Making a self-signed SSL certificate and configuring Apache

I. Install OpenSSL

(0.9.7g is a 2005 release that has been out of support for many years; the commands are the same for a current release.)

tar zxvf openssl-0.9.7g.tar.gz
cd openssl-0.9.7g
./config
make
make install

II. Install Apache

tar zxvf httpd-2.2.8.tar.gz
cd httpd-2.2.8
./configure --prefix=/opt/apache2 --enable-ssl=static --with-ssl=/usr/local/ssl
make
make install

(/usr/local/ssl is the default install location of the OpenSSL 0.9.x build above, which is why --with-ssl points there.)

III. Configure the CA server (note: to keep this walkthrough readable, every passphrase is 123456; on a real CA use strong, distinct passphrases)

1. Set up the CA: generate the CA's own key pair and have the CA self-sign its certificate

vi /etc/pki/tls/openssl.cnf

Line 178, in the [ usr_cert ] section, reads basicConstraints=CA:FALSE. Leave it as it is. CA -newca signs the root certificate with the [ v3_ca ] section, which already carries CA:TRUE, so nothing has to change for the self-signed CA certificate to work. [ usr_cert ] governs the certificates this CA issues; switching it to CA:TRUE marks the web server's certificate as a CA as well, and anyone holding server.key could then mint further certificates that chain to this root (the step IV.3 output below shows exactly that: CA:TRUE on the server certificate). While in the file, raise default_bits in the [ req ] section from 1024 to 2048; otherwise the CA key generated in the next step is only 1024 bits.

2. Create the CA certificate

cd /etc/pki/CA/
 /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)    // press Enter
Making CA certificate ...
Generating a 1024 bit RSA private key
..............++++++
............................................++++++
writing new private key to '../../CA/private/./cakey.pem'   // the CA private key
Enter PEM pass phrase:123456    // type the passphrase
Verifying - Enter PEM pass phrase:123456    // type it again

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn    // identity fields of the CA
State or Province Name (full name) [Berkshire]:bj
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:abcd
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:abcd.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456    // CSR attributes that openssl ca ignores; both may be left blank
An optional company name []:123456
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:    // the CA self-signs with its private key
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Aug 26 09:34:27 2013 GMT
Not After : Aug 25 09:34:27 2016 GMT
Subject:
countryName               = cn
stateOrProvinceName       = bj
organizationName          = abcd
organizationalUnitName    = it
commonName                = abcd.com
emailAddress              = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3B:E9:78:DC:EB:CB:4A:41:EB:6B:40:CE:E0:D6:10:63:2D:D5:C5:C8
X509v3 Authority Key Identifier:
keyid:3B:E9:78:DC:EB:CB:4A:41:EB:6B:40:CE:E0:D6:10:63:2D:D5:C5:C8
Certificate is to be certified until Aug 25 09:34:27 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated

3. When this finishes, the CA has the following files:

        /etc/pki/CA/private/cakey.pem      // CA private key: keep it mode 600 and off the web server; anyone holding it can issue certificates your clients trust
        /etc/pki/CA/cacert.pem             // root certificate, the file clients import
        /etc/pki/CA/careq.pem              // the request the CA script generated for its own certificate

IV. Configure the web server
1. Generate the web server's private key

 cd /opt/apache2/conf/
openssl genrsa -des3 -out server.key
Generating RSA private key, 512 bit long modulus
...............++++++++++++
...............++++++++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:123456  // type the passphrase
Verifying - Enter pass phrase for server.key:123456  // type it again
(This creates server.key, the web server's private key, in the current directory. No key length was given, so this OpenSSL fell back to 512 bits, as the output shows; 512-bit RSA moduli have been factored publicly since 1999, so append 2048 to the command on anything other than a throwaway test.)

2. Generate the server certificate request

 openssl req -new -key server.key > server.csr
Enter pass phrase for server.key:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn       // C, ST and O must equal the CA's: the default policy_match in openssl.cnf requires it
State or Province Name (full name) [Berkshire]:bj
Locality Name (eg, city) [Newbury]:bj       // L is not checked by the policy
Organization Name (eg, company) [My Company Ltd]:abcd
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:abcd.com    // must be the hostname clients will type into the browser
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456

server.csr is created in the current directory.

3. The CA signs the certificate request

 cd /etc/pki/CA/
 openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /opt/apache2/conf/server.csr -out /opt/apache2/conf/server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 27 07:20:17 2013 GMT
            Not After : Aug 27 07:20:17 2014 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = bj
            organizationName          = abcd
            organizationalUnitName    = it
            commonName                = abcd.com
            emailAddress              = root@root.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE    // a server certificate should read CA:FALSE; CA:TRUE here is the result of editing [ usr_cert ] in openssl.cnf (see III.1)
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                BE:FE:86:46:AA:5E:CC:54:39:5E:62:C4:99:BC:0E:34:A6:E6:01:B2
            X509v3 Authority Key Identifier: 
                keyid:96:B6:29:B1:79:0B:18:60:08:B6:08:D3:15:38:87:69:63:BA:81:CA

Certificate is to be certified until Aug 27 07:20:17 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
server.crt is now in /opt/apache2/conf.

If openssl ca fails with "TXT_DB error number 2", the CA database already contains a valid certificate with the same subject (unique_subject = yes is the default). Use a different Common Name, or allow duplicate subjects by editing index.txt.attr in the CA directory (demoCA in a default build, /etc/pki/CA here):

unique_subject = yes
change to
unique_subject = no

Deleting index.txt and recreating it also clears the error, but it discards the CA's record of every certificate it has issued (and with it the ability to revoke them), so do this only on a throwaway test CA:
rm index.txt
touch index.txt
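Steps III and IV above, done non-interactively as an added example (this script is not from the original page). It assumes only that the openssl command is on the PATH; the directory layout, the "Demo Root CA" name and the hostname are made up for the example. It keeps CA:TRUE on the root only, gives the server certificate CA:FALSE plus a subjectAltName (browsers match the URL host against the SAN, not the Common Name), and its issuing function shows the condition behind the TXT_DB error 2 note: with unique_subject = yes a second request for the same subject is refused.

```shell
#!/bin/sh
# Added example, not from the original page: a private CA and an issued server
# certificate built non-interactively with the openssl CLI. Every path lives under
# the scratch directory given as the first argument; all names are made up.
set -eu

# Lays out the CA directory the way openssl ca expects (index.txt is the TXT_DB
# the page's error message refers to) and writes a minimal openssl.cnf whose
# v3_ca section is used for the root certificate only.
build_ca() {
    root="$1"
    mkdir -p "$root/ca/private" "$root/ca/newcerts"
    chmod 700 "$root/ca/private"
    : > "$root/ca/index.txt"
    echo 01 > "$root/ca/serial"
    cat > "$root/ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir            = $root/ca
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_match
unique_subject = yes
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
    openssl genrsa -out "$root/ca/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$root/ca/private/cakey.pem"
    openssl req -new -x509 -days 1095 -config "$root/ca/openssl.cnf" -extensions v3_ca \
        -key "$root/ca/private/cakey.pem" -subj "/C=CN/ST=bj/O=abcd/OU=it/CN=Demo Root CA" \
        -out "$root/ca/cacert.pem"
}

# Server key + CSR, then the CA signs it. C/ST/O must match the CA because of
# policy_match; the leaf gets CA:FALSE and a SAN for the hostname clients will type.
issue_server_cert() {
    root="$1"; host="$2"; out="$3"
    mkdir -p "$out"
    openssl genrsa -out "$out/server.key" 2048 2>/dev/null
    chmod 600 "$out/server.key"
    openssl req -new -config "$root/ca/openssl.cnf" -key "$out/server.key" \
        -subj "/C=CN/ST=bj/O=abcd/OU=it/CN=$host" -out "$out/server.csr"
    printf '%s\n' "basicConstraints = CA:FALSE" \
        "keyUsage = digitalSignature, keyEncipherment" \
        "extendedKeyUsage = serverAuth" \
        "subjectAltName = DNS:$host" \
        "subjectKeyIdentifier = hash" \
        "authorityKeyIdentifier = keyid" > "$out/leaf.ext"
    # Last command on purpose: its exit status is the function's. With
    # unique_subject = yes a second request for the same DN is refused (TXT_DB error 2).
    openssl ca -batch -notext -config "$root/ca/openssl.cnf" -extfile "$out/leaf.ext" \
        -in "$out/server.csr" -out "$out/server.crt" 2>/dev/null
}

# Succeeds only if the leaf chains to the CA, is not itself a CA, and names $host.
check_issued() {
    ca="$1"; crt="$2"; host="$3"
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$crt" -noout -text)
    case "$text" in *"CA:TRUE"*) return 1;; esac
    case "$text" in *"DNS:$host"*) return 0;; *) return 1;; esac
}

# Stand-alone use: sh pki.sh /tmp/pki www.abcd.com
if [ $# -ge 2 ]; then
    build_ca "$1"
    issue_server_cert "$1" "$2" "$1/server"
    check_issued "$1/ca/cacert.pem" "$1/server/server.crt" "$2" && echo "chain OK"
fi
```

After sh pki.sh /tmp/pki www.abcd.com, /tmp/pki/server/server.crt and server.key are what SSLCertificateFile and SSLCertificateKeyFile point at, and /tmp/pki/ca/cacert.pem is the file clients import. Because the leaf's extensions come from a per-request -extfile, the system openssl.cnf is never edited, which is what keeps CA:TRUE off the server certificate.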

4. Edit the configuration files

cp /etc/pki/CA/cacert.pem /opt/apache2/conf/
vim /opt/apache2/conf/httpd.conf
ServerName localhost:80
Include conf/extra/httpd-ssl.conf    # uncomment this line

vim /opt/apache2/conf/extra/httpd-ssl.conf

Listen 443                        # any other port works too
SSLPassPhraseDialog builtin       # the key passphrase must be typed every time Apache starts
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>

ServerName localhost:443
SSLEngine on
SSLCertificateFile /opt/apache2/conf/server.crt          # server certificate from step 3
SSLCertificateKeyFile /opt/apache2/conf/server.key       # server private key from step 1
SSLCACertificateFile /opt/apache2/conf/cacert.pem        # the CA certificate copied above

</VirtualHost>

The paths must point at the files actually created above (server.crt and server.key in /opt/apache2/conf, plus the copied cacert.pem). ServerName should be the hostname in the certificate's Common Name (abcd.com here) rather than localhost. SSLCACertificateFile is the set of CAs httpd trusts when verifying client certificates and has no effect unless SSLVerifyClient is enabled; intermediate certificates to send to browsers belong in SSLCertificateChainFile, and with a server certificate issued directly by the root neither directive is required.

To avoid typing the key passphrase at every restart, re-export the key without it:

openssl rsa -in server.key -out server2.key
mv server.key server.key.originalkey
mv server2.key server.key

The unencrypted key is now protected by file permissions alone: make it owned by root with mode 600 (httpd reads it as root during startup) and move server.key.originalkey out of the configuration directory.

V. Import the certificate in the client browser

Using IE as an example: copy the CA certificate /etc/pki/CA/cacert.pem to the client (rename it to cacert.crt if the import dialog filters by extension), then open the browser -> [Tools] -> [Internet Options] -> [Content] -> [Certificates] -> [Trusted Root Certification Authorities] -> [Import]. Import the CA certificate rather than server.crt: the root is what the browser needs to validate server.crt and any other certificate this CA issues later.

VI. Verify

Open a browser at https://<hostname>, using the hostname in the certificate's Common Name (abcd.com here) rather than the IP address; the browser compares the URL host with the certificate and warns on a mismatch. If the same page loads as over http with no certificate warning, the SSL certificate is in effect.

VII. Force redirection to HTTPS

a) Check whether Apache was built with the rewrite module

ls /opt/apache2/modules

Check that mod_rewrite.so exists there and that httpd.conf contains a LoadModule ... mod_rewrite.so line.

If either is missing, add the mod_rewrite module:
1. find / -name mod_rewrite.c
// locate mod_rewrite.c in the Apache source tree (modules/mappers/mod_rewrite.c)
2. cd into the directory found
3. /opt/apache2/bin/apxs -c mod_rewrite.c
4. /opt/apache2/bin/apxs -i -a -n mod_rewrite mod_rewrite.la
5. vim /opt/apache2/conf/httpd.conf
Make sure the LoadModule ... mod_rewrite.so line reads
LoadModule rewrite_module modules/mod_rewrite.so
Save and exit.

b) Edit httpd.conf
In the <Directory> block for the document root, add or change the following:

    #   Options FileInfo AuthConfig Limit
        AllowOverride All
        Order allow,deny
        Allow from all
        RewriteEngine on
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule ^(.*)?$ https://cccb.com:443/$1 [L,R]
Save and exit.

Replace cccb.com with the hostname in your certificate (abcd.com in this walkthrough); redirecting to a name the certificate does not cover only moves the warning to the HTTPS side. [L,R] sends a temporary 302; use [L,R=301] once the HTTPS site is final so browsers and caches remember it.

c) Verify
Enter the http URL in the browser; if it is redirected to the https URL, the configuration works.

Note:
    The difference between one-way and two-way authentication is explained in detail at http://blog.csdn.net/chenboblog/article/details/53835856 (thanks to chenboblog for the post).

VIII. Supplement

The configuration above is still one-way (server) authentication, not two-way: only the server presents a certificate, and the client imports cacert.pem merely so that its browser trusts the private CA. Two-way (mutual) authentication additionally requires issuing certificates to clients and setting SSLVerifyClient require in the virtual host. If a private CA is more than you need, configure a self-signed certificate on the server alone; the client then imports nothing and instead clicks through the browser's untrusted-issuer warning on every new machine.

Steps for a self-signed server certificate:

Go to the Apache configuration directory so that all files are created there: cd /opt/apache2/conf/
    1)  Generate the key: openssl genrsa 1024 > server.key
            This writes a 1024-bit RSA key to server.key (1024 is the modulus length in bits, not 128; use 2048 today).
    2)  Generate the certificate request: openssl req -new -key server.key > server.csr
            This uses the key from step 1 to create the request file server.csr.
    3)  Generate the certificate: openssl req -x509 -days 365 -key server.key -in server.csr > server.crt
        This self-signs the request from step 2 with the key from step 1 and writes server.crt; -days sets the validity period in days.

Then point the configuration at these files (the file names are the same as in the CA-issued setup above, so restarting httpd is enough).
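The one-way setup in this section and the passphrase removal from step IV.4, as an added example that is not part of the original page. It assumes only the openssl command; the passphrase 123456, the names and the output directory are constructed for the example. Beyond the page's three commands it adds a subjectAltName (browsers match the URL host against the SAN, not the Common Name) and a pre-deployment check that the key is unencrypted and mode 600, matches the certificate, names the host and is not marked as a CA.

```shell
#!/bin/sh
# Added example, not from the original page: the one-way (server-only) setup from
# section VIII done non-interactively, plus the passphrase removal from step IV.4 and
# the checks worth running before pointing httpd at the files. Only the openssl CLI
# is needed; the passphrase and names are constructed for the example.
set -eu

# $1 = output directory, $2 = hostname clients will type into the browser.
make_selfsigned() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Encrypted key first, as the page does ...
    openssl genrsa -aes256 -passout pass:123456 -out "$dir/server.key.enc" 2048 2>/dev/null
    # ... then strip the passphrase so httpd starts unattended, and lock the file down.
    openssl rsa -in "$dir/server.key.enc" -passin pass:123456 -out "$dir/server.key" 2>/dev/null
    chmod 600 "$dir/server.key"
    # Minimal config: an empty DN section (the subject comes from -subj) and the
    # extensions a browser expects on a server certificate.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ leaf ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl req -new -config "$dir/req.cnf" -key "$dir/server.key" \
        -subj "/C=CN/ST=bj/O=abcd/CN=$host" -out "$dir/server.csr"
    # Self-sign the CSR. openssl req -x509 (as on the page) works too, but x509 -req
    # takes -extfile, which is how the SAN gets in without touching openssl.cnf.
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/req.cnf" -extensions leaf -out "$dir/server.crt" 2>/dev/null
}

# Pre-deployment checks: key unencrypted and mode 600, key matches certificate,
# certificate names the host, is not a CA, and verifies against itself.
check_deploy() {
    dir="$1"; host="$2"
    if grep -q ENCRYPTED "$dir/server.key"; then return 1; fi
    mode=$(stat -c %a "$dir/server.key" 2>/dev/null || stat -f %Lp "$dir/server.key")
    [ "$mode" = "600" ] || return 1
    [ "$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" ] || return 1
    text=$(openssl x509 -in "$dir/server.crt" -noout -text)
    case "$text" in *"DNS:$host"*) ;; *) return 1;; esac
    case "$text" in *"CA:TRUE"*) return 1;; esac
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1
}

# Stand-alone use: sh selfsigned.sh /opt/apache2/conf abcd.com
if [ $# -ge 2 ]; then
    make_selfsigned "$1" "$2"
    check_deploy "$1" "$2" && echo "server.key/server.crt ready for httpd"
fi
```

The public-key comparison is the check to run whenever httpd refuses to start with a key/certificate mismatch error: both commands print the same SPKI PEM only if the key really belongs to the certificate.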
