全部博文(2759)
分类: 系统运维
2014-08-21 03:18:33
原文地址:OpenSSL的安装和使用 作者:woaimaidong
1,安装openssl
tar zxvf openssl-1.0.0a.tar.gz
cd openssl-1.0.0a
./config --prefix=/usr/local/openssl
make && make install
2,安装apache
tar zxvf httpd-2.2.16.tar.gz
cd httpd-2.2.16
./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite
--enable-so --with-ssl=/usr/local/openssl
make && make install
如果你是yum install ,apt-get,pacman这样的软件管理工具进行安装的话,上面的二步可以省掉。
3,创建主证书
在/usr/local/apache/conf/下面建个目录ssl
3.1,mkdir ssl
3.2,cp /openssl的安装目录/ssl/misc/CA.sh /usr/local/apache/conf/ssl/
3.3 用CA.sh来创建证书
1. [root@BlackGhost ssl]# ./CA.sh -newca //建立主证书
2. CA certificate filename (or enter to create)
3.
4. Making CA certificate ...
5. Generating a 1024 bit RSA private key
6. ............++++++
7. ......++++++
8. writing new private key to './demoCA/private/./cakey.pem'
9. Enter PEM pass phrase:
10. Verifying - Enter PEM pass phrase:
11. Verify failure
12. Enter PEM pass phrase:
13. Verifying - Enter PEM pass phrase:
14. -----
15. You are about to be asked to enter information that will be incorporated
16. into your certificate request.
17. What you are about to enter is what is called a Distinguished Name or a DN.
18. There are quite a few fields but you can leave some blank
19. For some fields there will be a default value,
20. If you enter '.', the field will be left blank.
21. -----
22. Country Name (2 letter code) [AU]:cn
23. State or Province Name (full name) [Some-State]:cn
24. Locality Name (eg, city) []:cn
25. Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
26. Organizational Unit Name (eg, section) []:cn
27. Common Name (eg, YOUR name) []:localhost
28. Email Address []:xtaying@gmail.com
29.
30. Please enter the following 'extra' attributes
31. to be sent with your certificate request
32. A challenge password []:******************
33. An optional company name []:
34. Using configuration from /etc/ssl/openssl.cnf
35. Enter pass phrase for ./demoCA/private/./cakey.pem: //填的是上面的PEM密码
36. Check that the request matches the signature
37. Signature ok
38. Certificate Details:
39. Serial Number:
40. 89:11:9f:a6:ca:03:63:ab
41. Validity
42. Not Before: Aug 7 12:35:28 2010 GMT
43. Not After : Aug 6 12:35:28 2013 GMT
44. Subject:
45. countryName = cn
46. stateOrProvinceName = cn
47. organizationName = cn
48. organizationalUnitName = cn
49. commonName = localhost
50. emailAddress = xtaying@gmail.com
51. X509v3 extensions:
52. X509v3 Subject Key Identifier:
53. 26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
54. X509v3 Authority Key Identifier:
55. keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
56. DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
57. serial:89:11:9F:A6:CA:03:63:AB
58.
59. X509v3 Basic Constraints:
60. CA:TRUE
61. Certificate is to be certified until Aug 6 12:35:28 2013 GMT (1095 days)
62.
63. Write out database with 1 new entries
64. Data Base Updated
[root@BlackGhost ssl]# ./CA.sh -newca //建立主证书
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost
Email Address []:xtaying@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:******************
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: //填的是上面的PEM密码
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
89:11:9f:a6:ca:03:63:ab
Validity
Not Before: Aug 7 12:35:28 2010 GMT
Not After : Aug 6 12:35:28 2013 GMT
Subject:
countryName = cn
stateOrProvinceName = cn
organizationName = cn
organizationalUnitName = cn
commonName = localhost
emailAddress = xtaying@gmail.com
X509v3 extensions:
X509v3 Subject Key Identifier:
26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
X509v3 Authority Key Identifier:
keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
serial:89:11:9F:A6:CA:03:63:AB
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Aug 6 12:35:28 2013 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
安装成功的话,会在ssl目录下面产生一个文件夹demoCA
4 生成服务器私钥和服务器证书
1. [root@BlackGhost ssl]# openssl genrsa -des3 -out server.key 1024 //产生服务器私钥
2. Generating RSA private key, 1024 bit long modulus
3. .....................++++++
4. .........++++++
5. e is 65537 (0x10001)
6. Enter pass phrase for server.key:
7. Verifying - Enter pass phrase for server.key:
8. [root@BlackGhost ssl]# openssl req -new -key server.key -out server.csr //生成服务器证书
9. Enter pass phrase for server.key:
10. You are about to be asked to enter information that will be incorporated
11. into your certificate request.
