5:cc:95:24:25:7d:
e6:04:27:04:74:c7:fd:dd:07:b7:1e:ce:c1:6f:0a:
ec:bc:5a:15:e5:9d:93:3f:d7:e2:c1:a1:f7:76:c1:
06:97
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
C0:41:75:01:92:5A:9C:D8:81:07:DA:E0:39:2A:19:16:15:60:8F:A8
X509v3 Authority Key Identifier:
keyid:C0:41:75:01:92:5A:9C:D8:81:07:DA:E0:39:2A:19:16:15:60:8F:A8
DirName:/C=CN/ST=Beijing/L=Beijing/O=My Company Ltd/OU=Jaylin Ltd./CN=/emailAddress=admin@jaylin.com
serial:D8:70:A3:D0:8E:2A:E0:0C
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha1WithRSAEncryption
c5:17:7f:b9:c9:78:9a:3a:a9:32:65:06:ff:41:ce:cb:bb:7e:
cb:2c:23:cd:ec:8d:c7:e4:4f:e9:4b:ba:6f:41:2a:a6:0c:f0:
04:fa:7b:cd:c5:b7:d7:c0:7c:94:8c:a3:87:2d:07:5e:78:d2:
74:12:65:b4:95:f2:70:ae:c8:58:de:be:7a:2e:c1:52:87:67:
b6:4c:54:ca:dd:2f:1e:53:b4:97:a1:e1:7e:59:bb:6d:3f:c7:
52:e1:8b:cc:90:14:9e:2c:d3:05:23:a1:0f:9c:7b:23:7c:36:
d2:97:17:3c:07:29:2b:63:9b:ff:0c:41:a3:7b:58:27:84:17:
ed:32:80:4a:0e:95:d2:8f:d4:3b:cc:9b:b0:c6:c6:df:03:d6:
84:dc:af:fd:1d:d1:20:24:92:ca:d2:bc:fe:bf:c9:9a:a9:55:
d0:e3:85:f2:db:a1:38:6d:5a:cd:35:05:7b:86:d8:20:22:ba:
b7:66:85:93:01:20:41:0d:d1:9e:a3:72:af:aa:05:f8:8f:ab:
18:0c:d0:ad:a4:d5:0b:d3:a8:f6:5f:57:e7:ac:4c:43:20:97:
e0:14:f6:6b:fe:fc:6b:84:94:db:a1:41:51:d5:03:f6:2b:bb:
3a:d3:23:8e:03:f5:84:d3:bb:fa:2a:2b:4f:9a:e3:ed:cf:06:
f0:5d:79:8d
The CA/ directory now looks like this:
# tree
.
|-- certs
|-- crl
|-- index.txt
|-- my-ca.crt
|-- newcerts
|-- private
| `-- my-ca.key
|-- serial
Configure the SSL part of httpd
Installing the mod_ssl package creates the file /etc/httpd/conf.d/ssl.conf.
Change the following three lines in /etc/httpd/conf.d/ssl.conf:
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/private/httpd.key
SSLCACertificateFile /etc/pki/tls/certs/my-ca.crt
SSLCertificateFile and SSLCertificateKeyFile are mandatory and must point at the real files, and the key must be the one the certificate was issued for (httpd refuses to start on a key/certificate mismatch). SSLCACertificateFile names the CA certificate httpd uses to verify client certificates; it is only required when SSLVerifyClient is enabled, but pointing it at my-ca.crt does no harm here.
Change to /etc/pki/tls/private/ and generate the server key (1024 bits was the common choice in 2009; use 2048 bits or more today, as for the CA key above):
# openssl genrsa -out httpd.key -des3 1024
Generating RSA private key, 1024 bit long modulus
......................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase for httpd.key:redhat
Verifying - Enter pass phrase for httpd.key:redhat
# openssl req -new -key httpd.key -out httpd.csr
Enter pass phrase for httpd.key:redhat
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) [Jaylin Ltd.]:
[]:
Email Address []:admin@jaylin.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Change to /etc/pki/tls/certs/ and have the CA sign the request. The CSR was written to ../private/ in the previous step, so point -in at it (openssl ca takes the CA paths from /etc/pki/tls/openssl.cnf):
# openssl ca -in ../private/httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Oct 31 01:45:30 2009 GMT
Not After : Oct 31 01:45:30 2010 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = My Company Ltd
organizationalUnitName = Jaylin Ltd.
commonName =
emailAddress = admin@jaylin.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
92:BC:C8:07:CC:0B:44:81:10:B6:7E:8C:64:7D:65:9F:08:CD:ED:FF
X509v3 Authority Key Identifier:
keyid:C0:41:75:01:92:5A:9C:D8:81:07:DA:E0:39:2A:19:16:15:60:8F:A8
Certificate is to be certified until Oct 31 01:45:30 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Copy the CA's my-ca.crt into /etc/pki/tls/certs/ (the path given in SSLCACertificateFile). The same file is what clients must import in order to trust the server certificate.
Restart the httpd service and check that port 443 is open. Because httpd.key was encrypted with -des3, httpd asks for its pass phrase at every start; an unencrypted key (stripped with openssl rsa as shown for the CA key above) avoids the prompt, at the cost of protecting the key by file permissions alone.
# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server :443 (RSA)
Enter pass phrase:redhat
OK: Pass Phrase Dialog successful.
[ OK ]
# netstat -nlp | grep 443
tcp 0 0 :::443 :::* LISTEN 2800/httpd
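The whole server-side procedure, from the CA directory to a verified httpd.crt, as an added example that is not part of the original post. It runs non-interactively against a scratch directory instead of /etc/pki, writes its own minimal openssl.cnf (the page's [ CA_default ] edits appear here as the [ my_ca ] section), leaves the keys unencrypted so nothing prompts, and ends with the checks worth running on the files before they go into ssl.conf: the certificate chains to my-ca.crt, belongs to httpd.key, and names the host in a subjectAltName. The DN values, the host name www.example.com and all directory and file names are placeholders chosen for this example; only openssl on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: unattended CA setup and server
# certificate issuance in a scratch directory, plus the checks to run before
# the files go into ssl.conf. Assumes only openssl on the PATH; DN values,
# www.example.com and all paths are placeholders chosen for this example.
set -eu

# Minimal openssl.cnf for the scratch CA. [ my_ca ] plays the role of the
# edited [ CA_default ] section; "\$dir" is left for openssl to expand.
write_ca_config() {
    ca_dir=$1
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = my_ca
[ my_ca ]
dir = $ca_dir
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/my-ca.crt
private_key = \$dir/private/my-ca.key
default_days = 365
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name (eg, your name or your server's hostname)
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
EOF
}

# Step 1: directory layout, CA database files and the self-signed CA cert.
# Keys are written under umask 077 instead of -des3, so no pass phrase.
make_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/private"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    write_ca_config "$ca_dir"
    (umask 077; openssl genrsa -out "$ca_dir/private/my-ca.key" 2048 2>/dev/null)
    openssl req -config "$ca_dir/openssl.cnf" -x509 -new -sha256 -days 365 \
        -key "$ca_dir/private/my-ca.key" -extensions v3_ca \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=My Company Ltd/CN=My Company Root CA" \
        -out "$ca_dir/my-ca.crt"
}

# Step 2: server key + CSR, signed by the CA (the page's "openssl ca" step).
# The CN carries the FQDN and so does a subjectAltName, which is what current
# browsers actually check; extensions come from an extfile so SAN is per host.
issue_server_cert() {
    ca_dir=$1 ; fqdn=$2
    (umask 077; openssl genrsa -out "$ca_dir/private/httpd.key" 2048 2>/dev/null)
    openssl req -config "$ca_dir/openssl.cnf" -new -sha256 \
        -key "$ca_dir/private/httpd.key" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=My Company Ltd/CN=$fqdn" \
        -out "$ca_dir/certs/httpd.csr"
    cat > "$ca_dir/certs/httpd.ext" <<EOF
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$fqdn
EOF
    openssl ca -config "$ca_dir/openssl.cnf" -batch -notext \
        -extfile "$ca_dir/certs/httpd.ext" -extensions server_cert \
        -in "$ca_dir/certs/httpd.csr" -out "$ca_dir/certs/httpd.crt"
}

# Step 3: fails (non-zero) if httpd.crt does not chain to my-ca.crt, does not
# belong to httpd.key, or does not name the expected host in its SAN.
verify_chain() {
    ca_dir=$1 ; fqdn=$2
    crt=$ca_dir/certs/httpd.crt ; key=$ca_dir/private/httpd.key
    openssl verify -CAfile "$ca_dir/my-ca.crt" "$crt" >/dev/null || return 1
    [ "$(openssl x509 -in "$crt" -noout -modulus)" = \
      "$(openssl rsa -in "$key" -noout -modulus)" ] || return 1
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$fqdn"
}

WORK=$(mktemp -d)
make_ca "$WORK/ca"
issue_server_cert "$WORK/ca" www.example.com
verify_chain "$WORK/ca" www.example.com
echo "httpd.crt verified against my-ca.crt, ready for ssl.conf: $WORK/ca/certs"
```

Once httpd is running, the same chain check can be repeated against the live server from the client with openssl s_client -connect host:443 -CAfile my-ca.crt, looking for "Verify return code: 0 (ok)" in its output; any other code means the browser will warn as well.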
Test from the client
Open Firefox and enter the server's https:// URL in the address bar.
This dialog pops up:
Add Exception
Firefox warns because the certificate is signed by a CA it does not know. Clicking "Add Exception" makes the test pass, but it is the same click a man-in-the-middle would rely on; the proper fix is to import my-ca.crt into Firefox's Authorities certificate store on the client, after which the site loads without a warning as long as the certificate's Common Name matches the host name in the URL.
Note: even with port 443 open, port 80 still serves the same content in clear text. If the site is meant to be HTTPS-only, redirect or disable the port-80 virtual host.
Trouble-shooting:
1. If starting httpd prints a warning such as:
Starting httpd: httpd: apr_sockaddr_info_get() failed for dddd
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
the host name most likely does not resolve, i.e. hostname and the DNS (or /etc/hosts) entry disagree. Make the name resolvable, or set ServerName explicitly in httpd.conf.
2. Creating a .crt file involves several interactive prompts. Defaults for most of them can be set in openssl.cnf, but commonName must always be entered, otherwise signing httpd.crt later fails (the policy_match policy in openssl.cnf requires commonName to be supplied). For the server certificate the Common Name must be the fully qualified host name clients will type into the browser, or they will get a name-mismatch warning.