模板
教程
环境
性能
功能
管理
Apache 2.0上 HTTPS 实现CA认证, 不是HTPASSWD的那种.
发表于:2007-05-25来源:作者:点击数:
标签:
每次总来CU找资料,想想也应该做点贡献.呵呵.这篇文章似乎没人做过.我就把它补上吧.转载时注明来源是CU's小黄就可以了.:D 系统 LINUX 8 用rpm-aq查一下是否这些装上 openssl095a-0.9.5a-16 openssl-devel-0.9.6b-29 mod_ssl-2.0.40-8 openssl-0.9.6b-29 opens
每次总来CU找资料,想想也应该做点贡献. 呵呵. 这篇文章似乎没人做过.我就把它补上吧. 转载时注明来源是CU's 小黄就可以了. :D
系统 LINUX 8
用rpm -aq查一下是否这些装上
openssl095a-0.9.5a-16
openssl-devel-0.9.6b-29
mod_ssl-2.0.40-8
openssl-0.9.6b-29
openssl096-0.9.6-11
当然还有apache 2.0
openssl095a-0.9.5a-16
openssl-devel-0.9.6b-29
mod_ssl-2.0.40-8
openssl-0.9.6b-29
openssl096-0.9.6-11
第一步实现传统的http, 如果不知道,在精华贴里找.
第二步要实现https, 精华贴里也有,不过我重复一些这里:
主要是这个文件
/etc/httpd/conf.d/ssl.conf:
SSLCertficateFile /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
这两行要打开.
怎么产生server.crt 和 server.key, 用法如下:
cd /etc/httpd/conf/ssl.key
openssl genrsa -des3 -out server.key 1024
cd /etc/httpd/conf/ssl.crt
openssl x509 -req -days 3650 -in server.csr -signkey ../ssl.key/server.key –out server.crt
(这个是自己给自己认证,你也可以先产生这个server.csr, 然后去verisign 用它30天免费的server.crt
到此,你的HTTPS应该可以起来.如果看见一些错误.error 98 mod_socket之类的. 多数是httpd.conf 文件中, 要有Include conf.d/*.conf
Include conf.d/*.conf
而同时使用port 443, 与 /etc/httpd/conf.d/ssl.conf文件中port 443重复使用了. 基本上httpd.conf不用改,而只改ssl.conf就可以了. (折腾了我好一会这里,:-( )
现在你的https可以起来, 但人人可以去,我们最终的目的是只有你签发的certificate的用户才可以,所以接着走...
第三步https的CA认证:
ssl.conf 文件中要:
SSLCACertificateFile /etc/httpd/conf/ssl.crt/myca.crt
SSLVerifyClient require
SSLVerifyDepth 1
在 cd /etc/httpd/conf/ssl.crt/
openssl genrsa -des3 -out myca.key 1024
openssl req -new -x509 -days 3650 -key myca.key -out myca.crt
现在我们有了这个myca.crt, 这个CERT相当与一个图章,用这个图章盖过的请求才可以访问你的HTTPS, 这才是目的.
在你的机器上重新用普通用户登陆,假设用户名为client1, home为/home/client1.
cd /home/client1
openssl req –new > client.csr
用户产生了一个请求CSR文件. 用图章盖过印的CSR请求, 产生一个cert才有效,这就是这个目的.
重新用ROOT登陆,
cd /etc/httpd/conf/ssl.crt/
这下面应该有你刚才产生的myca.key & myca.crt
openssl x509 -req -in /home/client1/client.csr -out /home/client1/client.crt -signkey myca.key -CA myca.crt -CAkey myca.key -CAcreateserial -days 3650
在这个/home/client1下面,应该产生了client.crt 这个文件. 也就是一个盖过章的certificate.
这个certificate是BASE64形式的,要转成PKCS12才能装到IE,/NETSCAPE上.所以你要:
cd /etc/httpd/conf/ssl.crt/
openssl pkcs12 -export –in /home/client.crt -inkey myca.key -out client.pfx
到此为止,基本上大功告成. 把这个client.pfx 装到你的IE下,证书下.用default 安装,不用变革路经.
重起HTTPS, 在用有certificate的IE去访问. -------- 如果一切顺利,是不是心情很爽?
----写在后面的话.希望大家多写些心得, 把CU办的更好.
| yhuang95411 回复于:2004-12-19 10:53:02 | ||||||||||||||
| libghttp-devel-1.0.9-5
httpd-devel-2.0.40-8 httpd-manual-2.0.40-8 httpd-2.0.40-8 libghttp-1.0.9-5 | ||||||||||||||
| yhuang95411 回复于:2004-12-19 11:12:15 | ||||||||||||||
| 澄清一下:
所用系统为Red Hat Linux 8.0. 若使用其它Linux, rpm 版本会有些差别, 但步骤都是一样的. | ||||||||||||||
| FunBSD 回复于:2005-01-05 09:35:36 | ||||||||||||||
| 我帮你顶一下 | ||||||||||||||
| wingger 回复于:2005-01-05 13:21:18 | ||||||||||||||
| Make sure OpenSSL is really installed and in your PATH. But some commands even work ok when you just run the ``openssl'' program from within the OpenSSL source tree as ``./apps/openssl''.
