我們的項目都是基于https協議訪問的，由于費用問題，在開發、測試環境中使了一個過期證書。所以每天得面對瀏覽器提示證書過期問題，若只是頁面訪問，多確認一下就完了，但遇到系統間的頁面跳轉、互相調用，就玩不轉了。沒折，干脆自已做證書。

通過Openssl建立根證書和服務器證書，并用根證書對服務器證書進行簽名。

1、使用Openssl的CA腳本來建立根證書（/usr/share/ssl/misc/CA）
運行CA -newca，Openssl會找CA自己的私有密鑰密碼文件。如果沒有這個文件？按回車會自動創建，輸入密碼來保護這個密碼文件。之后會提示你輸入公司信息來做CA.crt文件。最后，在當前目錄下多了一個demoCA目錄，demoCA/private/cakey.pem就是CA的key文件了，而demoCA/cacert.pem就是CA的crt文件了。具體如下：

[root@xplan-dev8 ca]# ./CA -newca

CA certificate filename (or enter to create)

Making CA certificate

Generating a 1024 bit RSA private key

.++++++

++++++

writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Zhejiang

Locality Name (eg, city) [Newbury]:Hangzhou

Organization Name (eg, company) [My Company Ltd]:Mysoft.com corpration

Organizational Unit Name (eg, section) []:Mysoft.com

Common Name (eg, your name or your server's hostname) []:Mysoft.com

Email Address []:

2、生成服務器證書
生成服務器私鑰Key文件，openssl genrsa -des3 -out server.key 1024，并輸入保護密碼：

[root@xplan-dev8 ca]# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus

..++++++

e is 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

生成服務器證書(注：輸入Common Name一項時，若需對泛域名支持證書時，需用*.mysoft.com)：

[root@xplan-dev8 ca]# openssl req -new -key server.key -out server.csr -days 365

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Zhejiang

Locality Name (eg, city) [Newbury]:Hangzhou

Organization Name (eg, company) [My Company Ltd]:Mysoft.com

Organizational Unit Name (eg, section) []:Mysoft.com

Common Name (eg, your name or your server's hostname) []:*.mysoft.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

3、用根證書對服務器證書進行簽名
把server.crt文件重命名成newreq.pem，然后用CA腳本進行簽名，期間會提示要求輸入cakey.pem的保護密碼。

[root@xplan-dev8 ca]# mv server.csr newreq.pem

[root@xplan-dev8 ca]# ./CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 8 12:27:14 2008 GMT
            Not After : Dec 8 12:27:14 2009 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Zhejiang
            localityName              = Hangzhou
            organizationName          = Mysoft.com
            organizationalUnitName    = Mysoft.com
            commonName                = *.mysoft.com
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            0F:0C:46:82:EB:68:61:CE:6F:06:10:78:BC:7B:2F:10:F8:96:7E:09
            X509v3 Authority Key Identifier:
            keyid:E0:01:2C:50:62:87:8D:10:7A:17:6D:AB:2C:43:0A:79:EB:5F:26:0C
            DirName:/C=CN/ST=Zhejiang/L=Hangzhou/O=Mysoft.com corpration/OU=Mysoft.com/CN=Mysoft.com
            serial:00

Certificate is to be certified until Dec 8 12:27:14 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CN, ST=Zhejiang, L=Hangzhou, O=Mysoft.com corpration, OU=Mysoft.com, CN=Mysoft.com
        Validity
            Not Before: Dec 8 12:27:14 2008 GMT
            Not After : Dec 8 12:27:14 2009 GMT
        Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=Mysoft.com, OU=Mysoft.com, CN=*.mysoft.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f0:46:a7:a3:9d:8d:ce:09:da:f1:02:a0:fd:1f:
                    5c:df:a5:08:66:ea:13:0d:17:ac:49:92:9f:65:21:
                    cf:ec:f8:79:73:a1:73:0a:3e:d6:d0:c3:a4:d4:36:
                    22:b8:4c:82:51:fe:5d:e1:13:22:99:5f:4c:ef:c6:
                    65:3a:5d:de:1f:83:f2:17:a5:2b:f3:03:94:9a:31:
                    bc:09:c8:1c:9e:4d:ad:3b:90:2d:dc:65:0c:e3:04:
                    9b:8a:d5:c2:93:b7:51:8e:fe:92:1d:ee:55:6e:a0:
                    77:25:e1:a1:24:7f:55:7a:b4:4d:f4:84:83:13:56:
                    8d:62:be:2d:db:f8:1a:de:35
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            0F:0C:46:82:EB:68:61:CE:6F:06:10:78:BC:7B:2F:10:F8:96:7E:09
            X509v3 Authority Key Identifier:
            keyid:E0:01:2C:50:62:87:8D:10:7A:17:6D:AB:2C:43:0A:79:EB:5F:26:0C
            DirName:/C=CN/ST=Zhejiang/L=Hangzhou/O=Mysoft.com corpration/OU=Mysoft.com/CN=Mysoft.com
            serial:00