12. What you are about to enter is what is called a Distinguished Name or a DN.
13. There are quite a few fields but you can leave some blank
14. For some fields there will be a default value,
15. If you enter '.', the field will be left blank.
16. -----
17. Country Name (2 letter code) [AU]:cn
18. State or Province Name (full name) [Some-State]:cn
19. Locality Name (eg, city) []:cn
20. Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
21. Organizational Unit Name (eg, section) []:cn
22. Common Name (eg, YOUR name) []:localhost //要填全域名
23. Email Address []:xtaying@gmail.com
24.
25. Please enter the following 'extra' attributes
26. to be sent with your certificate request
27. A challenge password []:*****************
28. An optional company name []:
[root@BlackGhost ssl]# openssl genrsa -des3 -out server.key 1024 //产生服务器私钥
Generating RSA private key, 1024 bit long modulus
.....................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@BlackGhost ssl]# openssl req -new -key server.key -out server.csr //生成服务器证书
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost //要填全域名
Email Address []:xtaying@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*****************
An optional company name []:
4.1 对产生的服务器证书进行签证
cp server.csr newseq.pem
1. [root@BlackGhost ssl]# ./CA.sh -sign //为服务器证书签名
2. Using configuration from /etc/ssl/openssl.cnf
3. Enter pass phrase for ./demoCA/private/cakey.pem:
4. Check that the request matches the signature
5. Signature ok
6. Certificate Details:
7. Serial Number:
8. 89:11:9f:a6:ca:03:63:ac
9. Validity
10. Not Before: Aug 7 12:39:41 2010 GMT
11. Not After : Aug 7 12:39:41 2011 GMT
12. Subject:
13. countryName = cn
14. stateOrProvinceName = cn
15. localityName = cn
16. organizationName = cn
17. organizationalUnitName = cn
18. commonName = localhost
19. emailAddress = xtaying@gmail.com
20. X509v3 extensions:
21. X509v3 Basic Constraints:
22. CA:FALSE
23. Netscape Comment:
24. OpenSSL Generated Certificate
25. X509v3 Subject Key Identifier:
26. FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
27. X509v3 Authority Key Identifier:
28. keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
29.
30. Certificate is to be certified until Aug 7 12:39:41 2011 GMT (365 days)
31. Sign the certificate? [y/n]:y
32.
33. 1 out of 1 certificate requests certified, commit? [y/n]y
34. Write out database with 1 new entries
35. Data Base Updated
36. Certificate:
37. Data:
38. Version: 3 (0x2)
39. Serial Number:
40. 89:11:9f:a6:ca:03:63:ac
41. Signature Algorithm: sha1WithRSAEncryption
42. Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
43. Validity
44. Not Before: Aug 7 12:39:41 2010 GMT
45. Not After : Aug 7 12:39:41 2011 GMT
46. Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
47. Subject Public Key Info:
48. Public Key Algorithm: rsaEncryption
49. Public-Key: (1024 bit)
50. Modulus:
51. 00:ce:d5:a8:df:d1:e7:ee:92:d1:d1:78:20:a9:6d:
52. 0a:1b:f6:09:dd:13:29:ef:72:1d:17:54:dd:1c:8d:
53. 28:27:69:fe:70:3b:fa:2b:a3:45:40:80:ea:0e:5b:
54. a7:bd:40:d0:cd:bc:2c:74:03:8b:f7:6c:5e:1f:09:
55. 5d:c6:8a:05:ea:b8:72:fc:79:8b:62:62:38:0b:42:
56. 28:7e:0d:fc:e7:bb:b0:87:66:6a:b2:35:92:91:b9:
57. 78:9c:b6:76:01:0b:2a:74:df:5f:a1:8b:31:61:90:
58. 93:f9:20:db:46:59:12:2e:9b:59:c0:32:4e:92:14:
59. a1:7e:52:7b:cc:02:5e:e2:45
60. Exponent: 65537 (0x10001)
61. X509v3 extensions:
62. X509v3 Basic Constraints:
63. CA:FALSE
64. Netscape Comment:
65. OpenSSL Generated Certificate
66. X509v3 Subject Key Identifier:
67. FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
68. X509v3 Authority Key Identifier:
69. keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
70.
