我们的项目都是基于https协议访问的,由于费用问题,在开发、测试环境中使了一个过期证书。所以每天得面对浏览器提示证书过期问题,若只是页面访问,多确认一下就完了,但遇到系统间的页面跳转、互相调用,就玩不转了。没折,干脆自已做证书。
通过Openssl建立根证书和服务器证书,并用根证书对服务器证书进行签名。
1、使用Openssl的CA脚本来建立根证书(/usr/share/ssl/misc/CA)
运行CA -newca,Openssl会找CA自己的私有密钥密码文件。如果没有这个文件?按回车会自动创建,输入密码来保护这个密码文件。之后会提示你输入公司信息来做CA.crt文件。最后,在当前目录下多了一个demoCA目录,demoCA/private/cakey.pem就是CA的key文件了,而demoCA/cacert.pem就是CA的crt文件了。具体如下:
[root@xplan-dev8 ca]# ./CA -newca
CA certificate filename (or enter to create)
Making CA certificate
Generating a 1024 bit RSA private key
.++++++
++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Zhejiang
Locality Name (eg, city) [Newbury]:Hangzhou
Organization Name (eg, company) [My Company Ltd]:Mysoft.com corpration
Organizational Unit Name (eg, section) []:Mysoft.com
Common Name (eg, your name or your server's hostname) []:Mysoft.com
Email Address []:
2、生成服务器证书
生成服务器私钥Key文件,openssl genrsa -des3 -out server.key 1024,并输入保护密码:
[root@xplan-dev8 ca]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
生成服务器证书(注:输入Common Name一项时,若需对泛域名支持证书时,需用*.mysoft.com):
[root@xplan-dev8 ca]# openssl req -new -key server.key -out server.csr -days 365
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Zhejiang
Locality Name (eg, city) [Newbury]:Hangzhou
Organization Name (eg, company) [My Company Ltd]:Mysoft.com
Organizational Unit Name (eg, section) []:Mysoft.com
Common Name (eg, your name or your server's hostname) []:*.mysoft.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3、用根证书对服务器证书进行签名
把server.crt文件重命名成newreq.pem,然后用CA脚本进行签名,期间会提示要求输入cakey.pem的保护密码。
[root@xplan-dev8 ca]# mv server.csr newreq.pem
[root@xplan-dev8 ca]# ./CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 8 12:27:14 2008 GMT
Not After : Dec 8 12:27:14 2009 GMT
Subject:
countryName = CN
stateOrProvinceName = Zhejiang
localityName = Hangzhou
organizationName = Mysoft.com
organizationalUnitName = Mysoft.com
commonName = *.mysoft.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0F:0C:46:82:EB:68:61:CE:6F:06:10:78:BC:7B:2F:10:F8:96:7E:09
X509v3 Authority Key Identifier:
keyid:E0:01:2C:50:62:87:8D:10:7A:17:6D:AB:2C:43:0A:79:EB:5F:26:0C
DirName:/C=CN/ST=Zhejiang/L=Hangzhou/O=Mysoft.com corpration/OU=Mysoft.com/CN=Mysoft.com
serial:00
Certificate is to be certified until Dec 8 12:27:14 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CN, ST=Zhejiang, L=Hangzhou, O=Mysoft.com corpration, OU=Mysoft.com, CN=Mysoft.com
Validity
Not Before: Dec 8 12:27:14 2008 GMT
Not After : Dec 8 12:27:14 2009 GMT
Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=Mysoft.com, OU=Mysoft.com, CN=*.mysoft.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:f0:46:a7:a3:9d:8d:ce:09:da:f1:02:a0:fd:1f:
5c:df:a5:08:66:ea:13:0d:17:ac:49:92:9f:65:21:
cf:ec:f8:79:73:a1:73:0a:3e:d6:d0:c3:a4:d4:36:
22:b8:4c:82:51:fe:5d:e1:13:22:99:5f:4c:ef:c6:
65:3a:5d:de:1f:83:f2:17:a5:2b:f3:03:94:9a:31:
bc:09:c8:1c:9e:4d:ad:3b:90:2d:dc:65:0c:e3:04:
9b:8a:d5:c2:93:b7:51:8e:fe:92:1d:ee:55:6e:a0:
77:25:e1:a1:24:7f:55:7a:b4:4d:f4:84:83:13:56:
8d:62:be:2d:db:f8:1a:de:35
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0F:0C:46:82:EB:68:61:CE:6F:06:10:78:BC:7B:2F:10:F8:96:7E:09
X509v3 Authority Key Identifier:
keyid:E0:01:2C:50:62:87:8D:10:7A:17:6D:AB:2C:43:0A:79:EB:5F:26:0C
DirName:/C=CN/ST=Zhejiang/L=Hangzhou/O=Mysoft.com corpration/OU=Mysoft.com/CN=Mysoft.com
