基于SSL的Web服务器

PKI基础;
证书生成、管理和认证过程;
关于SSL的服务器搭健;
PKI基础:
public key infrastructure (PKI) -
利用公钥加密体制完成诸如加密,认证等事务的技术机制;机密方式本身可分为对称加密和基础公钥体制的不对称加密。PKI的核心是公钥证书和CA认证机构,
认证机构履行证书的发布,认证和回收等职责来保证PKI的实施和有效。

证书的取得和其他:
可以从CA获得由机构签发的证书,其实也可以自己生成和发布自签发的证书,特别是在公司或组织规模不是很大的内部范围内使用,自己签发自认证证书是可行的!
生成证书
RSA Key:
openssl genrsa -out private_key.pem 2048
DSA Key:
openssl dsaparam -out dsa_param.pem 2048
openssl gendsa -out dsa_private_key.pem dsa_param.pem
以上使用的都是PEM格式的密钥,有时需要其他格式的密钥,可以通过Openssl工具转化,例如转成PKCS12格式可以用下面的命令,
openssl pkcs12 -export -in pem_formatted_file -out pkcs12-formatted-file
有了私钥,下面需要基于该私钥生成我们的公钥证书
openssl req -new -x509 -key private_key.pem -out certificate.der
如果是内部使用或仅是测试,以上公钥即可使用,事实上,真正的应用还需要CA机构签证我们的公钥,
openssl req -new -key private_key.pem -out certificate_request.csr
应用到服务器
1. Web Server需要支持SSL,以Apache为例,需要有Mod_ssl模块,并被正确配置和加载;
2. Web Server的Key和证书正确配置和放置;
以Fedora Core 2为例,在/etc/httpd/conf.d/ssl.conf中,
SSLEngin on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
3. 验证Server支持https,以feodra core 2默认配置为例,在浏览器中输入, https://yourserver/看是不是跳出证书认证对话框(和浏览器设置有关).


附上Simple OpenSSL Cert Howto



  • Make a new ssl private key:



    • Generate a new unencrypted rsa private key in PEM format:
      openssl genrsa -out privkey.pem 1024

      You can create an encrypted key by adding the -des3 option.




  • To make a self-signed certificate:



    • Create a certificate signing request (CSR) using your rsa private key:
      openssl req -new -key privkey.pem -out certreq.csr

      ( This is also the type of CSR you would create to send to a root CA for them to sign for you. )

    • Self-sign your CSR with your own private key:
      openssl x509 -req -in certreq.csr -signkey privkey.pem -out newcert.pem





  • To make a certificate signed by your own certificate authority (CA):



    • Configure /etc/ssl/openssl.cnf and use CA.pl to create the CA private key and certificate:
      vi /etc/ssl/openssl.cnf    /usr/lib/ssl/misc/CA.pl -newca

      Your copy of openssl.cnf and CA.pl may be located elsewhere.

    • Create an unsigned certificate using your rsa private key:
      openssl req -new -x509 -key privkey.pem -out cert.pem


    • Use your private key and your certificate to make a CSR:
      cat cert.pem privkey.pem | openssl x509 -x509toreq -signkey privkey.pem -out certreq.csr


    • Sign the certificate with the CA private key using the CSR you just made:
      openssl ca -in certreq.csr -out newcert.pem    rm -f certreq.csr





  • To install the signed certificate and private key for use by an ssl server:



    • The newcert.pem is the certificate signed by your local CA that you can then use in an ssl server:
      ( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem    ln -s server.pem `openssl x509 -hash
      -noout -in



    • server.pem`.0   # dot-zero

      ( The server.pem is a PEM file that can be used by apache along with the hash file. )


    You can view the contents of a CSR with:
    openssl req -noout -text -in certreq.csr

    You can view the contents of a certificate with:
    openssl x509 -noout -text -in newcert.pem

    You can display the MD5 fingerprint of a certificate with:
    openssl x509 -fingerprint -noout -in newcert.pem

    You can verify that your private key, CSR, and signed cert match by comparing:
    openssl rsa -noout -modulus -in privkey.pem |openssl md5    openssl req -noout -modulus -in certreq.csr |openssl md5



  • openssl x509 -noout -modulus -in newcert.pem |openssl md5



Comments

Post a Comment

Popular posts from this blog

Freeware Software Top 300 from winAddons.Com!

来自winAddons.Com的推荐,最好的300款免费软件,其中当然不乏Open Source的品牌产品,如OpenOffice,Firefox等,也包含了Windows平台下常用的不花钱的玩意儿,如Adobe Acrobat Reader等。 全文摘录如下, 对我个人经常使用和熟悉的一些产品进行了评价!! Office 办公软件 OpenOffice - 最著名的免费的办公套件 PC Suite 602 - office suite AbiWord - text editor Atlantis Nova - text editor Microsoft PowerPoint Viewer - power point files viewer Adobe Reader - pdf reader Foxit PDF Reader - pdf reader PDFCreator - 优秀的PDF制作引擎,用于直接打印到PDF文件 Doc Convertor - document convertor Convert - unit convertor Converber - unit convertor Sunbird - calendar/organizer EssentialPIM Free - calendar/organizer PhraseExpress - speed up your writing ATnotes - create notes on the desktop Archive managers 压缩文件管理器 7-Zip - 最流行的免费压缩工具 IZArc - compression program TugZIP - compression program CabPack - compression program Universal Extractor - extract files from any type of archive Internet 因特网 Firefox - 火狐,火狐 Internet Explorer - web browser Maxthon - web browser Opera - web browser Avant Browser - web browser Thu...
Read more

What is DevOPS?

Image
What is DevOPS? As be a DevOPS engineer more than five years in the past, I was always asked what is DevOPS or what is a DevOPS role or what should a DevOPS Engineer do? Or even question like how to be a good DevOPS? What? How? should be the most two frequently questions from almost all organizations. As I am working with  Amazon Web Service  for a long time with my DevOPS career, I tried to get answers from AWS guys frist as they have a special section about AWS DevOPS, also they have AWS DevOPS certificate cources, even though I never try such cources. This is the first page said about DevOPS on AWS DevOPS to answer "What is DevOPS?", DevOps is the combination of cultural philosophies, practices, and tools that increases an organization’s ability to deliver applications and services at high velocity: evolving and improving products at a faster pace than organizations using traditional software development and infrastructure management processes. This speed enable...
Read more

RPM Build Tips!

Now, I am trying to build a Linux system based on the Fedora Core Release! Working with the RPM system in deep.The unpackaged file terminate the build process under RPM 4.x! Unpackaged files message in RPM-4.1 and following RPM version 4.1 and following demonstrate a new behaviour in the rpmbuild process. Previously, a build process might place any number of files, say in the %install stanza, when running the make install part of a Makefile , in the customary /var/tmp/%{name}-root/ BuildRoot (the RPM_BUILD_ROOT ). Once through that part of the Makefile , it can then completely ignore these files in the %files binary packaging stanza. This often happens when an upstream maintainer adds, or deletes items from new directory spurs in the make install , and the change might be missed during an unattended or automated rebuild. This option permits careful packagers to cross check the quality of their packaging. So as a cross check, /usr/lib/rpm/check-files is now enabled during ...
Read more