https功能实现-自签证书测试

每日一练 Liemer_Lius 920℃ 0评论

证书查看日期:

#openssl x509 -in ufk.yonyouup.com.crt  -noout -dates
notBefore=Apr 26 02:51:07 2016 GMT
notAfter=Apr 26 02:51:07 2018 GMT
# curl --insecure -v -s -o /dev/null  https://www.baidu.com 2>&1   | grep "expire date"
* 	expire date: Oct 09 06:31:51 2021 GMT

查看详情:

# openssl x509 -in ufk.yonyouup.com.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            54:2a:bc:48:f6:d5:6f:58:e5:3b:09:d8:b8:ce:41:a2
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, O=WoSign CA Limited, CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE5\x85\x8D\xE8\xB4\xB9SSL\xE8\xAF\x81\xE4\xB9\xA6 G2
        Validity
            Not Before: Apr 26 02:51:07 2016 GMT
            Not After : Apr 26 02:51:07 2018 GMT
        Subject: CN=www.liutianfeng.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e0:f3:99:b2:83:e4:9d:c4:16:ab:e5:68:07:c5:
                    0e:1d:b2:bc:78:be:71:a0:e2:91:33:e9:8c:be:a4:
                    10:91:14:e3:ff:58:2e:db:ac:1a:24:3e:9a:c5:2c:
                    f5:e3:97:1a:36:02:84:a2:97:0f:72:01:5a:43:55:
                    6f:8a:53:a9:f0:08:22:af:8f:da:44:bd:79:2f:62:
                    49:14:22:aa:d1:8c:fc:c3:7f:96:3e:6a:a6:f1:3a:
                    b9:51:c6:0e:5d:e0:aa:3c:8e:90:b6:e3:c5:75:74:
                    46:94:90:e7:b1:3e:fe:9f:09:20:56:db:c9:cb:7c:
                    99:7c:57:43:f3:e7:9d:f4:9a:c0:d8:b7:f8:ce:c2:
                    34:b2:18:a2:2c:da:9d:5d:c1:09:01:2d:06:12:a9:
                    6e:91:7e:86:07:e3:23:0d:7d:a4:eb:aa:ab:13:ac:
                    94:0d:5e:79:88:e7:45:36:b6:3d:fe:95:1e:53:65:
                    94:d0:7f:06:f0:0d:00:03:c7:b8:3f:9d:d9:81:97:
                    9f:ec:cf:8b:7d:de:cf:fd:76:9c:8c:85:95:34:14:
                    66:54:4c:41:79:bb:6c:c3:8b:ec:de:3a:3a:ed:2d:
                    ee:e6:f1:61:0d:26:be:e9:eb:10:c3:4d:2a:c1:f3:
                    30:aa:ae:88:c7:8a:95:58:eb:46:d3:16:58:c5:f1:
                    1a:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                2E:4B:70:C3:10:BC:47:EA:9F:28:B6:95:19:00:B4:A8:65:67:A3:2D
            X509v3 Authority Key Identifier: 
                keyid:30:DA:74:86:F3:28:90:56:9E:D7:31:31:C2:BD:59:CD:93:12:39:1D

            Authority Information Access: 
                OCSP - URI:http://ocsp2.wosign.cn/ca2g2/server1/free
                CA Issuers - URI:http://aia2.wosign.cn/ca2g2.server1.free.cer

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crls2.wosign.cn/ca2g2-server1-free.crl

            X509v3 Subject Alternative Name: 
                DNS:www.liutianfeng.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.36305.1.1.2
                  CPS: http://www.wosign.com/policy/

