因为公司需要最近一直研究apache双向认证的问题,公司只有一台服务器,这台服务器上部署着wiki知识库,owncloud私有云,phpmyadmin,zendaopms。现在想实现owncloud需要证书认证的方式才能访问,其他三个可以通过http访问。想要实现这样的环境需要用到apache双向ssl的配置还有apache虚拟主机的知识。
软件环境
Apache Httpd 2.2.16
openssl-1.0.0e.tar.gz
SSL-Tools(http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz )
1、 安装openssl
#tar zxvf openssl-1.0.0e.tar.gz
#cd openssl-1.0.0e.tar.gz
#./config �Cprefix=/usr/local/openssl
#make
#make install
2、 Httpd的安装
#tar zxvf httpd-2.2.16.tar.gz
#cd httpd-2.2.16
#./configure --prefix=/usr/local/apache2 --with-included-apr --enable-mods-shared=most --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/openssl
#make
#make install
此步骤在/apache/httpd目录中安装httpd服务(通过参数--prefix指定),同时使用--with-ssl指定刚才所安装OpenSSL的路径,用于将mod_ssl静态的编译到httpd服务中。
3.制作证书
我们必须手工来生成SSL用到的证书,对证书不熟悉的人,有一个工具可以使用:http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz 。下面是如何通过这个工具来生成证书的过程:
#cpssl.ca-0.1.tar.gz /usr/local/apache/httpd/conf
#cd/usr/local/apache/conf
#tar zxvfssl.ca-0.1.tar.gz
#cd ssl.ca-0.1
#./new-root-ca.sh (生成根证书)
No Root CA keyround. Generating one
Generating RSAprivate key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537(0x10001)
Enter pass phrasefor ca.key: (输入一个密码)
Verifying - Enterpass phrase for ca.key: (再输入一次密码)
......
Self-sign the rootCA... (签署根证书)
Enter pass phrasefor ca.key: (输入刚刚设置的密码)
........
........ (下面开始签署)
Country Name (2letter code) [MY]:CN
State or ProvinceName (full name) [Perak]:Beijing//随你喜欢
Locality Name (eg,city) [Sitiawan]:Beijing//随你喜欢
Organization Name(eg, company) [My Directory Sdn Bhd]:chosen//随你喜欢
Organizational UnitName (eg, section) [Certification Services Division]:tech//随你喜欢
Common Name (eg, MDRoot CA) []:tech//随你喜欢
Email Address []:[email protected]//随你喜欢
这样就生成了ca.key和ca.crt两个文件,下面还要为我们的服务器生成一个证书:
#./new-server-cert.sh server (这个证书的名字是server)
......
......
Country Name (2letter code) [MY]:CN
State or ProvinceName (full name) [Perak]:Beijing
Locality Name (eg,city) [Sitiawan]: Beijing
Organization Name(eg, company) [My Directory Sdn Bhd]:chosen
Organizational UnitName (eg, section) [Secure Web Server]:tech
Common Name (eg,www.domain.com) []:tech
Email Address []:[email protected]
这样就生成了server.csr和server.key这两个文件。
还需要签署一下才能使用的:
#./sign-server-cert.sh server
CA signing:server.csr -> server.crt:
Using configurationfrom ca.config
Enter pass phrasefor ./ca.key: (输入上面设置的根证书密码)
Check that therequest matches the signature
Signature ok
The Subject'sDistinguished Name is as follows
countryName:PRINTABLE:'CN'
stateOrProvinceName:PRINTABLE:'Beijing'
localityName:PRINTABLE:’Beijing’
organizationName:PRINTABLE:'chosen'
organizationalUnitName:PRINTABLE:'chosen'
commonName:PRINTABLE:'tech'
emailAddress:IA5STRING:' [email protected] '
Certificate is tobe certified until Jan 19 21:59:46 2011 GMT (365 days)
Sign thecertificate? [y/n]:y
1 out of 1certificate requests certified, commit? [y/n]y
Write out databasewith 1 new entries
Data Base Updated
CA verifying:server.crt <-> CA cert
server.crt: OK
4、配置证书相关权限和路径:
# cd /usr/local/apache2/conf/ssl.ca-0.1
# chmod 644 server.key server.crt ca.crt
5、SSL双向认证配置
为客户端生成一个证书:
# /usr/local/apache2/conf/ssl.ca-0.1
# ./new-user-cert.sh client1
-----------------------------------------
No client1.key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........++++++
...++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will beincorporated
into your certificate request.
What you are about to enter is what is called a DistinguishedName or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg, John Doe) []:client1
Email Address []:[email protected]
You may now run ./sign-user-cert.sh to get it signed
-------------------------------------------
签署该证书:
# ./sign-user-cert.sh client1
--------------------------------------
CA signing: client1.csr -> client1.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (输入ca根认证密码)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Aug 8 08:41:512014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: client1.crt <-> CA cert
client1.crt: OK
------------------------------------
将该客户端证书转换成浏览器可识别的.p12格式
# ./p12.sh client1
-------------------------------------
Enter Export Password: (输入ca根认证密码)
Verifying - Enter Export Password: (确认)
The certificate for client1 has been collected into a pkcs12file.
You can download to your browser and import it.
--------------------------------------
# ll client1.p12
--------------------------------------
-rw-r--r-- 1 root root 2601 8月 8 16:44 client1.p12
--------------------------------------
将该p12文件分发给可信任的客户端,实现双向证书加密功能
注:此处将该文件传送到本机作为示例,实际线上可以利用程序实现证书认证下载
配置https实现SSL虚拟主机双向加密
# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf
添加如下内容:
----------------------------
<VirtualHost *:443>
DocumentRoot"/usr/local/apache2/htdocs"
ServerAliashttps://10.10.10.1
SSLEngine on
SSLCertificateFile"/usr/local/ssl.ca/server.crt"
SSLCertificateKeyFile "/usr/local/ssl.ca/server.key"
SSLCACertificateFile "/usr/local/ssl.ca/ca.crt"
SSLVerifyClient require
SSLVerifyDepth 10
</VirtualHost>----------------------------
6、测试结果
1).使用Chrome浏览器输入 https://10.10.10.1/owncloud
未导入客户端证书,提示SSL连接出错
2).SO导入证书:
a.windows下运行该证书文件
b.进入证书导入向导,一路下一步即可完成操作
重新使用Chrome浏览器输入 http://10.10.10.1/owncloud
提示
参考资料:
http://blog.csdn.net/passwordport/article/details/8005292 apache2 ssl 双向认证
http://honghuihun.iteye.com/blog/1137204 linux下apache-ssl配置