[Web] RHEL5.2+Apache+OpenSSL Certificate Management

Posted 2009-02-25 18:00
RHEL5+Apache+OpenSSL Certificate Management

【Test Environment】

OS: RHEL5.2
Apache: httpd-2.2.3-11.el5_1.3
OpenSSL: openssl-0.9.8b-10.el5
IP address: 192.168.254.80
Site: www.example.com

【Procedure】

1.        Install the required packages

[root@web01 ~]# rpm -qa |grep httpd
httpd-2.2.3-11.el5_1.3
[root@web01 ~]# rpm -qa |grep mod_ssl
mod_ssl-2.2.3-11.el5_1.3
[root@web01 ~]# rpm -qa |grep openssl
openssl-0.9.8b-10.el5
openssl-devel-0.9.8b-10.el5
[root@web01 ~]#

2.        Change the default parameters used when generating certificates
a)        Edit the defaults used for certificate generation:
vi /etc/pki/tls/openssl.cnf
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = SHANGHAI

localityName                    = Locality Name (eg, city)
localityName_default            = SHANGHAI

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = example.com

# we can do this but it is not needed normally
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
organizationalUnitName_default  = IT Deps.

commonName                      = Common Name (eg, your name or your server's hostname)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

cd /etc/pki/tls/misc/

b)        Generate the CA certificate                // this step is essential
./CA -newca
When it finishes, the root certificate's private key (/etc/pki/CA/private/cakey.pem) and the root certificate (/etc/pki/CA/cacert.pem) have been generated.

3.        Generate and configure the server certificate

Note: all certificates in this section are placed under /etc/httpd/ca. Create that directory:
[root@web01 ~]# mkdir /etc/httpd/ca
[root@web01 ~]# cd /etc/httpd/ca

a)        Generate the server's private key (the server.key file):
[root@web01 ca]# openssl genrsa -des3 -out server.key
You are asked for a pass phrase here; remember it (for example: key_password).
Generating RSA private key, 512 bit long modulus
...........................++++++++++++
......++++++++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
When the command completes, server.key is created in the current directory.

b)        You can inspect the key file as follows (note: you must supply the pass phrase you just set)
[root@web01 ca]# openssl rsa -noout -text -in server.key
Enter pass phrase for server.key:
Private-Key: (512 bit)
modulus:
    00:cc:f5:d5:68:89:1a:5d:80:83:b5:52:77:7f:9b:
    c7:3a:1c:ea:87:f5:37:cb:17:a5:bd:63:18:94:bc:
    69:e7:6f:a0:ee:42:46:6d:d8:33:75:d4:f1:b3:18:
    4d:4f:33:27:6d:76:65:36:25:cb:4d:04:96:7b:b2:
    8d:53:eb:a2:ed
publicExponent: 65537 (0x10001)
privateExponent:
    00:c6:d1:6d:8b:b2:fb:5d:5a:2d:e9:35:2e:f0:1d:
    57:9c:1a:b2:b2:e1:ff:96:45:c1:23:be:bd:f8:81:
    f0:a5:6b:99:79:12:c8:af:2b:73:55:99:68:f6:2a:
    a1:4b:32:87:db:51:e7:db:df:e9:bd:10:44:67:6d:
    08:17:1a:ad:01
prime1:
    00:f1:fa:fc:1a:6e:73:97:ea:95:b5:ec:4f:7d:78:
    00:31:81:7a:bb:a7:de:37:62:74:70:e0:45:02:5f:
    aa:b2:c1
prime2:
    00:d8:d5:c5:b2:16:a4:c1:f0:9d:c9:3d:f6:10:5f:
    31:f3:1d:9d:7a:2b:22:91:84:2f:19:ff:b9:2b:56:
    f2:f7:2d
exponent1:
    00:da:05:71:2f:bf:64:96:f3:dd:7f:d4:32:aa:b1:
    7c:3b:1e:96:1e:8d:d9:41:bd:8b:7c:48:14:e5:56:
    9c:ce:01
exponent2:
    2d:58:1e:fc:8c:01:ae:50:ec:1e:2e:67:eb:aa:8c:
    9e:83:9d:ef:f3:5f:4a:40:f3:3c:a3:9e:8c:72:a5:
    62:8d
coefficient:
    00:dd:9a:2e:10:ae:47:ba:40:75:a2:17:de:72:2c:
    8d:ee:29:02:b6:ff:a6:e9:6d:84:7b:e1:c0:87:24:
    83:46:d3
c)        Remove the pass phrase (so that Apache no longer asks for it at startup)
The key without its pass phrase is saved separately as server.key.nopw
[root@web01 ca]# openssl rsa < server.key > server.key.nopw
Enter pass phrase:
writing RSA key
When it finishes, server.key.nopw is created in the current directory.

d)        Generate the server certificate request
[root@web01 ca]# openssl req -new -key server.key > server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [example.com]:
Organizational Unit Name (eg, section) [IT Deps.]:
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:root@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
When it finishes, server.csr is created in the current directory.

e)        Create the server certificate (self-signed with server.key)
[root@web01 ca]# openssl x509 -req -days 3650 < server.csr -signkey server.key > server.crt
Signature ok
subject=/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=www.example.com/emailAddress=root@example.com
Getting Private key
Enter pass phrase for server.key:
When it finishes, server.crt is created in the current directory.

f)        Edit Apache's SSL configuration file
Edit /etc/httpd/conf.d/ssl.conf:
[root@web01 ca]# vi /etc/httpd/conf.d/ssl.conf
Set the following directives:
SSLCertificateFile /etc/httpd/ca/server.crt
SSLCertificateKeyFile /etc/httpd/ca/server.key
# location of the CA certificate; used when client certificates are verified
SSLCACertificateFile /etc/pki/CA/cacert.pem

g)        Restart Apache; it asks for the pass phrase set when the private key was generated
[root@web01 ca]# service httpd restart
Stopping httpd: [  OK  ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[  OK  ]

h)        Make Apache restart without asking for the pass phrase
In /etc/httpd/conf.d/ssl.conf, change
SSLCertificateKeyFile /etc/httpd/ca/server.key
to:
SSLCertificateKeyFile /etc/httpd/ca/server.key.nopw
After that, restarting Apache no longer asks for the pass phrase.
[root@web01 ca]# service httpd restart
Stopping httpd: [  OK  ]
Starting httpd: [  OK  ]
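Section 3 runs openssl genrsa without a key size, which is why the transcript above reports a 512-bit modulus. The script below is an added example and not the post's own commands: it performs steps a), c), d) and e) non-interactively with an explicit 2048-bit key, and then runs the check a practitioner wants before pointing ssl.conf at the files, namely that server.key.nopw, server.csr and server.crt all carry the same modulus (mod_ssl refuses to start when key and certificate disagree). It assumes openssl on PATH, an existing scratch directory passed as its argument, and reuses the post's pass phrase key_password as a constructed value.

```shell
#!/bin/sh
# Added example, not the post's own commands: section 3 steps a), c), d), e)
# run non-interactively, with an explicit 2048-bit key instead of the 512-bit
# default the post received, followed by the consistency check worth running
# before ssl.conf is pointed at the files. Assumed: openssl on PATH, a scratch
# directory passed as $1, and the post's pass phrase "key_password" (constructed).
set -eu

PW=key_password
SUBJ='/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=www.example.com'

make_server_cert() (
    cd "$1"
    umask 077                      # key material is created owner-readable only
    # a) encrypted private key; give the size, "openssl genrsa" in 0.9.8 defaults to 512
    openssl genrsa -des3 -passout pass:"$PW" -out server.key 2048 2>/dev/null
    # c) the same key without its pass phrase, for unattended httpd restarts
    openssl rsa -in server.key -passin pass:"$PW" -out server.key.nopw 2>/dev/null
    # d) certificate request; -subj answers the DN prompts shown in the post
    openssl req -new -key server.key -passin pass:"$PW" -subj "$SUBJ" -out server.csr 2>/dev/null
    # e) self-signed server certificate, exactly as the post does it
    openssl x509 -req -days 3650 -in server.csr -signkey server.key -passin pass:"$PW" \
        -out server.crt 2>/dev/null
)

# SHA-256 of the RSA modulus found in a key, CSR or certificate file.
modulus_fp() {
    case $1 in
        *.key|*.nopw) openssl rsa  -noout -modulus -in "$1" -passin pass:"$PW" ;;
        *.csr)        openssl req  -noout -modulus -in "$1" ;;
        *.crt)        openssl x509 -noout -modulus -in "$1" ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# Prints "match" when server.key.nopw, server.csr and server.crt carry the same
# modulus, otherwise "mismatch" (httpd would refuse to start on a mismatch).
check_server_files() (
    cd "$1"
    k=$(modulus_fp server.key.nopw); r=$(modulus_fp server.csr); c=$(modulus_fp server.crt)
    if [ "$k" = "$r" ] && [ "$r" = "$c" ]; then echo match; else echo mismatch; fi
)

# Modulus size of an RSA key file in bits, e.g. 2048.
key_bits() {
    openssl rsa -noout -text -in "$1" -passin pass:"$PW" 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Usage: sh server_cert.sh /etc/httpd/ca   (the directory must already exist)
if [ $# -gt 0 ]; then
    make_server_cert "$1"
    echo "key size: $(key_bits "$1/server.key.nopw") bits, files: $(check_server_files "$1")"
fi
```

The modulus comparison is the same test mod_ssl performs internally at startup, so running it by hand turns a failed restart into a clear answer before the service is touched.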

4.        Generate and install the client certificate

a)        Create a directory named client to hold the client certificates
[root@web01 ca]# mkdir client
[root@web01 ca]# cd client/

b)        Create the CSR for the accessing user (computer1)
You are asked for some information here; enter it as required. The pass phrase is set to "clientpassword" in this example.
[root@web01 client]# openssl req -new > computer1.csr
Generating a 1024 bit RSA private key
...++++++
.......++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShangHai]:
Locality Name (eg, city) [ShangHai]:
Organization Name (eg, company) [example.com]:
Organizational Unit Name (eg, section) [IT Deps.]:
Common Name (eg, your name or your server's hostname) []:computer1
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
When it finishes, two files are created in the current directory: computer1.csr and privkey.pem

c)        Create the user's crt certificate file, signed by the CA
Note that the pass phrase of the CA root certificate's private key must be entered here.
[root@web01 client]# openssl x509 -req < computer1.csr > computer1.crt -CA /etc/pki/CA/cacert.pem -CAkey /etc/pki/CA/private/cakey.pem -CAcreateserial -days 3650
Signature ok
subject=/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=computer1
Getting CA Private Key
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
When it finishes, computer1.crt is created in the current directory.

d)        Export the crt file as a pfx file (IE can only import certificates in pfx format)
Note: the Export Password set here is the one needed when the certificate is installed! I set it to "clientpassword". The pfx must bundle the client's own private key (privkey.pem from step b), not the CA key.
[root@web01 client]# openssl pkcs12 -export -in computer1.crt -inkey privkey.pem -out computer1.pfx
Enter pass phrase for privkey.pem:
Enter Export Password:
Verifying - Enter Export Password:
When it finishes, computer1.pfx is created in the current directory.

e)        Configure Apache to require a client certificate for access
Edit the /etc/httpd/conf.d/ssl.conf file:
SSLVerifyClient require
SSLVerifyDepth  10
        After editing, restart the Apache service:
[root@web01 client]# /etc/init.d/httpd restart
Stopping httpd: [  OK  ]
Starting httpd: [  OK  ]

f)        Download and install the client certificate

g)        Once this is done, clients that hold the certificate can access the site; without the certificate, access is refused!




5.        Revoking and renewing client certificates

a)        Change to the /etc/pki/tls/misc directory
cd /etc/pki/tls/misc

b)        Revoke the client certificate computer1.crt
[root@web01 misc]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -revoke /etc/httpd/ca/client/computer1.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Adding Entry with serial number 8B962ECF679FB9AB to DB for /C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=computer1
Revoking Certificate 8B962ECF679FB9AB.
Data Base Updated

c)        Generate a new certificate revocation list
Note: at this point the operation fails with an error.
[root@web01 misc]# openssl ca -gencrl -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /etc/httpd/ca/example.com.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
../../CA/crlnumber: No such file or directory
error while loading CRL number
12727:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/crlnumber','r')
12727:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
There is a problem here, and I don't know why; I worked around it by creating the file by hand:
[root@web01 misc]# echo "01" >../../CA/crlnumber
After that, the CRL is created successfully
[root@web01 misc]# openssl ca -gencrl -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -out /etc/httpd/ca/example.com.crl
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:

d)        View the certificate revocation list
[root@web01 misc]# openssl crl -noout -text -in /etc/httpd/ca/example.com.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=CN/ST=ShangHai/O=example.com/OU=IT Deps./CN=www.example.com/emailAddress=root@example.com
        Last Update: Feb 24 14:40:04 2009 GMT
        Next Update: Mar 26 14:40:04 2009 GMT
        CRL extensions:
            X509v3 CRL Number:
                2
Revoked Certificates:
    Serial Number: 8B962ECF679FB9AB
        Revocation Date: Feb 24 14:28:44 2009 GMT
    Signature Algorithm: sha1WithRSAEncryption
        86:45:16:c7:0b:7d:15:6e:3c:eb:4e:92:1c:4f:62:ec:64:44:
        cd:59:68:28:23:4b:ff:b0:93:1a:13:b7:cf:10:91:4f:da:6d:
        25:48:99:9c:9d:f5:03:91:8b:c7:45:cb:92:68:79:ba:d5:68:
        1f:e8:0f:a7:fa:ff:15:f8:a6:8b:9f:2f:c8:14:7d:9c:7a:c6:
        36:6b:03:d8:c2:90:40:3a:24:51:43:71:47:84:5d:f8:38:44:
        f3:06:df:cf:81:3a:ef:ac:99:29:fc:ed:44:4e:79:79:ee:aa:
        15:1a:61:cc:e0:9f:23:75:fb:4a:a2:af:4a:cc:c9:9b:88:be:
        8a:7b

e)        Edit the Apache configuration to add the certificate revocation list
In the SSL configuration file /etc/httpd/conf.d/ssl.conf, set the following line (pointing at the CRL generated in step c):
SSLCARevocationFile "/etc/httpd/ca/example.com.crl"
Restart Apache:
[root@web01 misc]# service httpd restart
Stopping httpd: [  OK  ]
Starting httpd: [  OK  ]

f)        Client access test: access fails, with a message that the certificate has been revoked
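Sections 4 and 5 share one CA, so the following added example (not the post's own commands) covers both: it builds a throw-away CA, signs the client certificate the way section 4 c) does (x509 -req with -CA/-CAkey), exports it as PKCS#12 with the client's own key, then revokes it and issues a CRL the way section 5 does, creating the crlnumber file up front so that "openssl ca -gencrl" does not fail the way it did in the post. Finally it verifies the client certificate with and without the CRL, which mirrors what Apache does without and with SSLCARevocationFile. It assumes openssl on PATH, an existing empty scratch directory passed as its argument, and the constructed pass phrases capassword and clientpassword; the minimal ca.cnf it writes is mine, not the RHEL openssl.cnf.

```shell
#!/bin/sh
# Added example, not code from the original post. A throw-away CA signs the
# client certificate as in section 4, exports it as PKCS#12 with the client's
# key, revokes it and publishes a CRL as in section 5 (crlnumber created up
# front), then "openssl verify" shows the effect of the CRL. Assumed: openssl
# on PATH, an empty scratch directory as $1, and constructed pass phrases.
set -eu

CA_SUBJ='/C=CN/ST=ShangHai/O=example.com/OU=IT Deps./CN=www.example.com'
CLIENT_SUBJ='/C=CN/ST=ShangHai/L=ShangHai/O=example.com/OU=IT Deps./CN=computer1'

# Minimal [ca] configuration (constructed): only what -revoke and -gencrl need.
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/cacert.pem
private_key      = \$dir/cakey.pem
default_md       = sha256
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
EOF
}

# Root CA plus the bookkeeping files "./CA -newca" creates; crlnumber is the
# one the post had to add by hand before -gencrl would run.
setup_ca() (
    cd "$1"; umask 077; mkdir -p newcerts
    write_ca_config "$1"
    : > index.txt; echo 01 > serial; echo 01 > crlnumber
    openssl req -x509 -newkey rsa:2048 -days 3650 -subj "$CA_SUBJ" \
        -passout pass:capassword -keyout cakey.pem -out cacert.pem 2>/dev/null
)

# Section 4 b)-d) without the interactive prompts.
issue_client() (
    cd "$1"; umask 077
    openssl req -new -newkey rsa:2048 -subj "$CLIENT_SUBJ" -passout pass:clientpassword \
        -keyout privkey.pem -out computer1.csr 2>/dev/null
    openssl x509 -req -in computer1.csr -CA cacert.pem -CAkey cakey.pem -passin pass:capassword \
        -CAcreateserial -days 3650 -out computer1.crt 2>/dev/null
    # the .pfx carries the client's key (privkey.pem); the CA key never leaves the CA
    openssl pkcs12 -export -in computer1.crt -inkey privkey.pem -passin pass:clientpassword \
        -passout pass:clientpassword -out computer1.pfx
)

# Section 5 b)-c): record computer1.crt as revoked in index.txt, then write the CRL.
revoke_and_gencrl() (
    cd "$1"
    openssl ca -config ca.cnf -passin pass:capassword -revoke computer1.crt 2>/dev/null
    openssl ca -config ca.cnf -passin pass:capassword -gencrl -out example.com.crl 2>/dev/null
)

# "match" when the key inside computer1.pfx belongs to computer1.crt, else "mismatch".
pfx_key_matches_cert() (
    cd "$1"
    k=$(openssl pkcs12 -in computer1.pfx -passin pass:clientpassword -nocerts -nodes 2>/dev/null \
        | openssl rsa -noout -modulus 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in computer1.crt)
    [ "$k" = "$c" ] && echo match || echo mismatch
)

# Verifies computer1.crt against the trust file $2 (extra verify flag in $3)
# and prints OK, revoked or failed.
verify_status() (
    cd "$1"
    if out=$(openssl verify ${3:-} -CAfile "$2" computer1.crt 2>&1); then echo OK
    else case $out in *revoked*) echo revoked ;; *) echo failed ;; esac; fi
)
verify_plain() ( verify_status "$1" cacert.pem )           # Apache without SSLCARevocationFile
verify_with_crl() (                                         # Apache with SSLCARevocationFile
    cd "$1"; cat cacert.pem example.com.crl > ca_and_crl.pem
    verify_status "$1" ca_and_crl.pem -crl_check
)

# CRL number recorded in the CRL; the crlnumber file is incremented on each -gencrl.
crl_number() ( cd "$1"; openssl crl -noout -text -in example.com.crl | sed -n '/CRL Number/{n;s/ //g;p;}' )

# Usage: sh client_ca_demo.sh /tmp/demo-ca   (an existing, empty directory)
if [ $# -gt 0 ]; then
    setup_ca "$1"; issue_client "$1"; revoke_and_gencrl "$1"
    echo "without CRL: $(verify_plain "$1"); with CRL: $(verify_with_crl "$1")"
fi
```

Two points worth noticing when running it: a certificate signed with x509 -req is not in index.txt, so "openssl ca -revoke" first adds the entry (the "Adding Entry with serial number" line in the post) and then revokes it; and until the CRL is actually loaded, verification of the revoked certificate still succeeds, which is why the post's final Apache step matters.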


2
Posted 2009-02-25 22:21
Bookmarked, thank you very much

3
Posted 2009-03-07 10:34
Thanks, I was just about to study certificates properly; such a detailed document is hard to find.

4
Posted 2010-11-07 16:47
Nice