[Repost] RHEL5 + Apache + OpenSSL Certificate Management

Source: Internet  Published: 设备巡检软件  Editor: 程序博客网  Time: 2024/05/29 04:50



【Test environment】

OS: RHEL 5.2

Apache: httpd-2.2.3-11.el5_1.3

OpenSSL: openssl-0.9.8b-10.el5

IP address: 192.168.254.80

Site: www.example.com

 

【Procedure】

1. Install the required packages

[root@web01 ~]# rpm -qa |grep httpd

httpd-2.2.3-11.el5_1.3

[root@web01 ~]# rpm -qa |grep mod_ssl

mod_ssl-2.2.3-11.el5_1.3

[root@web01 ~]# rpm -qa |grep openssl

openssl-0.9.8b-10.el5

openssl-devel-0.9.8b-10.el5

[root@web01 ~]#

 

2. Change the default parameters used when generating certificates

a)         The following edits the default values used for certificate generation:

vi /etc/pki/tls/openssl.cnf

[ req_distinguished_name ]

countryName                     = Country Name (2 letter code)

countryName_default             = CN

countryName_min                 = 2

countryName_max                 = 2

 

stateOrProvinceName             = State or Province Name (full name)

stateOrProvinceName_default     = SHANGHAI

 

localityName                    = Locality Name (eg, city)

localityName_default            = SHANGHAI

 

0.organizationName              = Organization Name (eg, company)

0.organizationName_default      = example.com

 

# we can do this but it is not needed normally :-)

#1.organizationName             = Second Organization Name (eg, company)

#1.organizationName_default     = World Wide Web Pty Ltd

 

organizationalUnitName          = Organizational Unit Name (eg, section)

#organizationalUnitName_default =

organizationalUnitName_default  = IT Deps.

 

commonName                      = Common Name (eg, your name or your server's hostname)

commonName_max                  = 64

 

emailAddress                    = Email Address

emailAddress_max                = 64

 

# SET-ex3                       = SET extension number 3

 

cd /etc/pki/tls/misc/

 

b)        Generate the CA certificate        // this step is important

./CA -newca

When finished, the root certificate's private key (/etc/pki/CA/private/cakey.pem) and the root certificate (/etc/pki/CA/cacert.pem) are generated.

 

3. Server certificate generation and configuration

Note: all certificates here are generated under /etc/httpd/ca; create the /etc/httpd/ca directory:

[root@web01 ~]# mkdir /etc/httpd/ca

[root@web01 ~]# cd /etc/httpd/ca

 

a)         Generate the server's private key (the server.key file):

[root@web01 ca]# openssl genrsa -des3 -out server.key

You will be asked for a pass phrase here; remember it (for example: key_password).

Generating RSA private key, 512 bit long modulus

...........................++++++++++++

......++++++++++++

e is 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

Once this command completes, the file server.key is generated in the current directory.

 

b)        You can inspect the key file as follows (note: you must provide the pass phrase you just set):

[root@web01 ca]# openssl rsa -noout -text -in server.key

Enter pass phrase for server.key:

Private-Key: (512 bit)

modulus:

    00:cc:f5:d5:68:89:1a:5d:80:83:b5:52:77:7f:9b:

    c7:3a:1c:ea:87:f5:37:cb:17:a5:bd:63:18:94:bc:

    69:e7:6f:a0:ee:42:46:6d:d8:33:75:d4:f1:b3:18:

    4d:4f:33:27:6d:76:65:36:25:cb:4d:04:96:7b:b2:

    8d:53:eb:a2:ed

publicExponent: 65537 (0x10001)

privateExponent:

    00:c6:d1:6d:8b:b2:fb:5d:5a:2d:e9:35:2e:f0:1d:

    57:9c:1a:b2:b2:e1:ff:96:45:c1:23:be:bd:f8:81:

    f0:a5:6b:99:79:12:c8:af:2b:73:55:99:68:f6:2a:

    a1:4b:32:87:db:51:e7:db:df:e9:bd:10:44:67:6d:

    08:17:1a:ad:01

prime1:

    00:f1:fa:fc:1a:6e:73:97:ea:95:b5:ec:4f:7d:78:

    00:31:81:7a:bb:a7:de:37:62:74:70:e0:45:02:5f:

    aa:b2:c1

prime2:

    00:d8:d5:c5:b2:16:a4:c1:f0:9d:c9:3d:f6:10:5f:

    31:f3:1d:9d:7a:2b:22:91:84:2f:19:ff:b9:2b:56:

    f2:f7:2d

exponent1:

    00:da:05:71:2f:bf:64:96:f3:dd:7f:d4:32:aa:b1:

    7c:3b:1e:96:1e:8d:d9:41:bd:8b:7c:48:14:e5:56:

    9c:ce:01

exponent2:

    2d:58:1e:fc:8c:01:ae:50:ec:1e:2e:67:eb:aa:8c:

    9e:83:9d:ef:f3:5f:4a:40:f3:3c:a3:9e:8c:72:a5:

    62:8d

coefficient:

    00:dd:9a:2e:10:ae:47:ba:40:75:a2:17:de:72:2c:

    8d:ee:29:02:b6:ff:a6:e9:6d:84:7b:e1:c0:87:24:

    83:46:d3

c)        Remove the pass phrase from the key (so it is not required when httpd starts)

Here the key with the pass phrase removed is saved separately as server.key.nopw

[root@web01 ca]# openssl rsa < server.key > server.key.nopw

Enter pass phrase:

writing RSA key

When finished, a file server.key.nopw is generated in the current directory.

 

d)        Generate the server certificate request file

[root@web01 ca]# openssl req -new -key server.key > server.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [ShangHai]:

Locality Name (eg, city) [ShangHai]:

Organization Name (eg, company) [example.com]:

Organizational Unit Name (eg, section) [IT Deps.]:

Common Name (eg, your name or your server's hostname) []:www.example.com

Email Address []:root@example.com

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

When finished, a file server.csr is generated in the current directory.

 

e)         Create the server certificate (self-signed with server.key)

[root@web01 ca]# openssl x509 -req -days 3650 < server.csr -signkey server.key > server.crt

Signature ok

subject=/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=www.example.com/emailAddress=root@example.com

Getting Private key

Enter pass phrase for server.key:

When finished, server.crt is generated in the current directory.

 

f)         Modify the Apache SSL configuration file

Edit /etc/httpd/conf.d/ssl.conf

[root@web01 ca]# vi /etc/httpd/conf.d/ssl.conf

 Change the following two attributes, and set SSLCACertificateFile (Apache does not accept trailing comments, so the comment goes on its own line):

SSLCertificateFile /etc/httpd/ca/server.crt

SSLCertificateKeyFile /etc/httpd/ca/server.key

# Location of the CA certificate; it is used when client certificates are verified
SSLCACertificateFile /etc/pki/CA/cacert.pem

 

g)        Restart Apache; you will be asked for the pass phrase set when the private key was generated

[root@web01 ca]# service httpd restart

Stopping httpd: [  OK  ]

Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide the pass phrases.

 

Server www.example.com:443 (RSA)

Enter pass phrase:

 

OK: Pass Phrase Dialog successful.

[  OK  ]

 

h)        Make Apache restart without asking for the pass phrase

In /etc/httpd/conf.d/ssl.conf, change

SSLCertificateKeyFile /etc/httpd/ca/server.key

to:

SSLCertificateKeyFile /etc/httpd/ca/server.key.nopw

After this, restarting Apache no longer requires the pass phrase.

[root@web01 ca]# service httpd restart

Stopping httpd: [  OK  ]

Starting httpd: [  OK  ]
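The server-side steps a) to h) above run unattended, followed by the checks worth doing before pointing ssl.conf at the files; this is an added example, not code from the original post. It assumes a temporary working directory, a constructed pass phrase and the DN used above, and asks for a 2048-bit key instead of the 512-bit default that the post's bare genrsa call fell back to.

```shell
#!/bin/bash
# Added example (not from the original post): step 3 done non-interactively,
# plus checks for the two things that make httpd refuse to start or prompt:
# a still-encrypted key, and a certificate that does not match its key.
# Paths, the DN and the pass phrase below are constructed for this example.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
D=$(mktemp -d)
PW=key_password                      # stands in for the interactive prompt

# a) pass-phrase-protected private key; 2048 bits, not genrsa's old 512 default
openssl genrsa -des3 -passout pass:$PW -out "$D/server.key" 2048 2>/dev/null
# c) the same key with the pass phrase stripped, for unattended httpd restarts
openssl rsa -passin pass:$PW -in "$D/server.key" -out "$D/server.key.nopw" 2>/dev/null
# d) certificate request, answering the DN prompts with -subj
openssl req -new -key "$D/server.key" -passin pass:$PW -out "$D/server.csr" \
  -subj "/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=www.example.com"
# e) self-signed certificate, as the post does with -signkey
openssl x509 -req -days 3650 -in "$D/server.csr" -signkey "$D/server.key" \
  -passin pass:$PW -out "$D/server.crt" 2>/dev/null

# Is a PEM key still pass-phrase protected? Prints yes or no.
key_encrypted() { grep -q 'ENCRYPTED' "$1" && echo yes || echo no; }
# Do certificate and key carry the same RSA modulus? Apache refuses to start
# with "key values mismatch" when they do not.
cert_matches_key() {
  c=$(openssl x509 -noout -modulus -in "$1")
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ] && echo match || echo mismatch
}
# Key size actually embedded in the certificate, so a weak default cannot slip through
cert_bits() { openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
```

Point SSLCertificateKeyFile at the file for which key_encrypted prints no if you want restarts without a pass-phrase dialog.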

 

4. Client certificate generation and installation

a)         Create a client directory to hold the client certificates

[root@web01 ca]# mkdir client

[root@web01 ca]# cd client/

 

b)        Create the CSR file for the access user (computer1)

Some information is requested here; fill it in as needed. The pass phrase is set to "clientpassword" here.

[root@web01 client]# openssl req -new > computer1.csr

Generating a 1024 bit RSA private key

...++++++

........++++++

writing new private key to 'privkey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:

State or Province Name (full name) [ShangHai]:

Locality Name (eg, city) [ShangHai]:

Organization Name (eg, company) [example.com]:

Organizational Unit Name (eg, section) [IT Deps.]:

Common Name (eg, your name or your server's hostname) []:computer1

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

When finished, the following two files are generated in the current directory: computer1.csr and privkey.pem

 

c)        Create the access user's crt certificate file

Note: the pass phrase of the CA root certificate's private key must be entered here. The request is issued by the CA with -CA/-CAkey; do not add -signkey as well, since that makes x509 self-sign the request instead of issuing it from the CA.

[root@web01 client]# openssl x509 -req -days 3650 -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial < computer1.csr > computer1.crt

Signature ok

subject=/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=computer1

Getting CA Private Key

Enter pass phrase for /etc/pki/CA/private/cakey.pem:

When finished, computer1.crt is generated in the current directory.

 

d)        Export the crt file to a pfx file (IE can only import certificates in pfx format)

Note: the Export Password set here is what you use when installing the certificate! I set it to "clientpassword" here. The bundle pairs computer1.crt with the client's own key privkey.pem from step b); the CA's private key never leaves the CA.

[root@web01 client]# openssl pkcs12 -export -in computer1.crt -inkey privkey.pem -out computer1.pfx

Enter pass phrase for privkey.pem:

Enter Export Password:

Verifying - Enter Export Password:

When finished, computer1.pfx is generated in the current directory.

 

e)         Configure Apache to require a client certificate for access

Edit the /etc/httpd/conf.d/ssl.conf file:

SSLVerifyClient require

SSLVerifyDepth  10

       After editing, restart the Apache service:

[root@web01 client]# /etc/init.d/httpd restart

Stopping httpd: [  OK  ]

Starting httpd: [  OK  ]

 

f)         Download and install the client certificate

g)        Once the above is done, the client can access this site with the certificate; without a certificate, access is denied!

 

 

5. Client certificate revocation and renewal

a)         Change to the /etc/pki/tls/misc directory

cd /etc/pki/tls/misc

b)        Revoke the client certificate computer1.crt

[root@web01 misc]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -revoke /etc/httpd/ca/client/computer1.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/cakey.pem:

Adding Entry with serial number 8B962ECF679FB9AB to DB for /C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=computer1

Revoking Certificate 8B962ECF679FB9AB.

Data Base Updated

 

c)        Generate a new certificate revocation list

Note: this operation reports an error at this point.

[root@web01 misc]# openssl ca -gencrl -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /etc/httpd/ca/example.com.crl

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/cakey.pem:

../../CA/crlnumber: No such file or directory

error while loading CRL number

12727:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/crlnumber','r')

12727:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:

There is some problem here; I don't know why. I fixed it by creating the file by hand:

[root@web01 misc]# echo "01" >../../CA/crlnumber

Then it succeeds:

[root@web01 misc]# openssl ca -gencrl -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /etc/httpd/ca/example.com.crl

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/cakey.pem:

 

d)        View the certificate revocation list (it was written to /etc/httpd/ca above)

[root@web01 misc]# openssl crl -noout -text -in /etc/httpd/ca/example.com.crl

Certificate Revocation List (CRL):

        Version 2 (0x1)

        Signature Algorithm: sha1WithRSAEncryption

        Issuer: /C=CN/ST=ShangHai/O=example.com/OU=IT Deps./CN=www.example.com/emailAddress=root@example.com

        Last Update: Feb 24 14:40:04 2009 GMT

        Next Update: Mar 26 14:40:04 2009 GMT

        CRL extensions:

            X509v3 CRL Number:

                2

Revoked Certificates:

    Serial Number: 8B962ECF679FB9AB

        Revocation Date: Feb 24 14:28:44 2009 GMT

    Signature Algorithm: sha1WithRSAEncryption

        86:45:16:c7:0b:7d:15:6e:3c:eb:4e:92:1c:4f:62:ec:64:44:

        cd:59:68:28:23:4b:ff:b0:93:1a:13:b7:cf:10:91:4f:da:6d:

        25:48:99:9c:9d:f5:03:91:8b:c7:45:cb:92:68:79:ba:d5:68:

        1f:e8:0f:a7:fa:ff:15:f8:a6:8b:9f:2f:c8:14:7d:9c:7a:c6:

        36:6b:03:d8:c2:90:40:3a:24:51:43:71:47:84:5d:f8:38:44:

        f3:06:df:cf:81:3a:ef:ac:99:29:fc:ed:44:4e:79:79:ee:aa:

        15:1a:61:cc:e0:9f:23:75:fb:4a:a2:af:4a:cc:c9:9b:88:be:

        8a:7b

 

e)         Modify the Apache configuration to add the certificate revocation list

Edit the SSL configuration file /etc/httpd/conf.d/ssl.conf and change the following line (the path is where -gencrl wrote the CRL above):

SSLCARevocationFile "/etc/httpd/ca/example.com.crl"

Restart Apache

[root@web01 misc]# service httpd restart

Stopping httpd: [  OK  ]

Starting httpd: [  OK  ]

 

f)         Client access test: access fails with a message that the certificate has been revoked
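The client-certificate issuance of section 4 and the revocation flow of section 5, combined into one added example that is not part of the original post. It builds a throwaway CA under a temporary directory with a minimal openssl ca configuration (the ca.cnf contents, file names, DNs and the export password are all constructed here), signs the client request with the CA rather than -signkey, bundles the certificate with the client's own key, then revokes it and checks it against the CRL the way Apache does once SSLCARevocationFile is set.

```shell
#!/bin/bash
# Added example (not from the original post): throwaway CA, a client cert
# issued as in step 4 (openssl x509 -req -CA), its PKCS#12 bundle, then the
# step 5 revocation and a CRL check like Apache's SSLCARevocationFile one.
# All paths, DNs and the password are constructed for this example.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 0; }
W=$(mktemp -d)
# openssl ca wants a small database layout. The post's CA script created
# serial and index.txt but not crlnumber, the file -gencrl complained about.
cat >"$W/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $W/index.txt
new_certs_dir = $W
serial = $W/serial
crlnumber = $W/crlnumber
default_md = sha256
default_crl_days = 30
EOF
: >"$W/index.txt"; echo 01 >"$W/serial"; echo 01 >"$W/crlnumber"
# root CA (DN mirrors the post's CA); key left unencrypted to stay unattended
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$W/cakey.pem" \
  -out "$W/cacert.pem" -subj "/C=CN/O=example.com/CN=www.example.com" 2>/dev/null
# client key + CSR, issued by the CA (no -signkey: that would self-sign it)
openssl req -new -newkey rsa:2048 -nodes -keyout "$W/privkey.pem" \
  -out "$W/computer1.csr" -subj "/C=CN/O=example.com/CN=computer1" 2>/dev/null
openssl x509 -req -days 3650 -in "$W/computer1.csr" -CA "$W/cacert.pem" \
  -CAkey "$W/cakey.pem" -CAcreateserial -out "$W/computer1.crt" 2>/dev/null
# browser bundle: certificate plus the CLIENT's key (privkey.pem), never cakey.pem
openssl pkcs12 -export -in "$W/computer1.crt" -inkey "$W/privkey.pem" \
  -out "$W/computer1.pfx" -passout pass:clientpassword
# what SSLVerifyClient require checks: does the chain end at our CA?
verify_client() {
  openssl verify -CAfile "$W/cacert.pem" "$W/computer1.crt" >/dev/null 2>&1 \
    && echo valid || echo invalid
}
# step 5: revoke (adds the serial to index.txt) and issue a fresh CRL
revoke_client() {
  openssl ca -config "$W/ca.cnf" -keyfile "$W/cakey.pem" -cert "$W/cacert.pem" \
    -revoke "$W/computer1.crt" >/dev/null 2>&1
  openssl ca -config "$W/ca.cnf" -keyfile "$W/cakey.pem" -cert "$W/cacert.pem" \
    -gencrl -out "$W/example.com.crl" >/dev/null 2>&1
}
# the same check with the CRL enforced, as Apache does with SSLCARevocationFile
verify_with_crl() {
  openssl verify -crl_check -CAfile "$W/cacert.pem" -CRLfile "$W/example.com.crl" \
    "$W/computer1.crt" >/dev/null 2>&1 && echo valid || echo revoked
}
```

Run revoke_client and then verify_with_crl to see the same outcome as the access test in f): the certificate verifies before revocation and is rejected once the CRL lists its serial.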