Create a RSA private key for your Apache server (will be Triple-DES encrypted and PEM formatted): [code:1:ba56aab0e6]$ openssl genrsa -des3 -out server.key 1024[/code:1:ba56aab0e6] Please backup this server.key file and remember the pass-phrase you had to enter at a secure location. You can see the details of this RSA private key via the command: [code:1:ba56aab0e6]$ openssl rsa -noout -text -in server.key[/code:1:ba56aab0e6] And you could create a decrypted PEM version (not recommended) of this RSA private key via: [code:1:ba56aab0e6]$ openssl rsa -in server.key -out server.key.unsecure[/code:1:ba56aab0e6] Create a Certificate Signing Request (CSR) with the server RSA private key (output will be PEM formatted): [code:1:ba56aab0e6]$ openssl req -new -key server.key -out server.csr[/code:1:ba56aab0e6] Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later aclearcase/" target="_blank" >ccessed via https://www.foo.dom/, enter "www.foo.dom" here. You can see the details of this CSR via the command [code:1:ba56aab0e6]$ openssl req -noout -text -in server.csr[/code:1:ba56aab0e6] 其它一样,在REDHAT linux 9下通过,呵呵, 这些都是用系统默认的apache,openssl,mod_ssl装的 | ||||||||||||||
| wingger 回复于:2005-01-05 13:25:33 | ||||||||||||||
| 停止 httpd:[失败]
启动 httpd:Apache/2.0.40 mod_ssl/2.0.40 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases. Server new.host.name:443 (RSA) Enter pass phrase: Ok: Pass Phrase Dialog successful. [失败] 为什么会这样? | ||||||||||||||
| wingger 回复于:2005-01-05 13:38:19 | ||||||||||||||
| 刚才没修改ssl.conf文件,修改后启动如下错误
启动 httpd:Apache/2.0.40 mod_ssl/2.0.40 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases. Server new.host.name:443 (RSA)#错误的输入密码 Enter pass phrase: Apache:mod_ssl:Error: Pass phrase incorrect (5 more retries permitted). Enter pass phrase:#密码错误 1077372096:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179: 1077372096:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:939: 1077372096:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA 1077372096:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96: Apache:mod_ssl:Error: Pass phrase incorrect (4 more retries permitted). Enter pass phrase:#正解的密码 [失败] | ||||||||||||||
| Yarco 回复于:2005-01-07 13:22:50 | ||||||||||||||
| 这个我试过.就是有些问题不明白.
1.CA证书如何制作. 似乎单纯用openssl无法制作自签名的CA证书.我看了很多网上的资料,说是apache附带有一个sign.sh的脚本.但我找来找去找不到. 2.如何让服务器重新启动的时候,不输入密码Pass Phrase 因为默认的https似乎不需要输入密码的. 想来重启apache应该有什么方法不需要输入密码才对... | ||||||||||||||
| wingger 回复于:2005-01-07 13:28:04 | ||||||||||||||
| sign.sh是mod_ssl自带的,但www.modssl.org上的mod_ssl只支持apache1的,我这里有一个sign.sh文件,如何你要的话,我可以贴出来,我用过sign.sh,不过签不了证书,至少我没签成功过 | ||||||||||||||
| Yarco 回复于:2005-01-07 14:05:02 | ||||||||||||||
| 晕...害我啊
[quote:3414839e85]不过签不了证书,至少我没签成功过[/quote:3414839e85] 签不了也给我.:) | ||||||||||||||
| ghostwx 回复于:2005-01-07 14:06:18 | ||||||||||||||
| 用openssl可以的
openssl genrsa -des3 -rand file1:file2:file3 -out yourca.key file1-3 是随意任何文件 openssl req -new -key yourca.key -out yourca.csr 产生证书请求 openssl x509 -req -days 30 -in yourca.csr -signkey yourca.key -out yourca.cert 产生证书 note:你需要有一个openssl.cnf文件,如果没有创建一个,用-config 指明,具体格式可以自己到www.openssl.org看看 | ||||||||||||||
| wingger 回复于:2005-01-07 14:19:58 | ||||||||||||||
| openssl的参数-signkey就可签证,不需sign.sh呵呵 | ||||||||||||||
| ataman 回复于:2005-03-23 23:36:06 | ||||||||||||||
| 我的https成功了,能上;ca认证什么的也成功了。但最不爽最关键的是:
客户端登陆网站时证书验证不通过!我基本上都是按照楼主和其他资料作的。 我是在自己的机器上做试验的,服务器客户都在一台机器上。作了好几个pfs的证书,登录网站时没一个能登上的。 winxp pro sp2, apache 2.0.53 ,openssl 0.97e(mod_ssl,openssl.cnf都有) 国家我都是cn,所有的域名都是www.xxx.com 邮箱xxx@xxx.com,部门都是ga,小部门都是rs.....所有文件所要填的信息都相同。我都是按照楼主的步骤来的,可能是什么问题呢? 我自始至终都是用1个用户登陆的windows。 | ||||||||||||||
| ioly 回复于:2005-04-28 08:52:12 | ||||||||||||||
| 我也出现了
停止 httpd:[失败] 启动 httpd:Apache/2.0.40 mod_ssl/2.0.40 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases. Server new.host.name:443 (RSA) Enter pass phrase: Ok: Pass Phrase Dialog successful. [失败] 的错误,求助! | ||||||||||||||
| squall1 回复于:2005-04-30 23:37:13 | ||||||||||||||
???还是不要用系统自带的那些包好。我的一切正常。
|
| |||||||||||||