71. Signature Algorithm: sha1WithRSAEncryption
72. 09:a0:16:43:a2:93:11:a7:ab:f5:17:b7:36:35:84:9f:3b:37:
73. 32:33:3f:93:63:b0:4c:bb:d1:b4:9b:4f:37:78:62:f4:ac:ff:
74. 28:b0:63:71:2e:9a:7c:f4:40:2e:b1:5f:ae:49:e7:e2:6f:de:
75. cf:30:cc:9a:08:26:26:24:c5:00:03:32:20:48:41:b1:29:8f:
76. 5d:3d:2a:78:54:0e:a8:76:07:6c:7f:23:42:75:c2:fb:83:1d:
77. 70:44:5e:8c:90:cf:b4:23:b7:23:5b:06:05:32:58:e3:af:1c:
78. be:1d:50:7b:fd:37:66:ba:9c:ec:bb:af:ee:b6:04:f7:c5:2e:
79. 59:22
80. -----BEGIN CERTIFICATE-----
81. MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
82. BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw
83. EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu
84. Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC
85. Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV
86. BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp
87. bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu
88. ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3
89. bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh
90. kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
91. CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
92. HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+
93. zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3
94. MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy
95. IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/03
96. Zrqc7Luv7rYE98UuWSI=
97. -----END CERTIFICATE-----
98. Signed certificate is in newcert.pem
[root@BlackGhost ssl]# ./CA.sh -sign //为服务器证书签名
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
89:11:9f:a6:ca:03:63:ac
Validity
Not Before: Aug 7 12:39:41 2010 GMT
Not After : Aug 7 12:39:41 2011 GMT
Subject:
countryName = cn
stateOrProvinceName = cn
localityName = cn
organizationName = cn
organizationalUnitName = cn
commonName = localhost
emailAddress = xtaying@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
X509v3 Authority Key Identifier:
keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
Certificate is to be certified until Aug 7 12:39:41 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
89:11:9f:a6:ca:03:63:ac
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
Validity
Not Before: Aug 7 12:39:41 2010 GMT
Not After : Aug 7 12:39:41 2011 GMT
Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:ce:d5:a8:df:d1:e7:ee:92:d1:d1:78:20:a9:6d:
0a:1b:f6:09:dd:13:29:ef:72:1d:17:54:dd:1c:8d:
28:27:69:fe:70:3b:fa:2b:a3:45:40:80:ea:0e:5b:
a7:bd:40:d0:cd:bc:2c:74:03:8b:f7:6c:5e:1f:09:
5d:c6:8a:05:ea:b8:72:fc:79:8b:62:62:38:0b:42:
28:7e:0d:fc:e7:bb:b0:87:66:6a:b2:35:92:91:b9:
78:9c:b6:76:01:0b:2a:74:df:5f:a1:8b:31:61:90:
93:f9:20:db:46:59:12:2e:9b:59:c0:32:4e:92:14:
a1:7e:52:7b:cc:02:5e:e2:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
X509v3 Authority Key Identifier:
keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
Signature Algorithm: sha1WithRSAEncryption
09:a0:16:43:a2:93:11:a7:ab:f5:17:b7:36:35:84:9f:3b:37:
32:33:3f:93:63:b0:4c:bb:d1:b4:9b:4f:37:78:62:f4:ac:ff:
28:b0:63:71:2e:9a:7c:f4:40:2e:b1:5f:ae:49:e7:e2:6f:de:
cf:30:cc:9a:08:26:26:24:c5:00:03:32:20:48:41:b1:29:8f:
5d:3d:2a:78:54:0e:a8:76:07:6c:7f:23:42:75:c2:fb:83:1d:
70:44:5e:8c:90:cf:b4:23:b7:23:5b:06:05:32:58:e3:af:1c:
be:1d:50:7b:fd:37:66:ba:9c:ec:bb:af:ee:b6:04:f7:c5:2e:
59:22
-----BEGIN CERTIFICATE-----
MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw
EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu
Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC
Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV
BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp
bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu
ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3
bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh
kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+
zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3
MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy
IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/03
Zrqc7Luv7rYE98UuWSI=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
cp newcert.pem server.crt
5,产生客户端证书
生成客户私钥:
openssl genrsa -des3 -out client.key 1024
生成客户证书
openssl req -new -key client.key -out client.csr
签证:
openssl ca -in client.csr -out client.crt
转换成pkcs12格式,为客户端安装所用
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out
client.pfx
这一步根安装服务器的证书差不多,不同的是签证,最后安装的时候,client.pfx的密码要记住,在客户端安装的时候要用到的。
[root@BlackGhost ssl]# openssl pkcs12 -export -clcerts -in client.crt
-inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:
客户端和服务器端都可以使用服务器端证书,所以这一步不做也行。
6,集中所以证书和私私钥到一起
#cp demoCA/cacert.pem cacert.pem
同时复制一份证书,更名为ca.crt
#cp cacert.pem ca.crt
7,apache配置
vi /usr/local/apache/conf/extra/ssl.conf
1. ssl开启
2. SSLEngine on
3.
4. 指定服务器证书位置
5. SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
6.
7. 指定服务器证书key位置
8. SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
9.
10. 证书目录
11. SSLCACertificatePath /usr/local/apache/conf/ssl
12.
13. 根证书位置
14. SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem
15.
16. 要求客户拥有证书
17. SSLVerifyClient require
18. SSLVerifyDepth 1
19. SSLOptions +StdEnvVars
20.
21. 记录log
22. CustomLog "/usr/local/apache/logs/ssl_request_log" \
23. "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
ssl开启
SSLEngine on
指定服务器证书位置
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
指定服务器证书key位置
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
证书目录
SSLCACertificatePath /usr/local/apache/conf/ssl
根证书位置
SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem
要求客户拥有证书
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StdEnvVars
记录log
CustomLog "/usr/local/apache/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
vi /usr/local/apache/conf/extra/httpd_vhosts.conf
1. listen 443 https
2. NameVirtualHost *:443
3.
4.
5. DocumentRoot "/home/zhangy/www/metbee/trunk/src/web"
6. ServerName *:443
7. ErrorLog "/home/zhangy/apache/"
8. CustomLog "/home/zhangy/apache/" common
9. Include conf/extra/ssl.conf
10.
11.
listen 443 https
NameVirtualHost *:443
DocumentRoot "/home/zhangy/www/metbee/trunk/src/web"
ServerName *:443
ErrorLog "/home/zhangy/apache/"
CustomLog "/home/zhangy/apache/" common
Include conf/extra/ssl.conf
vi /usr/local/apache/conf/httpd.conf把Include conf/extra/httpd-vhosts.conf前面的注释去掉
启动 /usr/local/apache/bin/apachectl -D SSL -k start
Server *:10000 (RSA)
Enter pass phrase:输入的是server的密钥
OK: Pass Phrase Dialog successful.
8,安装客户端证书
把ca.crt和client.pfx copy到客户端,双击client.pfx就会进入证书的安装向导,下一步就行了,中间会让你输入密码
四,安装所遇到的问题
1,生成的密码很多,一会让输入密码,会忘得,并且主证书的密码和下面的证书的密码不能重得,会报错的,所以要搞个文本记下来。
2,升级openssl引发的问题
httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libssl.so.0.9.8: cannot open shared object file: No such file or directory
httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory
用ln -s来建立软链接,就可以了。不过这种方法不是万能的,比如我把libpng从1.2升到1.4,libjpeg从7.0升到8.0结果是系统差点崩掉,用软链接不管用,我把他们弄掉,从网上下的低版本重装。
3,证书的国家名称,省名要相同不然生成空证书,
The countryName field needed to be the same in the
CA certificate (cn) and the request (sh)
4,提示CommonName时,要添写全域名,会提示警告
RSA server certificate CommonName (CN) `cn' does NOT match server name!?
