SSL 实例 centos6.3

 

SSL centos6.3

 

 

查看openssl 版本

[root@aa-mysql-02 ~]# openssl version

OpenSSL 1.0.0-fips 29 Mar 2010

openssl 配置文件

[root@aa-mysql-02 ~]# openssl ca

Using configuration from /etc/pki/tls/openssl.cnf

Error opening CA private key /etc/pki/CA/private/cakey.pem

140060094265160:error:02001002:system library:fopen:No such file or directory:bss_file.c:355:fopen('/etc/pki/CA/private/cakey.pem','r')

140060094265160:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:357:

unable to load CA private key

 

显示版本与编译参数

[root@aa-mysql-02 ~]# openssl version -a

OpenSSL 1.0.0-fips 29 Mar 2010

built on: Tue May 29 18:16:48 BST 2012

platform: linux-x86_64

options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)

compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM

OPENSSLDIR: "/etc/pki/tls"

engines: aesni dynamic

 

 

创建RSA 密钥

[root@aa-mysql-02 ~]# openssl genrsa -out lab.key 1024

Generating RSA private key, 1024 bit long modulus

............................................................++++++

.............................++++++

e is 65537 (0x10001)

 

查看

[root@aa-mysql-02 ~]# cat lab.key

-----BEGIN RSA PRIVATE KEY-----

MIICXQIBAAKBgQC4Xi4m1+EkQ7jU/GoMvTiSJ+cvvB1OWI0hdzpOKusJr+xqzETg

mk79l6TscyLOPkgjIAD1juFnl4YW93ccRm2jMoAfcIXKMi64dQwqkLprKfKbnQZ3

OhPBlgO8xXB3hW6GLL8xeWamAJZquFC3HEBDQP9SA0AO1QB5uBeTD4p2WwIDAQAB

AoGABB5WeZeo995rapaY59/yO5GYoIBbRzzDKlQ3gTeEOJstdNVLVJkd2pxgmseX

p3PMuLwmSVX/wwinfivZBVCtckYZzV5xnLToEYwYLuTGGzYhIPjruahX/gv/xSln

8pUFv45X+R6zJqDCcOrwJn+hSxDYUugCJMfiBbCWHSNO34ECQQDrSsfC8oS8OYaG

CvYe/hmeDWhAnHImsIf2N1sQ1+samX3/QBzEkMAcwNMi0G9iXk0DpSDc87b47vYW

zmUb6vXJAkEAyJgO5E+SqOHhd8uGHO1IaZAGPNEWjM3SzlgRwxcm07FCN17/9HA+

vHper+TAEgzbSVmJOP/2+w297Y+F1YttAwJBAJ3pgkgEG7F3qiEsGiKSxv6cYOt8

E+CDebx1SljzkIY5naZBkQ0bWNPzVcB3w0lxoJ5hpLyllJddSSvlOVaTSoECQQCX

OtSXWkqGmm1CxKUir93VAClDtpsaop4YxRr3C0BRfyUd27h6kBksPdGfKIWJ1jmI

7kDfQVLx6WVUcc0Dtu8DAkBwgNGxPRL1yEoTPS6sY099S1Y0wvdV/Ja87Swf5M9S

TqZ8gglsGEesdhlRTBmRokNPttQyZMvcKT3YK71lUMod

-----END RSA PRIVATE KEY-----

 

取出RSA 公钥

 

[root@aa-mysql-02 ~]# openssl rsa -in lab.key -pubout -out lab.pubkey

writing RSA key

[root@aa-mysql-02 ~]# ls

anaconda-ks.cfg install.log install.log.syslog lab.key lab.pubkey

 

 

查看公钥

[root@aa-mysql-02 ~]# cat lab.pubkey

-----BEGIN PUBLIC KEY-----

MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC4Xi4m1+EkQ7jU/GoMvTiSJ+cv

vB1OWI0hdzpOKusJr+xqzETgmk79l6TscyLOPkgjIAD1juFnl4YW93ccRm2jMoAf

cIXKMi64dQwqkLprKfKbnQZ3OhPBlgO8xXB3hW6GLL8xeWamAJZquFC3HEBDQP9S

A0AO1QB5uBeTD4p2WwIDAQAB

-----END PUBLIC KEY-----

 

RSA签名证书

[root@aa-mysql-02 ~]# openssl req -new -x509 -key lab.key -out lab.crt

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:lab.com

Locality Name (eg, city) [Default City]:Shanghai

Organization Name (eg, company) [Default Company Ltd]:lab

Organizational Unit Name (eg, section) []:lab

Common Name (eg, your name or your server's hostname) []:henry

Email Address []:[email protected]

[root@aa-mysql-02 ~]# ls

anaconda-ks.cfg install.log install.log.syslog lab.crt lab.key lab.pubkey

 