    Signature Algorithm: sha256WithRSAEncryption
         3f:a7:07:39:28:75:d2:fe:f6:92:b9:d8:ad:4e:91:40:28:1e:
         45:3d:2a:09:96:b8:6a:73:5b:df:f1:c8:42:a6:1b:30:e2:1d:
         90:b8:ab:e7:d9:e7:3f:3f:f6:53:68:c1:14:9f:9b:44:c3:c6:
         1a:77:75:43:8a:b4:b7:0d:08:e0:00:90:be:a3:31:52:52:66:
         93:98:bb:db:65:70:22:48:00:dd:3d:7c:7b:e4:a0:0e:cd:09:
         44:e5:fb:d8:b0:50:49:fe:d2:05:0f:02:ed:68:73:e9:61:ba:
         cb:d7:90:77:31:32:e1:29:6f:c2:af:b8:d6:dd:01:e7:d7:73:
         d8:f7:93:59:8e:0c:30:d8:9f:3e:e1:28:0f:46:43:eb:ab:df:
         1a:60:26:8e:97:2d:23:e5:4c:44:02:d8:4a:0d:b6:df:ec:9c:
         9e:14:2d:ee:e3:7b:bc:d0:59:5b:57:30:8b:a9:99:d0:85:d4:
         58:70:a1:69:9b:1a:c2:cf:f7:a4:31:37:85:d4:7f:45:04:ec:
         f5:c5:3a:d8:f2:d4:7f:9c:c9:87:a7:54:ee:66:8e:be:38:16:
         f7:b4:0c:c7:d8:8c:d9:81:76:db:15:06:ab:c4:92:d9:10:1f:
         f5:d5:f6:54:3a:11:09:f5:44:86:f8:78:54:aa:48:fa:de:c8:
         12:85:8a:ae

测试环境:

httpd主机:192.168.75.55
CA主机:192.168.75.88
CentOS 6.6
Apache 2.2
Apache: 虚拟主机方案,hello.skelchina.com是ssl要配置的你主机

测试方案:

一、CA主机自签证书
二、httpd主机生成csr文件,发送给CA主机签署
三、httpd主机复制签收后的主机,配置https服务
四、windows端安装CA的证书,信任后测试访问结果

一、CA主机(192.168.75.88)自签证书

首先,需要mod_ssl模块的支持,httpd -M查看有没有这个模块,没有的话安装:

http的模块中要有支持ssl的,否则无法实现ssl配置。
默认的httpd程序没有ssl模块,yum安装一下:
# yum install -y mod_ssl
# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf      // httpd的conf.d目录生成了一个ssl.conf文件
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

CA自签证书:

# pwd
/etc/pki/CA
# (umask 077; openssl genrsa -out private/cakey.pem 2048)    // 括号表示一些配置仅在这个指令段有效
Generating RSA private key, 2048 bit long modulus
..........................+++
...................................................................................+++
e is 65537 (0x10001)
# ls private/
cakey.pem

修改默认的配置,之后就不用在生成证书的时候频繁写入内容:

# vim /etc/pki/tls/openssl.cnf
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default    = Beijing

localityName                    = Locality Name (eg, city)
localityName_default    = Beijing

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = skelchina

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Tech

commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

自签证书,一路回车,因为是自签,hostname方面不用太注意,但发给别的主机,要和主机名(网站的主机名)一致,否则警告。

# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out cacert.pem -days 3655     // 自签证书,一路回车,因为是自签,hostname方面不用太注意,但发给别的主机,要和主机名(网站的主机名)一致,否则警告。
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [skelchina]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.skelchina.com
Email Address []:admin@skelchina.com

将/etc/pki/tls/openssl.conf里面的默认路径等配置一下,以方便签署证书:

[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept   // 文件存放目录
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate     // 我们生成cacert的时候就是这个名称,为了方便。
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number

crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key    // 默认的私钥地址,定义的时候也按照这个名称定义的
RANDFILE        = $dir/private/.rand    # private random number file

准备一些目录、文件,方便httpd服务器的cert签署:

# pwd
/etc/pki/CA
# mkdir certs crl newcerts     // 准备用到的目录
# touch index.txt              // 建立索引文件
# echo 01 > serial             // 将序列号加入到文件之中

二、http服务器生成cert签署请求,发送给CA,交由CA签署

httpd服务器生成csr请求:

