RHEL5.2 + Apache + OpenSSL certificate management
[Test environment]
OS: RHEL5.2
Apache: httpd-2.2.3-11.el5_1.3
OpenSSL: openssl-0.9.8b-10.el5
IP address: 192.168.254.80
Site: www.example.com
[Procedure]
1. Install the required packages
# rpm -qa |grep httpd
httpd-2.2.3-11.el5_1.3
# rpm -qa |grep mod_ssl
mod_ssl-2.2.3-11.el5_1.3
# rpm -qa |grep openssl
openssl-0.9.8b-10.el5
openssl-devel-0.9.8b-10.el5
#
2. Change the defaults used when generating certificates
a) Edit the default values in openssl.cnf; they become the pre-filled answers that openssl req offers for the distinguished name (the values below are the ones used in this example):
vi /etc/pki/tls/openssl.cnf
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SHANGHAI
localityName = Locality Name (eg, city)
localityName_default = SHANGHAI
0.organizationName = Organization Name (eg, company)
0.organizationName_default = example.com
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
organizationalUnitName_default = IT Deps.
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
b) Generate the CA certificate (this step is essential: this CA signs the client certificates in step 4 and issues the CRL in step 5)
# cd /etc/pki/tls/misc/
# ./CA -newca
You are asked for a passphrase for the CA key and for the CA's distinguished name. When it finishes, the CA private key is in /etc/pki/CA/private/cakey.pem and the CA certificate in /etc/pki/CA/cacert.pem; the script also creates the CA database /etc/pki/CA/index.txt and the serial file that openssl ca uses in step 5. Keep cakey.pem readable by root only and guard its passphrase: anyone holding both can issue client certificates that this server will accept.
3. Generating and configuring the server certificate
Note: all server-side files are kept under /etc/httpd/ca; create that directory first:
# mkdir /etc/httpd/ca
# cd /etc/httpd/ca
a) Generate the server private key (server.key):
# openssl genrsa -des3 -out server.key
You are asked for a passphrase here; remember it (in this example: key_password).
Caveat: with no key size on the command line, OpenSSL 0.9.8 generates a 512-bit key, as the output below shows. 512-bit RSA can be factored with modest resources and offers no real protection; outside a lab, give the size explicitly (for example openssl genrsa -des3 -out server.key 2048).
Generating RSA private key, 512 bit long modulus
...........................++++++++++++
......++++++++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
After the command above finishes, server.key exists in the current directory.
b) You can inspect the key as follows (the passphrase set above is required):
# openssl rsa -noout -text -in server.key
Enter pass phrase for server.key:
Private-Key: (512 bit)
modulus:
00:cc:f5:d5:68:89:1a:5d:80:83:b5:52:77:7f:9b:
c7:3a:1c:ea:87:f5:37:cb:17:a5:bd:63:18:94:bc:
69:e7:6f:a0:ee:42:46:6d:d8:33:75:d4:f1:b3:18:
4d:4f:33:27:6d:76:65:36:25:cb:4d:04:96:7b:b2:
8d:53:eb:a2:ed
publicExponent: 65537 (0x10001)
privateExponent:
00:c6:d1:6d:8b:b2:fb:5d:5a:2d:e9:35:2e:f0:1d:
57:9c:1a:b2:b2:e1:ff:96:45:c1:23:be:bd:f8:81:
f0:a5:6b:99:79:12:c8:af:2b:73:55:99:68:f6:2a:
a1:4b:32:87:db:51:e7:db:df:e9:bd:10:44:67:6d:
08:17:1a:ad:01
prime1:
00:f1:fa:fc:1a:6e:73:97:ea:95:b5:ec:4f:7d:78:
00:31:81:7a:bb:a7:de:37:62:74:70:e0:45:02:5f:
aa:b2:c1
prime2:
00:d8:d5:c5:b2:16:a4:c1:f0:9d:c9:3d:f6:10:5f:
31:f3:1d:9d:7a:2b:22:91:84:2f:19:ff:b9:2b:56:
f2:f7:2d
exponent1:
00:da:05:71:2f:bf:64:96:f3:dd:7f:d4:32:aa:b1:
7c:3b:1e:96:1e:8d:d9:41:bd:8b:7c:48:14:e5:56:
9c:ce:01
exponent2:
2d:58:1e:fc:8c:01:ae:50:ec:1e:2e:67:eb:aa:8c:
9e:83:9d:ef:f3:5f:4a:40:f3:3c:a3:9e:8c:72:a5:
62:8d
coefficient:
00:dd:9a:2e:10:ae:47:ba:40:75:a2:17:de:72:2c:
8d:ee:29:02:b6:ff:a6:e9:6d:84:7b:e1:c0:87:24:
83:46:d3
c) Remove the passphrase from the key (so Apache can start without prompting for it)
The unencrypted copy is saved separately as server.key.nopw:
# openssl rsa < server.key > server.key.nopw
Enter pass phrase:
writing RSA key
When done, server.key.nopw exists in the current directory. It holds the private key in the clear, so restrict it to root (chmod 600 server.key.nopw) and never copy it off the server.
d) Generate the server certificate signing request (CSR)
# openssl req -new -key server.key > server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:root@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
When done, server.csr exists in the current directory.
e) Create the server certificate. This command signs the request with the server's own key (-signkey), so the result is a self-signed certificate: the CA from step 2 is not involved, browsers cannot chain server.crt to cacert.pem, and they will warn about the site unless server.crt itself is imported as trusted. To have the CA issue the server certificate instead, sign server.csr with the CA certificate and key in the same way the client certificate is signed in step 4c.
# openssl x509 -req -days 3650 < server.csr -signkey server.key > server.crt
Signature ok
subject=/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=www.example.com/emailAddress=root@example.com
Getting Private key
Enter pass phrase for server.key:
When done, server.crt exists in the current directory.
f) Edit Apache's SSL configuration
Edit /etc/httpd/conf.d/ssl.conf:
# vi /etc/httpd/conf.d/ssl.conf
Set the following directives (Apache does not allow a comment after a directive on the same line, so the note on SSLCACertificateFile goes on a line of its own):
SSLCertificateFile /etc/httpd/ca/server.crt
SSLCertificateKeyFile /etc/httpd/ca/server.key
# CA certificate; mod_ssl uses it to verify client certificates (step 4)
SSLCACertificateFile /etc/pki/CA/cacert.pem
g) Restart Apache; it asks for the passphrase of the private key:
# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.example.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
[ OK ]
h) Let Apache restart without prompting for the passphrase
In /etc/httpd/conf.d/ssl.conf change
SSLCertificateKeyFile /etc/httpd/ca/server.key
to:
SSLCertificateKeyFile /etc/httpd/ca/server.key.nopw
Apache now restarts without asking for a passphrase. The key is stored in the clear from here on, so the file permissions (root-owned, mode 0600) are all that protects it.
# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
4. Generating and installing the client certificate
a) Create a directory client for the client certificate files
# mkdir client
# cd client/
b) Create the CSR for the user (computer1)
You are asked for a few details; fill them in as needed. The passphrase for the new private key is set to "clientpassword" here. Because no -key is given, openssl req generates a fresh private key (1024 bits, the default_bits value in openssl.cnf) and writes it to privkey.pem alongside the request.
# openssl req -new > computer1.csr
Generating a 1024 bit RSA private key
…++++++
….....++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) []:computer1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
When done, the current directory contains two files: computer1.csr and privkey.pem.
c) Create the user's certificate (crt) by having the CA sign the request
The passphrase of the CA private key is required here. Option names are case-sensitive (-CAkey, -CAcreateserial). The -signkey option in the original command line is dropped: combined with -CA it is redundant, and on its own it would produce a self-signed certificate. Note that openssl x509 -req does not record the issued certificate in the CA database (/etc/pki/CA/index.txt); step 5b has to add it there before it can be revoked.
# openssl x509 -req -days 3650 < computer1.csr -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial > computer1.crt
Signature ok
subject=/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=computer1
Getting CA Private Key
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
When done, computer1.crt exists in the current directory.
d) Export the certificate and its key as a PKCS#12 (.pfx) file (Internet Explorer only imports pfx files)
Note: the Export Password set here is the one needed when installing the certificate; it is "clientpassword" in this example. The key given with -inkey must be the user's own private key from step b (privkey.pem), not the CA key: the bundle has to contain the key matching computer1.crt, and the CA private key must never leave the CA.
# openssl pkcs12 -export -in computer1.crt -inkey privkey.pem -out computer1.pfx
Enter pass phrase for privkey.pem:
Enter Export Password:
Verifying – Enter Export Password:
When done, computer1.pfx exists in the current directory.
e) Configure Apache to require a client certificate
In /etc/httpd/conf.d/ssl.conf set:
SSLVerifyClient require
SSLVerifyDepth 10
After the change, restart Apache:
# /etc/init.d/httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
f) Copy computer1.pfx to the client machine and import it into the browser's certificate store, entering the export password from step d.
g) Once this is done, the site can be reached from a client that presents the certificate; a client without one is refused.
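The issuance part of steps 3 and 4 as one runnable script, added here as an example; it is not code from the original post. It builds a throwaway CA in a scratch directory so that it runs offline (on the RHEL 5 host the CA would be the one from step 2 under /etc/pki/CA and the output would go to /etc/httpd/ca; those paths, the subject names and the export password are assumptions). It departs from the post in the three places that matter: the server key is 2048 bits rather than the 512-bit default, the server certificate is signed by the CA instead of with -signkey, and the .pfx is built with the client's own private key rather than the CA key. It assumes the openssl command-line tool with its default openssl.cnf is installed.

```sh
#!/bin/sh
# Added example, not from the original post: steps 3 and 4 as functions,
# run against a throwaway CA in a scratch directory.  Paths, subject
# names and the export password are assumptions; on the RHEL 5 host the
# CA is /etc/pki/CA/{cacert.pem,private/cakey.pem} and output goes to
# /etc/httpd/ca.  Needs the openssl tool with its default openssl.cnf.
set -e

# Self-signed root CA.  -nodes leaves the key unencrypted only so the
# script runs without prompts; a real CA key is encrypted and kept offline.
make_ca() {               # make_ca CADIR
    mkdir -p "$1"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=CN/ST=ShangHai/O=example.com/CN=Example Test CA" \
        -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    chmod 600 "$1/cakey.pem"
}

# Sign a CSR with the CA: -CA/-CAkey make the CA the issuer.  The post's
# step 3e uses -signkey, which yields a self-signed certificate that
# never chains to cacert.pem.
sign_with_ca() {          # sign_with_ca CSR OUT CADIR DAYS
    openssl x509 -req -days "$4" -in "$1" -CA "$3/cacert.pem" \
        -CAkey "$3/cakey.pem" -CAcreateserial -out "$2" 2>/dev/null
}

# 2048-bit server key (OpenSSL 0.9.8 defaults to 512 bits when no size is
# given) and a CA-signed certificate whose CN is the site hostname.
make_server_cert() {      # make_server_cert DIR CADIR HOSTNAME
    mkdir -p "$1"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    chmod 600 "$1/server.key"          # stored in the clear: root only
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=$3" \
        2>/dev/null
    sign_with_ca "$1/server.csr" "$1/server.crt" "$2" 3650
}

# Client key and CA-signed certificate, bundled as PKCS#12 with the
# client's OWN key (-inkey).  The CA key never goes into a user's .pfx.
make_client_pfx() {       # make_client_pfx DIR CADIR USER EXPORT_PASSWORD
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$3.key" \
        -out "$1/$3.csr" \
        -subj "/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=$3" \
        2>/dev/null
    chmod 600 "$1/$3.key"
    sign_with_ca "$1/$3.csr" "$1/$3.crt" "$2" 3650
    openssl pkcs12 -export -in "$1/$3.crt" -inkey "$1/$3.key" -name "$3" \
        -passout "pass:$4" -out "$1/$3.pfx"
}

# The chain check mod_ssl performs against SSLCACertificateFile.
# Exit status 0 means the certificate chains to the CA.
verify_against_ca() {     # verify_against_ca CADIR CERT
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# Usage: sh mkcerts.sh /tmp/pki  (creates ca/, server/ and client/ there)
if [ -n "$1" ]; then
    make_ca "$1/ca"
    make_server_cert "$1/server" "$1/ca" www.example.com
    make_client_pfx "$1/client" "$1/ca" computer1 clientpassword
    verify_against_ca "$1/ca" "$1/server/server.crt" && echo "server.crt: chains to CA"
    verify_against_ca "$1/ca" "$1/client/computer1.crt" && echo "computer1.crt: chains to CA"
fi
```

verify_against_ca is the same check mod_ssl makes against SSLCACertificateFile; a certificate produced with -signkey, as in step 3e, fails it, while the CA-signed certificates from sign_with_ca pass.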
5. Revoking and renewing client certificates
a) Change to the /etc/pki/tls/misc directory
# cd /etc/pki/tls/misc
b) Revoke the client certificate computer1.crt. The certificate was issued with openssl x509 -req in step 4c and is therefore not yet in /etc/pki/CA/index.txt; openssl ca first adds an entry for it ("Adding Entry ... to DB" below) and then marks it revoked:
# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -revoke /etc/httpd/ca/client/computer1.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Adding Entry with serial number 8B962ECF679FB9AB to DB for /C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=computer1
Revoking Certificate 8B962ECF679FB9AB.
Data Base Updated
c) Generate a new certificate revocation list (CRL)
Note: at this point the command fails:
# openssl ca -gencrl -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /etc/httpd/ca/example.com.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
../../CA/crlnumber: No such file or directory
error while loading CRL number
12727:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/crlnumber','r')
12727:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
Something goes wrong here and I don't know why; I fixed it by creating the file by hand:
# echo "01" >../../CA/crlnumber
The cause: the [ CA_default ] section of /etc/pki/tls/openssl.cnf sets crlnumber = $dir/crlnumber with dir = ../../CA (relative to /etc/pki/tls/misc, hence the path in the error), but the CA script shipped with this OpenSSL version does not create that file when the CA is set up. Seeding it with 01 is the correct fix: openssl ca reads the value, writes it into the CRL as the CRL Number extension and stores the incremented value back in the file.
After that the CRL is created successfully:
# openssl ca -gencrl -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /etc/httpd/ca/example.com.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
d) Inspect the CRL (the file was written to /etc/httpd/ca in step c)
# openssl crl -noout -text -in /etc/httpd/ca/example.com.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=CN/ST=ShangHai/O=example.com/OU=IT Deps./CN=www.example.com/emailAddress=root@example.com
Last Update: Feb 24 14:40:04 2009 GMT
Next Update: Mar 26 14:40:04 2009 GMT
CRL extensions:
X509v3 CRL Number:
2
Revoked Certificates:
Serial Number: 8B962ECF679FB9AB
Revocation Date: Feb 24 14:28:44 2009 GMT
Signature Algorithm: sha1WithRSAEncryption
86:45:16:c7:0b:7d:15:6e:3c:eb:4e:92:1c:4f:62:ec:64:44:
cd:59:68:28:23:4b:ff:b0:93:1a:13:b7:cf:10:91:4f:da:6d:
25:48:99:9c:9d:f5:03:91:8b:c7:45:cb:92:68:79:ba:d5:68:
1f:e8:0f:a7:fa:ff:15:f8:a6:8b:9f:2f:c8:14:7d:9c:7a:c6:
36:6b:03:d8:c2:90:40:3a:24:51:43:71:47:84:5d:f8:38:44:
f3:06:df:cf:81:3a:ef:ac:99:29:fc:ed:44:4e:79:79:ee:aa:
15:1a:61:cc:e0:9f:23:75:fb:4a:a2:af:4a:cc:c9:9b:88:be:
8a:7b
e) Add the CRL to the Apache configuration
In /etc/httpd/conf.d/ssl.conf set the following line to the file written by -out in step c:
SSLCARevocationFile "/etc/httpd/ca/example.com.crl"
mod_ssl reads the CRL when Apache starts, so Apache has to be restarted after every CRL regeneration. The CRL also carries a Next Update date (30 days after generation here, the default_crl_days value in openssl.cnf); once that date has passed mod_ssl treats the CRL as expired and rejects every client certificate, so a fresh CRL must be generated and Apache restarted before then, whether or not anything was revoked.
Restart Apache:
# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
f) Access test from the client: the connection is refused and the browser reports that the certificate has been revoked.
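The revocation flow of step 5 end to end, added here as an example that is not from the original post. It sets up a CA directory the way the CA script does (index.txt, serial) and additionally creates the crlnumber file whose absence produced the error in step 5c, issues a client certificate through openssl ca rather than openssl x509 -req so that the certificate is in index.txt from the start, revokes it, regenerates the CRL and checks the certificate against the CRL with openssl verify -crl_check, which is the check mod_ssl performs with SSLCACertificateFile and SSLCARevocationFile. All paths, names and configuration values are assumptions for a scratch run; on the RHEL 5 host they correspond to /etc/pki/CA and the [ CA_default ] section of /etc/pki/tls/openssl.cnf.

```sh
#!/bin/sh
# Added example, not from the original post: step 5 end to end against
# a throwaway CA in a scratch directory.  It lays out the CA the way the
# CA script does (index.txt, serial) plus the crlnumber file missing in
# step 5c, issues a client certificate with "openssl ca" so it is in
# index.txt from the start, revokes it, regenerates the CRL and checks
# the certificate against the CRL.  Paths, names and config values are
# assumptions; on the host they map to /etc/pki/CA and openssl.cnf.
set -e

init_ca() {               # init_ca CADIR
    mkdir -p "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    : > "$1/index.txt"                 # certificate database
    echo 01 > "$1/serial"              # next certificate serial
    echo 01 > "$1/crlnumber"           # next CRL number (the file step 5c lacked)
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/private/cakey.pem
default_md       = sha256
default_days     = 3650
default_crl_days = 30
policy           = policy_any
x509_extensions  = client_cert
[ policy_any ]
organizationName = optional
commonName       = supplied
[ client_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA certificate; key unencrypted only to avoid prompts.
    openssl req -config "$1/openssl.cnf" -x509 -new -newkey rsa:2048 -nodes \
        -days 3650 -subj "/O=example.com/CN=Example Test CA" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

gen_crl() {               # gen_crl CADIR CRLFILE
    openssl ca -config "$1/openssl.cnf" -gencrl -out "$2" 2>/dev/null
}

issue_client() {          # issue_client CADIR DIR USER
    mkdir -p "$2"
    openssl req -config "$1/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/O=example.com/CN=$3" -keyout "$2/$3.key" -out "$2/$3.csr" 2>/dev/null
    # -batch skips the sign/commit prompts; the cert is recorded in index.txt
    openssl ca -config "$1/openssl.cnf" -batch -notext \
        -in "$2/$3.csr" -out "$2/$3.crt" 2>/dev/null
}

revoke_client() {         # revoke_client CADIR CERT CRLFILE
    openssl ca -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
    gen_crl "$1" "$3"     # the revocation only takes effect in a new CRL
}

# What mod_ssl does with SSLCACertificateFile + SSLCARevocationFile: chain
# check plus CRL check.  Exit 0 = accepted; non-zero = rejected, e.g.
# "certificate revoked" or, after Next Update has passed, "CRL has expired".
check_client() {          # check_client CADIR CRLFILE CERT
    openssl verify -crl_check -CAfile "$1/cacert.pem" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Usage: sh revoke.sh /tmp/pki
if [ -n "$1" ]; then
    init_ca "$1/ca"
    gen_crl "$1/ca" "$1/example.com.crl"
    issue_client "$1/ca" "$1/client" computer1
    check_client "$1/ca" "$1/example.com.crl" "$1/client/computer1.crt" && echo "computer1: accepted"
    revoke_client "$1/ca" "$1/client/computer1.crt" "$1/example.com.crl"
    check_client "$1/ca" "$1/example.com.crl" "$1/client/computer1.crt" || echo "computer1: rejected"
    openssl crl -noout -text -in "$1/example.com.crl"
fi
```

The CRL Number in the output advances by one on every openssl ca -gencrl; that counter is what the crlnumber file stores. Because mod_ssl only loads the CRL at startup and rejects all client certificates once the CRL's Next Update date has passed, regenerating the CRL and restarting Apache has to be scheduled, not done only when something is revoked.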
[Reply]
Bookmarked, many thanks
[Reply]
Thanks, I was just about to study certificates properly; it's rare to find such a detailed document.
[Reply]
Nice