Apache HTTPS authentication under Linux

Source: Internet
Author: User
Tags: builtin, openssl, x509, pkcs12, sha1

Reference: http://kyfxbl.iteye.com/blog/1910891 http://showerlee.blog.51cto.com/2047005/1266712

I. The environment
httpd: apache 2.4.10
openssl: 1.0.1
os: CentOS 5.7

IV. Configuring one-way HTTPS in httpd
1. Edit httpd.conf, find the following lines (the 2 that matter are LoadModule ssl_module and Include conf/extra/httpd-ssl.conf) and remove the leading # (this assumes the SSL module was compiled in when httpd was built):

vim /usr/local/apache/conf/httpd.conf

    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
    LoadModule socache_dbm_module modules/mod_socache_dbm.so
    LoadModule socache_memcache_module modules/mod_socache_memcache.so
    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf
    <IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    </IfModule>

2. vim /usr/local/apache/conf/extra/httpd-ssl.conf

    SSLEngine on
    SSLCertificateFile "/usr/local/httpd/conf/server.cer"
    SSLCertificateKeyFile "/usr/local/httpd/conf/server.key.pem"
    #SSLCACertificateFile "/usr/local/httpd/conf/ca.cer"
    #SSLVerifyClient require
    #SSLVerifyDepth 10

Enabling only the first 3 directives configures one-way HTTPS authentication. The last 3 stay commented out for now; they are used later for two-way authentication. If you restart httpd now, you will get an error:

    AH00526: Syntax error on line 106 of /usr/local/httpd/conf/extra/httpd-ssl.conf:
    SSLCertificateFile: file '/usr/local/httpd/conf/server.cer' does not exist or is empty

This is because httpd requires a server-side private key (.key.pem) and a server-side certificate (.cer). The paths of these 2 files were configured above, but the files have not been created yet. The next step is to create them.

V. Create a CA (certificate authority)
1. Preparatory work
Create the following subdirectories under /usr/local/: private and certificates

2. Create the CA private key

    openssl genrsa -aes256 -out private/ca.key.pem 2048
    Enter password: 111111    (the password can be empty)

or pass the password on the command line (-passout pass:111111):

    openssl genrsa -aes256 -passout pass:111111 -out private/ca.key.pem 2048

3. Create a CA signing request

    openssl req -new -key private/ca.key.pem -out private/ca.csr -subj "/C=CN/ST=SZ/L=SZ/O=pldsec/OU=pldsec/CN=*.pldsec.com"

After pressing Enter you must type the CA private key password from above; the -subj value must be wrapped in double quotes. Or supply the password with -passin pass:111111:

    openssl req -passin pass:111111 -new -key private/ca.key.pem -out private/ca.csr -subj "/C=CN/ST=SZ/L=SZ/O=pldsec/OU=pldsec/CN=*.pldsec.com"

Note that if you omit the -subj parameter, you are prompted at the command line for the identity information of the certificate's subject, called the DN (distinguished name). None of the fields matter much except the CN line. Because this is the root certificate, I set it to *.pldsec.com, so the certificates I later issue with this CA for www.pldsec.com, game.pldsec.com, news.pldsec.com ... are all valid.

4. Self-sign the CA root certificate

    openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/ca.key.pem -in private/ca.csr -out certificates/ca.cer

or with -passin pass:111111:

    openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey private/ca.key.pem -in private/ca.csr -out certificates/ca.cer -passin pass:111111

5. Convert the root certificate from PEM encoding to PKCS#12 format

    openssl pkcs12 -export -cacerts -inkey private/ca.key.pem -in certificates/ca.cer -out certificates/ca.p12

or with -passin pass:111111 -passout pass:111111 (the original password is verified first, then a new password is set; the new password may be the same as the old one or different):

    openssl pkcs12 -export -cacerts -inkey private/ca.key.pem -in certificates/ca.cer -out certificates/ca.p12 -passin pass:111111 -passout pass:111111

VI. Issue the server-side certificate
1. Create the server-side private key

    openssl genrsa -aes256 -out private/server.key.pem 2048

or with -passout pass:111111 (note where -passout pass:111111 sits in the command):

    openssl genrsa -aes256 -passout pass:111111 -out private/server.key.pem 2048

2. Create a server-side certificate signing request

    openssl req -new -key private/server.key.pem -out private/server.csr -subj "/C=CN/ST=SZ/L=SZ/O=pldsec/OU=pldsec/CN=www.pldsec.com"

or with -passin pass:111111:

    openssl req -passin pass:111111 -new -key private/server.key.pem -out private/server.csr -subj "/C=CN/ST=SZ/L=SZ/O=pldsec/OU=pldsec/CN=www.pldsec.com"

The difference from ca.csr is that the CN here is www.pldsec.com rather than *.pldsec.com, because I am now requesting a certificate for www.pldsec.com.

3. Issue the server-side certificate with the CA root certificate

    openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certificates/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certificates/server.cer

or with -passin pass:111111:

    openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certificates/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/server.csr -out certificates/server.cer -passin pass:111111

4. Restart Apache

    /usr/local/apache2/bin/apachectl start

If an error appears at this point:

    Syntax error on line of /usr/local/apache/conf/extra/httpd-ssl.conf:
    SSLCertificateFile: file '/usr/local/apache/conf/server.crt' does not exist or is empty

it is because HTTPS needs a certificate when it starts and we have not generated one for this site yet. For testing, generate a self-signed certificate with OpenSSL:

    cd /usr/local/apache/conf/
    sudo openssl req -new -x509 -nodes -out server.crt -keyout server.key

OpenSSL then prompts for some information about the certificate:

    Country Name (2 letter code) [XX]:ch                                 (country)
    State or Province Name (full name) []:zhejiang                       (province)
    Locality Name (eg, city) [Default City]:hangzhou                     (city)
    Organization Name (eg, company) [Default Company Ltd]:pldsec         (organization name)
    Organizational Unit Name (eg, section) []:pldsec                     (organizational unit name)
    Common Name (eg, your name or your server's hostname) []:pldsec      (common name)
    Email Address []:[email protected]                                   (email)

VII. Test one-way authentication
Copy server.key.pem and server.cer to the /usr/local/httpd/conf/ directory, then start httpd; you will be asked for a password (the one set when creating the private key).
Then open https://IP in a browser (and test that http jumps to https normally).

1. Make Apache redirect http to https automatically
vim /usr/local/apache/conf/httpd.conf
Find the Directory block for the Apache web root and change AllowOverride from None to All:

    <Directory "Apache's web root directory">
    AllowOverride All

Create a .htaccess file in the root of the web site and add the following lines at the bottom:

    RewriteEngine On
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [L,R]

Restart Apache. If the restart reports an error, find #LoadModule rewrite_module modules/mod_rewrite.so, remove the leading #, and restart again.

VIII. Configure two-way authentication

vim /usr/local/apache/conf/extra/httpd-ssl.conf

    SSLCACertificateFile "/usr/local/httpd/conf/ca.cer"
    SSLVerifyClient require
    SSLVerifyDepth 10

IX. Issue client certificates
1. Create the client private key (user: AAA, password: aaaaaa)

    openssl genrsa -aes256 -out private/aaa.key.pem 2048

or, creating the client private key for user AAA with password aaaaaa in one go:

    openssl genrsa -aes256 -passout pass:aaaaaa -out /usr/local/private/aaa.key.pem 2048

2. Create a client certificate signing request

    openssl req -new -key private/aaa.key.pem -out private/aaa.csr -subj "/C=CN/ST=SZ/L=SZ/O=pldsec/OU=pldsec/CN=aaa"

or with -passin pass:aaaaaa:

    openssl req -passin pass:aaaaaa -new -key private/aaa.key.pem -out private/aaa.csr -subj "/C=CN/ST=SZ/L=SZ/O=pldsec/OU=pldsec/CN=aaa"

3. Issue the client certificate with the CA root certificate

    openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certificates/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/aaa.csr -out certificates/aaa.cer

or with -passin pass:111111 (the password of the CA private key used on the server side):

    openssl x509 -req -days 3650 -sha1 -extensions v3_req -CA certificates/ca.cer -CAkey private/ca.key.pem -CAserial ca.srl -CAcreateserial -in private/aaa.csr -out certificates/aaa.cer -passin pass:111111

4. Convert the client certificate to P12 format

    openssl pkcs12 -export -clcerts -inkey private/aaa.key.pem -in certificates/aaa.cer -out certificates/aaa.p12

or with -passin pass:aaaaaa -passout pass:bbbbbb (the client key password is entered first, then a new password is set for the bundle; the old and new passwords may be the same or different):

    openssl pkcs12 -export -clcerts -inkey private/aaa.key.pem -in certificates/aaa.cer -out certificates/aaa.p12 -passin pass:aaaaaa -passout pass:bbbbbb

This step is necessary because the client certificate has to be imported into the browser later, and ordinary browsers cannot use a PEM-encoded certificate directly.
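Added example, not from the original post: sections V, VI and IX as one script that rebuilds the CA, server and client certificates in a scratch directory and then runs the checks worth doing before restarting httpd (chain verification per purpose, key/certificate match, PKCS#12 password). It assumes the openssl command line and the page's passwords 111111, aaaaaa and bbbbbb; it swaps the page's -sha1 for -sha256 and adds an -extfile, which the page's commands lack.

```shell
# Added example, not from the page: rebuilds the page's CA -> server -> client chain in a
# scratch directory and runs the checks worth doing before restarting httpd. Deviations:
# -sha256 instead of -sha1, and an -extfile so that -extensions actually takes effect
# (without -extfile, x509 -req silently ignores -extensions and emits a v1 cert, no CA flag).
set -e
CA_PW=111111; CLIENT_PW=aaaaaa; P12_PW=bbbbbb    # the page's passwords
# issue DIR NAME KEYPW CN EXT: encrypted key, CSR and CA-signed cert (steps VI.1-3 / IX.1-3)
issue() {
  d=$1; n=$2; pw=$3; cn=$4; ext=$5
  openssl genrsa -aes256 -passout pass:"$pw" -out "$d/private/$n.key.pem" 2048 2>/dev/null
  openssl req -new -passin pass:"$pw" -key "$d/private/$n.key.pem" -out "$d/private/$n.csr" \
    -subj "/C=CN/ST=SZ/L=SZ/O=pldsec/OU=pldsec/CN=$cn"
  openssl x509 -req -days 3650 -sha256 -extfile "$d/ext.cnf" -extensions "$ext" \
    -CA "$d/certificates/ca.cer" -CAkey "$d/private/ca.key.pem" -passin pass:"$CA_PW" \
    -CAcreateserial -in "$d/private/$n.csr" -out "$d/certificates/$n.cer" 2>/dev/null
}
# build_pki DIR: sections V, VI and IX end to end, same private/ and certificates/ layout as the page
build_pki() {
  d=$1; mkdir -p "$d/private" "$d/certificates"
  cat > "$d/ext.cnf" <<'EOF'
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.pldsec.com
[v3_client]
extendedKeyUsage = clientAuth
EOF
  openssl genrsa -aes256 -passout pass:"$CA_PW" -out "$d/private/ca.key.pem" 2048 2>/dev/null
  openssl req -new -passin pass:"$CA_PW" -key "$d/private/ca.key.pem" -out "$d/private/ca.csr" \
    -subj "/C=CN/ST=SZ/L=SZ/O=pldsec/OU=pldsec/CN=*.pldsec.com"
  openssl x509 -req -days 3650 -sha256 -extfile "$d/ext.cnf" -extensions v3_ca \
    -signkey "$d/private/ca.key.pem" -passin pass:"$CA_PW" -in "$d/private/ca.csr" \
    -out "$d/certificates/ca.cer" 2>/dev/null
  issue "$d" server "$CA_PW" www.pldsec.com v3_server    # page uses 111111 for the server key too
  issue "$d" aaa "$CLIENT_PW" aaa v3_client
  openssl pkcs12 -export -clcerts -inkey "$d/private/aaa.key.pem" -in "$d/certificates/aaa.cer" \
    -out "$d/certificates/aaa.p12" -passin pass:"$CLIENT_PW" -passout pass:"$P12_PW"
}
# chain_ok DIR NAME PURPOSE: NAME.cer chains to ca.cer and is valid for sslserver / sslclient use
chain_ok() { openssl verify -purpose "$3" -CAfile "$1/certificates/ca.cer" "$1/certificates/$2.cer" >/dev/null 2>&1; }
# key_matches DIR NAME KEYPW: the private key httpd will load really belongs to the certificate
key_matches() {
  [ "$(openssl x509 -in "$1/certificates/$2.cer" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/private/$2.key.pem" -passin pass:"$3" -pubout)" ]
}
# p12_ok DIR PW: the bundle opens with the export password the browser will ask for on import
p12_ok() { openssl pkcs12 -in "$1/certificates/aaa.p12" -noout -passin pass:"$2" >/dev/null 2>&1; }
```

Run it as `D=$(mktemp -d); build_pki "$D"; chain_ok "$D" server sslserver && key_matches "$D" server 111111 && echo ok`; a server certificate checked with -purpose sslclient fails, which is the check that catches a client bundle copied into the server slot.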

X. Test two-way authentication
Copy ca.cer to the %httpd_home%/conf/ directory and restart httpd:

    cp /usr/local/certificates/ca.cer /usr/local/apache/conf/

Next, import client.p12 into the browser.
The import asks for a password; this prevents someone who secretly copies the client certificate from posing as a legitimate user.
