posts - 122,  comments - 25,  trackbacks - 0
我们的项目都是基于https协议访问的,由于费用问题,在开发、测试环境中使了一个过期证书。所以每天得面对浏览器提示证书过期问题,若只是页面访问,多确认一下就完了,但遇到系统间的页面跳转、互相调用,就玩不转了。没折,干脆自已做证书。

通过Openssl建立根证书和服务器证书,并用根证书对服务器证书进行签名。

1、使用Openssl的CA脚本来建立根证书(/usr/share/ssl/misc/CA)
运行CA -newca,Openssl会找CA自己的私有密钥密码文件。如果没有这个文件?按回车会自动创建,输入密码来保护这个密码文件。之后会提示你输入公司信息来做CA.crt文件。最后,在当前目录下多了一个demoCA目录,demoCA/private/cakey.pem就是CA的key文件了,而demoCA/cacert.pem就是CA的crt文件了。具体如下:
[root@xplan-dev8 ca]# ./CA -newca
CA certificate filename (or enter to create)

Making CA certificate 

Generating a 
1024 bit RSA private key
.++++++
++++++
writing new private key to 
'./demoCA/private/./cakey.pem'
Enter PEM pass phrase
:
Verifying 
- Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request
.
What you are about to enter is what is called a Distinguished Name or a DN
.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (
2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]
:Zhejiang
Locality Name (eg
, city) [Newbury]:Hangzhou
Organization Name (eg
, company) [My Company Ltd]:Mysoft.com corpration
Organizational Unit Name (eg
, section) []:Mysoft.com
Common Name (eg
, your name or your server's hostname) []:Mysoft.com
Email Address []:

2、生成服务器证书
生成服务器私钥Key文件,openssl genrsa -des3 -out server.key 1024,并输入保护密码:
[root@xplan-dev8 ca]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..++++++
..++++++
e is 
65537 (0x10001)
Enter pass phrase 
for server.key:
Verifying 
- Enter pass phrase for server.key:

生成服务器证书(注:输入Common Name一项时,若需对泛域名支持证书时,需用*.mysoft.com):
[root@xplan-dev8 ca]# openssl req -new -key server.key -out server.csr -days 365
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request
.
What you are about to enter is what is called a Distinguished Name or a DN
.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (
2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]
:Zhejiang
Locality Name (eg
, city) [Newbury]:Hangzhou
Organization Name (eg
, company) [My Company Ltd]:Mysoft.com
Organizational Unit Name (eg
, section) []:Mysoft.com
Common Name (eg
, your name or your server's hostname) []:*.mysoft.com
Email Address []:

Please enter the following 
'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3、用根证书对服务器证书进行签名
把server.crt文件重命名成newreq.pem,然后用CA脚本进行签名,期间会提示要求输入cakey.pem的保护密码。

[root@xplan-dev8 ca]# mv server.csr newreq.pem

[root@xplan-dev8 ca]# ./CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  8 12:27:14 2008 GMT
            Not After : Dec  8 12:27:14 2009 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Zhejiang
            localityName              = Hangzhou
            organizationName          = Mysoft.com
            organizationalUnitName    = Mysoft.com
            commonName                = *.mysoft.com
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            0F:0C:46:82:EB:68:61:CE:6F:06:10:78:BC:7B:2F:10:F8:96:7E:09
            X509v3 Authority Key Identifier:
            keyid:E0:01:2C:50:62:87:8D:10:7A:17:6D:AB:2C:43:0A:79:EB:5F:26:0C
            DirName:/C=CN/ST=Zhejiang/L=Hangzhou/O=Mysoft.com corpration/OU=Mysoft.com/CN=Mysoft.com
            serial:00

Certificate is to be certified until Dec  8 12:27:14 2009 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CN, ST=Zhejiang, L=Hangzhou, O=Mysoft.com corpration, OU=Mysoft.com, CN=Mysoft.com
        Validity
            Not Before: Dec  8 12:27:14 2008 GMT
            Not After : Dec  8 12:27:14 2009 GMT
        Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=Mysoft.com, OU=Mysoft.com, CN=*.mysoft.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f0:46:a7:a3:9d:8d:ce:09:da:f1:02:a0:fd:1f:
                    5c:df:a5:08:66:ea:13:0d:17:ac:49:92:9f:65:21:
                    cf:ec:f8:79:73:a1:73:0a:3e:d6:d0:c3:a4:d4:36:
                    22:b8:4c:82:51:fe:5d:e1:13:22:99:5f:4c:ef:c6:
                    65:3a:5d:de:1f:83:f2:17:a5:2b:f3:03:94:9a:31:
                    bc:09:c8:1c:9e:4d:ad:3b:90:2d:dc:65:0c:e3:04:
                    9b:8a:d5:c2:93:b7:51:8e:fe:92:1d:ee:55:6e:a0:
                    77:25:e1:a1:24:7f:55:7a:b4:4d:f4:84:83:13:56:
                    8d:62:be:2d:db:f8:1a:de:35
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            0F:0C:46:82:EB:68:61:CE:6F:06:10:78:BC:7B:2F:10:F8:96:7E:09
            X509v3 Authority Key Identifier:
            keyid:E0:01:2C:50:62:87:8D:10:7A:17:6D:AB:2C:43:0A:79:EB:5F:26:0C
            DirName:/C=CN/ST=Zhejiang/L=Hangzhou/O=Mysoft.com corpration/OU=Mysoft.com/CN=Mysoft.com
            serial:00