5,相同的证书不能生成二次,名字不一样也不行,也就是说server.cst和client.csr信息不能完相同,不然会报
failed to update database
TXT_DB error number 2
6,页面浏览时,会看到提示,你的证书是不可信的,是因为我配置的不对,还是自己建的证书就是不要信的呢?
7,当我加了SSLVerifyClient require SSLVerifyDepth 1 这二个配置时,在windows下面,要你输入证书后,就可以看到页面了,但在用firefox就是不行呢?看下面的ssl_request_log日志,192.168.18.3是用windows的IE浏览器
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA
"GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET
/robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET
/robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET /
HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET /
HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET /
HTTP/1.1" 1505
加密解密
传统加密(对称加密)
openssl enc –ciphername(加密算法) –k password(口令) –in file(被加密的算法) -out (输出文件)file
解密
openssl enc –ciphername –k password -d –in file -out file
加密算法有:base64,des,des3,rc2,rc5,aes256
例如:
/bin/openssl enc –des3 –k boobooke –in pt.txt –out ct.bin //加密
/bin/openssl enc –des3 –d –k boobooke –in ct.bin –out pt1.txt //解密
非对称加密
Generate the private/public key
Openssl genrsa –out file 1024
例如:
Openssl genrsa –out priv.key 1024 //用rsa算法生成私钥(priv.key)
Openssl rsa –in file –pubout
例如:
Openssl rsa –in priv.key –pubout>pub.key //用私钥priv.key生成公钥,并重定向到pub.key这个文件里面
Encrypt the file with public key
Openssl rsautl –in file –out file –inkey file –pubin –encrypt
例如:
Openssl rsautl –in test.txt –out test.bin –inkey pub.key –pubin –encrypt //利用公钥文件(pub.key)对text.txt文件进行加密,生成加密后的文件text.bin
Decrypt the file the private key
Openssl rsautl –in file –out file –inkey file –decrypt
例如:
Openssl rsautl –in text.bin –out text1.txt –inkey priv.key –decrypt //利用私钥priv.key对公钥加密的text.bin进行加密的文件进行解密,生成解密后的文件是text1.txt
Use openssl sign/verify functions(数字签名)
Generate the private/public key
生成密钥对
Openssl genrsa –out file 1024
Openssl rsa –in file –pubout
Sign the file with the private key
Openssl rsautl –in file –out file –inkey file –sign
例如:
Openssl rsatul –in test.txt –out test.sig –inkey priv.key –sign //利用私钥对test.txt 进行加密也就是签名
Openssl rsautl –in file –out file –inkey file –pubin –verify
例如:
Openssl rsautl –in test.sig –out test2.txt –inkey pub.key –pubin –verify //利用公钥对私钥加密后的文件(test.sig)进行解密或是认证
Hash functions(hash函数)……MD5 SHA1
作用:主要是验证文件的完整性,没有被别人篡改!
