Checking a certificate's validity dates:
#openssl x509 -in ufk.yonyouup.com.crt -noout -dates
notBefore=Apr 26 02:51:07 2016 GMT
notAfter=Apr 26 02:51:07 2018 GMT
# curl --insecure -v -s -o /dev/null https://www.baidu.com 2>&1 | grep "expire date"
* expire date: Oct 09 06:31:51 2021 GMT
Viewing the full details:
# openssl x509 -in ufk.yonyouup.com.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
54:2a:bc:48:f6:d5:6f:58:e5:3b:09:d8:b8:ce:41:a2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, O=WoSign CA Limited, CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE5\x85\x8D\xE8\xB4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6 G2
Validity
Not Before: Apr 26 02:51:07 2016 GMT
Not After : Apr 26 02:51:07 2018 GMT
Subject: CN=www.liutianfeng.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
2E:4B:70:C3:10:BC:47:EA:9F:28:B6:95:19:00:B4:A8:65:67:A3:2D
X509v3 Authority Key Identifier:
keyid:30:DA:74:86:F3:28:90:56:9E:D7:31:31:C2:BD:59:CD:93:12:39:1D
Authority Information Access:
OCSP - URI:http://ocsp2.wosign.cn/ca2g2/server1/free
CA Issuers - URI:http://aia2.wosign.cn/ca2g2.server1.free.cer
X509v3 CRL Distribution Points:
Full Name:
URI:http://crls2.wosign.cn/ca2g2-server1-free.crl
X509v3 Subject Alternative Name:
DNS:www.liutianfeng.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.36305.1.1.2
CPS: http://www.wosign.com/policy/
Signature Algorithm: sha256WithRSAEncryption
Test environment:
httpd host: 192.168.75.55
CA host: 192.168.75.88
CentOS 6.6
Apache 2.2
Apache: virtual host setup; hello.skelchina.com is the virtual host that SSL is configured for
Test plan:
1. The CA host creates a self-signed CA certificate
2. The httpd host generates a CSR and sends it to the CA host for signing
3. The httpd host copies the signed certificate back and configures the HTTPS service
4. The CA certificate is installed and trusted on a Windows client, then access is tested
1. CA host (192.168.75.88): self-signed CA certificate
First, mod_ssl is required. Check with httpd -M whether the module is loaded; without an SSL-capable module the SSL configuration cannot work. The stock httpd package does not ship it, so install it with yum:
# yum install -y mod_ssl
# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf // an ssl.conf file is created in httpd's conf.d directory
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
CA self-signed certificate:
# pwd
/etc/pki/CA
# (umask 077; openssl genrsa -out private/cakey.pem 2048) // the parentheses run a subshell, so the umask applies only to this command
Generating RSA private key, 2048 bit long modulus
..........................+++
...................................................................................+++
e is 65537 (0x10001)
# ls private/
cakey.pem
Change the defaults so you don't have to type the same values every time you generate a certificate:
# vim /etc/pki/tls/openssl.cnf
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = skelchina
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Tech
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
Self-sign the certificate, pressing Enter through the prompts. Since this is the CA's own self-signed certificate the hostname doesn't matter much, but a certificate issued to another host must match that host's name (the website's hostname), otherwise browsers warn.
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 3655 // self-sign the CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [skelchina]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.skelchina.com
Email Address []:admin@skelchina.com
Set the default paths in /etc/pki/tls/openssl.cnf so that signing certificates is convenient:
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept // directory where everything is stored
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate // we used this exact name when generating the CA cert, so nothing to change here
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key // default private key path; the key was generated under this name
RANDFILE = $dir/private/.rand # private random number file
Prepare the directories and files needed to sign the httpd server's certificate:
# pwd
/etc/pki/CA
# mkdir certs crl newcerts // directories that will be used
# touch index.txt // create the index file
# echo 01 > serial // write the starting serial number to the file
2. The httpd server generates a certificate signing request and sends it to the CA for signing
Generate the CSR on the httpd server:
# mkdir /etc/httpd/ssl && cd /etc/httpd/ssl
# (umask 077; openssl genrsa 2048 > httpd.key) // generate a private key; 2048 bits is fine
Generating RSA private key, 2048 bit long modulus
........................................++++++
............++++++
e is 65537 (0x10001)
[root@MyLinux ssl]# ll
total 4
-rw------- 1 root root 887 Feb 13 07:22 httpd.key // mode 600
[root@MyLinux ssl]# openssl req -new -key httpd.key -out httpd.csr // generate the CSR
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN // note: these must match the CA's values exactly
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:SkelChina
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:hello.skelchina.com // the hostname being certified; this one matters
Email Address []:hello@skelchina.com // the fields from here on don't matter; leave them blank or fill in as you like
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Copy it to the CA host and sign it:
# scp httpd.csr 192.168.75.88:/tmp
[root@Lius CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650 // sign on the CA side
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 13 12:38:26 2018 GMT
Not After : Feb 11 12:38:26 2028 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = SkelChina
organizationalUnitName = Tech
commonName = hello.skelchina.com
emailAddress = admin@hello.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0C:A6:4C:B5:7F:E0:6C:CF:BC:64:53:82:7A:66:CA:1F:8E:FB:87:EF
X509v3 Authority Key Identifier:
keyid:C1:1C:CE:6B:98:99:45:C6:C3:E2:DA:85:C3:F8:E8:2B:3E:06:EC:7E
Certificate is to be certified until Feb 11 12:38:26 2028 GMT (3650 days)
Sign the certificate? [y/n]:y // confirm signing with y
1 out of 1 certificate requests certified, commit? [y/n]y // commit with y
Write out database with 1 new entries
Data Base Updated
[root@Lius CA]# cat index.txt // check index.txt and serial; their contents have changed
V 280211123826Z 01 unknown /C=CN/ST=Beijing/O=SkelChina/OU=Tech/CN=hello.skelchina.com/emailAddress=admin@hello.com
[root@Lius CA]# cat serial
02
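The three steps above (CA self-signs, the httpd host makes a CSR, the CA signs it), as an added example that is not from the original post: the same flow run non-interactively in a scratch directory, followed by the checks an admin should run before pointing httpd at the files. It assumes a POSIX shell with openssl on the PATH; the function names are hypothetical. It goes beyond the post in two ways: it uses `x509 -req -CA` in place of `openssl ca` so no index.txt/serial setup is needed, and it adds a subjectAltName at signing time, since browsers match the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not from the original post: reproduces the three steps
# (CA self-signs, httpd host makes a CSR, CA signs it) non-interactively in
# a scratch directory, then runs the checks an admin would run before
# pointing SSLCertificateFile/SSLCertificateKeyFile at the files.
set -eu
WORK=$(mktemp -d)            # stands in for /etc/pki/CA and /etc/httpd/ssl
HOST=hello.skelchina.com     # the post's virtual host name

# Step 1 (CA host): key plus self-signed CA certificate. The tiny config
# marks the cert CA:TRUE so "openssl verify" accepts it as a trust anchor
# on any OpenSSL version; -subj replaces the interactive prompts.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/req.cnf"
(umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -config "$WORK/req.cnf" -key "$WORK/cakey.pem" -days 3655 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=skelchina/OU=Tech/CN=ca.skelchina.com" \
  -out "$WORK/cacert.pem"

# Step 2 (httpd host): server key and CSR; the CN is the site hostname.
(umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
openssl req -new -config "$WORK/req.cnf" -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
  -subj "/C=CN/ST=Beijing/O=SkelChina/OU=Tech/CN=$HOST"

# Step 3 (CA host): sign the CSR. "x509 -req -CA" stands in for the post's
# "openssl ca" so no index.txt/serial setup is needed. -extfile adds a
# subjectAltName, which the post's certificate lacks and which browsers
# require for hostname matching (they ignore the CN).
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
  -CAcreateserial -days 3650 -extfile "$WORK/ext.cnf" -out "$WORK/httpd.crt" 2>/dev/null

# Does the server cert chain to our CA? (This is what trusting cacert.pem buys.)
chain_ok() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/httpd.crt" >/dev/null 2>&1; }

# Do certificate and key belong together? (A mismatch stops httpd at start-up.)
key_matches_cert() {
  [ "$(openssl x509 -noout -modulus -in "$WORK/httpd.crt")" = \
    "$(openssl rsa -noout -modulus -in "$WORK/httpd.key" 2>/dev/null)" ]
}

# Is the site name present as a SAN entry, the name browsers actually check?
san_has_host() { openssl x509 -noout -text -in "$WORK/httpd.crt" | grep -q "DNS:$HOST"; }

chain_ok && key_matches_cert && san_has_host && echo "all checks passed"
```

The same three checks apply unchanged to the real /etc/httpd/ssl/httpd.crt, httpd.key and /etc/pki/CA/cacert.pem produced by the post's commands.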
3. Copy the certificate to the httpd server and configure HTTPS
[root@MyLinux ssl]# scp 192.168.75.88:/tmp/httpd.crt ./
[root@MyLinux ssl]# ls
httpd.crt httpd.csr httpd.key
Remember to delete the .crt and .csr files left behind on the CA host.
# cd /etc/httpd/conf.d
# cp ssl.conf ssl.conf.bak // back it up first
# vim ssl.conf // edit the config file
LoadModule ssl_module modules/mod_ssl.so // loads the module
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# <VirtualHost _default_:443> // with several IPs, bind to the specific one
<VirtualHost 192.168.75.55:443>
ServerName hello.skelchina.com // set ServerName, since SSL is provided for only one virtual host
DocumentRoot "/www/skelchina" // must match the non-SSL document root
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log // TransferLog here, not CustomLog
LogLevel warn // the log level is set separately
SSLEngine on // turns SSL on; essential
SSLProtocol all -SSLv2 // supported SSL versions; -SSLv2 leaves only SSLv3 and TLSv1
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/ssl/httpd.crt // certificate file
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key // private key path
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
The remaining settings can be left alone; save and exit.
# httpd -t // check the syntax
Syntax OK
[root@MyLinux conf.d]# !ser // restart the service
service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
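An added example, not from the original post, for auditing the SSLProtocol line in the ssl.conf above: it applies the directive's own add/remove rules to find the versions actually left enabled, so the post's line can be compared with a corrected one. The function names and the list of versions this Apache 2.2 build knows (taken from the post's own comment on the SSLProtocol line) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: works out which protocol
# versions an Apache 2.2 mod_ssl "SSLProtocol" line leaves enabled, using the
# directive's own rules ("all" = every version the build knows, "-X" removes,
# "+X" or a bare "X" adds), so the post's line can be audited.
set -eu
# Versions the post's Apache 2.2 / CentOS 6 build knows (assumed from the
# author's note that "all -SSLv2" leaves SSLv3 and TLSv1).
KNOWN="SSLv2 SSLv3 TLSv1"
# Versions that must no longer be offered (SSLv3 was retired by RFC 7568).
RETIRED="SSLv2 SSLv3"

drop() { out=""; for v in $1; do [ "$v" = "$2" ] || out="$out${out:+ }$v"; done; printf '%s' "$out"; }
add()  { case " $1 " in *" $2 "*) printf '%s' "$1" ;; *) printf '%s' "$1${1:+ }$2" ;; esac; }

# enabled_protocols TOKEN...: prints the enabled versions, space-separated.
enabled_protocols() {
  cur=""
  for tok in "$@"; do
    case "$tok" in
      all|+all) cur="$KNOWN" ;;
      -all)     cur="" ;;
      -*)       cur=$(drop "$cur" "${tok#-}") ;;
      *)        cur=$(add "$cur" "${tok#+}") ;;
    esac
  done
  printf '%s' "$cur"
}

# weak_protocols TOKEN...: the enabled versions that are retired; empty is good.
weak_protocols() {
  out=""
  for v in $(enabled_protocols "$@"); do
    case " $RETIRED " in *" $v "*) out="$out${out:+ }$v" ;; esac
  done
  printf '%s' "$out"
}

# audit_line 'SSLProtocol all -SSLv2': takes the line as written in ssl.conf.
audit_line() {
  set -- $1; shift                      # split the line, drop the keyword
  weak=$(weak_protocols "$@")
  if [ -n "$weak" ]; then printf 'WEAK: %s still enabled\n' "$weak"
  else printf 'OK: %s\n' "$(enabled_protocols "$@")"; fi
}

audit_line 'SSLProtocol all -SSLv2'         # the post's line: SSLv3 stays on
audit_line 'SSLProtocol all -SSLv2 -SSLv3'  # the fix for this Apache 2.2 build
```

TLSv1 itself was later deprecated by RFC 8996; on a newer httpd/OpenSSL build extend KNOWN with TLSv1.1 and TLSv1.2 and move TLSv1 into RETIRED.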
4. Copy the CA server's cacert.pem to Windows and install it
Copy cacert.pem from the CA server to Windows, rename it cacert.crt, double-click it and install it under "Trusted Root Certification Authorities", then open https://hello.skelchina.com: the site is now reachable.
Even so, the browser still shows a warning; under Advanced you can add an exception, after which the page loads.
Please credit when reposting: liutianfeng.com » Implementing HTTPS: self-signed certificate test