

Environment: Ubuntu 14.04, Apache 2.4.7, OpenSSL 1.0.1f


Install apache2

apt-get install apache2 -y

OpenSSL is normally installed already by default.

Enable Apache's SSL module and the SSL site

a2enmod ssl

a2ensite default-ssl.conf

Create the certificate directory

mkdir /etc/apache2/certs

Enter the directory and create the CA certificate and key

cd /etc/apache2/certs

/usr/lib/ssl/misc/CA.sh -newca

 

    root@bogon:/etc/apache2/certs# /usr/lib/ssl/misc/CA.sh -newca
    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 2048 bit RSA private key
    .............................................................................................+++
    ..+++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Beijing
    Locality Name (eg, city) []:Beijing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD
    Organizational Unit Name (eg, section) []:OPS
    Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128
    Email Address []:jailman@sina.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:111111
    An optional company name []:pwrd
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/./cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 14695213526817228816 (0xcbefe2d81474c810)
            Validity
                Not Before: Jan  5 05:30:34 2017 GMT
                Not After : Jan  5 05:30:34 2020 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Beijing
                organizationName          = PWRD
                organizationalUnitName    = OPS
                commonName                = 10.1.1.128
                emailAddress              = jailman@sina.com
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD
                X509v3 Authority Key Identifier:
                    keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

                X509v3 Basic Constraints:
                    CA:TRUE
    Certificate is to be certified until Jan 5 05:30:34 2020 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated

Check the result with the tree command

    root@bogon:/etc/apache2/certs# tree
    .
    └── demoCA
        ├── cacert.pem
        ├── careq.pem
        ├── certs
        ├── crl
        ├── index.txt
        ├── index.txt.attr
        ├── index.txt.old
        ├── newcerts
        │   └── CBEFE2D81474C810.pem
        ├── private
        │   └── cakey.pem
        └── serial

    5 directories, 8 files

 

Generate the server certificate (all passwords set to 111111)

a)    Generate the private key:      openssl genrsa -des3 -out server.key 2048

b)    Generate the CSR:              openssl req -new -key server.key -out server.csr

c)    Generate and sign the cert:    openssl ca -in server.csr -out server.crt

# If the signing step fails with the error below, edit demoCA/index.txt.attr (vim) and set unique_subject = no.
# The CA database refuses a second certificate whose subject DN already exists, and here every certificate uses the same DN.

    failed to update database
    TXT_DB error number 2

 

      

Output of the commands above

    root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    ........................................+++
    ............................+++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Verifying - Enter pass phrase for server.key:
    root@bogon:/etc/apache2/certs# openssl req -new -key server.key -out server.csr
    Enter pass phrase for server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Beijing
    Locality Name (eg, city) []:Beijing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD
    Organizational Unit Name (eg, section) []:OPS
    Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128
    Email Address []:jailman@sina.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:111111
    An optional company name []:pwrd

    root@bogon:/etc/apache2/certs# openssl ca -in server.csr -out server.crt
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 14695213526817228817 (0xcbefe2d81474c811)
            Validity
                Not Before: Jan  5 05:39:32 2017 GMT
                Not After : Jan  5 05:39:32 2018 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Beijing
                organizationName          = PWRD
                organizationalUnitName    = OPS
                commonName                = 10.1.1.128
                emailAddress              = jailman@sina.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    FB:32:4F:A6:6D:01:D3:00:98:00:BF:0A:2E:E5:E6:90:CC:E0:E4:8B
                X509v3 Authority Key Identifier:
                    keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

    Certificate is to be certified until Jan 5 05:39:32 2018 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

 

Generate the client certificate (all passwords set to 111111)

a)    Generate the private key:      openssl genrsa -des3 -out client.key 2048

b)    Generate the CSR:              openssl req -new -key client.key -out client.csr

c)    Generate and sign the cert:    openssl ca -in client.csr -out client.crt

    

Output of the commands above:

    root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out client.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...........................................................................................+++
    ............................+++
    e is 65537 (0x10001)
    Enter pass phrase for client.key:
    Verifying - Enter pass phrase for client.key:

    root@bogon:/etc/apache2/certs# openssl req -new -key client.key -out client.csr
    Enter pass phrase for client.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Beijing
    Locality Name (eg, city) []:Beijing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD
    Organizational Unit Name (eg, section) []:OPS
    Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128
    Email Address []:jailman@sina.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:111111
    An optional company name []:pwrd

    root@bogon:/etc/apache2/certs# openssl ca -in client.csr -out client.crt
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 14695213526817228818 (0xcbefe2d81474c812)
            Validity
                Not Before: Jan  5 05:43:35 2017 GMT
                Not After : Jan  5 05:43:35 2018 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = Beijing
                organizationName          = PWRD
                organizationalUnitName    = OPS
                commonName                = 10.1.1.128
                emailAddress              = jailman@sina.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    78:4C:B0:9E:BA:EE:BD:E2:88:55:F4:06:B4:57:5E:74:71:E0:1B:2D
                X509v3 Authority Key Identifier:
                    keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

    Certificate is to be certified until Jan 5 05:43:35 2018 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

 

List the certificates and keys produced by the two steps above

    root@bogon:/etc/apache2/certs# ls
    client.crt  client.key  server.crt  server.key
    client.csr  demoCA      server.csr

* Generate a browser-importable .pfx (.p12) certificate

    a)   openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

    Output

        root@bogon:/etc/apache2/certs# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
        Enter pass phrase for client.key:
        Enter Export Password:
        Verifying - Enter Export Password:

    Generate client/server.key.unsecure without passphrase protection

    If you want to use the certificate with a web server such as Nginx or Apache, you will find that starting the server asks you for the certificate password.
    This is because the passphrase was written into the key file when the private key was created, so servers such as Nginx/Apache demand "Enter PEM pass phrase" at startup.
    What we need to do is strip this passphrase; the following OpenSSL command produces the server.key.unsecure file:

    openssl rsa -in server.key -out server.key.unsecure

    Because the stripped key is stored in plaintext, keep it readable by root only (for example chmod 600 server.key.unsecure).

Final result:

        root@bogon:/etc/apache2/certs# tree
        .
        ├── client.crt
        ├── client.csr
        ├── client.key
        ├── client.p12
        ├── demoCA
        │   ├── cacert.pem
        │   ├── careq.pem
        │   ├── certs
        │   ├── crl
        │   ├── index.txt
        │   ├── index.txt.attr
        │   ├── index.txt.attr.old
        │   ├── index.txt.old
        │   ├── newcerts
        │   │   ├── CBEFE2D81474C810.pem
        │   │   ├── CBEFE2D81474C811.pem
        │   │   └── CBEFE2D81474C812.pem
        │   ├── private
        │   │   └── cakey.pem
        │   ├── serial
        │   └── serial.old
        ├── server.crt
        ├── server.csr
        └── server.key

        5 directories, 19 files

Configure Apache2 HTTPS

vim /etc/apache2/sites-enabled/default-ssl.conf

        <IfModule mod_ssl.c>
            <VirtualHost _default_:443>

                ServerAdmin webmaster@localhost
                DocumentRoot /var/www/html
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                SSLEngine on
                SSLCertificateFile    /etc/apache2/certs/server.crt
                SSLCertificateKeyFile /etc/apache2/certs/server.key
                # the CA whose client certificates are accepted
                SSLCACertificateFile  /etc/apache2/certs/demoCA/cacert.pem
                # reject every client that does not present a valid certificate from that CA
                SSLVerifyClient require
                SSLVerifyDepth  10
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                    SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                    SSLOptions +StdEnvVars
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                    nokeepalive ssl-unclean-shutdown \
                    downgrade-1.0 force-response-1.0
                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

            </VirtualHost>
        </IfModule>

service apache2 restart

        root@bogon:/etc/apache2/sites-enabled# service apache2 restart
        * Restarting web server apache2
        Apache needs to decrypt your SSL Keys for bogon.localdomain:443 (RSA)
        Please enter passphrase:

     Enter the passphrase and the server starts.

      

      

Export the certificate to the local machine, ready to load into the USB token

root@bogon:/etc/apache2/certs# sz client.p12

Open the USB token management software

 

Enter the PIN to log in

Here the token had in fact already been initialized as a PKI token in advance.

 

Click Import, select the certificate, enter the certificate password, and leave everything else at the defaults


Windows 10 reports that the import succeeded

Result after the import

 

With the USB token plugged in, visit the test site https://10.1.1.128; a certificate prompt appears


Click OK and enter the PIN

 

Ignore the security warning (the server certificate comes from our own CA, which the browser does not trust)


Access succeeds

Result of visiting without the key plugged in
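The with-key and without-key tests above, reproduced as an added Go example (not code from the page, Apache or OpenSSL; Go standard library only): it issues a CA, a server certificate and a client certificate the way the CA.sh and openssl ca steps do, starts an HTTPS server configured like the vhost above (SSLVerifyClient require, the CA as SSLCACertificateFile) and confirms that a request succeeds only when the client certificate is presented. Assumptions: Ed25519 keys instead of RSA, a 127.0.0.1 IP SAN because the server listens on loopback, and the names demoCA, PWRD and 10.1.1.128 taken from the page's transcripts.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue stands in for the page's CA.sh / "openssl ca" steps: isCA gives CA:TRUE, a nil parent means self-signed.
func issue(cn string, isCA bool, ekus []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: isCA, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: cn, Organization: []string{"PWRD"}}, ExtKeyUsage: ekus,
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // SAN: verifiers ignore an IP placed only in the CN
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Probe mirrors the vhost (SSLVerifyClient require, ClientCAs = SSLCACertificateFile): does a GET succeed with / without the client cert?
func Probe() (withCert, withoutCert bool) {
	ca, caKey := issue("demoCA", true, nil, nil, nil)
	srvCert, srvKey := issue("10.1.1.128", false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	cliCert, cliKey := issue("10.1.1.128", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca) // the only CA whose client certificates are trusted
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) }))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}}}
	srv.StartTLS()
	defer srv.Close()
	get := func(certs []tls.Certificate) bool { // one request presenting the given client certificates
		c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, Certificates: certs}}}
		resp, err := c.Get(srv.URL)
		if err == nil {
			resp.Body.Close()
		}
		return err == nil && resp.StatusCode == http.StatusOK
	}
	return get([]tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}), get(nil)
}
```

The page's certificates carry 10.1.1.128 only in the CN with no subjectAltName; current browsers and Go's verifier require a SAN, so a server certificate issued for production use needs one.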

 

I used an ET199 token, which cost 29 yuan in total including shipping.

