HTTPS双向认证+USB硬件加密锁(加密狗)配置

Posted on 2017-09-06 13:53  #大囚长#  阅读(1336)  评论(0编辑  收藏  举报

环境:  Ubuntu14.04,apache2.4.7, openssl1.0.1f


安装apache2

apt-get install apache2 -y

一般openssl默认已经安装

开启apache的ssl模块和ssl站点

a2enmod ssl

a2ensite default-ssl.conf

创建证书目录

mkdir /etc/apache2/certs

 

进入目录创建证书和秘钥

cd /etc/apache2/certs

/usr/lib/ssl/misc/CA.sh -newca

 

    root@bogon:/etc/apache2/certs# /usr/lib/ssl/misc/CA.sh -newca

   CA certificate filename (or enter to create)

   

   Making CA certificate ...

   Generating a 2048 bit RSA private key

   .............................................................................................+++

   ..+++

   writing new private key to './demoCA/private/./cakey.pem'

   Enter PEM pass phrase:

   Verifying - Enter PEM pass phrase:

   -----

   You are about to be asked to enter information that will be incorporated

   into your certificate request.

   What you are about to enter is what is called a Distinguished Name or aDN.

   There are quite a few fields but you can leave some blank

    For some fields there will be a defaultvalue,

   If you enter '.', the field will be left blank.

   -----

   Country Name (2 letter code) [AU]:CN

   State or Province Name (full name) [Some-State]:Beijing

   Locality Name (eg, city) []:Beijing

    OrganizationName (eg, company) [Internet Widgits Pty Ltd]:PWRD

   Organizational Unit Name (eg, section) []:OPS

   Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

   Email Address []:jailman@sina.com

   

   Please enter the following 'extra' attributes

   to be sent with your certificate request

    Achallenge password []:111111

   An optional company name []:pwrd

   Using configuration from /usr/lib/ssl/openssl.cnf

   Enter pass phrase for ./demoCA/private/./cakey.pem:

   Check that the request matches the signature

   Signature ok

   Certificate Details:

           Serial Number: 14695213526817228816 (0xcbefe2d81474c810)

           Validity

                Not Before: Jan  5 05:30:34 2017 GMT

                Not After : Jan  5 05:30:34 2020 GMT

           Subject:

                countryName               = CN

                stateOrProvinceName       = Beijing

                organizationName          = PWRD

                organizationalUnitName    = OPS

                commonName                = 10.1.1.128

                emailAddress              = jailman@sina.com

           X509v3 extensions:

                X509v3 Subject Key Identifier:

                   50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

                X509v3 Authority KeyIdentifier:

                   keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

   

                X509v3 Basic Constraints:

                    CA:TRUE

   Certificate is to be certified until Jan 5 05:30:34 2020 GMT (1095 days)

   

   Write out database with 1 new entries

   Data Base Updated

      

      

      

      

tree命令查看一下

    root@bogon:/etc/apache2/certs# tree

    .

   └── demoCA

       ├── cacert.pem

       ├── careq.pem

       ├── certs

       ├── crl

       ├── index.txt

       ├── index.txt.attr

       ├── index.txt.old

       ├── newcerts

       │   └── CBEFE2D81474C810.pem

       ├── private

       │   └── cakey.pem

       └── serial

   

    5directories, 8 files

      

      

 

生成服务器证书(密码全部设置为111111)

a)    生成私钥:        openssl genrsa -des3 -out server.key2048

b)    生成csr文件:     openssl req -new -keyserver.key -out server.csr

c)    生成证书&签名:   openssl ca -in server.csr-out server.crt 

#遇到下列不成功时修改vim demoCA/index.txt.attr中unique_subject =no

    failed to update database

   TXT_DB error number 2

 

      

上述执行结果

    root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out server.key 2048

   Generating RSA private key, 2048 bit long modulus

   ........................................+++

    ............................+++

    eis 65537 (0x10001)

   Enter pass phrase for server.key:

   Verifying - Enter pass phrase for server.key:

   root@bogon:/etc/apache2/certs# openssl req -new -key server.key -outserver.csr

   Enter pass phrase for server.key:

   You are about to be asked to enter information that will be incorporated

   into your certificate request.

   What you are about to enter is what is called a Distinguished Name or aDN.

   There are quite a few fields but you can leave some blank

   For some fields there will be a default value,

   If you enter '.', the field will be left blank.