    Signature Algorithm: md5WithRSAEncryption
        0b:dc:15:f3:87:5c:e0:07:23:0e:78:47:af:56:fb:43:31:4b:
        0d:12:76:57:95:cd:d7:2a:75:00:01:21:96:9d:d4:bf:9d:e9:
        b6:26:cc:70:98:95:fd:ca:af:ad:68:fb:10:79:09:05:32:20:
        02:7a:84:53:2f:e0:d5:cd:ed:4d:42:e7:d5:9d:90:78:9a:2e:
        d8:72:cb:7f:f7:29:30:24:25:f2:0f:2d:b4:9d:a2:b3:24:00:
        b4:f7:e9:de:5c:1a:50:d3:59:a4:9c:1d:03:15:04:17:6d:c2:
        ab:95:a8:1f:28:e5:ad:3c:a9:a8:c8:30:3a:09:3f:75:5d:70:
        2e:af
-----BEGIN CERTIFICATE-----
MIIDfDCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCQ04x
ETAPBgNVBAgTCFpoZWppYW5nMREwDwYDVQQHEwhIYW5nemhvdTEfMB0GA1UEChMW
QWxpc29mdC5jb20gY29ycHJhdGlvbjEUMBIGA1UECxMLQWxpc29mdC5jb20xFDAS
BgNVBAMTC0FsaXNvZnQuY29tMB4XDTA4MTIwODEyMjcxNFoXDTA5MTIwODEyMjcx
NFowdzELMAkGA1UEBhMCQ04xETAPBgNVBAgTCFpoZWppYW5nMREwDwYDVQQHEwhI
YW5nemhvdTEUMBIGA1UEChMLQWxpc29mdC5jb20xFDASBgNVBAsTC0FsaXNvZnQu
Y29tMRYwFAYDVQQDFA0qLmFsaXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDwRqejnY3OCdrxAqD9H1zfpQhm6hMNF6xJkp9lIc/s+HlzoXMKPtbQ
w6TUNiK4TIJR/l3hEyKZX0zvxmU6Xd4fg/IXpSvzA5SaMbwJyByeTa07kC3cZQzj
BJuK1cKTt1GO/pId7lVuoHcl4aEkf1V6tE30hIMTVo1ivi3b+BreNQIDAQABo4IB
DDCCAQgwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFA8MRoLraGHObwYQeLx7LxD4ln4JMIGt
BgNVHSMEgaUwgaKAFOABLFBih40QehdtqyxDCnnrXyYMoYGGpIGDMIGAMQswCQYD
VQQGEwJDTjERMA8GA1UECBMIWmhlamlhbmcxETAPBgNVBAcTCEhhbmd6aG91MR8w
HQYDVQQKExZBbGlzb2Z0LmNvbSBjb3JwcmF0aW9uMRQwEgYDVQQLEwtBbGlzb2Z0
LmNvbTEUMBIGA1UEAxMLQWxpc29mdC5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEA
C9wV84dc4AcjDnhHr1b7QzFLDRJ2V5XN1yp1AAEhlp3Uv53ptibMcJiV/cqvrWj7
EHkJBTIgAnqEUy/g1c3tTULn1Z2QeJou2HLLf/cpMCQl8g8ttJ2isyQAtPfp3lwa
UNNZpJwdAxUEF23Cq5WoHyjlrTypqMgwOgk/dV1wLq8=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

這樣就生成了server的證書newcert.pem，把newcert.pem 重命名為server.crt。

4、配置apache

NameVirtualHost *:443

ServerAdmin sa@mysoft.com

ServerName xplan.mysoft.com

DocumentRoot /home/admin/project/htdocs

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+SSLv3:+EXP:+eNULL

SSLCertificateFile /home/admin/modules/crt/server.crt

SSLCertificateKeyFile /home/admin/modules/crt/server.key

SSLProxyEngine on

RewriteEngine on

RewriteRule ^/$ /xplan/user/login!login.jspa [L,P]

</VirtualHost>

重啟apache時，會提示要求輸入服務端證書的密碼。如下：

[root@localhost]# bin/apachectl restart

httpd not running, trying to start

Apache/2.2.0 mod_ssl/2.2.0 (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide the pass phrases.

Server xplan.mysoft.com:443 (RSA)

Enter pass phrase:

OK: Pass Phrase Dialog successful.

5、客戶端(IE)導入根證書(ca.cert)
在"選項"->"內容"->"證書"->"受信任根證書頒發機構"中點擊"導入"，選中"ca.crt"，完成導入。或者，直接在點ca.crt文件右鍵，選擇安裝即可。

6、重啟apache，要求輸入密碼的問題解決

1)、去掉bin/apachectl start啟動的pass phrase，用空pass phrase啟動apache
(while preserving the original file):
[root@xplan-dev8 ca]$ cp server.key server.key.org
[root@xplan-dev8 ca]$ openssl rsa -in server.key.org -out server.key

確認server.key 文件為root可讀
[root@xplan-dev8 ca]$ chmod 400 server.key

2、編輯
[root@xplan-dev8 ca]$ vi conf/extra/httpd-ssl.conf
注釋SSLPassPhraseDialog builtin
在后添加：SSLPassPhraseDialog exec:/usr/local/apache2/conf/apache_pass.sh

[root@xplan-dev8 ca]$ vi conf/apache_pass.sh
#!/bin/sh
echo "密碼"
[root@xplan-dev8 ca]$ chmod +x /usr/local/apache2/conf/apache_pass.sh

posted on 2008-12-08 21:19 josson 閱讀(2646) 評論(1) 編輯收藏所屬分類: 大雜燴

FeedBack:

# re: 利用Openssl 建立自己的證書。[未登錄]

2009-05-19 11:49 | zhang

謝謝
回復更多評論

新用戶注冊刷新評論列表


只有注冊用戶登錄后才能發表評論。




網站導航: 博客園 IT新聞 Chat2DB C++博客博問管理
相關文章: firefox中證書的使用我的2010 團隊管理若干. 誠信開發人員談系統可用性和用戶體驗 maven2常用命令批處理解決多測試環境切換問題利用Openssl 建立自己的證書。網絡驅動器無法顯示SVN圖標問題 Window環境下Apache(With SSL) 與 JBoss的集成

2008年12月

日

一

二

三

四

五

六

常用鏈接

留言簿(3)

隨筆分類

隨筆檔案

收藏夾

搜索

最新評論

閱讀排行榜

評論排行榜