[Linux]
post by 后山一根蔥 / 2010-6-12 16:36 Saturday
內(nèi)容:使用openssl自己生成證書
環(huán)境:ubuntu 9.10
來源:后山一根蔥
這兩天在配置一個(gè)SSL環(huán)境,也發(fā)了些時(shí)間���。下面是我自己在配置中的一個(gè)流水過程��,有需要朋友可以參考����,如有不對(duì)的地方還望指出�����。
安裝openssl
sudo apt-get install openssl
按照 OpenSSL 的默認(rèn)配置建立 一個(gè)目錄ssl(eg. mkdir /home/jecks/ssl) ����,需要在ssl下建立相應(yīng)的目錄結(jié)構(gòu)。相關(guān)的配置內(nèi)容一般位于/etc/ssl/openssl.cnf 內(nèi)�。在終端中使用如下命令建立目錄結(jié)構(gòu):
$ mkdir -p ./demoCA/{private,newcerts}
$ touch ./demoCA/index.txt
$ touch ./demoCA/serial
注:在文件serial中寫入01,index.txt為空文件����。
進(jìn)入/hone/jecks/ssl/下面�����,執(zhí)行命令
[root@~/ssl]# pwd
/home/jecks/ssl
[root@~/ssl]# ls
demoCA
1.首先要生成服務(wù)器端的私鑰(key文件):
[root@~/ssl]#openssl genrsa -des3 -out server.key 1024
運(yùn)行時(shí)會(huì)提示輸入密碼,此密碼用于加密key文件(參數(shù)des3便是指加密算法,當(dāng)然也可以選用其他你認(rèn)為安全的算法.),以后每當(dāng)需讀取此文件(通過openssl提供的命令或API)都需輸入口令.如果覺得不方便,也可以去除這個(gè)口令,但一定要采取其他的保護(hù)措施!
去除key文件口令的命令:
[root@~/ssl]#openssl rsa -in server.key -out server.key
2.用server.key生成一個(gè)證書:
[root@~/ssl]#openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:12345
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:china
Locality Name (eg, city) []:Zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....
Organizational Unit Name (eg, section) []:jecks
Common Name (eg, YOUR name) []:www.qiuicai.com
Email Address []:xxx@
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345
An optional company name []:xxx@
生成Certificate Signing Request(CSR),生成的csr文件交給CA簽名后形成服務(wù)端自己的證書.屏幕上將有提示,依照其指示一步一步輸入要求的個(gè)人信息即可.
3.對(duì)客戶端也作同樣的命令生成key及csr文件(在這兩步寫在一起):
A: [root@~/ssl]#openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
...........++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:12345
Verifying - Enter pass phrase for client.key:12345
B: [root@~/ssl]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:12345
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:china
Locality Name (eg, city) []:Zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....
Organizational Unit Name (eg, section) []:jecks
Common Name (eg, YOUR name) []:www.qiuicai.com
Email Address []:xxx@
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345
An optional company name []:xxx@
4.生成的CSR證書文件必須有CA的簽名才可形成證書.這時(shí)生成一個(gè)KEY文件ca.key 和根證書ca.crt
[root@~/ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
...++++++
...................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:12345
Verifying - Enter PEM pass phrase:
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:china
Locality Name (eg, city) []:Zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....
Organizational Unit Name (eg, section) []:jecks
Common Name (eg, YOUR name) []:www.qiuicai.com
Email Address []:xxx@
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345
An optional company name []:xxx@
5.用生成的CA的證書為剛才生成的server.csr,client.csr文件簽名(這也是兩寫在一起):
A: [root@~/ssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 26 04:15:02 2010 GMT
Not After : Feb 26 04:15:02 2011 GMT
Subject:
countryName = CN
stateOrProvinceName = china
organizationName = xxx.Ltd.C
organizationalUnitName = jecks
commonName = www.
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
30:70:D2:EB:9B:73:AE:7B:0E:8E:F6:94:33:7C:53:5B:EF:93:FC:38
X509v3 Authority Key Identifier:
keyid:DB:D6:83:BB:7F:28:C2:A9:40:6A:D8:32:FC:01:E0:5C:48:27:51:19
Certificate is to be certified until Feb 26 04:15:02 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
B: [root@~/ssl]#openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
[root@airwaySSL bin]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (CN) and the request (cn)
..................
另外����,這個(gè)certificate是BASE64形式的,要轉(zhuǎn)成PKCS12才能裝到IE,/NETSCAPE上.所以還要:
[root@~/ssl]# openssl pkcs12 -export -in client.pem -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password: # 設(shè)置client.pfx密碼
Verifying - Enter Export Password:
現(xiàn)在我們所需的全部文件便生成了.
另:
client使用的文件有:ca.crt,client.crt,client.key,client.pfx
server使用的文件有:ca.crt,server.crt,server.key
6.最后
編輯/etc/apache2/sites-enabled/000-default
NameVirtualHost *:443
<VirtualHost *:443>
ServerSignature
OnSSLEngine On
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt #指定服務(wù)器證書位置
SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key #指定服務(wù)器證書key位置
SSLCACertificatePath /usr/local/apache/conf/ssl.crt #證書目錄
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.csr #根證書位置
#開啟客戶端SSL請(qǐng)求
SSLVerifyClient require
SSLVerifyDepth 1
ServerAdmin webmaster@localhost
ServerName www.
DocumentRoot /var/www/test
ErrorDocument 404 http://www./err.php
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/test/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHOst>
證書安裝及使用
把剛才生成的證書:根證書ca.crt和客戶證書client.crt(client.pfx)安裝到客戶端�����, ca.crt安裝到信任的機(jī)構(gòu)����,client.crt直接在windows安裝或安裝到個(gè)人證書位置,然后用IP訪問HTTP和https服務(wù)器�����。在IE中我們一般導(dǎo)入client.pfx證書�,導(dǎo)入時(shí)會(huì)提示上面設(shè)置的密碼。