Generate the md5 hash result
Openssl dgst –md5 file 或
Md5sum file
例如:
Openssl dgst –md5 openssl.tar.gz //生成MD5值
Md5sum openssl.tar.gz
Generate the sha1 hash result
Openssl dgst –sha1file 或
Sha1sum file
例如:
Openssl –dgst –sha1 openssl.tar.gz //生成sha1值
Install apache
Configure the environment
tar –zxvf httpd-2.0.63.tar.gz
cd httpd-2.0.63
./configure –prefix=/usr/local/apache –enable-ssl –with-ssl=/usr/local/openssl
make
make install
Configure ssl in apache
openssl req -new -x509 -days 30 -keyout server.key -out server.crt -subj '/CN=Test Only Certifiecate'
或者
Openssl req –new –x509 –days 365 –sha1 –nodes –newkey rsa:1024 keyout server.key –out server.crt –subj ‘/O=Seccure/OU=Seccure Labs/CN=’
Cpy the .key and .crt file to the proper directory //一般都是存放在apache的conf 目录下面,具体存放路径是在apache的配置文件中定义的
Vi httpd.conf
Include conf/ssl.conf //ssl 的配置文件被包含在conf/ssl.conf
Vi conf/ssl.conf
SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key //server.key存放路径
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt //server.crt 存放路径
Apache2.2直接启动apache服务就可以启动SSL
Apache2.0启动ssl:apachectl startssl //端口号为443端口
Vi conf/ssl.conf
SSLRequireSSL //此目录只允许使用https协议访问
SSLRequireSSL
//ssldemo这个目录必须使用https协议访
问,应为利用ssl安全访问存在着密钥的
加密解密以及传送,所以访问会很慢,所
以一般都是把一些需要中到https协议访
访问的程序放在一个目录中,而其他的站
点依然用http协议访问
一、安装 Openssl
? 下载 openssl 源代码:
? wget
openssl-0.9.8k.tar.gz
? 解压缩:
? tar zxvf
openssl-0.9.8k.tar.gz
? 设定Openssl 安装,( --prefix )参数为欲安装之目录,也就是安装后的档案会出现在该目录下:
? cd openssl-0.9.8k
? ./config
--prefix=/root/openssl
? 编译 Openssl:
? make
? 安装 Openssl:
? make install
? 修改配置文件:
? cat ~/openssl/ssl/openssl.cnf
? 修改其中的配置内容
1) dir=
/home/blave/openssl/ssl/misc/demoCA # 设定存取凭证的路径, 并将blave 改成您自己
2) default_days= 3650 # 设定凭证可使用之天数
3) default_bits = 2048 # 设定密钥长度(bits)
二、产生 CA 凭证
? 我们所产生的 CA 凭证,将放置在 ~/openssl/ssl/misc/demoCA下,以下我们将介绍怎样产生出最上层的 CA 凭证。
? 执行CA 凭证产生程式:
? cd ~/openssl/ssl/misc
? ./CA.sh -newca
? 确定CA 凭证及密钥是否产生:
? cd
~/openssl/ssl/misc/demoCA
? ls
? cacert.pem certs crl
index.txt newcerts private serial
? 可见「cacert.pem」即是CA 之凭证,而「private」目录即是存放CA 私钥之处。
? 对 CA 证书请求进行签名:
u openssl ca -selfsign
-in careq.pem -out cacert.pem
? 设定CA 凭证之存取权限,仅允许本人能存取,他人必须限制其存取权限:
? chmod -R 660
~/openssl/ssl/misc/ demoCA
三、以 CA 产生次级凭证
? 在CA 凭证产生完之后,我们便能够产生使用者或公司所需要之凭证,此次级凭证产生后,使用者便可应用于Email 签章加密或https 等ssl 传输加密。
? 产生使用者之密钥档及CSR 档(Certificate
Signing Request) :
? cd
~/openssl/ssl/misc/demoCA
? openssl req -nodes
-new -keyout test_key.pem /-out test_req.pem -days 3650 -config
~/openssl/ssl/openssl.cnf
? 此处「-keyout 」即为产生Private
key 之文档名,这里以「test_key.pem」为例,您可自行设定。而「-out 」则产生CSR 档,我们以「test_req.pem」为例。
? 产生使用者之凭证:
? openssl ca -config
~/openssl/ssl/openssl.cnf /-policy policy_anything –out test_cert.pem -infiles
test_req.pem
? 检查凭证是否产生:
? cd
~/openssl/ssl/misc/demoCA
? ls
? 当前目录内容:cacert.pem
crl index.txt.attr test_cert.pem test_req.pem
private serial.old certs index.txt
index.txt.old test_key.pem newcerts serial
