SSL-based Web Server
PKI basics;
Certificate generation, management and the certification process;
Setting up an SSL server;
PKI basics:
public key infrastructure (PKI) -
A technical mechanism that uses public-key cryptography to carry out tasks such as encryption and authentication. Encryption itself divides into symmetric encryption and asymmetric encryption built on a public-key system. At the core of PKI are public-key certificates and the certificate authority (CA);
the CA issues, certifies and revokes certificates, and carrying out these duties is what keeps the PKI working and trustworthy.
Obtaining certificates, and more:
You can obtain a certificate issued by a CA, but you can also generate and publish a self-signed certificate yourself. Especially for internal use within a company or organization that is not very large, issuing your own self-signed, self-certified certificates is entirely feasible!
Generating certificates
RSA Key:
openssl genrsa -out private_key.pem 2048
DSA Key:
openssl dsaparam -out dsa_param.pem 2048
openssl gendsa -out dsa_private_key.pem dsa_param.pem
All the keys above are in PEM format. Sometimes a key in another format is needed, and the openssl tool can convert it; for example, to convert to PKCS12 format use the following command,
openssl pkcs12 -export -in pem_formatted_file -out pkcs12-formatted-file
With a private key in hand, we next generate our public-key certificate from that private key
openssl req -new -x509 -key private_key.pem -out certificate.der
(note that without -outform DER, openssl writes the certificate PEM-encoded regardless of the .der file name)
For internal use or just for testing, the certificate above is already usable; in practice, a real deployment also needs a CA to sign our public key, which starts from a certificate request,
openssl req -new -key private_key.pem -out certificate_request.csr
Applying it to the server
1. The web server must support SSL. Taking Apache as an example, the mod_ssl module must be present, correctly configured and loaded;
2. The web server's key and certificate must be correctly configured and placed;
Taking Fedora Core 2 as an example, in /etc/httpd/conf.d/ssl.conf,
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
3. Verify that the server supports https. Taking the Fedora Core 2 default configuration as an example, enter https://yourserver/ in the browser and see whether a certificate dialog pops up (this depends on browser settings).
Appended: Simple OpenSSL Cert Howto
Make a new ssl private key:
- Generate a new unencrypted rsa private key in PEM format:
openssl genrsa -out privkey.pem 1024
You can create an encrypted key by adding the -des3 option.
To make a self-signed certificate:
- Create a certificate signing request (CSR) using your rsa private key:
openssl req -new -key privkey.pem -out certreq.csr
( This is also the type of CSR you would create to send to a root CA for them to sign for you. )
- Self-sign your CSR with your own private key:
openssl x509 -req -in certreq.csr -signkey privkey.pem -out newcert.pem
To make a certificate signed by your own certificate authority (CA):
- Configure /etc/ssl/openssl.cnf and use CA.pl to create the CA private key and certificate:
vi /etc/ssl/openssl.cnf
/usr/lib/ssl/misc/CA.pl -newca
Your copy of openssl.cnf and CA.pl may be located elsewhere.
- Create an unsigned certificate using your rsa private key:
openssl req -new -x509 -key privkey.pem -out cert.pem
- Use your private key and your certificate to make a CSR:
cat cert.pem privkey.pem | openssl x509 -x509toreq -signkey privkey.pem -out certreq.csr
- Sign the certificate with the CA private key using the CSR you just made:
openssl ca -in certreq.csr -out newcert.pem
rm -f certreq.csr
To install the signed certificate and private key for use by an ssl server:
- The newcert.pem is the certificate signed by your local CA that you can then use in an ssl server:
( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0 # dot-zero
( The server.pem is a PEM file that can be used by apache along with the hash file. )
You can view the contents of a CSR with: openssl req -noout -text -in certreq.csr
You can view the contents of a certificate with: openssl x509 -noout -text -in newcert.pem
You can display the MD5 fingerprint of a certificate with: openssl x509 -fingerprint -noout -in newcert.pem
You can verify that your private key, CSR, and signed cert match by comparing:
openssl rsa -noout -modulus -in privkey.pem | openssl md5
openssl req -noout -modulus -in certreq.csr | openssl md5
openssl x509 -noout -modulus -in newcert.pem | openssl md5
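The self-signed generation steps above and the closing key/CSR/certificate matching check, put together as one added shell script (example code, not part of the original howto). It assumes the openssl CLI is installed; the subject name and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: build a key, CSR and self-signed
# certificate the way the howto does, then prove the three belong together by
# comparing modulus digests (the howto's last check). Needs the openssl CLI.
set -eu

# Scratch directory for the generated files (constructed for this example).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Private key -> CSR -> self-signed certificate. $1 is the subject, e.g.
# "/CN=test.example.internal"; -subj skips the interactive prompts.
make_selfsigned() {
    openssl genrsa -out "$WORKDIR/privkey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/privkey.pem" -subj "$1" \
        -out "$WORKDIR/certreq.csr"
    openssl x509 -req -in "$WORKDIR/certreq.csr" \
        -signkey "$WORKDIR/privkey.pem" -days 365 \
        -out "$WORKDIR/newcert.pem" 2>/dev/null
}

# Digest of the RSA modulus in a key, CSR or certificate ($1 = kind, $2 = file).
# The howto pipes into md5; sha256 serves the same equality check.
modulus_digest() {
    case "$1" in
        key)  openssl rsa  -noout -modulus -in "$2" ;;
        csr)  openssl req  -noout -modulus -in "$2" ;;
        cert) openssl x509 -noout -modulus -in "$2" ;;
    esac | openssl sha256 | awk '{ print $NF }'
}

# Exit 0 only when key ($1), CSR ($2) and certificate ($3) share one modulus,
# i.e. the certificate really was issued for this private key.
keys_match() {
    k=$(modulus_digest key "$1")
    c=$(modulus_digest csr "$2")
    x=$(modulus_digest cert "$3")
    [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Subject CN recorded in a certificate, for a quick sanity check.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=//p'
}

# Stand-alone run: build the files and report the result.
make_selfsigned "/CN=test.example.internal"
if keys_match "$WORKDIR/privkey.pem" "$WORKDIR/certreq.csr" "$WORKDIR/newcert.pem"; then
    echo "key, CSR and certificate match (CN=$(cert_cn "$WORKDIR/newcert.pem"))"
else
    echo "MISMATCH: certificate was not issued for this key" >&2; exit 1
fi
```

A certificate that fails keys_match against the key Apache is configured with is the usual cause of mod_ssl refusing to start with a key/certificate mismatch error.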