I. Install OpenSSL
tar zxvf openssl-0.9.7g.tar.gz
cd openssl-0.9.7g
./config
make
make install
II. Install Apache
tar zxvf httpd-2.2.8.tar.gz
cd httpd-2.2.8
./configure --prefix=/opt/apache2 --enable-ssl=static --with-ssl=/usr/local/ssl
make
make install
III. Configure the CA server (Note: so that the passwords do not get mixed up, every password used below is 123456)
1. Configure the CA server: generate the CA's own public and private keys, and have the CA self-sign its own certificate
vi /etc/pki/tls/openssl.cnf
line 178
comment out basicConstraints=CA:FALSE
basicConstraints=CA:TRUE // so the self-signed certificate can be used
2. Create the CA certificate
cd /etc/pki/CA/
/etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) // press Enter
Making CA certificate ...
Generating a 1024 bit RSA private key
..............++++++
............................................++++++
writing new private key to '../../CA/private/./cakey.pem' // the private key
Enter PEM pass phrase:123456 // enter the password
Verifying - Enter PEM pass phrase:123456 // enter the password
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn // identity information
State or Province Name (full name) [Berkshire]:bj
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:abcd
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:abcd.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem: // self-sign with the private key
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Aug 26 09:34:27 2013 GMT
Not After : Aug 25 09:34:27 2016 GMT
Subject:
countryName = cn
stateOrProvinceName = bj
organizationName = abcd
organizationalUnitName = it
commonName = abcd.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3B:E9:78:DC:EB:CB:4A:41:EB:6B:40:CE:E0:D6:10:63:2D:D5:C5:C8
X509v3 Authority Key Identifier:
keyid:3B:E9:78:DC:EB:CB:4A:41:EB:6B:40:CE:E0:D6:10:63:2D:D5:C5:C8
Certificate is to be certified until Aug 25 09:34:27 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
3. Done. The following certificate files are now available:
/etc/CA/private/cakey.pem // private key
/etc/CA/cacert.pem // root certificate
/etc/CA/careq.pem // certificate request
IV. Configure the web server
1. The web server generates its own private key
cd /opt/apache2/conf/
openssl genrsa -des3 -out server.key
Generating RSA private key, 512 bit long modulus
...............++++++++++++
...............++++++++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:123456 // enter the password
Verifying - Enter pass phrase for server.key:123456 // enter the password
(After this command runs, server.key is created in the current directory; it is the web server's private key.)
2. Generate the server certificate request file
openssl req -new -key server.key > server.csr
Enter pass phrase for server.key:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:bj
Locality Name (eg, city) [Newbury]:bj // this information must match the CA's
Organization Name (eg, company) [My Company Ltd]:abcd
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:abcd.com
Email Address []:[email protected]
-----
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
When it completes, a file named server.csr is created in the current directory.
3. The CA server digitally signs the certificate request
cd /etc/pki/CA/
openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /opt/apache2/conf/server.csr -out /opt/apache2/conf/server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 27 07:20:17 2013 GMT
Not After : Aug 27 07:20:17 2014 GMT
Subject:
countryName = cn
stateOrProvinceName = bj
organizationName = abcd
organizationalUnitName = it
commonName = abcd.com
emailAddress = root@root.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BE:FE:86:46:AA:5E:CC:54:39:5E:62:C4:99:BC:0E:34:A6:E6:01:B2
X509v3 Authority Key Identifier:
keyid:96:B6:29:B1:79:0B:18:60:08:B6:08:D3:15:38:87:69:63:BA:81:CA
Certificate is to be certified until Aug 27 07:20:17 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
When done, server.crt is generated in the /opt/apache2/conf directory.
If openssl reports "TXT_DB error number 2" while the CA signs the request, fix it as follows:
edit index.txt.attr under demoCA and change
unique_subject = yes
to
unique_subject = no
then delete index.txt under demoCA and touch it again:
rm index.txt
touch index.txt
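The CA and signing steps above, scripted end to end as an added example (not code from the original article): it keeps CA:TRUE on the root only, issues the server certificate with CA:FALSE, uses 2048-bit keys, never edits the global openssl.cnf (so the TXT_DB workaround, which wipes the CA's index.txt database of issued certificates, is not needed), and ends with the checks to run before installing server.crt. It assumes the openssl CLI is installed; the work directory argument and the function names are mine.

```shell
#!/bin/sh
# Added example: non-interactive CA + server certificate, with CA:TRUE only on the
# root, CA:FALSE on the server cert, and 2048-bit keys. Usage: sh pki.sh /path/to/workdir
set -e

make_pki() {
    dir="$1"; mkdir -p "$dir"
    # Private config, so /etc/pki/tls/openssl.cnf is never modified
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = cn
O = abcd
CN = abcd.com
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:abcd.com
EOF
    # Root CA: self-signed for 3 years; its CN differs from the server's on purpose
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 1095 -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=cn/O=abcd/CN=abcd Root CA" -key "$dir/cakey.pem" -out "$dir/cacert.pem"
    # Server key + CSR, then the CA signs the CSR for 1 year with the leaf extensions
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/server.key" -out "$dir/server.csr"
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -CAcreateserial -extfile "$dir/openssl.cnf" -extensions v3_server -out "$dir/server.crt" 2>/dev/null
}

# Checks before installing server.crt: it chains to cacert.pem, it is not itself a CA
# (a cert issued after the article's global CA:TRUE edit fails this), key >= 2048 bits.
check_server_cert() {
    dir="$1"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server.crt" >/dev/null || return 1
    text=$(openssl x509 -in "$dir/server.crt" -noout -text)
    echo "$text" | grep -q 'CA:FALSE' || return 1
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || return 1
    echo "server.crt OK: chains to cacert.pem, CA:FALSE, ${bits}-bit key"
}

if [ -n "$1" ]; then make_pki "$1" && check_server_cert "$1"; fi
```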
4. Edit the configuration files
cp /etc/pki/CA/cacert.pem /opt/apache2/conf/
vim /opt/apache2/conf/httpd.conf
ServerName localhost:80
Include conf/extra/httpd-ssl.conf // uncomment this line
vim /opt/apache2/conf/extra/httpd-ssl.conf
Listen 443 // can be changed to another port
SSLPassPhraseDialog builtin // the key password must be entered every time Apache restarts
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<VirtualHost _default_:443>
ServerName localhost:443
SSLEngine on
SSLCertificateFile /opt/apache2/conf/server.crt // certificate file (generated in step 3 above)
SSLCertificateKeyFile /opt/apache2/conf/server.key // private key file (generated in step 1 above)
SSLCACertificateFile /opt/apache2/conf/cacert.pem // CA certificate copied above; Apache uses it to verify client certificates
</VirtualHost>
To avoid having to enter the key password every time Apache restarts, re-export the key without its passphrase as follows:
openssl rsa -in server.key -out server2.key
mv server.key server.key.originalkey
mv server2.key server.key
V. Import the certificate in the client browser
Using IE as the example:
Export the certificate from the server to the client, open the browser, then Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities -> Import, and import server.crt.
VI. Verify
Open a browser and enter https://IP; if the same page opens as over http, the SSL certificate is in effect.
VII. Force redirection to https
a) Check whether Apache was built with the rewrite_module module
ls /opt/httpd/modules
Check whether mod_rewrite.so exists,
and whether httpd.conf contains a LoadModule …….mod_rewrite.so line.
If either is missing, add the mod_rewrite module:
1. find / -name mod_rewrite.c
// look for mod_rewrite.c in the directory where the Apache source was unpacked
2. cd into the directory that was found
3. /opt/httpd/bin/apxs -c mod_rewrite.c
4. /opt/httpd/bin/apxs -i -a -n mod_rewrite mod_rewrite.la
5. vim /opt/httpd/conf/httpd.conf
Change LoadModule …….mod_rewrite.so to
LoadModule rewrite_module modules/mod_rewrite.so
Save and exit.
b) Configure httpd.conf
Add or modify the following at the corresponding location:
# Options FileInfo AuthConfig Limit
AllowOverride All
Order allow,deny
Allow from all
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://cccb.com:443/$1 [L,R]
Save and exit
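The two virtual hosts that sections IV and VII configure, written out as an added example (not the article's or Apache's own configuration): the plain-HTTP host only redirects, the TLS host uses the paths where the article actually generated its files, and the last lines show what the server must additionally demand for the two-way (client-certificate) verification that section VIII refers to. It assumes abcd.com is the server name from the certificates above and that mod_ssl, mod_alias and mod_headers are loaded.

```apache
# Added example, not from the original article. Plain HTTP: its only job is to send
# every request to HTTPS (mod_alias Redirect, no mod_rewrite needed for this case).
<VirtualHost *:80>
    ServerName abcd.com
    Redirect permanent / https://abcd.com/
</VirtualHost>

<VirtualHost _default_:443>
    ServerName abcd.com:443
    SSLEngine on
    SSLCertificateFile    /opt/apache2/conf/server.crt
    SSLCertificateKeyFile /opt/apache2/conf/server.key
    # The CA that issued server.crt, sent to clients so they can build the chain
    # (Apache 2.2 directive; the article's copy of cacert.pem lives here)
    SSLCertificateChainFile /opt/apache2/conf/cacert.pem

    # One-way TLS (section VIII) ends above: importing the CA into the browser only
    # makes the browser trust the server. Two-way TLS also requires the server to
    # demand a client certificate and verify it against the CA:
    SSLCACertificateFile /opt/apache2/conf/cacert.pem
    SSLVerifyClient require
    SSLVerifyDepth 1

    # Browsers keep using HTTPS for 6 months after the first visit (mod_headers)
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
```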
c) Verify
Enter the http domain in the browser; if it redirects to the https domain, the configuration succeeded.
Note:
The difference between one-way and two-way authentication is described in detail at http://blog.csdn.net/chenboblog/article/details/53835856 (thanks to chenboblog for that post).
VIII. Supplement
The above is the configuration for two-way SSL verification, where both the server and the client need certificate verification.
One-way verification is much less involved: only the server needs a certificate configured, and the client does not import any.
One-way certificate configuration:
Change into the Apache install directory and generate all certificates there: cd /opt/apache2/conf/
1) Generate the key: openssl genrsa 1024 > server.key
Note: this generates a 1024-bit RSA key and writes it to server.key
2) Generate the certificate request file: openssl req -new -key server.key > server.csr
Note: this uses the key from step 1 to generate the certificate request file server.csr
3) Generate the certificate: openssl req -x509 -days 365 -key server.key -in server.csr > server.crt
Note: this uses the key and certificate request from steps 1 and 2 to generate the certificate server.crt; the -days parameter sets the certificate validity period in days
Then update the certificate paths in the corresponding configuration file (the one-way certificate file names here are identical to the two-way ones, so simply restarting httpd makes them take effect).