? 以上可见,test_cert.pem、test_req.pem及test_key.pem分别为刚刚所产生出来的凭证、CSR 及Private
Key 。
四、 Openssl 应用
? 以cacert 验证产生出来的使用者cert :
? openssl verify -CApath
. /-CAfile cacert.pem test_cert.pem
? 检查产生的序号:
? openssl x509 -noout
-serial -in test_cert.pem
? 检查发行者资讯:
? openssl x509 -noout
-issuer -in test_cert.pem
? 检查凭证起始及终止日期时间:
? openssl x509 -noout
-in test_cert.pem -dates
? 检查个人凭证资讯subject :
? openssl x509 -noout
-in test_cert.pem -subject
? 检查MD5
fingerprint 或SHA-1
fingerprint :
? openssl x509 -noout
-in islab_cert.pem -fingerprint -md5/-sha1
? 由PEM 转至PKCS12 。Microsoft
Outlook Express 使用PKCS12 格式,因此欲使用Microsoft
Outlook Express 寄出签章信件,只要将产生出来的“*.p12
”文档安装在Windows 即可使用:
? openssl pkcs12 -export
-in test_cert.pem -out test_cert.p12 -name "My Certificate" -inkey
test_key.pem
? 由PKCS12 转至PEM:
? openssl pkcs12 -in
test_cert.p12 -out test_key2.pem
? 再由Private
Key 产生凭证:
? openssl x509 -in
test_key2.pem -text /-out test_cert2.pem
? 文档加密: 「test_cert.pem 」为个人凭证,能够公开给大家,因此某人欲加密传送一文档给我,便能够依下列方式加密。编辑一个纯文字档,在此我们预设档名为「document.txt 」,而经加密码之档名为「document.enc 」:
? echo "This is a
text file." > document.txt
? cat document.txt
? openssl smime -encrypt
-in document.txt /-out document.enc islab_cert.pem
? cat document.enc
? 文档解密: 倘若我们收到了某人传送的「document.enc」,我们便能使用Private
Key 来进行解密:
? openssl smime -decrypt
-in document.enc /-recip test_cert.pem –inkey test_key.pem
? 文档签章: 为文档签章可证实文档的来源为本人无误,并且能够验证文档是否被篡改。我们依前例,为一纯文字档「document.txt」签章,签章后文档名为「document.sig」:
? openssl smime -sign
-inkey test_key.pem /-signer test_cert.pem -in document.txt -out document.sig
? 文档签章验证: 当某人收到这份文档时,可利用我们的凭证(test_cert.pem) 连同CA 凭证(cacert.pem) 来验证文档:
? openssl smime -verify
-in document.sig /-signer islab_cert.pem -out document.txt -CAfile cacert.pem
? 因此我们能够知道,验证方必须事先取得 CA 凭证( cacert.pem ) 方可验证文档。
? 文档加密并签章:我们已知怎样加解密连同签章验证的方法了,因此要将文档加密并签章实非难事。我们必须先将文档进行签章再加密,而收方则以相反步骤进行解密再验证即可。
Linux下Openssl的安装全过程
1、下载地址: 下一个新版本的OpenSSL,我下的版本是:openssl-1.0.0e.tar.gz
2、在下载的GZ目录中,用命令执行:tar -xzf openssl-openssl-1.0.0e.tar.gz
3、进入解压的目录:openssl-1.0.0e [.......]#cd openssl-1.0.0e
4、[.....openssl-1.0.0e]# ./config --prefix=/usr/local/openssl
5[...../openssl-1.0.0e]# ./config -t
6[...../openssl-1.0.0e]# make depend
7[...../openssl-1.0.0e]# cd /usr/local
8/usr/local]# ln -s openssl ssl
9在/etc/ld.so.conf文件的最后面,添加如下内容:
/usr/local/openssl/lib
10...]# ldconfig
11添加OPESSL的环境变量:
在etc/的profile的最后一行,添加:
export OPENSSL=/usr/local/openssl/bin
export PATH=$OPENSSL:$PATH:$HOME/bin
12退出命令界面,再从新登录。
13、以上OPENSSL就安装完毕,下面进行一些检查。
14依次如下执行:
[root@localhost /]# cd /usr/local
[root@localhost local]# ldd /usr/local/openssl/bin/openssl
会出现类似如下信息:
linux-vdso.so.1 => (0x00007fff3bc73000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fc5385d7000)
libc.so.6 => /lib64/libc.so.6 (0x00007fc538279000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc5387db000)
15查看路径
...]# which openssl
/usr/local/openssl/bin/openssl
16查看版本
...]# openssl version
OpenSSL 1.0.0e 6 Sep 2011