Category: System administration

2014-08-21 03:18:33

Original post: "Installing and using OpenSSL", by woaimaidong

1. Install OpenSSL

tar zxvf openssl-1.0.0a.tar.gz
cd openssl-1.0.0a
./config --prefix=/usr/local/openssl
make && make install

2. Install Apache

tar zxvf httpd-2.2.16.tar.gz
cd httpd-2.2.16
./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/openssl
make && make install

If you install with a package manager such as yum install, apt-get or pacman, the two steps above can be skipped.

3. Create the root CA certificate

Create a directory named ssl under /usr/local/apache/conf/:

3.1 mkdir ssl

3.2 cp <openssl install directory>/ssl/misc/CA.sh /usr/local/apache/conf/ssl/

3.3 Use CA.sh to create the certificate


[root@BlackGhost ssl]# ./CA.sh -newca   // create the root CA certificate
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost
Email Address []:xtaying@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:******************
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:       // enter the PEM pass phrase set above
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            89:11:9f:a6:ca:03:63:ab
        Validity
            Not Before: Aug  7 12:35:28 2010 GMT
            Not After : Aug  6 12:35:28 2013 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = cn
            organizationName          = cn
            organizationalUnitName    = cn
            commonName                = localhost
            emailAddress              = xtaying@gmail.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
            X509v3 Authority Key Identifier:
                keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
                DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
                serial:89:11:9F:A6:CA:03:63:AB

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Aug  6 12:35:28 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

If this succeeded, a demoCA directory will have been created under the ssl directory.

4. Generate the server private key and server certificate


[root@BlackGhost ssl]# openssl genrsa -des3 -out server.key 1024    // generate the server private key
Generating RSA private key, 1024 bit long modulus
.....................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@BlackGhost ssl]# openssl req -new -key server.key -out server.csr      // generate the server certificate request (CSR)
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost     // must be the fully qualified domain name of the server
Email Address []:xtaying@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*****************
An optional company name []:

4.1 Sign the server certificate request

CA.sh -sign reads the request from newreq.pem, so copy the CSR under that name first:

cp server.csr newreq.pem


[root@BlackGhost ssl]# ./CA.sh -sign     // sign the server certificate request
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            89:11:9f:a6:ca:03:63:ac
        Validity
            Not Before: Aug  7 12:39:41 2010 GMT
            Not After : Aug  7 12:39:41 2011 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = cn
            localityName              = cn
            organizationName          = cn
            organizationalUnitName    = cn
            commonName                = localhost
            emailAddress              = xtaying@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
            X509v3 Authority Key Identifier:
                keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76

Certificate is to be certified until Aug  7 12:39:41 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            89:11:9f:a6:ca:03:63:ac
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
        Validity
            Not Before: Aug  7 12:39:41 2010 GMT
            Not After : Aug  7 12:39:41 2011 GMT
        Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ce:d5:a8:df:d1:e7:ee:92:d1:d1:78:20:a9:6d:
                    0a:1b:f6:09:dd:13:29:ef:72:1d:17:54:dd:1c:8d:
                    28:27:69:fe:70:3b:fa:2b:a3:45:40:80:ea:0e:5b:
                    a7:bd:40:d0:cd:bc:2c:74:03:8b:f7:6c:5e:1f:09:
                    5d:c6:8a:05:ea:b8:72:fc:79:8b:62:62:38:0b:42:
                    28:7e:0d:fc:e7:bb:b0:87:66:6a:b2:35:92:91:b9:
                    78:9c:b6:76:01:0b:2a:74:df:5f:a1:8b:31:61:90:
                    93:f9:20:db:46:59:12:2e:9b:59:c0:32:4e:92:14:
                    a1:7e:52:7b:cc:02:5e:e2:45
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
            X509v3 Authority Key Identifier:
                keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76

    Signature Algorithm: sha1WithRSAEncryption
        09:a0:16:43:a2:93:11:a7:ab:f5:17:b7:36:35:84:9f:3b:37:
        32:33:3f:93:63:b0:4c:bb:d1:b4:9b:4f:37:78:62:f4:ac:ff:
        28:b0:63:71:2e:9a:7c:f4:40:2e:b1:5f:ae:49:e7:e2:6f:de:
        cf:30:cc:9a:08:26:26:24:c5:00:03:32:20:48:41:b1:29:8f:
        5d:3d:2a:78:54:0e:a8:76:07:6c:7f:23:42:75:c2:fb:83:1d:
        70:44:5e:8c:90:cf:b4:23:b7:23:5b:06:05:32:58:e3:af:1c:
        be:1d:50:7b:fd:37:66:ba:9c:ec:bb:af:ee:b6:04:f7:c5:2e:
        59:22
-----BEGIN CERTIFICATE-----
MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw
EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu
Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC
Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV
BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp
bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu
ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3
bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh
kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+
zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3
MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy
IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/03
Zrqc7Luv7rYE98UuWSI=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

cp newcert.pem server.crt

5. Generate the client certificate

Generate the client private key:
openssl genrsa -des3 -out client.key 1024

Generate the client certificate request:
openssl req -new -key client.key -out client.csr

Sign it:
openssl ca -in client.csr -out client.crt

Convert it to PKCS#12 format for installation on the client:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx

This step is much the same as for the server certificate; the difference is the signing step. Remember the password you set for client.pfx, because you will need it when installing the certificate on the client.

[root@BlackGhost ssl]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:

The client and the server can both use the server certificate, so this step can also be skipped.

6. Gather all certificates and private keys in one place

#cp demoCA/cacert.pem cacert.pem

Also make a copy of the CA certificate named ca.crt:
#cp cacert.pem ca.crt
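The whole procedure of sections 3 to 6 (root CA, server certificate, client certificate, PKCS#12 bundle) as an added example that is not part of the original post, done with plain openssl commands rather than CA.sh. It assumes openssl 1.1.1 or later on PATH; the working directory, the file names, the DN values, the host name www.example.test and the export password are all constructed for this demo. It goes a little beyond the post on two points a practitioner would want today: the server certificate carries a subjectAltName, which browsers check instead of the CN, and the leaf certificates are explicitly CA:FALSE with the key usages their role needs.

```shell
#!/bin/sh
# Added example (not from the original post): root CA -> server certificate ->
# client certificate -> PKCS#12 bundle, with plain openssl commands instead of CA.sh.
# Assumes openssl >= 1.1.1 on PATH. Every file name, DN value and the host name
# www.example.test below is constructed for this demo.
set -eu

DN_BASE='/C=CN/ST=Demo/O=Example Lab'      # constructed demo DN prefix

# write_config <file>: minimal openssl.cnf so the demo does not depend on the system one.
# Leaf certificates are CA:FALSE with explicit key usages; the server gets a SAN.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# issue <dir> <name> <cn> <ext-section>: key + CSR for <name>, signed by the CA in <dir>.
# x509 -req does not copy extensions from the CSR, so they are taken from the config.
issue() {
    openssl req -config "$1/pki.cnf" -new -newkey rsa:2048 -sha256 -nodes \
        -subj "$DN_BASE/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$1/pki.cnf" -extensions "$4" -out "$1/$2.crt" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# build_pki: creates a fresh directory with CA/server/client material and prints its path
build_pki() {
    dir=$(mktemp -d)
    write_config "$dir/pki.cnf"
    # self-signed root; its key should never leave the machine that issues certificates
    openssl req -config "$dir/pki.cnf" -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
        -subj "$DN_BASE/CN=Demo Root CA" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    chmod 600 "$dir/ca.key"
    issue "$dir" server www.example.test v3_server
    issue "$dir" client demo-user v3_client
    # what the post calls client.pfx: cert + key + issuing CA, for import into a browser
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca.crt" -name demo-user -passout pass:demo-export-pw \
        -out "$dir/client.pfx"
    echo "$dir"
}

# check_pki <dir>: both leaves chain to the CA, the server cert carries the SAN, and the
# server key really belongs to the server certificate. Prints "ok" on success.
check_pki() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || { echo "server chain bad"; return 1; }
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/client.crt" >/dev/null 2>&1 || { echo "client chain bad"; return 1; }
    openssl x509 -in "$1/server.crt" -noout -text | grep -q 'DNS:www.example.test' || { echo "SAN missing"; return 1; }
    k1=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    k2=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ "$k1" = "$k2" ] || { echo "key/cert mismatch"; return 1; }
    echo ok
}

if [ "${1:-}" = run ]; then
    check_pki "$(build_pki)"
fi
```

Run it as `sh pki_demo.sh run`; it prints the word ok once the checks pass. In the Apache configuration of section 7, SSLCertificateFile and SSLCertificateKeyFile would then point at server.crt and server.key, SSLCACertificateFile at ca.crt, and client.pfx is what gets imported on the client side.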

7. Apache configuration

vi /usr/local/apache/conf/extra/ssl.conf


# enable SSL
SSLEngine on

# location of the server certificate
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt

# location of the server private key
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key

# certificate directory
SSLCACertificatePath /usr/local/apache/conf/ssl

# location of the root CA certificate
SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem

# require the client to present a certificate
SSLVerifyClient require
SSLVerifyDepth  1
SSLOptions +StdEnvVars

# request log
CustomLog "/usr/local/apache/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

vi /usr/local/apache/conf/extra/httpd-vhosts.conf


Listen 443 https
NameVirtualHost *:443

# The <VirtualHost> container tags were lost when this page was extracted; they are restored here.
<VirtualHost *:443>
    DocumentRoot "/home/zhangy/www/metbee/trunk/src/web"
    ServerName  *:443
    ErrorLog "/home/zhangy/apache/"
    CustomLog "/home/zhangy/apache/" common
    Include conf/extra/ssl.conf
</VirtualHost>

Edit /usr/local/apache/conf/httpd.conf and remove the comment in front of the line Include conf/extra/httpd-vhosts.conf.

Start Apache: /usr/local/apache/bin/apachectl -D SSL -k start

Server *:10000 (RSA)
Enter pass phrase:
What is asked for here is the pass phrase of the server key.

OK: Pass Phrase Dialog successful.

8. Install the client certificate

Copy ca.crt and client.pfx to the client machine. Double-clicking client.pfx opens the certificate import wizard; just click Next through it. It will ask for the password along the way.

Problems encountered during installation

1. A lot of passwords get generated and you are asked for them again and again, so they are easy to forget. Also, the root CA's password and the passwords of the certificates below it must not be the same, or you get an error. So write them down in a text file.

2. Problems caused by upgrading OpenSSL

httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libssl.so.0.9.8: cannot open shared object file: No such file or directory

httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory

Creating symbolic links with ln -s fixes this. The method is not a cure-all, though: when I upgraded libpng 1.2 to 1.4 and libjpeg 7.0 to 8.0 the system nearly fell over, symbolic links did not help, and I removed them and reinstalled the older versions downloaded from the net.

3. The country name and province name in the certificate must match those of the CA, otherwise an empty certificate is generated:

The countryName field needed to be the same in the
CA certificate (cn) and the request (sh)

4. When prompted for the CommonName, enter the fully qualified domain name, otherwise you get this warning:

RSA server certificate CommonName (CN) `cn' does NOT match server name!?

5. The same certificate cannot be generated twice, even under a different name. That is, the information in server.csr and client.csr cannot be completely identical, otherwise you get:

failed to update database
TXT_DB error number 2

6. When browsing the page you get a warning that your certificate is not trusted. Is that because I configured something wrong, or is a self-made certificate simply never trusted?

7. After I added the two directives SSLVerifyClient require and SSLVerifyDepth 1, on Windows you are asked for a certificate and then the page shows, but with Firefox it just does not work. Look at the ssl_request_log below; 192.168.18.3 is a Windows machine using IE:

[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
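The ssl_request_log above is also the place to notice that the Windows client negotiated RC4-MD5, which the configuration in section 7 does not prevent. As an added example that is not part of the original post, here is a small awk filter over that log format ("%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b") that flags sessions using old protocol versions, weak cipher suites, or suites without forward secrecy. The log lines and the weak-name lists are constructed for the demo and are a starting point, not a complete policy.

```shell
#!/bin/sh
# Added example (not from the original post): triage an Apache ssl_request_log written
# with the CustomLog format from section 7 and flag weak TLS sessions.
# The log lines below are constructed for this demo.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:03:10 +0800] 192.168.18.7 SSLv3 DES-CBC3-SHA "GET /login HTTP/1.1" 2048
[09/Aug/2010:22:04:02 +0800] 10.0.0.5 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 1505
EOF
)

# weak_sessions: reads log lines on stdin and prints one line per flagged request:
#   <client> <protocol> <cipher> <reasons>
weak_sessions() {
    awk '
    {
        # $1 $2 = timestamp (the space inside the brackets splits it),
        # $3 = client address, $4 = protocol, $5 = cipher suite; the request follows.
        client = $3; proto = $4; cipher = $5; reason = ""
        if (proto == "SSLv2" || proto == "SSLv3" || proto == "TLSv1" || proto == "TLSv1.1")
            reason = reason "old-protocol;"
        if (cipher ~ /(^|-)(RC4|DES|3DES|NULL|EXP|MD5)(-|$)/)
            reason = reason "weak-cipher;"
        if (cipher !~ /^(ECDHE|DHE)-/)
            reason = reason "no-forward-secrecy;"
        if (reason != "") print client, proto, cipher, reason
    }'
}

# weak_count: number of flagged requests in the constructed sample
weak_count() {
    printf '%s\n' "$SAMPLE_LOG" | weak_sessions | wc -l | tr -d ' '
}

# clients_with_rc4: distinct client addresses that negotiated an RC4 suite
clients_with_rc4() {
    printf '%s\n' "$SAMPLE_LOG" | weak_sessions | awk '$3 ~ /RC4/ { print $1 }' | sort -u
}
```

Against the sample it flags three of the four requests; only the TLSv1.2 ECDHE-AES-GCM session passes. On the server side the fix for what the filter finds is mod_ssl's SSLProtocol and SSLCipherSuite directives (together with SSLHonorCipherOrder), which the configuration in section 7 leaves at their defaults.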


Encryption and decryption

Conventional (symmetric) encryption

openssl enc -<ciphername> -k <password> -in <file to encrypt> -out <output file>

Decryption

openssl enc -<ciphername> -k <password> -d -in <file> -out <file>

Available ciphers include: base64, des, des3, rc2, rc5, aes256

For example:

/bin/openssl enc -des3 -k boobooke -in pt.txt -out ct.bin           // encrypt

/bin/openssl enc -des3 -d -k boobooke -in ct.bin -out pt1.txt      // decrypt
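The des3 form above has two weaknesses a practitioner should know about: Triple-DES is a 64-bit block cipher, and "-k password" on its own derives the key from the password with a single hash pass, so a leaked file can be brute-forced quickly. As an added example that is not part of the original post, the script below does the same encrypt/decrypt round trip with AES-256-CBC, a random salt and PBKDF2, and then shows what a wrong password actually does. It assumes openssl 1.1.1 or later on PATH (PBKDF2 support in enc); the file names, payload and passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): password-based file encryption with
# "openssl enc", using AES-256-CBC, a random salt and PBKDF2 instead of "-des3 -k".
# Assumes openssl >= 1.1.1 on PATH; file names, payload and passwords are constructed.
set -eu

KDF_OPTS='-pbkdf2 -iter 200000 -md sha256'   # the same settings are needed to decrypt

# encrypt_file <plaintext> <ciphertext> <password>
#   -salt: fresh random salt per file, so equal inputs give different ciphertexts
#   KDF_OPTS is intentionally left unquoted so that it is word-split into options
encrypt_file() {
    openssl enc -aes-256-cbc -salt $KDF_OPTS -pass "pass:$3" -in "$1" -out "$2"
}

# decrypt_file <ciphertext> <plaintext> <password>
decrypt_file() {
    openssl enc -d -aes-256-cbc $KDF_OPTS -pass "pass:$3" -in "$1" -out "$2" 2>/dev/null
}

# roundtrip: encrypt a constructed file, decrypt it, then try a wrong password.
# CBC mode in "enc" carries no authentication tag: a wrong password is usually caught by
# the padding check, but not always, so the meaningful check is that the output never
# equals the plaintext. Prints "ok" on success.
roundtrip() {
    dir=$(mktemp -d)
    printf 'constructed secret payload\n' > "$dir/pt.txt"
    encrypt_file "$dir/pt.txt" "$dir/ct.bin" demo-password
    # enc writes the 8-byte "Salted__" magic followed by the salt; the plaintext never appears
    [ "$(head -c 8 "$dir/ct.bin")" = "Salted__" ] || { echo "no salt header"; return 1; }
    decrypt_file "$dir/ct.bin" "$dir/pt1.txt" demo-password
    cmp -s "$dir/pt.txt" "$dir/pt1.txt" || { echo "roundtrip mismatch"; return 1; }
    if decrypt_file "$dir/ct.bin" "$dir/bad.txt" wrong-password \
        && cmp -s "$dir/pt.txt" "$dir/bad.txt"; then
        echo "wrong password yielded plaintext"; return 1
    fi
    rm -rf "$dir"
    echo ok
}
```

The password is passed as pass:... only to keep the demo self-contained; on a shared machine that exposes it in the process list, and the env: or file: forms of -pass are the usual alternative. Because enc gives no integrity protection, anything that must also detect tampering needs a separate MAC or signature (see the signing section below).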


Asymmetric encryption

Generate the private/public key

openssl genrsa -out <file> 1024

For example:

openssl genrsa -out priv.key 1024      // generate an RSA private key (priv.key)

openssl rsa -in <file> -pubout

For example:

openssl rsa -in priv.key -pubout > pub.key      // derive the public key from the private key priv.key and redirect it into the file pub.key

Encrypt the file with the public key

openssl rsautl -in <file> -out <file> -inkey <file> -pubin -encrypt

For example:

openssl rsautl -in test.txt -out test.bin -inkey pub.key -pubin -encrypt      // encrypt test.txt with the public key file (pub.key), producing the encrypted file test.bin

Decrypt the file with the private key

openssl rsautl -in <file> -out <file> -inkey <file> -decrypt

For example:

openssl rsautl -in test.bin -out test1.txt -inkey priv.key -decrypt     // decrypt test.bin (which was encrypted with the public key) using the private key priv.key, producing test1.txt

Use openssl sign/verify functions (digital signatures)

Generate the private/public key

Generate the key pair:

openssl genrsa -out <file> 1024
openssl rsa -in <file> -pubout

Sign the file with the private key

openssl rsautl -in <file> -out <file> -inkey <file> -sign

For example:

openssl rsautl -in test.txt -out test.sig -inkey priv.key -sign     // encrypt test.txt with the private key, i.e. sign it

openssl rsautl -in <file> -out <file> -inkey <file> -pubin -verify

For example:

openssl rsautl -in test.sig -out test2.txt -inkey pub.key -pubin -verify // decrypt, i.e. verify, the private-key-encrypted file (test.sig) with the public key

 

Hash functions: MD5, SHA1

Purpose: mainly to verify the integrity of a file, i.e. that nobody has tampered with it.

Generate the md5 hash result

openssl dgst -md5 <file>
md5sum <file>

For example:

openssl dgst -md5 openssl.tar.gz       // compute the MD5 digest
md5sum openssl.tar.gz

Generate the sha1 hash result

openssl dgst -sha1 <file>
sha1sum <file>

For example:

openssl dgst -sha1 openssl.tar.gz        // compute the SHA1 digest
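The three sections above (public-key encryption, signing, hashing) fit together in one script, added here as an example that is not part of the original post. It differs from the commands above in the ways current practice requires: rsautl is deprecated since OpenSSL 3.0 and defaults to PKCS#1 v1.5 padding, so pkeyutl with RSA-OAEP is used instead; a signature is made over the SHA-256 digest of the file with dgst rather than by "encrypting" the file with the private key, which only works for inputs shorter than the key; and SHA-256 replaces MD5 and SHA-1, which are no longer collision-resistant. It assumes openssl 1.1.1 or later on PATH; the key file names and the message are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): RSA encryption with OAEP, file signing
# over a SHA-256 digest, and digest-based tamper detection, using pkeyutl and dgst.
# Assumes openssl >= 1.1.1 on PATH; key names and the message are constructed.
set -eu

# make_keypair <dir>: priv.key (private) and pub.key (public), PEM
make_keypair() {
    openssl genrsa -out "$1/priv.key" 2048 2>/dev/null
    openssl rsa -in "$1/priv.key" -pubout -out "$1/pub.key" 2>/dev/null
    chmod 600 "$1/priv.key"
}

# RSA can only encrypt something shorter than the modulus (190 bytes here with
# OAEP-SHA256); in practice that is a random symmetric key, not the document itself.
encrypt_small() {   # <pub.key> <in> <out>
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 -in "$2" -out "$3"
}
decrypt_small() {   # <priv.key> <in> <out>
    openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        -pkeyopt rsa_oaep_md:sha256 -in "$2" -out "$3"
}

# sign_file <priv.key> <file> <sig> / verify_file <pub.key> <file> <sig>
sign_file()   { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }
verify_file() { openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; }

# sha256_of <file>: bare hex digest, the value you would publish next to a download
sha256_of() { openssl dgst -sha256 -r "$1" | cut -d' ' -f1; }

# demo: runs the whole flow and prints "ok". A one-byte change to the signed file must
# change its digest and make signature verification fail.
demo() {
    dir=$(mktemp -d)
    make_keypair "$dir"
    printf 'pay 10 EUR to account 42\n' > "$dir/msg.txt"

    encrypt_small "$dir/pub.key" "$dir/msg.txt" "$dir/msg.bin"
    decrypt_small "$dir/priv.key" "$dir/msg.bin" "$dir/msg.dec"
    cmp -s "$dir/msg.txt" "$dir/msg.dec" || { echo "decrypt mismatch"; return 1; }

    sign_file "$dir/priv.key" "$dir/msg.txt" "$dir/msg.sig"
    verify_file "$dir/pub.key" "$dir/msg.txt" "$dir/msg.sig" || { echo "good signature rejected"; return 1; }

    before=$(sha256_of "$dir/msg.txt")
    printf 'pay 99 EUR to account 42\n' > "$dir/msg.txt"      # tampered content
    after=$(sha256_of "$dir/msg.txt")
    [ "$before" != "$after" ] || { echo "digest unchanged"; return 1; }
    if verify_file "$dir/pub.key" "$dir/msg.txt" "$dir/msg.sig"; then
        echo "tampered file verified"; return 1
    fi
    rm -rf "$dir"
    echo ok
}
```

A bare digest only detects accidental corruption or tampering of the file when the digest itself is delivered over a channel the attacker cannot modify; the signature is what ties the digest to a key, which is why the download-verification case needs both.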

 

Install Apache

Configure the environment

tar zxvf httpd-2.0.63.tar.gz
cd httpd-2.0.63
./configure --prefix=/usr/local/apache --enable-ssl --with-ssl=/usr/local/openssl
make
make install

Configure SSL in Apache

openssl req -new -x509 -days 30 -keyout server.key -out server.crt -subj '/CN=Test Only Certificate'

or

openssl req -new -x509 -days 365 -sha1 -nodes -newkey rsa:1024 -keyout server.key -out server.crt -subj '/O=Seccure/OU=Seccure Labs/CN='

Copy the .key and .crt files to the proper directory      // usually under Apache's conf directory; the exact path is defined in the Apache configuration file

vi httpd.conf

Include conf/ssl.conf           // the SSL configuration is contained in conf/ssl.conf

vi conf/ssl.conf

SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key     // path to server.key
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt            // path to server.crt

With Apache 2.2, simply starting Apache also starts SSL.
With Apache 2.0, start SSL with: apachectl startssl                           // the port number is 443

vi conf/ssl.conf

SSLRequireSSL                               // this directory may only be accessed over https

# The enclosing <Directory> container for the ssldemo directory was lost when this page
# was extracted; the path below is a placeholder.
<Directory "/PATH/TO/ssldemo">
    SSLRequireSSL
</Directory>
// The ssldemo directory must be accessed over https. Because SSL access involves key
// encryption, decryption and transfer, it is slow, so the programs that need https are
// usually placed in one directory while the rest of the site stays on http.

 

 

I. Install OpenSSL

Download the openssl source code:

wget openssl-0.9.8k.tar.gz

Unpack it:

tar zxvf openssl-0.9.8k.tar.gz

Configure the OpenSSL installation; the --prefix parameter is the installation directory, i.e. where the installed files will end up:

cd openssl-0.9.8k
./config --prefix=/root/openssl

Build OpenSSL:

make

Install OpenSSL:

make install

Edit the configuration file:

cat ~/openssl/ssl/openssl.cnf

Change the following settings in it:

1) dir = /home/blave/openssl/ssl/misc/demoCA   # path where certificates are stored; replace blave with your own user name
2) default_days = 3650                           # number of days a certificate is valid
3) default_bits = 2048                           # key length (bits)



II. Generate the CA certificate

The CA certificate we generate will be placed under ~/openssl/ssl/misc/demoCA. Below we describe how to generate the top-level CA certificate.

Run the CA certificate generation script:

cd ~/openssl/ssl/misc
./CA.sh -newca

Confirm that the CA certificate and key were generated:

cd ~/openssl/ssl/misc/demoCA
ls
cacert.pem certs crl index.txt newcerts private serial

As you can see, cacert.pem is the CA certificate, and the private directory is where the CA private key is stored.

Sign the CA certificate request:

openssl ca -selfsign -in careq.pem -out cacert.pem

Set the access permissions on the CA certificate store so that only the owner can access it; everyone else must be denied:

chmod -R 660 ~/openssl/ssl/misc/demoCA



III. Issue subordinate certificates with the CA

Once the CA certificate exists, we can produce the certificates that users or companies need. Such a subordinate certificate can then be used for e-mail signing and encryption or for https/ssl transport encryption.

Generate the user's key file and CSR (Certificate Signing Request):

cd ~/openssl/ssl/misc/demoCA
openssl req -nodes -new -keyout test_key.pem -out test_req.pem -days 3650 -config ~/openssl/ssl/openssl.cnf

Here -keyout names the private key file to generate, test_key.pem in this example; you can choose your own. -out names the CSR file, test_req.pem here.

Generate the user's certificate:

openssl ca -config ~/openssl/ssl/openssl.cnf -policy policy_anything -out test_cert.pem -infiles test_req.pem

Check that the certificate was generated:

cd ~/openssl/ssl/misc/demoCA
ls

Current directory contents:
cacert.pem crl index.txt.attr test_cert.pem test_req.pem
private serial.old certs index.txt
index.txt.old test_key.pem newcerts serial

As you can see, test_cert.pem, test_req.pem and test_key.pem are the certificate, the CSR and the private key just generated.

IV. Using OpenSSL

Verify the generated user certificate against cacert:

openssl verify -CApath . -CAfile cacert.pem test_cert.pem

Check the generated serial number:

openssl x509 -noout -serial -in test_cert.pem

Check the issuer information:

openssl x509 -noout -issuer -in test_cert.pem

Check the certificate's start and end dates:

openssl x509 -noout -in test_cert.pem -dates

Check the personal certificate information (subject):

openssl x509 -noout -in test_cert.pem -subject

Check the MD5 fingerprint or the SHA-1 fingerprint:

openssl x509 -noout -in islab_cert.pem -fingerprint -md5    (or -sha1 instead of -md5)

Convert PEM to PKCS12. Microsoft Outlook Express uses the PKCS12 format, so to send signed mail from Outlook Express, just install the generated *.p12 file on Windows:

openssl pkcs12 -export -in test_cert.pem -out test_cert.p12 -name "My Certificate" -inkey test_key.pem

Convert PKCS12 to PEM:

openssl pkcs12 -in test_cert.p12 -out test_key2.pem

Produce the certificate again from the private key file:

openssl x509 -in test_key2.pem -text -out test_cert2.pem

File encryption: test_cert.pem is the personal certificate and can be given to everyone, so anyone who wants to send me an encrypted file can encrypt it as follows. Create a plain text file, called document.txt here; the encrypted file will be document.enc:

echo "This is a text file." > document.txt
cat document.txt
openssl smime -encrypt -in document.txt -out document.enc islab_cert.pem
cat document.enc

File decryption: when we receive document.enc from someone, we can decrypt it with the private key:

openssl smime -decrypt -in document.enc -recip test_cert.pem -inkey test_key.pem

File signing: signing a file proves that it really came from me and lets the recipient check that it was not tampered with. As before, we sign the plain text file document.txt; the signed file is document.sig:

openssl smime -sign -inkey test_key.pem -signer test_cert.pem -in document.txt -out document.sig

Signature verification: when someone receives this file, they can verify it with our certificate (test_cert.pem) together with the CA certificate (cacert.pem):

openssl smime -verify -in document.sig -signer islab_cert.pem -out document.txt -CAfile cacert.pem

So we know that the verifying party must obtain the CA certificate (cacert.pem) beforehand in order to verify the file.

Encrypting and signing a file: now that we know how to encrypt, decrypt, sign and verify, encrypting and signing a file is simple. We first sign the file and then encrypt it; the recipient does the reverse, decrypting first and then verifying.
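The sign-then-encrypt exchange of the last paragraph, run end to end, as an added example that is not part of the original post. It uses openssl smime as the page does, with two constructed parties (alice and bob) plus an outsider (mallory) who each get a self-signed certificate; in real use those would be issued by the CA of section II. It assumes openssl 1.1.1 or later on PATH; the party names and the document are constructed for the demo. The second half shows the point made above about needing the right certificate in advance: a message signed by mallory is rejected when bob verifies against alice's certificate.

```shell
#!/bin/sh
# Added example (not from the original post): "sign, then encrypt" on the sender side and
# "decrypt, then verify" on the receiver side with "openssl smime".
# Assumes openssl >= 1.1.1 on PATH; all names and the document are constructed.
set -eu

# selfsigned <dir> <name>: <name>_key.pem + <name>_cert.pem. A two-line config is written
# so the demo does not depend on the system openssl.cnf.
selfsigned() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
    openssl req -config "$1/req.cnf" -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
        -subj "/O=Demo/CN=$2" -keyout "$1/$2_key.pem" -out "$1/$2_cert.pem" 2>/dev/null
    chmod 600 "$1/$2_key.pem"
}

# sign_then_encrypt <dir> <sender> <recipient> <in> <out>
#   -nodetach -binary: opaque signature over the exact bytes (a detached S/MIME signature
#   would re-encode line endings). The signature ends up inside the ciphertext, so only
#   the recipient learns who signed. -aes256 replaces the weak default cipher of
#   "smime -encrypt".
sign_then_encrypt() {
    openssl smime -sign -binary -nodetach -in "$4" -signer "$1/$2_cert.pem" \
        -inkey "$1/$2_key.pem" -out "$1/tmp.signed"
    openssl smime -encrypt -aes256 -in "$1/tmp.signed" -out "$5" "$1/$3_cert.pem"
    rm -f "$1/tmp.signed"
}

# decrypt_then_verify <dir> <recipient> <expected-sender> <in> <out>
#   Returns non-zero if decryption fails or the inner signature does not chain to the
#   expected sender's certificate, which is passed as the trust anchor (-CAfile): the
#   verifier must already hold that certificate, exactly as the text says.
decrypt_then_verify() {
    openssl smime -decrypt -in "$4" -recip "$1/$2_cert.pem" -inkey "$1/$2_key.pem" \
        -out "$1/tmp.dec"
    st=0
    openssl smime -verify -binary -in "$1/tmp.dec" -CAfile "$1/$3_cert.pem" \
        -out "$5" >/dev/null 2>&1 || st=$?
    rm -f "$1/tmp.dec"
    return $st
}

# demo: alice -> bob succeeds; mallory -> bob is rejected when bob expects alice.
# Prints "ok" on success.
demo() {
    dir=$(mktemp -d)
    for who in alice bob mallory; do selfsigned "$dir" "$who"; done
    printf 'Transfer approved by alice.\n' > "$dir/document.txt"

    sign_then_encrypt "$dir" alice bob "$dir/document.txt" "$dir/document.enc"
    grep -q 'Transfer approved' "$dir/document.enc" && { echo "plaintext leaked"; return 1; }
    decrypt_then_verify "$dir" bob alice "$dir/document.enc" "$dir/document.out" \
        || { echo "genuine message rejected"; return 1; }
    cmp -s "$dir/document.txt" "$dir/document.out" || { echo "content mismatch"; return 1; }

    sign_then_encrypt "$dir" mallory bob "$dir/document.txt" "$dir/forged.enc"
    if decrypt_then_verify "$dir" bob alice "$dir/forged.enc" "$dir/forged.out"; then
        echo "forged signer accepted"; return 1
    fi
    rm -rf "$dir"
    echo ok
}
```

With CA-issued certificates the -CAfile argument becomes cacert.pem and the expected signer is checked separately (for instance with -signer and a comparison of the subject), since any certificate the CA issued would then chain.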


Complete OpenSSL installation procedure on Linux

1. Download address: get a recent version of OpenSSL; the version I downloaded is openssl-1.0.0e.tar.gz

2. In the directory containing the downloaded archive, run: tar -xzf openssl-1.0.0e.tar.gz

3. Enter the unpacked directory openssl-1.0.0e: [.......]# cd openssl-1.0.0e

4. [...../openssl-1.0.0e]# ./config --prefix=/usr/local/openssl

5. [...../openssl-1.0.0e]# ./config -t

6. [...../openssl-1.0.0e]# make depend

7. [...../openssl-1.0.0e]# cd /usr/local

8. [/usr/local]# ln -s openssl ssl

9. Append the following line to the end of /etc/ld.so.conf:

/usr/local/openssl/lib

10. [...]# ldconfig

11. Add the OPENSSL environment variable by appending the following to the end of /etc/profile:

export OPENSSL=/usr/local/openssl/bin
export PATH=$OPENSSL:$PATH:$HOME/bin

12. Log out of the shell and log in again.

13. OpenSSL is now installed; below are a few checks.

14. Run the following in order:

[root@localhost /]# cd /usr/local
[root@localhost local]# ldd /usr/local/openssl/bin/openssl

Output similar to the following appears:

linux-vdso.so.1 => (0x00007fff3bc73000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fc5385d7000)
libc.so.6 => /lib64/libc.so.6 (0x00007fc538279000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc5387db000)

15. Check the path:

...]# which openssl
/usr/local/openssl/bin/openssl

16. Check the version:

...]# openssl version
OpenSSL 1.0.0e 6 Sep 2011