    Signature Algorithm: md5WithRSAEncryption
        0b:dc:15:f3:87:5c:e0:07:23:0e:78:47:af:56:fb:43:31:4b:
        0d:12:76:57:95:cd:d7:2a:75:00:01:21:96:9d:d4:bf:9d:e9:
        b6:26:cc:70:98:95:fd:ca:af:ad:68:fb:10:79:09:05:32:20:
        02:7a:84:53:2f:e0:d5:cd:ed:4d:42:e7:d5:9d:90:78:9a:2e:
        d8:72:cb:7f:f7:29:30:24:25:f2:0f:2d:b4:9d:a2:b3:24:00:
        b4:f7:e9:de:5c:1a:50:d3:59:a4:9c:1d:03:15:04:17:6d:c2:
        ab:95:a8:1f:28:e5:ad:3c:a9:a8:c8:30:3a:09:3f:75:5d:70:
        2e:af
-----BEGIN CERTIFICATE-----
MIIDfDCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCQ04x
ETAPBgNVBAgTCFpoZWppYW5nMREwDwYDVQQHEwhIYW5nemhvdTEfMB0GA1UEChMW
QWxpc29mdC5jb20gY29ycHJhdGlvbjEUMBIGA1UECxMLQWxpc29mdC5jb20xFDAS
BgNVBAMTC0FsaXNvZnQuY29tMB4XDTA4MTIwODEyMjcxNFoXDTA5MTIwODEyMjcx
NFowdzELMAkGA1UEBhMCQ04xETAPBgNVBAgTCFpoZWppYW5nMREwDwYDVQQHEwhI
YW5nemhvdTEUMBIGA1UEChMLQWxpc29mdC5jb20xFDASBgNVBAsTC0FsaXNvZnQu
Y29tMRYwFAYDVQQDFA0qLmFsaXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDwRqejnY3OCdrxAqD9H1zfpQhm6hMNF6xJkp9lIc/s+HlzoXMKPtbQ
w6TUNiK4TIJR/l3hEyKZX0zvxmU6Xd4fg/IXpSvzA5SaMbwJyByeTa07kC3cZQzj
BJuK1cKTt1GO/pId7lVuoHcl4aEkf1V6tE30hIMTVo1ivi3b+BreNQIDAQABo4IB
DDCCAQgwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFA8MRoLraGHObwYQeLx7LxD4ln4JMIGt
BgNVHSMEgaUwgaKAFOABLFBih40QehdtqyxDCnnrXyYMoYGGpIGDMIGAMQswCQYD
VQQGEwJDTjERMA8GA1UECBMIWmhlamlhbmcxETAPBgNVBAcTCEhhbmd6aG91MR8w
HQYDVQQKExZBbGlzb2Z0LmNvbSBjb3JwcmF0aW9uMRQwEgYDVQQLEwtBbGlzb2Z0
LmNvbTEUMBIGA1UEAxMLQWxpc29mdC5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEA
C9wV84dc4AcjDnhHr1b7QzFLDRJ2V5XN1yp1AAEhlp3Uv53ptibMcJiV/cqvrWj7
EHkJBTIgAnqEUy/g1c3tTULn1Z2QeJou2HLLf/cpMCQl8g8ttJ2isyQAtPfp3lwa
UNNZpJwdAxUEF23Cq5WoHyjlrTypqMgwOgk/dV1wLq8=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

这样就生成了server的证书newcert.pem,把newcert.pem 重命名为server.crt。

4、配置apache

NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin sa@mysoft.com
    ServerName xplan.mysoft.com
    DocumentRoot /home/admin/project/htdocs

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+SSLv3:+EXP:+eNULL
    SSLCertificateFile /home/admin/modules/crt/server.crt
    SSLCertificateKeyFile /home/admin/modules/crt/server.key

    SSLProxyEngine on
    RewriteEngine on
    RewriteRule ^/$ /xplan/user/login!login.jspa [L,P]
</VirtualHost>

重启apache时,会提示要求输入服务端证书的密码。如下:

[root@localhost]# bin/apachectl restart
httpd not running, trying to start
Apache/2.2.0 mod_ssl/2.2.0 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server xplan.mysoft.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.



5、客户端(IE)导入根证书(ca.cert)
在"选项"->"内容"->"证书"->"受信任根证书颁发机构"中点击"导入",选中"ca.crt",完成导入。或者,直接在点ca.crt文件右键,选择安装即可。


6、重启apache,要求输入密码的问题解决

1)、去掉bin/apachectl start启动的pass phrase,用空pass phrase启动apache
(while preserving the original file):
[root@xplan-dev8 ca]$ cp server.key server.key.org
[root@xplan-dev8 ca]$ openssl rsa -in server.key.org -out server.key

确认server.key 文件为root可读
[root@xplan-dev8 ca]$ chmod 400 server.key

2、编辑
[root@xplan-dev8 ca]$ vi conf/extra/httpd-ssl.conf
注释SSLPassPhraseDialog  builtin
在后添加:SSLPassPhraseDialog exec:/usr/local/apache2/conf/apache_pass.sh

[root@xplan-dev8 ca]$ vi conf/apache_pass.sh
#!/bin/sh
echo "密码"
[root@xplan-dev8 ca]$ chmod +x /usr/local/apache2/conf/apache_pass.sh

posted on 2008-12-08 21:19 josson 阅读(2631) 评论(1)  编辑  收藏 所属分类: 大杂烩


FeedBack:
# re: 利用Openssl 建立自己的证书。[未登录]
2009-05-19 11:49 | zhang
谢谢
  回复  更多评论
  

只有注册用户登录后才能发表评论。


网站导航:
 
<2008年12月>
30123456
78910111213
14151617181920
21222324252627
28293031123
45678910

常用链接

留言簿(3)

随笔分类

随笔档案

收藏夹

搜索

  •  

最新评论

阅读排行榜

评论排行榜