   -----

   Country Name (2 letter code) [AU]:CN

   State or Province Name (full name) [Some-State]:Beijing    

    Locality Name (eg, city) []:Beijing

   Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD

   Organizational Unit Name (eg, section) []:OPS

   Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

   Email Address []:jailman@sina.com

   

   Please enter the following 'extra' attributes

   to be sent with your certificate request

    Achallenge password []:111111

   An optional company name []:pwrd   

   

   

   root@bogon:/etc/apache2/certs# openssl ca -in server.csr -out server.crt

   Using configuration from /usr/lib/ssl/openssl.cnf

   Enter pass phrase for ./demoCA/private/cakey.pem:

   Check that the request matches the signature

   Signature ok

   Certificate Details:

           Serial Number: 14695213526817228817 (0xcbefe2d81474c811)

           Validity

                Not Before: Jan  5 05:39:32 2017 GMT

                Not After : Jan  5 05:39:32 2018 GMT

           Subject:

                countryName               = CN

                stateOrProvinceName       = Beijing

                organizationName          = PWRD

                organizationalUnitName    = OPS

                commonName                = 10.1.1.128

                emailAddress              = jailman@sina.com

           X509v3 extensions:

                X509v3 Basic Constraints:

                    CA:FALSE

                Netscape Comment:

                    OpenSSL GeneratedCertificate

                X509v3 Subject Key Identifier:

                    FB:32:4F:A6:6D:01:D3:00:98:00:BF:0A:2E:E5:E6:90:CC:E0:E4:8B

                X509v3 Authority KeyIdentifier:

                   keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

   

   Certificate is to be certified until Jan 5 05:39:32 2018 GMT (365 days)

   Sign the certificate? [y/n]:y

   

   

    1out of 1 certificate requests certified, commit? [y/n]y

   Write out database with 1 new entries

   Data Base Updated

      

      

 

生成客户端证书(密码全部设置为111111)

a)    生成私钥:        openssl genrsa -des3 -out client.key2048

b)    生成csr文件:     openssl req -new -keyclient.key -out client.csr

c)    生成证书&签名:   openssl ca -in client.csr-out client.crt

    

上述命令执行结果:

    root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out client.key 2048

   Generating RSA private key, 2048 bit long modulus

   ...........................................................................................+++

   ............................+++

    eis 65537 (0x10001)

   Enter pass phrase for client.key:

    Verifying - Enter pass phrase for client.key:

   

   root@bogon:/etc/apache2/certs# openssl req -new -key client.key -outclient.csr

   Enter pass phrase for client.key:

   You are about to be asked to enter information that will be incorporated

    intoyour certificate request.

   What you are about to enter is what is called a Distinguished Name or aDN.

   There are quite a few fields but you can leave some blank

   For some fields there will be a default value,

   If you enter '.', the field will be left blank.

   -----

   Country Name (2 letter code) [AU]:CN

   State or Province Name (full name) [Some-State]:Beijing

   Locality Name (eg, city) []:Beijing

   Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD

   Organizational Unit Name (eg, section) []:OPS

   Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

   Email Address []:jailman@sina.com

   

   Please enter the following 'extra' attributes

   to be sent with your certificate request

    Achallenge password []:111111

   An optional company name []:pwrd

   

   root@bogon:/etc/apache2/certs# openssl ca -in client.csr -out client.crt

   Using configuration from /usr/lib/ssl/openssl.cnf

   Enter pass phrase for ./demoCA/private/cakey.pem:

   Check that the request matches the signature

   Signature ok

   Certificate Details:

           Serial Number: 14695213526817228818 (0xcbefe2d81474c812)

           Validity

                Not Before: Jan  5 05:43:35 2017 GMT

                Not After : Jan  5 05:43:35 2018 GMT

           Subject:

                countryName               = CN

                stateOrProvinceName       = Beijing

                organizationName          = PWRD

                organizationalUnitName    = OPS

               commonName                = 10.1.1.128

                emailAddress              = jailman@sina.com

           X509v3 extensions:

                X509v3 Basic Constraints:

                    CA:FALSE

                Netscape Comment:

                    OpenSSL GeneratedCertificate

                X509v3 Subject Key Identifier:

                   78:4C:B0:9E:BA:EE:BD:E2:88:55:F4:06:B4:57:5E:74:71:E0:1B:2D

                X509v3 Authority KeyIdentifier:

                    keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

   