查看证书

[root@aa-mysql-02 ~]# cat lab.crt

-----BEGIN CERTIFICATE-----

MIICzDCCAjWgAwIBAgIJAPcvNMGFZHdzMA0GCSqGSIb3DQEBBQUAMH8xCzAJBgNV

BAYTAkNOMRAwDgYDVQQIDAdsYWIuY29tMREwDwYDVQQHDAhTaGFuZ2hhaTEMMAoG

A1UECgwDbGFiMQwwCgYDVQQLDANsYWIxDjAMBgNVBAMMBWhlbnJ5MR8wHQYJKoZI

hvcNAQkBFhAxMjA4MDc3MTJAcXEuY29tMB4XDTEzMDQwODE0MTk0M1oXDTEzMDUw

ODE0MTk0M1owfzELMAkGA1UEBhMCQ04xEDAOBgNVBAgMB2xhYi5jb20xETAPBgNV

BAcMCFNoYW5naGFpMQwwCgYDVQQKDANsYWIxDDAKBgNVBAsMA2xhYjEOMAwGA1UE

AwwFaGVucnkxHzAdBgkqhkiG9w0BCQEWEDEyMDgwNzcxMkBxcS5jb20wgZ8wDQYJ

KoZIhvcNAQEBBQADgY0AMIGJAoGBALheLibX4SRDuNT8agy9OJIn5y+8HU5YjSF3

Ok4q6wmv7GrMROCaTv2XpOxzIs4+SCMgAPWO4WeXhhb3dxxGbaMygB9whcoyLrh1

DCqQumsp8pudBnc6E8GWA7zFcHeFboYsvzF5ZqYAlmq4ULccQENA/1IDQA7VAHm4

F5MPinZbAgMBAAGjUDBOMB0GA1UdDgQWBBRsQ9TnTeftdt3hZOSFkRzhjbiykDAf

BgNVHSMEGDAWgBRsQ9TnTeftdt3hZOSFkRzhjbiykDAMBgNVHRMEBTADAQH/MA0G

CSqGSIb3DQEBBQUAA4GBAGyYIAiHZswBkQApS9j+WhVt0TvC8m4hitVHcAaX0+7L

5G97kiLoWobORmTOfMus/QNeGIYKpahsGEFMi7rr9kUHkbcqQIpXJ2Id1t6rfspS

7DarmqZt3enNP+tU+wYo/R/ODWJGHDvqJtrMczv4WD+b375z8IQDbtIu5ftbGvbn

-----END CERTIFICATE-----

[root@aa-mysql-02 ~]#

配置apache虚拟目录

[root@aa-mysql-02 ~]#cat webdeploy.conf

LoadModule ssl_module modules/mod_ssl.so

 

Listen 443

 

SSLPassPhraseDialog builtin                                                                                                                                                                                                                    

SSLSessionCache          shmcb:/var/cache/mod_ssl/scache(512000)

SSLSessionCacheTimeout 300                                                                                                                                                                                                                      

SSLMutex default

SSLRandomSeed startup file:/dev/urandom 256

SSLRandomSeed connect builtin

SSLCryptoDevice builtin

 

<VirtualHost _default_:443>

Include conf.d/columbus.auth

 

ErrorLog logs/ssl_error_log

TransferLog logs/ssl_access_log

LogLevel warn

 

SSLEngine on

SSLProtocol all -SSLv2

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

#certificate

SSLCertificateFile /etc/httpd/conf.d/wildcard.columbus2050.com.crt

 

#key

SSLCertificateKeyFile /etc/httpd/conf.d/wildcard.columbus2050.com.key

 

<Files ~ "\.(cgi|shtml|phtml|php3?)$">

    SSLOptions +StdEnvVars

</Files>

<Directory "/var/www/cgi-bin">

    SSLOptions +StdEnvVars

</Directory>

 

SetEnvIf User-Agent ".*MSIE.*" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

 

CustomLog logs/ssl_request_log \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 

SSLProxyEngine On

ProxyPass          / http://127.0.0.1:8080/ timeout=300 retry=300

ProxyPassReverse / http://127.0.0.1:8080/

ProxyRequests     Off

 

# Hudson uses http-auth headers internally to manage users. In order to allow httaccess + hudson user management one has to reset those headers after the

# htaccess authorizatoin. Otherwise one is unable to log into hudson since it tries to log in with those information.

 

RequestHeader unset Authorization

</VirtualHost>

 

 

关于证书：

一， 证书就是数字化的文件

二， 常用的证书是采用X.509结构

三， 包含实体（网站，个人等）的公共密钥和其他属性，如名称等：

1， 最简单的证书：证书拥有者的名字；证书拥有者的公钥

2， X.509 证书： 证书拥有者名字；证书拥有者公钥；证书过期的deadline;证书颁发机构名称；证书序列号；证书颁发机构(ca)的签名信息；其他可选信息

 

四，公共密钥只属于某一个特定的实体，作用防止一个实体假装成另外一个实体

五， 证书用来保证不对称加密算法的合理性。

 

 

关于CA（certification authority）:

1, CA 是一个可信任的第三方机构

2，CA 也是一个实体，它也有自己的公钥和私钥

3，通过检查证书里面的CA名字和CA的签名，以确定证书是哪个CA签发的

4，CA自己有一个庞大的publickey数据库，用来颁发给不同的实体

5，CA是分级：最高级别的CA叫rootCAs,其他子集的CA证书由它来颁发和签名；只要RootCAs是可信任的；没有更高级别的CA给RootCAs签名，它们自己签名