环境: Ubuntu14.04,apache2.4.7, openssl1.0.1f
安装apache2
apt-get install apache2 -y
一般openssl默认已经安装
开启apache的ssl模块和ssl站点
a2enmod ssl
a2ensite default-ssl.conf
创建证书目录
mkdir /etc/apache2/certs
进入目录创建证书和秘钥
cd /etc/apache2/certs
/usr/lib/ssl/misc/CA.sh -newca
root@bogon:/etc/apache2/certs# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
.............................................................................................+++
..+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or aDN.
There are quite a few fields but you can leave some blank
For some fields there will be a defaultvalue,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
OrganizationName (eg, company) [Internet Widgits Pty Ltd]:PWRD
Organizational Unit Name (eg, section) []:OPS
Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128
Email Address []:jailman@sina.com
Please enter the following 'extra' attributes
to be sent with your certificate request
Achallenge password []:111111
An optional company name []:pwrd
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 14695213526817228816 (0xcbefe2d81474c810)
Validity
Not Before: Jan 5 05:30:34 2017 GMT
Not After : Jan 5 05:30:34 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = PWRD
organizationalUnitName = OPS
commonName = 10.1.1.128
emailAddress = jailman@sina.com
X509v3 extensions:
X509v3 Subject Key Identifier:
50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD
X509v3 Authority KeyIdentifier:
keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jan 5 05:30:34 2020 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
tree命令查看一下
root@bogon:/etc/apache2/certs# tree
.
└── demoCA
├── cacert.pem
├── careq.pem
├── certs
├── crl
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── CBEFE2D81474C810.pem
├── private
│ └── cakey.pem
└── serial
5directories, 8 files
生成服务器证书(密码全部设置为111111)
a) 生成私钥: openssl genrsa -des3 -out server.key2048
b) 生成csr文件: openssl req -new -keyserver.key -out server.csr
c) 生成证书&签名: openssl ca -in server.csr-out server.crt
#遇到下列不成功时修改vim demoCA/index.txt.attr中unique_subject =no
failed to update database
TXT_DB error number 2
上述执行结果
root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........................................+++
............................+++
eis 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
root@bogon:/etc/apache2/certs# openssl req -new -key server.key -outserver.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or aDN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD
Organizational Unit Name (eg, section) []:OPS
Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128
Email Address []:jailman@sina.com
Please enter the following 'extra' attributes
to be sent with your certificate request
Achallenge password []:111111
An optional company name []:pwrd
root@bogon:/etc/apache2/certs# openssl ca -in server.csr -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 14695213526817228817 (0xcbefe2d81474c811)
Validity
Not Before: Jan 5 05:39:32 2017 GMT
Not After : Jan 5 05:39:32 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = PWRD
organizationalUnitName = OPS
commonName = 10.1.1.128
emailAddress = jailman@sina.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL GeneratedCertificate
X509v3 Subject Key Identifier:
FB:32:4F:A6:6D:01:D3:00:98:00:BF:0A:2E:E5:E6:90:CC:E0:E4:8B
X509v3 Authority KeyIdentifier:
keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD
Certificate is to be certified until Jan 5 05:39:32 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
生成客户端证书(密码全部设置为111111)
a) 生成私钥: openssl genrsa -des3 -out client.key2048
b) 生成csr文件: openssl req -new -keyclient.key -out client.csr
c) 生成证书&签名: openssl ca -in client.csr-out client.crt
上述命令执行结果:
root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
............................+++
eis 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
root@bogon:/etc/apache2/certs# openssl req -new -key client.key -outclient.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
intoyour certificate request.
