六狼论坛

SSL Network Setup

Original poster | Posted on 2013-1-16 02:16:30
I searched a lot of related material online, and in the end this article was the one that really solved the problem that had troubled me for several days. Saving it here for reference.

Author information:

Alin Fang (Fang Yunlin)
MSN: cst05001@hotmail.com
G Talk: cst05001@gmail.com
Blog: http://www.alinblog.cn/

Revision date:

10 Nov, 2008
1st revision

License:

GNU

Disclaimer:

These are my own experiment notes, not an authoritative document. If you find any errors, please let me know. Many thanks!

Special note:

This experiment uses only the scripts shipped in the relevant RHEL5 rpm packages. All openssl operations are performed by those scripts; no manual intervention is required.
Test environment:

OS: Red Hat Enterprise Linux 5 update 2

hostname: ca.alin
ip: 192.168.8.3
Acts as the HTTPS certification authority (CA) server

hostname: server.alin
ip: 192.168.8.4
Acts as the HTTPS web server

hostname: client.alin
ip: 192.168.8.5
Accesses server.alin through a browser

This is the hosts configuration on all the machines:
127.0.0.1 localhost.localdomain localhost
192.168.8.3 ca.alin
192.168.8.4 server.alin

Experiment steps

On ca.alin:

[root@localhost ~]# yum install -y httpd mod_ssl

[root@localhost pki]# pwd
/etc/pki
[root@localhost pki]# tree
.
|-- CA
|   `-- private
|-- nssdb
|   |-- cert8.db
|   |-- key3.db
|   `-- secmod.db
|-- rpm-gpg
|   |-- RPM-GPG-KEY-fedora
|   |-- RPM-GPG-KEY-fedora-test
|   |-- RPM-GPG-KEY-redhat-auxiliary
|   |-- RPM-GPG-KEY-redhat-beta
|   |-- RPM-GPG-KEY-redhat-former
|   |-- RPM-GPG-KEY-redhat-release
|   `-- RPM-GPG-KEY-redhat-rhx
`-- tls
    |-- cert.pem -> certs/ca-bundle.crt
    |-- certs
    |   |-- Makefile
    |   |-- ca-bundle.crt
    |   |-- localhost.crt
    |   `-- make-dummy-cert
    |-- misc
    |   |-- CA
    |   |-- c_hash
    |   |-- c_info
    |   |-- c_issuer
    |   `-- c_name
    |-- openssl.cnf
    `-- private
        `-- localhost.key

8 directories, 22 files
[root@localhost pki]#
Everything the CA and HTTPS need is already in here.

Create the key pair and self-signed certificate


[root@localhost misc]# ./CA -?
usage: CA -newcert|-newreq|-newca|-sign|-verify
[root@localhost misc]# ./CA -newca
mkdir: cannot create directory `../../CA': File exists
mkdir: cannot create directory `../../CA/private': File exists
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..............................++++++
...++++++
writing new private key to '../../CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BJ
Locality Name (eg, city) [Newbury]:BJ
Organization Name (eg, company) [My Company Ltd]:Red Hat
Organizational Unit Name (eg, section) []:GSS
Common Name (eg, your name or your server's hostname) []:ca.alin
Email Address []:cst05001@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Nov 9 21:24:00 2008 GMT
Not After : Nov 9 21:24:00 2011 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = Red Hat
organizationalUnitName = GSS
commonName = ca.alin
emailAddress = cst05001@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7
X509v3 Authority Key Identifier:
keyid:E3:6D:E2:71:A2:44:EF:F2:38:59:BF:1B:37:CE:90:D4:B8:E4:C9:A7

Certificate is to be certified until Nov 9 21:24:00 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@localhost misc]#


You can see that some new files have appeared under /etc/pki/CA.
[root@localhost misc]# tree /etc/pki/
/etc/pki/
|-- CA
|   |-- cacert.pem
|   |-- careq.pem
|   |-- certs
|   |-- crl
|   |-- index.txt
|   |-- index.txt.attr
|   |-- index.txt.old
|   |-- newcerts
|   |   `-- 00.pem
|   |-- private
|   |   `-- cakey.pem
|   |-- serial
|   `-- serial.old
|-- nssdb
|   |-- cert8.db
|   |-- key3.db
|   `-- secmod.db
|-- rpm-gpg
|   |-- RPM-GPG-KEY-fedora
|   |-- RPM-GPG-KEY-fedora-test
|   |-- RPM-GPG-KEY-redhat-auxiliary
|   |-- RPM-GPG-KEY-redhat-beta
|   |-- RPM-GPG-KEY-redhat-former
|   |-- RPM-GPG-KEY-redhat-release
|   `-- RPM-GPG-KEY-redhat-rhx
`-- tls
    |-- cert.pem -> certs/ca-bundle.crt
    |-- certs
    |   |-- Makefile
    |   |-- ca-bundle.crt
    |   |-- localhost.crt
    |   `-- make-dummy-cert
    |-- misc
    |   |-- CA
    |   |-- c_hash
    |   |-- c_info
    |   |-- c_issuer
    |   `-- c_name
    |-- openssl.cnf
    `-- private
        `-- localhost.key

11 directories, 31 files
[root@localhost misc]#


On server.alin:

[root@localhost ~]# yum install -y httpd mod_ssl

Generate the private key that https needs

[root@localhost ~]# cd /etc/pki/tls/
cert.pem certs/ misc/ openssl.cnf private/
[root@localhost ~]# cd /etc/pki/tls/certs
[root@localhost certs]# ls
ca-bundle.crt localhost.crt make-dummy-cert Makefile
[root@localhost certs]# make
This makefile allows you to create:
o public/private key pairs
o SSL certificate signing requests (CSRs)
o self-signed SSL test certificates

To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".

To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".

To create a test certificate with serial number other than zero, add SERIAL=num

Examples:
make server.key
make server.csr
make server.crt
make stunnel.pem
make genkey