# mkdir /etc/httpd/ssl && cd /etc/httpd/ssl
# (umask 077; openssl genrsa 2048 > httpd.key)    // 生成一个密钥,可以是2048位
Generating RSA private key, 2048 bit long modulus
........................................++++++
............++++++
e is 65537 (0x10001)
[root@MyLinux ssl]# ll
total 4
-rw------- 1 root root 887 Feb 13 07:22 httpd.key    // 权限600
[root@MyLinux ssl]# openssl req -new -key httpd.key -out httpd.csr    // 生成csr文件
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN     // 注意要和CA机构的参数完全一致
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:SkelChina
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:hello.skelchina.com    // 签署的主机名,很重要
Email Address []:hello@skelchina.com   // 以下的不重要,可以不填或者自定义

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

复制到CA主机并签署:

# scp httpd.csr 192.168.75.88:/tmp
[root@Lius CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650    // CA端签署
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 13 12:38:26 2018 GMT
            Not After : Feb 11 12:38:26 2028 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = SkelChina
            organizationalUnitName    = Tech
            commonName                = hello.skelchina.com
            emailAddress              = admin@hello.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                0C:A6:4C:B5:7F:E0:6C:CF:BC:64:53:82:7A:66:CA:1F:8E:FB:87:EF
            X509v3 Authority Key Identifier: 
                keyid:C1:1C:CE:6B:98:99:45:C6:C3:E2:DA:85:C3:F8:E8:2B:3E:06:EC:7E

Certificate is to be certified until Feb 11 12:38:26 2028 GMT (3650 days)
Sign the certificate? [y/n]:y    // 是否签署,键入y


1 out of 1 certificate requests certified, commit? [y/n]y    // 提交键入y
Write out database with 1 new entries
Data Base Updated

[root@Lius CA]# cat index.txt    // 查看index和serial,可以发现内容改变了。
V	280211123826Z		01	unknown	/C=CN/ST=Beijing/O=SkelChina/OU=Tech/CN=hello.skelchina.com/emailAddress=admin@hello.com
[root@Lius CA]# cat serial
02

三、http服务器复制cert过来,并进行https配置

[root@MyLinux ssl]# scp 192.168.75.88:/tmp/httpd.crt ./
[root@MyLinux ssl]# ls
httpd.crt  httpd.csr  httpd.key
注意删除CA里面生成的crt文件和scr文件
# cd /etc/httpd/conf.d
# cp ssl.conf ssl.conf.bak        // 先备份一下
# vim ssl.conf              // 编辑一下配置文件

LoadModule ssl_module modules/mod_ssl.so   // 载入了一个模块
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# <VirtualHost _default_:443>     // 如果有多个ip,要配置特定的ip
<VirtualHost 192.168.75.55:443>
ServerName hello.skelchina.com    // 指定ServerName, 因为只提供一个虚拟主机的ssl。
DocumentRoot "/www/skelchina"     // 要和不适用ssl的路径相同
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log    // 不再叫CustomLog了
LogLevel warn   // 日志级别单独定义了
SSLEngine on    // 是否启动,很关键
SSLProtocol all -SSLv2    // 支持的ssl版本,-SSLv2,则仅支持SSLv3, TLSv1
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/ssl/httpd.crt        // 证书文件
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key     // 私钥地址
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
		 
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

其他信息不用管,直接保存退出即可。
# httpd -t    // 检查语法
Syntax OK
[root@MyLinux conf.d]# !ser   // 重启服务器
service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

四、复制CA服务器的cacert.pem到windows并安装

复制CA服务器的cacert.pem到windows,修改名称为cacert.crt,双击安装证书为”受信任的根证书颁发机构”,用https://hello.skelchina.com访问,发现可以访问了。
不过,即使这样,浏览器也会提示错误,在高级里面可以添加例外,这样就能访问了。

 

转载请注明:skelchina.com » https功能实现-自签证书测试

喜欢 (1)
发表我的评论
取消评论
表情

Hi,您需要填写昵称和邮箱!

  • 昵称 (必填)
  • 邮箱 (必填)
  • 网址