我們的項目都是基于https協議訪問的,由于費用問題,在開發、測試環境中使了一個過期證書。所以每天得面對瀏覽器提示證書過期問題,若只是頁面訪問,多確認一下就完了,但遇到系統間的頁面跳轉、互相調用,就玩不轉了。沒折,干脆自已做證書。
通過Openssl建立根證書和服務器證書,并用根證書對服務器證書進行簽名。
1、使用Openssl的CA腳本來建立根證書(/usr/share/ssl/misc/CA)
運行CA -newca,Openssl會找CA自己的私有密鑰密碼文件。如果沒有這個文件?按回車會自動創建,輸入密碼來保護這個密碼文件。之后會提示你輸入公司信息來做CA.crt文件。最后,在當前目錄下多了一個demoCA目錄,demoCA/private/cakey.pem就是CA的key文件了,而demoCA/cacert.pem就是CA的crt文件了。具體如下:
[root@xplan-dev8 ca]# ./CA -newca
CA certificate filename (or enter to create)
Making CA certificate 
Generating a 1024 bit RSA private key
.++++++
++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Zhejiang
Locality Name (eg, city) [Newbury]:Hangzhou
Organization Name (eg, company) [My Company Ltd]:Mysoft.com corpration
Organizational Unit Name (eg, section) []:Mysoft.com
Common Name (eg, your name or your server's hostname) []:Mysoft.com
Email Address []:
2、生成服務器證書
生成服務器私鑰Key文件,openssl genrsa -des3 -out server.key 1024,并輸入保護密碼:
[root@xplan-dev8 ca]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
生成服務器證書(注:輸入Common Name一項時,若需對泛域名支持證書時,需用*.mysoft.com):
[root@xplan-dev8 ca]# openssl req -new -key server.key -out server.csr -days 365
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Zhejiang
Locality Name (eg, city) [Newbury]:Hangzhou
Organization Name (eg, company) [My Company Ltd]:Mysoft.com
Organizational Unit Name (eg, section) []:Mysoft.com
Common Name (eg, your name or your server's hostname) []:*.mysoft.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3、用根證書對服務器證書進行簽名
把server.crt文件重命名成newreq.pem,然后用CA腳本進行簽名,期間會提示要求輸入cakey.pem的保護密碼。
[root@xplan-dev8 ca]# mv server.csr newreq.pem
[root@xplan-dev8 ca]# ./CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 8 12:27:14 2008 GMT
Not After : Dec 8 12:27:14 2009 GMT
Subject:
countryName = CN
stateOrProvinceName = Zhejiang
localityName = Hangzhou
organizationName = Mysoft.com
organizationalUnitName = Mysoft.com
commonName = *.mysoft.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0F:0C:46:82:EB:68:61:CE:6F:06:10:78:BC:7B:2F:10:F8:96:7E:09
X509v3 Authority Key Identifier:
keyid:E0:01:2C:50:62:87:8D:10:7A:17:6D:AB:2C:43:0A:79:EB:5F:26:0C
DirName:/C=CN/ST=Zhejiang/L=Hangzhou/O=Mysoft.com corpration/OU=Mysoft.com/CN=Mysoft.com
serial:00
Certificate is to be certified until Dec 8 12:27:14 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CN, ST=Zhejiang, L=Hangzhou, O=Mysoft.com corpration, OU=Mysoft.com, CN=Mysoft.com
Validity
Not Before: Dec 8 12:27:14 2008 GMT
Not After : Dec 8 12:27:14 2009 GMT
Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=Mysoft.com, OU=Mysoft.com, CN=*.mysoft.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f0:46:a7:a3:9d:8d:ce:09:da:f1:02:a0:fd:1f:
5c:df:a5:08:66:ea:13:0d:17:ac:49:92:9f:65:21:
cf:ec:f8:79:73:a1:73:0a:3e:d6:d0:c3:a4:d4:36:
22:b8:4c:82:51:fe:5d:e1:13:22:99:5f:4c:ef:c6:
65:3a:5d:de:1f:83:f2:17:a5:2b:f3:03:94:9a:31:
bc:09:c8:1c:9e:4d:ad:3b:90:2d:dc:65:0c:e3:04:
9b:8a:d5:c2:93:b7:51:8e:fe:92:1d:ee:55:6e:a0:
77:25:e1:a1:24:7f:55:7a:b4:4d:f4:84:83:13:56:
8d:62:be:2d:db:f8:1a:de:35
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0F:0C:46:82:EB:68:61:CE:6F:06:10:78:BC:7B:2F:10:F8:96:7E:09
X509v3 Authority Key Identifier:
keyid:E0:01:2C:50:62:87:8D:10:7A:17:6D:AB:2C:43:0A:79:EB:5F:26:0C
DirName:/C=CN/ST=Zhejiang/L=Hangzhou/O=Mysoft.com corpration/OU=Mysoft.com/CN=Mysoft.com
