SSL centos6.3
查看 OpenSSL 版本
[root@aa-mysql-02 ~]# openssl version
OpenSSL 1.0.0-fips 29 Mar 2010
查看 OpenSSL 配置文件路径（尚未初始化 CA 时 openssl ca 会因找不到 cakey.pem 而报错，但仍会先打印所使用的配置文件路径）
[root@aa-mysql-02 ~]# openssl ca
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
140060094265160:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/private/cakey.pem','r')
140060094265160:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:
unable to load CA private key
显示版本与编译参数
[root@aa-mysql-02 ~]# openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Tue May 29 18:16:48 BST 2012
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: aesni dynamic
创建 RSA 私钥（示例为 1024 位；实际部署应使用至少 2048 位）
[root@aa-mysql-02 ~]# openssl genrsa -out lab.key 1024
Generating RSA private key, 1024 bit long modulus
............................................................++++++
.............................++++++
e is 65537 (0x10001)
查看私钥内容（私钥不可外泄，下面的密钥仅作示例）
[root@aa-mysql-02 ~]# cat lab.key
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC4Xi4m1+EkQ7jU/GoMvTiSJ+cvvB1OWI0hdzpOKusJr+xqzETg
mk79l6TscyLOPkgjIAD1juFnl4YW93ccRm2jMoAfcIXKMi64dQwqkLprKfKbnQZ3
OhPBlgO8xXB3hW6GLL8xeWamAJZquFC3HEBDQP9SA0AO1QB5uBeTD4p2WwIDAQAB
AoGABB5WeZeo995rapaY59/yO5GYoIBbRzzDKlQ3gTeEOJstdNVLVJkd2pxgmseX
p3PMuLwmSVX/wwinfivZBVCtckYZzV5xnLToEYwYLuTGGzYhIPjruahX/gv/xSln
8pUFv45X+R6zJqDCcOrwJn+hSxDYUugCJMfiBbCWHSNO34ECQQDrSsfC8oS8OYaG
CvYe/hmeDWhAnHImsIf2N1sQ1+samX3/QBzEkMAcwNMi0G9iXk0DpSDc87b47vYW
zmUb6vXJAkEAyJgO5E+SqOHhd8uGHO1IaZAGPNEWjM3SzlgRwxcm07FCN17/9HA+
vHper+TAEgzbSVmJOP/2+w297Y+F1YttAwJBAJ3pgkgEG7F3qiEsGiKSxv6cYOt8
E+CDebx1SljzkIY5naZBkQ0bWNPzVcB3w0lxoJ5hpLyllJddSSvlOVaTSoECQQCX
OtSXWkqGmm1CxKUir93VAClDtpsaop4YxRr3C0BRfyUd27h6kBksPdGfKIWJ1jmI
7kDfQVLx6WVUcc0Dtu8DAkBwgNGxPRL1yEoTPS6sY099S1Y0wvdV/Ja87Swf5M9S
TqZ8gglsGEesdhlRTBmRokNPttQyZMvcKT3YK71lUMod
-----END RSA PRIVATE KEY-----
从私钥中导出 RSA 公钥
[root@aa-mysql-02 ~]# openssl rsa -in lab.key -pubout -out lab.pubkey
writing RSA key
[root@aa-mysql-02 ~]# ls
anaconda-ks.cfg install.log install.log.syslog lab.key lab.pubkey
查看公钥
[root@aa-mysql-02 ~]# cat lab.pubkey
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Xi4m1+EkQ7jU/GoMvTiSJ+cv
vB1OWI0hdzpOKusJr+xqzETgmk79l6TscyLOPkgjIAD1juFnl4YW93ccRm2jMoAf
cIXKMi64dQwqkLprKfKbnQZ3OhPBlgO8xXB3hW6GLL8xeWamAJZquFC3HEBDQP9S
A0AO1QB5uBeTD4p2WwIDAQAB
-----END PUBLIC KEY-----
用该私钥生成自签名 X.509 证书（-x509 直接输出证书而不是证书请求 CSR）
[root@aa-mysql-02 ~]# openssl req -new -x509 -key lab.key -out lab.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:lab.com
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:lab
Organizational Unit Name (eg, section) []:lab
Common Name (eg, your name or your server's hostname) []:henry
[root@aa-mysql-02 ~]# ls
anaconda-ks.cfg install.log install.log.syslog lab.crt lab.key lab.pubkey
查看证书
[root@aa-mysql-02 ~]# cat lab.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@aa-mysql-02 ~]#
配置 Apache SSL 虚拟主机（VirtualHost）
[root@aa-mysql-02 ~]#cat webdeploy.conf
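# webdeploy.conf: HTTPS front end (mod_ssl) that reverse-proxies to a local
# service on 127.0.0.1:8080. Directives that had been wrapped mid-line in the
# original listing (SSLSessionCache, ProxyPass, ProxyRequests) are rejoined
# here; a directive split across two lines is a syntax error to httpd.
LoadModule ssl_module modules/mod_ssl.so
Listen 443

# Global mod_ssl settings
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
  # External access-control file; its contents are not shown on this page.
  Include conf.d/columbus.auth

  ErrorLog logs/ssl_error_log
  TransferLog logs/ssl_access_log
  LogLevel warn

  SSLEngine on
  # "all -SSLv2" still accepts SSLv3, which has known weaknesses, so disable
  # it as well. With the OpenSSL 1.0.0 build shown earlier this leaves TLSv1;
  # TLS 1.1/1.2 require OpenSSL 1.0.1 or later.
  SSLProtocol all -SSLv2 -SSLv3
  # The original list ended in "+HIGH:+MEDIUM:+LOW" and preferred RC4, so
  # export-grade, LOW and RC4 suites were negotiable. Restrict to HIGH,
  # exclude anonymous, null, MD5 and RC4 suites, and let the server's
  # preference order win.
  SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
  SSLHonorCipherOrder on

  # certificate (public)
  SSLCertificateFile /etc/httpd/conf.d/wildcard.columbus2050.com.crt
  # private key; this file must be readable only by root/the httpd user
  SSLCertificateKeyFile /etc/httpd/conf.d/wildcard.columbus2050.com.key

  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>
  <Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>

  # Legacy MSIE workaround, as in the stock mod_ssl ssl.conf
  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  # Reverse proxy to the backend. ProxyRequests Off keeps this host from
  # acting as an open forward proxy; only the ProxyPass mapping is served.
  SSLProxyEngine On
  ProxyPass / http://127.0.0.1:8080/ timeout=300 retry=300
  ProxyPassReverse / http://127.0.0.1:8080/
  ProxyRequests Off

  # Hudson uses HTTP auth headers internally to manage users. To combine
  # htaccess authentication with Hudson's own user management, those headers
  # must be reset after the htaccess authorization; otherwise one cannot log
  # into Hudson because it tries to log in with that information.
  RequestHeader unset Authorization
</VirtualHost>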
关于证书:
一, 证书就是数字化的文件
二, 常用的证书是采用X.509结构
三, 包含实体(网站,个人等)的公共密钥和其他属性,如名称等:
1, 最简单的证书:证书拥有者的名字;证书拥有者的公钥
2, X.509 证书：证书拥有者名字；证书拥有者公钥；证书有效期截止时间；证书颁发机构名称；证书序列号；证书颁发机构(CA)的签名信息；其他可选信息
四, 公钥只属于某一个特定的实体，作用是防止一个实体冒充另外一个实体
五, 证书用来保证非对称加密中公钥的可信性（即公钥确实属于它所声称的实体）。
关于CA(certification authority):
1, CA 是一个可信任的第三方机构
2,CA 也是一个实体,它也有自己的公钥和私钥
3,通过检查证书里面的CA名字和CA的签名,以确定证书是哪个CA签发的
4,CA自己有一个庞大的publickey数据库,用来颁发给不同的实体
5, CA 是分级的：最高级别的 CA 叫 Root CA，其他下级 CA 的证书由它来颁发和签名；只要 Root CA 是可信任的，由它签发的整条证书链就可信；没有更高级别的 CA 给 Root CA 签名，它们自己给自己签名（自签名）