SSL 双向认证
利用OpenSSL生成库和命令程序,在生成的命令程序中包括对加/解密算法的测试,openssl程序,ca程序.利用openssl,ca可生成用于C/S模式的证书文件以及CA文件.下面以C/S模式说明证书文件的生成步骤:
证书文件生成:
一.服务器端
1.生成服务器端的私钥(key文件);
openssl genrsa -des3 -out server.key 1024
运行时会提示输入密码,此密码用于加密key文件(参数des3是加密算法,也可以选用其他安全的算法),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果不要口令,则可用以下命令去除口令:
openssl rsa -in server.key -out server.key
2.生成服务器端证书签名请求文件(csr文件);
openssl req -new -key server.key -out server.csr
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其 提示一步一步输入要求的个人信息即可(如:Country,province,city,company等).
二.客户端
1.对客户端也作同样的命令生成key及csr文件;
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr
三.生成CA证书文件
server.csr与client.csr文件必须有CA的签名才可形成证书.
1.首先生成CA的key文件:
openssl genrsa -des3 -out ca.key 1024
2.生成CA自签名证书:
openssl req -new -x509 -key ca.key -out ca.crt
可以加证书过期时间选项 "-days 365".
四.利用CA证书进行签名
用生成的CA证书为server.csr,client.csr文件签名,利用openssl中附带的CA.pl文件(在安装目录中openssl/apps目录下),
1.ca.pl -newca, 在提示输入已有的证书文件时,输入上面已生成的ca.crt证书文件;
2.生成服务端证书文件
Openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
3.生成客户端证书文件
Openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
必须保证openssl.cnf在当前目录下,这个文件可以在apps目录中找到.
1.首先要生成服务器端的私钥(key文件):
[root@qiujicai.com~/ssl]#openssl genrsa -des3 -out server.key 1024
运行时会提示输入密码,此密码用于加密key文件(参数des3便是指加密算法,当然也可以选用其他你认为安全的算法.),以后每当需读取此文件(通过openssl提供的命令或API)都需输入口令.如果觉得不方便,也可以去除这个口令,但一定要采取其他的保护措施!
去除key文件口令的命令:
[root@qiujicai.com~/ssl]#openssl rsa -in server.key -out server.key
2.用server.key生成一个证书:
[root@qiujicai.com~/ssl]#openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:12345
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:china
Locality Name (eg, city) []:Zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....
Organizational Unit Name (eg, section) []:jecks
Common Name (eg, YOUR name) []:www.qiuicai.com
Email Address []:xxx@qiujicai.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345
An optional company name []:xxx@qiujicai.com
生成Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书.屏幕上将有提示,依照其指示一步一步输入要求的个人信息即可.
3.对客户端也作同样的命令生成key及csr文件(在这两步写在一起):
A: [root@qiujicai.com~/ssl]#openssl genrsa -des3 -out client.key 1024
Generating RSA private key, 1024 bit long modulus
...........++++++
..++++++
e is 65537 (0x10001)
Enter pass phrase for client.key:12345
Verifying - Enter pass phrase for client.key:12345
B: [root@qiujicai.com~/ssl]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:12345
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:china
Locality Name (eg, city) []:Zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....
Organizational Unit Name (eg, section) []:jecks
Common Name (eg, YOUR name) []:www.qiuicai.com
Email Address []:xxx@qiujicai.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345
An optional company name []:xxx@qiujicai.com
4.生成的CSR证书文件必须有CA的签名才可形成证书.这时生成一个KEY文件ca.key 和根证书ca.crt
[root@qiujicai.com~/ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
...++++++
...................++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:12345
Verifying - Enter PEM pass phrase:
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:china
Locality Name (eg, city) []:Zhuhai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx Ltd....
Organizational Unit Name (eg, section) []:jecks
Common Name (eg, YOUR name) []:www.qiuicai.com
Email Address []:xxx@qiujicai.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:12345
An optional company name []:xxx@qiujicai.com
5.用生成的CA的证书为刚才生成的server.csr,client.csr文件签名(这也是两写在一起):
A: [root@qiujicai.com~/ssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Feb 26 04:15:02 2010 GMT
Not After : Feb 26 04:15:02 2011 GMT
Subject:
countryName = CN
stateOrProvinceName = china
organizationName = xxx.Ltd.C
organizationalUnitName = jecks
commonName = www.qiujicai.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
30:70:D2:EB:9B:73:AE:7B:0E:8E:F6:94:33:7C:53:5B:EF:93:FC:38
X509v3 Authority Key Identifier:
keyid:DB:D6:83:BB:7F:28:C2:A9:40:6A:D8:32:FC:01:E0:5C:48:27:51:19
Certificate is to be certified until Feb 26 04:15:02 2010 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
B: [root@qiujicai.com~/ssl]#openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
[root@airwaySSL bin]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
The countryName field needed to be the same in the
CA certificate (CN) and the request (cn)
..................
另外,这个certificate是BASE64形式的,要转成PKCS12才能装到IE,/NETSCAPE上.所以还要:
[root@qiujicai.com~/ssl]# openssl pkcs12 -export -in client.pem -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password: # 设置client.pfx密码
Verifying - Enter Export Password:
现在我们所需的全部文件便生成了.
另:
client使用的文件有:ca.crt,client.crt,client.key,client.pfx
server使用的文件有:ca.crt,server.crt,server.key
6.最后
编辑/etc/apache2/sites-enabled/000-default
NameVirtualHost *:443
ServerSignature
OnSSLEngine On
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt #指定服务器证书位置
SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key #指定服务器证书key位置
SSLCACertificatePath /usr/local/apache/conf/ssl.crt #证书目录
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.csr #根证书位置
#开启客户端SSL请求
SSLVerifyClient require
SSLVerifyDepth 1
ServerAdmin webmaster@localhost
ServerName www.qiujicai.com
DocumentRoot /var/www/test
ErrorDocument 404 http://www.qiujicai.com/err.php
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
证书安装及使用
把
刚才生成的证书:根证书ca.crt和客户证书client.crt(client.pfx)安装到客户端,
ca.crt安装到信任的机构,client.crt直接在windows安装或安装到个人证书位置,然后用IP访问HTTP和https服务器。在IE
中我们一般导入client.pfx证书,导入时会提示上面设置的密码。