   Certificate is to be certified until Jan 5 05:43:35 2018 GMT (365 days)

   Sign the certificate? [y/n]:y

   

   

    1out of 1 certificate requests certified, commit? [y/n]y

   Write out database with 1 new entries

   Data Base Updated  

      

 

查看上述两步生成的证书和秘钥

    root@bogon:/etc/apache2/certs# ls

   client.crt  client.key  server.crt server.key

   client.csr  demoCA      server.csr   

      

      

*生成浏览器支持的.pfx(.p12)证书

    a)   openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -outclient.p12

    执行结果

       root@bogon:/etc/apache2/certs# openssl pkcs12 -export -clcerts -inclient.crt -inkey client.key -out client.p12

       Enterpass phrase for client.key:

       EnterExport Password:

       Verifying- Enter Export Password:

 

      

     生成不带密码验证的client/server.key.unsecure

    如果你想要把数字证书用于Nginx、Apache等Web服务器,你会发现启动nginx服务器时会要求你输入数字证书密码,

     这是因为在设置私钥key时将密码写入了key文件,导致Nginx/Apache等系列服务器在启动时要求Enter PEM pass phrase。

     我们需要做的是剥离这个密码,利用如下OpenSSL命令生成server.key.unsecure文件

    openssl rsa -in server.key -outserver.key.unsecure  

      

      

      

最终的结果:

       root@bogon:/etc/apache2/certs# tree

       .

       ├──client.crt

       ├──client.csr

       ├──client.key

       ├──client.p12

       ├──demoCA

       │??├── cacert.pem

       │??├── careq.pem

       │??├── certs

       │??├── crl

       │??├── index.txt

       │??├── index.txt.attr

       │??├── index.txt.attr.old

       │??├── index.txt.old

       │??├── newcerts

       │??│?? ├── CBEFE2D81474C810.pem

       │??│?? ├── CBEFE2D81474C811.pem

       │??│?? └── CBEFE2D81474C812.pem

       │??├── private

       │??│?? └── cakey.pem

       │??├── serial

       │??└── serial.old

       ├──server.crt

       ├──server.csr

       └──server.key

      

       5directories, 19 files

      

      

配置apache2 https

vim/etc/apache2/sites-enabled/default-ssl.conf

       <IfModule mod_ssl.c>

                     <VirtualHost_default_:443>

                    

                                   ServerAdminwebmaster@localhost

                                   DocumentRoot/var/www/html   

                                   ErrorLog${APACHE_LOG_DIR}/error.log

                                   CustomLog${APACHE_LOG_DIR}/access.log combined      

                                   SSLEngineon    

                                   SSLCertificateFile    /etc/apache2/certs/server.crt

                                   SSLCertificateKeyFile/etc/apache2/certs/server.key            

                                   SSLCACertificateFile/etc/apache2/certs/demoCA/cacert.pem  

                                   SSLVerifyClientrequire

                                   SSLVerifyDepth  10 

                                   <FilesMatch"\.(cgi|shtml|phtml|php)$">

                                                               SSLOptions+StdEnvVars

                                   </FilesMatch>

                                   <Directory/usr/lib/cgi-bin>

                                                               SSLOptions+StdEnvVars

                                   </Directory>

      

                                   BrowserMatch"MSIE [2-6]" \

                                                               nokeepalivessl-unclean-shutdown \

                                                               downgrade-1.0force-response-1.0

                                   BrowserMatch"MSIE [17-9]" ssl-unclean-shutdown

      

                     </VirtualHost>

       </IfModule>

      

serviceapache2 restart

       root@bogon:/etc/apache2/sites-enabled#service apache2 restart

       *Restarting web server apache2                                                      Apache needs to decrypt your SSL Keys for bogon.localdomain:443 (RSA)

       Pleaseenter passphrase:

     输入密码启动

      

      

证书导出到本地准备写入加密锁

root@bogon:/etc/apache2/certs# szclient.p12

打开USB锁管理软件

 

输入PIN登录

这里实际上我们已经提前将加密锁初始化为了PKI锁

 

点击导入,选择证书,输入证书密码,其他默认


Win10提示导入成功

导入后的效果

 

USB加密锁保持插入,访问测试站点https://10.1.1.128,有证书提示


点击确定输入PIN码

 

忽略安全提示


成功访问

不插key的情况下访问结果

 

我使用的是ET199加密锁,加上运费一共花了29元