Setting up SSL on the network
I searched through a lot of related material online and finally found that this article truly solved the problem that had troubled me for several days. Saving it here for reference. Author information:
Alin Fang (Fang Yunlin)
MSN: cst05001@hotmail.com
G Talk: cst05001@gmail.com
Blog: http://www.alinblog.cn/
Revision date:
10 Nov, 2008
1st revision
License:
GNU
Disclaimer:
These are my own experiment notes, not an authoritative document. If you find any errors, please let me know. Many thanks!
Special note:
This experiment is carried out entirely with the scripts shipped in the relevant RHEL5 rpm packages. All openssl operations are performed by those scripts; no manual openssl invocation is needed.
Test environment:
OS: Red Hat Enterprise Linux 5 update 2
hostname: ca.alin
ip: 192.168.8.3
acts as the HTTPS certification authority (CA) server
hostname: server.alin
ip: 192.168.8.4
acts as the HTTPS web server
hostname: client.alin
ip: 192.168.8.5
accesses server.alin through a browser
This is the hosts file configuration on all machines:
127.0.0.1 localhost.localdomain localhost
192.168.8.3 ca.alin
192.168.8.4 server.alin
Steps
On ca.alin
# yum install -y httpd mod_ssl
# pwd
/etc/pki
# tree
.
|-- CA
|   `-- private
|-- nssdb
|   |-- cert8.db
|   |-- key3.db
|   `-- secmod.db
|-- rpm-gpg
|   |-- RPM-GPG-KEY-fedora
|   |-- RPM-GPG-KEY-fedora-test
|   |-- RPM-GPG-KEY-redhat-auxiliary
|   |-- RPM-GPG-KEY-redhat-beta
|   |-- RPM-GPG-KEY-redhat-former
|   |-- RPM-GPG-KEY-redhat-release
|   `-- RPM-GPG-KEY-redhat-rhx
`-- tls
    |-- cert.pem -> certs/ca-bundle.crt
    |-- certs
    |   |-- Makefile
    |   |-- ca-bundle.crt
    |   |-- localhost.crt
    |   `-- make-dummy-cert
    |-- misc
    |   |-- CA
    |   |-- c_hash
    |   |-- c_info
    |   |-- c_issuer
    |   `-- c_name
    |-- openssl.cnf
    `-- private
        `-- localhost.key
8 directories, 22 files
#
Everything the CA and HTTPS need is already in there.
Create the CA key pair and self-signed CA certificate
# ./CA -?
usage: CA -newcert|-newreq|-newca|-sign|-verify
# ./CA -newca
mkdir: cannot create directory `../../CA': File exists
mkdir: cannot create directory `../../CA/private': File exists
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..............................++++++
...++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :BJ
Locality Name (eg, city) :BJ
Organization Name (eg, company) :Red Hat
Organizational Unit Name (eg, section) []:GSS
Common Name (eg, your name or your server's hostname) []:ca.alin
Email Address []:cst05001@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Nov 9 21:24:00 2008 GMT
Not After : Nov 9 21:24:00 2011 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = Red Hat
organizationalUnitName = GSS
commonName = ca.alin
emailAddress = cst05001@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7
X509v3 Authority Key Identifier:
keyid:E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7
Certificate is to be certified until Nov 9 21:24:00 2011 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
#
As you can see, some new files have appeared under /etc/pki/CA.
# tree /etc/pki/
/etc/pki/
|-- CA
|   |-- cacert.pem
|   |-- careq.pem
|   |-- certs
|   |-- crl
|   |-- index.txt
|   |-- index.txt.attr
|   |-- index.txt.old
|   |-- newcerts
|   |   `-- 00.pem
|   |-- private
|   |   `-- cakey.pem
|   |-- serial
|   `-- serial.old
|-- nssdb
|   |-- cert8.db
|   |-- key3.db
|   `-- secmod.db
|-- rpm-gpg
|   |-- RPM-GPG-KEY-fedora
|   |-- RPM-GPG-KEY-fedora-test
|   |-- RPM-GPG-KEY-redhat-auxiliary
|   |-- RPM-GPG-KEY-redhat-beta
|   |-- RPM-GPG-KEY-redhat-former
|   |-- RPM-GPG-KEY-redhat-release
|   `-- RPM-GPG-KEY-redhat-rhx
`-- tls
    |-- cert.pem -> certs/ca-bundle.crt
    |-- certs
    |   |-- Makefile
    |   |-- ca-bundle.crt
    |   |-- localhost.crt
    |   `-- make-dummy-cert
    |-- misc
    |   |-- CA
    |   |-- c_hash
    |   |-- c_info
    |   |-- c_issuer
    |   `-- c_name
    |-- openssl.cnf
    `-- private
        `-- localhost.key
11 directories, 31 files
#
On server.alin
# yum install -y httpd mod_ssl
Create the private key needed for HTTPS
# cd /etc/pki/tls/
cert.pem certs/ misc/ openssl.cnf private/
# cd /etc/pki/tls/certs
# ls
ca-bundle.crt localhost.crt make-dummy-cert Makefile
# make
This makefile allows you to create:
o public/private key pairs
o SSL certificate signing requests (CSRs)
o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".
To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".
To create a test certificate with serial number other than zero, add SERIAL=num
Examples:
make server.key
make server.csr
make server.crt
make stunnel.pem
make genkey
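The flow the article drives through RHEL5's CA script (CA -newca) and the certs/Makefile (make genkey, make certreq), followed by the signing and verification steps the CA script's -sign and -verify options cover, reproduced below with the plain openssl CLI as an added example. This is not the article's own code and not the RHEL5 scripts; the hostnames ca.alin and server.alin and the DN values come from the article, while WORKDIR, the file names, the minimal openssl.cnf and the use of "openssl x509 -req" in place of the CA script's "openssl ca" (which needs the index.txt/serial database seen in the tree above) are assumptions. One caveat the article's output makes visible: the CA -newca transcript shows "Basic Constraints: CA:FALSE" on the CA certificate, and a verifier that enforces basic constraints will refuse to treat such a certificate as an issuer; the example therefore sets CA:TRUE explicitly and includes a check for it. Keys are written unencrypted (-nodes) so that the script runs without pass phrase prompts, unlike the article's scripts, which encrypt cakey.pem.

```shell
#!/bin/sh
# Added example, not the article's commands: CA -> server certificate flow
# with the plain openssl CLI. WORKDIR, file names and the config are assumptions.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal stand-in for /etc/pki/tls/openssl.cnf. v3_ca carries CA:TRUE,
# which the article's CA -newca output lacks (it shows CA:FALSE).
write_cnf() {
    cat > "$WORKDIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
C = CN
ST = BJ
O = Red Hat
CN = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:server.alin
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# ca.alin, the equivalent of "CA -newca": CA key pair and self-signed CA cert.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 \
        -config "$WORKDIR/openssl.cnf" -extensions v3_ca \
        -subj "/C=CN/ST=BJ/L=BJ/O=Red Hat/OU=GSS/CN=ca.alin" \
        -keyout "$WORKDIR/cakey.pem" -out "$WORKDIR/cacert.pem" 2>/dev/null
}

# server.alin, the equivalent of "make genkey" + "make certreq": key and CSR.
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORKDIR/openssl.cnf" \
        -subj "/C=CN/ST=BJ/L=BJ/O=Red Hat/OU=GSS/CN=server.alin" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.csr" 2>/dev/null
}

# ca.alin, the equivalent of "CA -sign": issue server.crt from the CSR.
# "openssl x509 -req" is used so no index.txt/serial database is needed.
sign_server_cert() {
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/cacert.pem" -CAkey "$WORKDIR/cakey.pem" -CAcreateserial \
        -extfile "$WORKDIR/openssl.cnf" -extensions v3_server \
        -out "$WORKDIR/server.crt" 2>/dev/null
}

# Returns 0 when the certificate's Basic Constraints say CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Returns 0 when server.crt chains to cacert.pem, the check a browser on
# client.alin performs once the CA certificate has been imported.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/cacert.pem" "$WORKDIR/server.crt" >/dev/null
}

run_demo() {
    write_cnf
    make_ca
    make_server_csr
    sign_server_cert
    verify_chain
}

run_demo
echo "server.crt verified against cacert.pem in $WORKDIR"
```

Running the script prints the working directory; cacert.pem is the file to import into the browser on client.alin, and server.key together with server.crt is what mod_ssl on server.alin would be pointed at. Swapping CA:TRUE for CA:FALSE in the v3_ca section makes verify_chain fail, which is the failure mode the article's CA:FALSE output would produce.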