Category: System Administration
2012-09-12 16:04:53
1. I installed WampServer 2.2.11 into the d:\wamp directory.
2. Local operating system: Windows 7, 32-bit.
3. D:\wamp\bin\apache\Apache2.2.11\bin contains openssl.exe.
4. D:\wamp\bin\apache\Apache2.2.11\conf contains openssl.cnf.
5. D:\wamp\bin\apache\Apache2.2.11\conf\extra contains httpd-ssl.conf.
6. Local address: 192.168.111.1.
7. mod_ssl is enabled in WAMP's Apache (the LoadModule ssl_module line and the Include of conf/extra/httpd-ssl.conf in httpd.conf are uncommented).
8. httpd-ssl.conf contents (comments removed; the directives from DocumentRoot onward sit inside the stock file's <VirtualHost _default_:443> container):
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:D:/wamp/bin/apache/Apache2.2.11/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex default
<VirtualHost _default_:443>
DocumentRoot "D:\wamp\www"
ServerName 192.168.111.1:443
ServerAdmin me@localhost
ErrorLog "D:/wamp/bin/apache/Apache2.2.11/logs/error.log"
TransferLog "D:/wamp/bin/apache/Apache2.2.11/logs/access.log"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "D:/wamp/bin/apache/Apache2.2.11/bin/server.crt"
SSLCertificateKeyFile "D:/wamp/bin/apache/Apache2.2.11/bin/server.key"
SSLCertificateChainFile "D:/wamp/bin/apache/Apache2.2.11/bin/root.crt"
SSLCACertificateFile "D:/wamp/bin/apache/Apache2.2.11/bin/root.crt"
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "D:/wamp/bin/apache/Apache2.2.11/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Points to watch in the above:
a. Paths: every path must match the real installation; forward slashes are accepted in Apache directives on Windows.
b. ServerName: this must be the machine's own address or host name (192.168.111.1 here). The same value is entered as the certificate's Common Name several times at the command line later.
c. For one-way (server-only) authentication, set SSLVerifyClient to none; SSLCACertificateFile and SSLVerifyDepth are then unused and can be commented out with #.
d. SSLCertificateChainFile expects a file of CA certificates, never a private key, so it must point at root.crt rather than root.key; when the server certificate is signed directly by the root it can be left out entirely. The CA private key (root.key) has no business next to the web server at all and should be kept elsewhere once signing is done.
e. Naming used from here on: the root (CA) certificate is called root, the server certificate server, and the client certificate client.
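The client-authentication part of the file above, as an added example rather than the post's own configuration: the values as posted are repeated in comments beside a hardened replacement. The paths and the 192.168.111.1 address come from the post; the protocol and cipher choices are mine, and on Apache 2.2.11 with its bundled OpenSSL they leave only TLS 1.0 enabled, which is the best that build can offer.

```apache
# Added example, not the post's own httpd-ssl.conf. Only the TLS and
# client-certificate directives are shown; Listen, AddType, logging and
# the BrowserMatch lines stay as in the post.

# --- As posted (weak) ---
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
#     leaves export-grade, LOW, NULL-encryption and SSLv2 suites enabled
# SSLProtocol (not set)
#     default "all", so SSLv2 and SSLv3 are offered to clients
# SSLCertificateChainFile ".../bin/root.key"
#     a private key where a CA certificate file is expected
# SSLVerifyDepth 10
#     accepts chains far longer than the one-level CA actually built here

# --- Hardened ---
<VirtualHost _default_:443>
    ServerName 192.168.111.1:443
    DocumentRoot "D:/wamp/www"
    SSLEngine on

    # No SSLv2/SSLv3; on this Apache/OpenSSL build that leaves TLS 1.0 only.
    SSLProtocol all -SSLv2 -SSLv3
    # Drop anonymous, NULL, export, LOW, MD5 and RC4 suites; server picks.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
    SSLHonorCipherOrder on

    SSLCertificateFile    "D:/wamp/bin/apache/Apache2.2.11/bin/server.crt"
    SSLCertificateKeyFile "D:/wamp/bin/apache/Apache2.2.11/bin/server.key"
    # server.crt is signed directly by the root, so no chain file is needed.
    # If an intermediate CA is ever introduced, list its certificate here:
    # SSLCertificateChainFile "D:/wamp/bin/apache/Apache2.2.11/bin/intermediate.crt"

    # Trust anchor for client certificates: only the CA that issues them.
    # Every certificate chaining to a CA listed here is accepted as a client.
    SSLCACertificateFile  "D:/wamp/bin/apache/Apache2.2.11/bin/root.crt"
    SSLVerifyClient require
    # Root signs client certificates directly: leaf + one CA = depth 1.
    SSLVerifyDepth 1
    # For server-only authentication use instead:
    # SSLVerifyClient none

    # Exposes SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY etc. to PHP/CGI so the
    # application can see who presented the certificate.
    SSLOptions +StdEnvVars
</VirtualHost>
```

The intermediate.crt name in the commented-out chain directive is a placeholder, not a file the post creates. Whichever variant is used, run httpd -t (or the WAMP "Test configuration" entry) before restarting, since a typo in any of these directives stops Apache from starting rather than silently disabling TLS.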
9. openssl.cnf contents (comments removed; only the entries that may have been modified are shown, all in the [ CA_default ] section):
[ CA_default ]
dir             = ./ca                   # Where everything is kept
certs           = $dir/certs             # Where the issued certs are kept
crl_dir         = $dir/crl               # Where the issued crl are kept
database        = $dir/index.txt         # database index file.
#unique_subject = no                     # Set to 'no' to allow creation of
                                         # several certificates with same subject.
new_certs_dir   = $dir/newcerts          # default place for new certs.
certificate     = $dir/cacert.pem        # The CA certificate
serial          = $dir/serial            # The current serial number
crlnumber       = $dir/crlnumber         # the current crl number
                                         # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem           # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand     # private random number file
These settings need a few directories under bin/ (dir = ./ca is resolved relative to the directory openssl is run from): bin/ca/, bin/ca/newcerts/ and bin/ca/private/. I don't know whether all of them get used, but having these is enough.
Two files also have to be created:
a. bin/ca/index.txt: an empty, 0-byte file (the certificate database; openssl ca refuses to run without it).
b. bin/ca/serial (note: no extension): two hex characters (0-9, A-F), e.g. 01; any value will do, it is only the first serial number to issue.
The certificate and private_key entries above point at cacert.pem and cakey.pem, which the commands below never create; that works only because the -cert and -keyfile options on the openssl ca command line override them.
10. Now the commands.
Open a command prompt and change into D:\wamp\bin\apache\Apache2.2.11\bin; that is where I ran everything.
set OPENSSL_CONF=../conf/openssl.cnf
This tells openssl which configuration file to use (the same as passing -config to every command).
openssl genrsa >root.key
Generates the root (CA) private key without a passphrase. (openssl genrsa -des3 -out root.key 1024 is the passphrase-protected form.) None of the keys below are passphrase-protected. With no length given, OpenSSL releases older than 1.1.0, including the one bundled with this Apache, produce a 512-bit key; give the length explicitly, e.g. openssl genrsa 2048 >root.key.
openssl genrsa >server.key   generates the server key
openssl genrsa >client.key   generates the client key
openssl req -x509 -new -key root.key >root.crt
Generates the self-signed root certificate (.crt here is PEM format). Without -days, openssl req -x509 issues it for only 30 days; add something like -days 3650 for a lab CA, or the whole chain stops validating a month later.
openssl req -new -key server.key -out server.csr   generates the server certificate signing request (CSR)
openssl req -new -key client.key -out client.csr   generates the client CSR
When these commands prompt for subject fields, the Common Name ("Common Name (eg, YOUR name)") must be the host name or IP address clients will connect to; I entered 192.168.111.1 (my machine's IP). Two caveats: the stock openssl.cnf sets policy = policy_match, so Country, State and Organization in each request must be identical to the root certificate's or openssl ca rejects it with a policy error; and current browsers (Chrome since version 58, for example) ignore the Common Name for host matching and require a subjectAltName, so a certificate made exactly this way passes in 2012-era browsers but not in today's.
Sign the server and client requests with the root certificate:
openssl ca -in server.csr -cert root.crt -keyfile root.key -out server.crt
openssl ca -in client.csr -cert root.crt -keyfile root.key -out client.crt
Convert the client certificate to PFX (PKCS#12) format:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Copy root.crt and client.pfx to the client machine (any PC will do).
Double-click each to import it: root.crt into Trusted Root Certification Authorities, client.pfx into Personal (Your Certificates).
Restart Apache on the server. Done.
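Steps 9 and 10 above as one script, added here as an example rather than taken from the post: it builds the same CA layout (index.txt, serial, newcerts/, private/) with a minimal openssl.cnf of its own, issues the root, server and client certificates with openssl ca, exports the client PFX and checks the result. It assumes a POSIX shell with openssl on PATH; the same openssl invocations work in cmd.exe once the paths are adjusted. The subjects, the work directory, the export password changeit and the config section names are constructed for the example; the 192.168.111.1 address is the post's. Unlike the bare commands above, it gives every key an explicit 2048-bit length, the root a 10-year lifetime, the server certificate a subjectAltName and each leaf an extendedKeyUsage, so the server certificate cannot be turned around and used as a client certificate.

```shell
#!/bin/sh
# Added example, not the post's own commands: throwaway CA, server and client
# certificates with the same file layout as the post. Assumes a POSIX shell
# and openssl on PATH; subjects, password and directory are made up here.
set -eu

# Create the CA directory layout and config under $1, then the root key/cert.
make_ca() {
  ca_dir="$1"
  mkdir -p "$ca_dir/newcerts" "$ca_dir/private"
  : > "$ca_dir/index.txt"      # empty certificate database
  echo 01 > "$ca_dir/serial"   # first serial number (even number of hex digits)
  cat > "$ca_dir/ca.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $ca_dir
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/root.crt
private_key   = \$dir/private/root.key
default_days  = 365
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName    = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName    = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = IP:192.168.111.1
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Root key (2048 bits, explicit) and a 10-year self-signed root certificate.
  openssl genrsa -out "$ca_dir/private/root.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$ca_dir/private/root.key" -days 3650 \
    -config "$ca_dir/ca.cnf" -extensions v3_ca \
    -subj "/O=Example Lab/CN=Example Lab Root CA" -out "$ca_dir/root.crt"
}

# Key + CSR for $2 with subject $3, signed by the CA in $1 using extension
# section $4 (server_cert or client_cert). -batch answers the y/n prompts.
issue_cert() {
  ca_dir="$1"; name="$2"; subject="$3"; ext="$4"
  openssl genrsa -out "$ca_dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$ca_dir/$name.key" -subj "$subject" \
    -config "$ca_dir/ca.cnf" -out "$ca_dir/$name.csr"
  openssl ca -batch -notext -config "$ca_dir/ca.cnf" -extensions "$ext" \
    -in "$ca_dir/$name.csr" -out "$ca_dir/$name.crt" 2>/dev/null
}

# Bundle $2's key and certificate as PKCS#12 for import into a browser store.
export_pfx() {
  openssl pkcs12 -export -clcerts -in "$1/$2.crt" -inkey "$1/$2.key" \
    -passout "pass:$3" -out "$1/$2.pfx"
}

# Print OK if $2.crt in $1 chains to root.crt, otherwise FAIL.
verify_leaf() {
  if openssl verify -CAfile "$1/root.crt" "$1/$2.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# Print yes if $2.crt carries the clientAuth extended key usage, else no.
is_client_cert() {
  if openssl x509 -in "$1/$2.crt" -noout -text | grep 'TLS Web Client Authentication' >/dev/null
  then echo yes; else echo no; fi
}

# Print how many certificates can be read from $2.pfx with password $3.
pfx_cert_count() {
  openssl pkcs12 -in "$1/$2.pfx" -passin "pass:$3" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Stand-alone demo: `sh make-pki.sh demo` builds everything under ./pki.
if [ "${1:-}" = demo ]; then
  make_ca ./pki
  issue_cert ./pki server "/CN=192.168.111.1" server_cert
  issue_cert ./pki client "/CN=lab-user" client_cert
  export_pfx ./pki client changeit
  echo "server: $(verify_leaf ./pki server), client: $(verify_leaf ./pki client)"
fi
```

The produced files map onto the Apache directives above as SSLCertificateFile (server.crt), SSLCertificateKeyFile (server.key) and SSLCACertificateFile (root.crt); client.pfx and root.crt are what the client machine imports, and private/root.key stays off the web server. The policy_any section accepts any subject as long as a Common Name is present, which is what sidesteps the policy_match mismatch error the stock config produces.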
The above may have gaps; see my previous few posts for the articles I consulted.
If it really won't work, contact me on QQ: 31008088