serial:00
Signature Algorithm: md5WithRSAEncryption
0b:dc:15:f3:87:5c:e0:07:23:0e:78:47:af:56:fb:43:31:4b:
0d:12:76:57:95:cd:d7:2a:75:00:01:21:96:9d:d4:bf:9d:e9:
b6:26:cc:70:98:95:fd:ca:af:ad:68:fb:10:79:09:05:32:20:
02:7a:84:53:2f:e0:d5:cd:ed:4d:42:e7:d5:9d:90:78:9a:2e:
d8:72:cb:7f:f7:29:30:24:25:f2:0f:2d:b4:9d:a2:b3:24:00:
b4:f7:e9:de:5c:1a:50:d3:59:a4:9c:1d:03:15:04:17:6d:c2:
ab:95:a8:1f:28:e5:ad:3c:a9:a8:c8:30:3a:09:3f:75:5d:70:
2e:af
-----BEGIN CERTIFICATE-----
MIIDfDCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCQ04x
ETAPBgNVBAgTCFpoZWppYW5nMREwDwYDVQQHEwhIYW5nemhvdTEfMB0GA1UEChMW
QWxpc29mdC5jb20gY29ycHJhdGlvbjEUMBIGA1UECxMLQWxpc29mdC5jb20xFDAS
BgNVBAMTC0FsaXNvZnQuY29tMB4XDTA4MTIwODEyMjcxNFoXDTA5MTIwODEyMjcx
NFowdzELMAkGA1UEBhMCQ04xETAPBgNVBAgTCFpoZWppYW5nMREwDwYDVQQHEwhI
YW5nemhvdTEUMBIGA1UEChMLQWxpc29mdC5jb20xFDASBgNVBAsTC0FsaXNvZnQu
Y29tMRYwFAYDVQQDFA0qLmFsaXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDwRqejnY3OCdrxAqD9H1zfpQhm6hMNF6xJkp9lIc/s+HlzoXMKPtbQ
w6TUNiK4TIJR/l3hEyKZX0zvxmU6Xd4fg/IXpSvzA5SaMbwJyByeTa07kC3cZQzj
BJuK1cKTt1GO/pId7lVuoHcl4aEkf1V6tE30hIMTVo1ivi3b+BreNQIDAQABo4IB
DDCCAQgwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFA8MRoLraGHObwYQeLx7LxD4ln4JMIGt
BgNVHSMEgaUwgaKAFOABLFBih40QehdtqyxDCnnrXyYMoYGGpIGDMIGAMQswCQYD
VQQGEwJDTjERMA8GA1UECBMIWmhlamlhbmcxETAPBgNVBAcTCEhhbmd6aG91MR8w
HQYDVQQKExZBbGlzb2Z0LmNvbSBjb3JwcmF0aW9uMRQwEgYDVQQLEwtBbGlzb2Z0
LmNvbTEUMBIGA1UEAxMLQWxpc29mdC5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEA
C9wV84dc4AcjDnhHr1b7QzFLDRJ2V5XN1yp1AAEhlp3Uv53ptibMcJiV/cqvrWj7
EHkJBTIgAnqEUy/g1c3tTULn1Z2QeJou2HLLf/cpMCQl8g8ttJ2isyQAtPfp3lwa
UNNZpJwdAxUEF23Cq5WoHyjlrTypqMgwOgk/dV1wLq8=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
这样就生成了server的证书newcert.pem,把newcert.pem 重命名为server.crt。
4、配置apache
NameVirtualHost *:443
<VirtualHost *:443>
ServerAdmin sa@mysoft.com
ServerName xplan.mysoft.com
DocumentRoot /home/admin/project/htdocs
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+SSLv3:+EXP:+eNULL
SSLCertificateFile /home/admin/modules/crt/server.crt
SSLCertificateKeyFile /home/admin/modules/crt/server.key
SSLProxyEngine on
RewriteEngine on
RewriteRule ^/$ /xplan/user/login!login.jspa [L,P]
</VirtualHost>
重启apache时,会提示要求输入服务端证书的密码。如下:
[root@localhost]# bin/apachectl restart
httpd not running, trying to start
Apache/2.2.0 mod_ssl/2.2.0 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server xplan.mysoft.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
5、客户端(IE)导入根证书(ca.cert)
在"选项"->"内容"->"证书"->"受信任根证书颁发机构"中点击"导入",选中"ca.crt",完成导入。或者,直接在点ca.crt文件右键,选择安装即可。
6、重启apache,要求输入密码的问题解决
1)、去掉bin/apachectl start启动的pass phrase,用空pass phrase启动apache
(while preserving the original file):
[root@xplan-dev8 ca]$ cp server.key server.key.org
[root@xplan-dev8 ca]$ openssl rsa -in server.key.org -out server.key
确认server.key 文件为root可读
[root@xplan-dev8 ca]$ chmod 400 server.key
2、编辑
[root@xplan-dev8 ca]$ vi conf/extra/httpd-ssl.conf
注释SSLPassPhraseDialog builtin
在后添加:SSLPassPhraseDialog exec:/usr/local/apache2/conf/apache_pass.sh
[root@xplan-dev8 ca]$ vi conf/apache_pass.sh
#!/bin/sh
echo "密码"
[root@xplan-dev8 ca]$ chmod +x /usr/local/apache2/conf/apache_pass.sh
posted on 2008-12-08 21:19
josson 阅读(2631)
评论(1) 编辑 收藏 所属分类:
大杂烩