Notes on SSL configuration in Apache

I recently finished setting up certificate authentication for an internal system. The SSL configuration itself is not hard; most of the work is in the details that need attention. I will not repeat how SSL works here (consult the usual references); this post covers the relevant Apache configuration and some points to watch in an enterprise deployment.

The certificate setup flow is: CA generation; server certificate issuance; web server (Apache) configuration; client certificate creation; revocation list generation and testing.

1、Prepare the certificate tooling
[root@localhost CA]# wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
[root@localhost CA]# tar -zxf ssl.ca-0.1.tar.gz
[root@localhost CA]# cd ssl.ca-0.1

1.1) Generate the root CA certificate
[root@localhost ssl.ca-0.1]# ./new-root-ca.sh
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
........++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:      // enter a passphrase for the CA key
Verifying - Enter pass phrase for ca.key:              // confirm the passphrase

Self-sign the root CA...                            // self-sign the root certificate
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----                          // enter the DN fields
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:zhejiang
Locality Name (eg, city) [Sitiawan]:hangzhou
Organization Name (eg, company) [My Directory Sdn Bhd]:ccssl
Organizational Unit Name (eg, section) [Certification Services Division]:ccdw
Common Name (eg, MD Root CA) []:intranet
Email Address []:summersun_ym@126.com
[root@localhost ssl.ca-0.1]#

1.2) Generate the server key and certificate request
[root@localhost ssl.ca-0.1]# ./new-server-cert.sh server   // certificate name
No server.key round. Generating one
Generating RSA private key, 1024 bit long modulus
...................................................++++++
....++++++
e is 65537 (0x10001)

Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----                 // enter the relevant details
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:zhejiang
Locality Name (eg, city) [Sitiawan]:hangzhou
Organization Name (eg, company) [My Directory Sdn Bhd]:ccssl
Organizational Unit Name (eg, section) [Secure Web Server]:ccdw
Common Name (eg, www.domain.com) []:localhost                          // the server's IP address or domain name
Email Address []:summersun_ym@126.com

You may now run ./sign-server-cert.sh to get it signed
[root@localhost ssl.ca-0.1]#

1.3) Sign the server certificate
[root@localhost ssl.ca-0.1]# ./sign-server-cert.sh server   // sign the certificate for "server"
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:                      // enter the passphrase set earlier
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName:PRINTABLE:'CN'
stateOrProvinceName:PRINTABLE:'zhejiang'
localityName:PRINTABLE:'hangzhou'
organizationName:PRINTABLE:'ccssl'
organizationalUnitName:PRINTABLE:'ccdw'
commonName:PRINTABLE:'localhost'
emailAddress:IA5STRING:'summersun_ym@126.com'
Certificate is to be certified until Aug 12 05:49:48 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
[root@localhost ssl.ca-0.1]#

2、Web server (Apache) configuration
Set the following options to enable SSL connections and have clients present a valid certificate when accessing the site. Adjust the paths to your environment.
Edit /usr/local/apache2/conf/httpd.conf and enable the httpd-ssl.conf include by removing the leading # from the Include line, so it reads:
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

Edit /usr/local/apache2/conf/extra/httpd-ssl.conf and set the SSL options:
#   Certificate Authority (CA):
#SSLCACertificatePath "/usr/local/apache2/conf"
SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"

#   Server Certificate:
SSLCertificateFile "/usr/local/apache2/conf/server.crt"

#   Server Private Key:
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

#   Client Authentication (Type):            // client authentication type
SSLVerifyClient optional
SSLVerifyDepth  10


Copy the certificates into the directory the Apache configuration points to:
[root@localhost ssl.ca-0.1]# cp server.crt server.key ca.crt /usr/local/apache2/conf/
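Note that SSLVerifyClient optional still serves clients that present no certificate at all; only require enforces mutual TLS. As an added check that is not part of the original post, the following Python script parses the active SSL* directives of an httpd-ssl.conf fragment, reports client-authentication settings that fall short, and produces the hardened variant; the sample config text is constructed from the directives shown above.

```python
import re

# Constructed sample: the httpd-ssl.conf directives from section 2 above,
# with SSLVerifyClient left at "optional" as in the tutorial.
SAMPLE_CONF = """\
#   Certificate Authority (CA):
#SSLCACertificatePath "/usr/local/apache2/conf"
SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"
#   Server Certificate:
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
#   Server Private Key:
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
#   Client Authentication (Type):
SSLVerifyClient optional
SSLVerifyDepth  10
"""

# One active (uncommented) directive per line: name, then a quoted or bare value.
DIRECTIVE_RE = re.compile(r'^\s*(SSL\w+)\s+"?([^"\s]+)"?\s*$')


def parse_ssl_directives(conf_text):
    """Return {directive: value} for active SSL* lines; '#' lines are ignored."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def lint_client_auth(conf_text):
    """Return findings that would let a client in without a valid certificate."""
    d = parse_ssl_directives(conf_text)
    findings = []
    if "SSLCACertificateFile" not in d and "SSLCACertificatePath" not in d:
        findings.append("no SSLCACertificateFile/Path: client certs cannot be validated")
    verify = d.get("SSLVerifyClient", "none")  # mod_ssl default is "none"
    if verify != "require":
        findings.append("SSLVerifyClient %s: clients without a certificate are still served" % verify)
    if int(d.get("SSLVerifyDepth", "1")) > 1:  # depth 1 suffices for certs signed directly by ca.crt
        findings.append("SSLVerifyDepth > 1 is more than this single-level CA needs")
    return findings


def harden_client_auth(conf_text):
    """Return the config with SSLVerifyClient forced to 'require' (mutual TLS)."""
    return re.sub(r'^(\s*SSLVerifyClient)\s+\S+', r'\1 require', conf_text, flags=re.M)
```

Run lint_client_auth on the text of your own httpd-ssl.conf before restarting Apache; an empty list means no client can reach the site without a certificate chaining to ca.crt.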


3、Generate a client certificate and test
[root@localhost ssl.ca-0.1]# ./new-user-cert.sh client        // create the client certificate
No client.key round. Generating one
Generating RSA private key, 1024 bit long modulus
................................++++++
..++++++
e is 65537 (0x10001)

Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg, John Doe) []:CN
Email Address []:summersun_ym@126.com

You may now run ./sign-user-cert.sh to get it signed
[root@localhost ssl.ca-0.1]# ./sign-user-cert.sh client  // sign the client certificate
CA signing: client.csr -> client.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:                                             // enter the CA passphrase
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName:PRINTABLE:'CN'
emailAddress:IA5STRING:'summersun_ym@126.com'
Certificate is to be certified until Aug 12 07:13:06 2011 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: client.crt <-> CA cert
client.crt: OK
[root@localhost ssl.ca-0.1]#

Convert the client certificate to PKCS#12 format so it can be installed on the client:
[root@localhost ssl.ca-0.1]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter Export Password:                     // this password is needed when installing the certificate on the client
Verifying - Enter Export Password:
[root@localhost ssl.ca-0.1]#

On the client, double-click client.pfx to launch the certificate import wizard. After importing it, opening https://localhost/ in IE will prompt for the client certificate.