serial:00
Signature Algorithm: md5WithRSAEncryption
0b:dc:15:f3:87:5c:e0:07:23:0e:78:47:af:56:fb:43:31:4b:
0d:12:76:57:95:cd:d7:2a:75:00:01:21:96:9d:d4:bf:9d:e9:
b6:26:cc:70:98:95:fd:ca:af:ad:68:fb:10:79:09:05:32:20:
02:7a:84:53:2f:e0:d5:cd:ed:4d:42:e7:d5:9d:90:78:9a:2e:
d8:72:cb:7f:f7:29:30:24:25:f2:0f:2d:b4:9d:a2:b3:24:00:
b4:f7:e9:de:5c:1a:50:d3:59:a4:9c:1d:03:15:04:17:6d:c2:
ab:95:a8:1f:28:e5:ad:3c:a9:a8:c8:30:3a:09:3f:75:5d:70:
2e:af
-----BEGIN CERTIFICATE-----
MIIDfDCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCQ04x
ETAPBgNVBAgTCFpoZWppYW5nMREwDwYDVQQHEwhIYW5nemhvdTEfMB0GA1UEChMW
QWxpc29mdC5jb20gY29ycHJhdGlvbjEUMBIGA1UECxMLQWxpc29mdC5jb20xFDAS
BgNVBAMTC0FsaXNvZnQuY29tMB4XDTA4MTIwODEyMjcxNFoXDTA5MTIwODEyMjcx
NFowdzELMAkGA1UEBhMCQ04xETAPBgNVBAgTCFpoZWppYW5nMREwDwYDVQQHEwhI
YW5nemhvdTEUMBIGA1UEChMLQWxpc29mdC5jb20xFDASBgNVBAsTC0FsaXNvZnQu
Y29tMRYwFAYDVQQDFA0qLmFsaXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDwRqejnY3OCdrxAqD9H1zfpQhm6hMNF6xJkp9lIc/s+HlzoXMKPtbQ
w6TUNiK4TIJR/l3hEyKZX0zvxmU6Xd4fg/IXpSvzA5SaMbwJyByeTa07kC3cZQzj
BJuK1cKTt1GO/pId7lVuoHcl4aEkf1V6tE30hIMTVo1ivi3b+BreNQIDAQABo4IB
DDCCAQgwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFA8MRoLraGHObwYQeLx7LxD4ln4JMIGt
BgNVHSMEgaUwgaKAFOABLFBih40QehdtqyxDCnnrXyYMoYGGpIGDMIGAMQswCQYD
VQQGEwJDTjERMA8GA1UECBMIWmhlamlhbmcxETAPBgNVBAcTCEhhbmd6aG91MR8w
HQYDVQQKExZBbGlzb2Z0LmNvbSBjb3JwcmF0aW9uMRQwEgYDVQQLEwtBbGlzb2Z0
LmNvbTEUMBIGA1UEAxMLQWxpc29mdC5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEA
C9wV84dc4AcjDnhHr1b7QzFLDRJ2V5XN1yp1AAEhlp3Uv53ptibMcJiV/cqvrWj7
EHkJBTIgAnqEUy/g1c3tTULn1Z2QeJou2HLLf/cpMCQl8g8ttJ2isyQAtPfp3lwa
UNNZpJwdAxUEF23Cq5WoHyjlrTypqMgwOgk/dV1wLq8=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
這樣就生成了server的證書newcert.pem,把newcert.pem 重命名為server.crt。
4、配置apache
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin sa@mysoft.com
ServerName xplan.mysoft.com
DocumentRoot /home/admin/project/htdocs
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+SSLv3:+EXP:+eNULL
SSLCertificateFile /home/admin/modules/crt/server.crt
SSLCertificateKeyFile /home/admin/modules/crt/server.key
SSLProxyEngine on
RewriteEngine on
RewriteRule ^/$ /xplan/user/login!login.jspa [L,P]
</VirtualHost>
重啟apache時,會提示要求輸入服務端證書的密碼。如下:
[root@localhost]# bin/apachectl restart
httpd not running, trying to start
Apache/2.2.0 mod_ssl/2.2.0 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server xplan.mysoft.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
5、客戶端(IE)導入根證書(ca.cert)
在"選項"->"內容"->"證書"->"受信任根證書頒發機構"中點擊"導入",選中"ca.crt",完成導入。或者,直接在點ca.crt文件右鍵,選擇安裝即可。
6、重啟apache,要求輸入密碼的問題解決
1)、去掉bin/apachectl start啟動的pass phrase,用空pass phrase啟動apache
(while preserving the original file):
[root@xplan-dev8 ca]$ cp server.key server.key.org
[root@xplan-dev8 ca]$ openssl rsa -in server.key.org -out server.key
確認server.key 文件為root可讀
[root@xplan-dev8 ca]$ chmod 400 server.key
2、編輯
[root@xplan-dev8 ca]$ vi conf/extra/httpd-ssl.conf
注釋SSLPassPhraseDialog builtin
在后添加:SSLPassPhraseDialog exec:/usr/local/apache2/conf/apache_pass.sh
[root@xplan-dev8 ca]$ vi conf/apache_pass.sh
#!/bin/sh
echo "密碼"
[root@xplan-dev8 ca]$ chmod +x /usr/local/apache2/conf/apache_pass.sh
posted on 2008-12-08 21:19
josson 閱讀(2652)
評論(1) 編輯 收藏 所屬分類:
大雜燴