What you are about to enter is what is called a Distinguished Name or aDN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD
Organizational Unit Name (eg, section) []:OPS
Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128
Email Address []:jailman@sina.com
Please enter the following 'extra' attributes
to be sent with your certificate request
Achallenge password []:111111
An optional company name []:pwrd
root@bogon:/etc/apache2/certs# openssl ca -in client.csr -out client.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 14695213526817228818 (0xcbefe2d81474c812)
Validity
Not Before: Jan 5 05:43:35 2017 GMT
Not After : Jan 5 05:43:35 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = Beijing
organizationName = PWRD
organizationalUnitName = OPS
commonName = 10.1.1.128
emailAddress = jailman@sina.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL GeneratedCertificate
X509v3 Subject Key Identifier:
78:4C:B0:9E:BA:EE:BD:E2:88:55:F4:06:B4:57:5E:74:71:E0:1B:2D
X509v3 Authority KeyIdentifier:
keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD
Certificate is to be certified until Jan 5 05:43:35 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
查看上述两步生成的证书和秘钥
root@bogon:/etc/apache2/certs# ls
client.crt client.key server.crt server.key
client.csr demoCA server.csr
*生成浏览器支持的.pfx(.p12)证书
a) openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -outclient.p12
执行结果
root@bogon:/etc/apache2/certs# openssl pkcs12 -export -clcerts -inclient.crt -inkey client.key -out client.p12
Enterpass phrase for client.key:
EnterExport Password:
Verifying- Enter Export Password:
生成不带密码验证的client/server.key.unsecure
如果你想要把数字证书用于Nginx、Apache等Web服务器,你会发现启动nginx服务器时会要求你输入数字证书密码,
这是因为在设置私钥key时将密码写入了key文件,导致Nginx/Apache等系列服务器在启动时要求Enter PEM pass phrase。
我们需要做的是剥离这个密码,利用如下OpenSSL命令生成server.key.unsecure文件
openssl rsa -in server.key -outserver.key.unsecure
最终的结果:
root@bogon:/etc/apache2/certs# tree
.
├──client.crt
├──client.csr
├──client.key
├──client.p12
├──demoCA
│??├── cacert.pem
│??├── careq.pem
│??├── certs
│??├── crl
│??├── index.txt
│??├── index.txt.attr
│??├── index.txt.attr.old
│??├── index.txt.old
│??├── newcerts
│??│?? ├── CBEFE2D81474C810.pem
│??│?? ├── CBEFE2D81474C811.pem
│??│?? └── CBEFE2D81474C812.pem
│??├── private
│??│?? └── cakey.pem
│??├── serial
│??└── serial.old
├──server.crt
├──server.csr
└──server.key
5directories, 19 files
配置apache2 https
vim/etc/apache2/sites-enabled/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost_default_:443>
ServerAdminwebmaster@localhost
DocumentRoot/var/www/html
ErrorLog${APACHE_LOG_DIR}/error.log
CustomLog${APACHE_LOG_DIR}/access.log combined
SSLEngineon
SSLCertificateFile /etc/apache2/certs/server.crt
SSLCertificateKeyFile/etc/apache2/certs/server.key
SSLCACertificateFile/etc/apache2/certs/demoCA/cacert.pem
SSLVerifyClientrequire
SSLVerifyDepth 10
<FilesMatch"\.(cgi|shtml|phtml|php)$">
SSLOptions+StdEnvVars
</FilesMatch>
<Directory/usr/lib/cgi-bin>
SSLOptions+StdEnvVars
</Directory>
BrowserMatch"MSIE [2-6]" \
nokeepalivessl-unclean-shutdown \
downgrade-1.0force-response-1.0
BrowserMatch"MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
serviceapache2 restart
root@bogon:/etc/apache2/sites-enabled#service apache2 restart
*Restarting web server apache2 Apache needs to decrypt your SSL Keys for bogon.localdomain:443 (RSA)
Pleaseenter passphrase:
输入密码启动
证书导出到本地准备写入加密锁
root@bogon:/etc/apache2/certs# szclient.p12
打开USB锁管理软件
输入PIN登录
这里实际上我们已经提前将加密锁初始化为了PKI锁
点击导入,选择证书,输入证书密码,其他默认
Win10提示导入成功
导入后的效果
USB加密锁保持插入,访问测试站点https://10.1.1.128,有证书提示
点击确定输入PIN码
忽略安全提示
成功访问
不插key的情况下访问结果
我使用的是ET199加密锁,加上运费一共花了29元