Build a complete SSL (Secure Sockets Layer) certificate service with Linux + Apache + OpenSSL and serve HTTPS (HTTP over SSL).
Install SSL
1. Install OpenSSL
tar zxvf openssl-0.9.8a.tar.gz
cd openssl-0.9.8a
./config
make
make install
OpenSSL is installed under /usr/local/ssl.
2. Install Apache
tar zxvf httpd-2.0.55.tar.gz
cd httpd-2.0.55
./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/ssl
make
make install
Apache is installed under /usr/local/apache. (The paths later in this article use /usr/local/apache2; substitute whatever --prefix you chose.)
The above is a source build; the easier route is RPM packages: install the Apache RPM first and then the OpenSSL/mod_ssl RPM, which places the SSL support in the Apache directory automatically. OpenSSL 0.9.8a and httpd 2.0.55 are the versions the original article used; both are long out of support, so take the commands as a template and build against your distribution's current packages.
Certificates
An SSL certificate can be self-signed or issued by a third-party CA (Certification Authority) in response to a certificate signing request (CSR).
An SSL deployment involves these certificates:
1. CA certificate, also called the root certificate or intermediate certificate. For one-way HTTPS authentication it is optional. Its main purpose is to form a certificate chain so that the browser trusts the certificate. If a CA certificate is used, both the server certificate and the client certificate are signed with it. If the browser does not have the CA certificate installed, it treats the connection as untrusted by default.
2. Server certificate. Required. Generate the server private key, generate a CSR from it, then sign the CSR with the CA certificate to produce the server certificate.
3. Client certificate. Optional. With a client certificate you get two-way (mutual) HTTPS authentication; without one, one-way authentication. It is generated the same way as the server certificate.
All of the certificates below can be generated yourself. In a commercial setup you generate the server or client private key and CSR yourself and submit the CSR to a third-party CA, which issues the server or client certificate signed by its CA certificate.
Generate certificates
Use the CA.sh script shipped with OpenSSL to sign certificates. Keep the certificates in /usr/local/apache2/conf/ssl.crt and copy the script there (the RPM installs it as /usr/share/ssl/misc/CA.sh; a source build with the prefix above installs it as /usr/local/ssl/misc/CA.sh):
cp /usr/share/ssl/misc/CA.sh /usr/local/apache2/conf/ssl.crt
1. CA certificate (root / intermediate certificate)
Issued by a CA. Required for two-way authentication, otherwise optional. The CA certificate forms a certificate chain so that the browser trusts your certificate: when one is used, it signs the server and client certificates, and the browser's trust in the CA extends to them.
Generate a self-signed CA certificate:
./CA.sh -newca
Press Enter to create a new CA, enter a passphrase to encrypt the CA key, then fill in the certificate information:
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
Organizational Unit Name (eg, section) []:XXX
Common Name (eg, your name) []:www.shenmiguo.com
Email Address []:xxx@xxx.com
Using the host name as the Common Name is the right choice for a server certificate: it must match the host name in the URL the browser uses to reach your site, otherwise the browser sees that the server certificate's Common Name does not match the site name and warns the user that the certificate may not be genuine. The Common Name of the CA must be different from that of the server and client certificates.
Result: demoCA/private/cakey.pem is the CA private key and demoCA/cacert.pem is the CA certificate.
You now have a CA with root private key cakey.pem and root certificate cacert.pem, and can use it to sign server or client certificates.
Copy the CA certificate and key under simpler names:
cp demoCA/private/cakey.pem ca.key
cp demoCA/cacert.pem ca.crt
ca.key is the CA private key and ca.crt is the CA certificate.
2. Server certificate
a) Generate the server private key
openssl genrsa -des3 -out server.key 1024
You are prompted for a passphrase, which encrypts the key with 3DES. This generates a 1024-bit RSA key and writes it to server.key. (1024-bit RSA is no longer considered safe; use 2048 bits or more. 1024 is kept here only because it is what the original article used.)
b) Generate the server certificate signing request (CSR)
openssl req -new -key server.key -out server.csr
A CSR (Certificate Signing Request) is what you submit to obtain a certificate: you create it on the web server and send it to the CA, and the CA issues the SSL server certificate from it. Think of the CSR as the not-yet-signed certificate generated on your server. The main CSR fields are:
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
Organizational Unit Name (eg, section) []:XXX
Common Name (eg, your name) []:shenmiguo.com
Email Address []:xxx@xxx.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Enter the host name as the Common Name; it must differ from the CA's Common Name.
c) Generate the server certificate
If you do not sign with the CA certificate (a self-signed server certificate), use:
openssl req -x509 -days 1024 -key server.key -in server.csr > server.crt
This produces the server certificate server.crt from the server key and CSR. The -days parameter sets the validity period in days. In a commercial setup this step is done by the third-party CA, which issues the server certificate.
If you sign with the CA certificate, use the CA.sh script shipped with OpenSSL to produce the server certificate:
mv server.csr newreq.pem
./CA.sh -sign
mv newcert.pem server.crt
After signing, inspect the server certificate with:
openssl x509 -noout -text -in server.crt
Verify that the server certificate chains to the CA with:
openssl verify -CAfile ca.crt server.crt
3. Client certificate
The client certificate is optional. With one you get two-way (mutual) HTTPS authentication; without one, one-way authentication.
a) Generate the client private key
openssl genrsa -des3 -out client.key 1024
b) Generate the client certificate signing request
openssl req -new -key client.key -out client.csr
c) Generate the client certificate (signed with the CA certificate; run in the directory that holds demoCA)
openssl ca -in client.csr -out client.crt
d) Convert the certificate into a format the browser can import (PKCS#12)
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
4. Certificate list
With two-way authentication there are three private keys and three certificates: ca.key, ca.crt, server.key, server.crt, client.key, client.crt, plus client.pfx for the browser.
For one-way authentication with a CA certificate: ca.key, ca.crt, server.key, server.crt.
For one-way authentication without a CA certificate: server.key and server.crt.
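The steps in sections 1 to 3 above, run by hand with CA.sh, are interactive. As an added example (not code from the original article), the following POSIX shell script builds the same three-certificate set (CA, CA-signed server certificate, CA-signed client certificate plus PKCS#12 bundle, and the self-signed server certificate variant for comparison) non-interactively and then performs the same "openssl verify -CAfile" check. It assumes the openssl command-line tool is on PATH; CA.sh and "openssl ca" are replaced by "openssl x509 -req -CA ..." so no demoCA directory is needed; keys are written unencrypted (-nodes), which is where the article's final passphrase-stripping step ends up anyway; the host name www.shenmiguo.com and the subject fields are the article's placeholders, "alice" and the PKCS#12 password "changeit" are mine, and the key size is raised to 2048 bits.

```shell
#!/bin/sh
# Added example (not code from the original article): the article's three-
# certificate PKI (CA, server, client) built non-interactively, plus the
# verification the article does with "openssl verify -CAfile ca.crt server.crt".
# Assumptions: openssl is on PATH; CA.sh / "openssl ca" are replaced by
# "openssl x509 -req -CA ..."; keys are written unencrypted (-nodes).

# make_pki DIR HOST: write ca.*, server.*, client.* (and selfsigned.crt for
# comparison) into DIR for the web host HOST.
make_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir" || return 1
    subj_base="/C=CN/ST=Guangdong/L=Shenzhen/O=XXX"

    # 1. CA: self-signed root, 2048-bit RSA (the article's 1024 is too weak now),
    #    with a CN deliberately different from the server's, as the article requires.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "$subj_base/CN=XXX Root CA" 2>/dev/null || return 1

    # 2. Server: key + CSR with CN=host, then a certificate signed by the CA.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "$subj_base/CN=$host" 2>/dev/null || return 1
    # Browsers match the host name against subjectAltName, not CN, so the
    # signing step adds it as an extension (CA.sh's default config does not).
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null || return 1
    # The article's "without CA" alternative: the same CSR, self-signed.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/selfsigned.crt" 2>/dev/null || return 1

    # 3. Client: key + CSR, signed by the same CA, then bundled as PKCS#12 for
    #    import into a browser ("changeit" is a placeholder export password).
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "$subj_base/CN=alice" 2>/dev/null || return 1
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -clcerts -in "$dir/client.crt" -inkey "$dir/client.key" \
        -passout pass:changeit -out "$dir/client.pfx" 2>/dev/null || return 1

    # The private keys are unencrypted: owner-read only, like the article's chmod 400.
    chmod 400 "$dir/ca.key" "$dir/server.key" "$dir/client.key"
}

# verify_against_ca CA_CRT CERT: 0 if CERT chains to CA_CRT, non-zero otherwise
# (exactly what the article's "openssl verify -CAfile ca.crt server.crt" checks).
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT: print the certificate's Common Name, to compare with the URL host.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# cert_has_san CERT HOST: 0 if CERT carries DNS:HOST in its subjectAltName.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# Stand-alone run: "sh make-pki.sh demo" builds ./demo-pki and shows the result.
if [ "${1:-}" = "demo" ]; then
    make_pki ./demo-pki www.shenmiguo.com || exit 1
    openssl x509 -noout -subject -issuer -dates -in ./demo-pki/server.crt
    verify_against_ca ./demo-pki/ca.crt ./demo-pki/server.crt && echo "server.crt: chains to ca.crt"
    verify_against_ca ./demo-pki/ca.crt ./demo-pki/selfsigned.crt || echo "selfsigned.crt: not trusted via ca.crt"
fi
```

Run it as "sh make-pki.sh demo"; the files land in ./demo-pki, and server.crt, server.key and ca.crt are what ssl.conf in the next section points at (client.pfx is imported into the browser for two-way authentication). The self-signed variant deliberately fails the verify step: it is not signed by ca.crt, so a browser that trusts only ca.crt will reject it, which is the practical difference between the two paths in step c) above.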
Configure certificates
The standard Apache approach is to put each extension's configuration in its own conf file and have httpd.conf include it (for example PHP configuration lives in php.conf and SSL configuration in ssl.conf). This keeps the configuration easy to manage and change while httpd.conf itself stays readable.
1. Configure httpd.conf
Include conf/ssl.conf
2. Configure ssl.conf
The main items are the certificate paths and the client-authentication policy:
# HTTPS port
Listen 443
SSLRandomSeed startup builtin
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex default
ServerAdmin xxx@xxx.com
DocumentRoot /usr/local/apache2/htdocs/
# DirectoryIndex digitalidcenter.htm
ServerName shenmiguo.com:443
ErrorLog logs/443-error_log
CustomLog /usr/local/apache2/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LogLevel info
SSLEngine on
# Cipher list from the original article (the Apache 2.0 default). It still admits SSLv2,
# export, LOW and NULL-encryption suites; tighten it before exposing the server.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server certificate
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
# Server certificate private key
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
# CA (intermediate) certificate, sent to the client as the chain
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
# Directory of CA certificates for client authentication (two-way only; it needs
# hash symlinks, see c_rehash, otherwise mod_ssl finds nothing in it)
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt
# CA certificate that signed the client certificates (two-way only). The original article
# pointed this at client.crt; it must be the issuing CA, not an individual client certificate.
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca.crt
# Require the client to present a certificate
SSLVerifyClient require
SSLVerifyDepth 10
Apache does not accept a comment on the same line as a directive, which is why the comments above are on lines of their own.
For the full list of mod_ssl directives, see the Apache documentation:
http://lamp.linux.gov.cn/Apache/ApacheMenu/mod/mod_ssl.html
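The ssl.conf above is the original article's. As an added example (not part of the article), here is the same server-level configuration with the weak settings replaced. The paths and host name are the article's; the SSLProtocol and SSLCipherSuite values, SSLHonorCipherOrder (available from httpd 2.2) and the SSLVerifyDepth value are my choices, and the trust anchor for client authentication is the CA certificate rather than an individual client certificate.

```apache
# Added example, not the original article's ssl.conf: same paths, hardened settings.
Listen 443
SSLRandomSeed startup builtin
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex default

ServerName shenmiguo.com:443
DocumentRoot /usr/local/apache2/htdocs/
ErrorLog logs/443-error_log
# Log protocol and cipher per request so weak negotiations show up in the logs.
CustomLog /usr/local/apache2/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LogLevel info

SSLEngine on

# Weak (the article's list, the Apache 2.0-era default): admits SSLv2, export,
# LOW and even eNULL (no encryption) suites.
#   SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Hardened: no SSLv2/SSLv3, only HIGH suites with server authentication,
# no RC4/3DES/MD5, and the server's preference order wins.
# On current httpd/OpenSSL write "SSLProtocol -all +TLSv1.2 +TLSv1.3" instead.
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4:!3DES
SSLHonorCipherOrder on

# Server certificate, its private key, and the CA certificate that issued it
# (sent to the client so it can build the chain up to a CA it trusts).
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt

# Two-way authentication. The trust anchor is the CA that signed the client
# certificates, never a single client.crt. SSLCACertificatePath is omitted:
# it only works with c_rehash-style hash symlinks in the directory.
# Depth 1: the client certificate must be issued directly by ca.crt.
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1
```

In a server that hosts several sites these directives go inside a VirtualHost block for port 443 rather than at server level. Check the file with "apachectl configtest" before restarting, and confirm the negotiated protocol and cipher in ssl_request_log after the first request.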
3. Start Apache
cd /usr/local/apache2/bin
./apachectl startssl
You can also change the apachectl script so that a plain start brings Apache up with SSL. The relevant part of apachectl reads:
start|stop|restart|graceful)
    $HTTPD -k $ARGV
    ERROR=$?
    ;;
startssl|sslstart|start-SSL)
    $HTTPD -k start -DSSL
    ERROR=$?
    ;;
Change it to:
stop|graceful)
    $HTTPD -k $ARGV
    ERROR=$?
    ;;
restart)
    # "$HTTPD -k restart" only signals the running parent, which keeps the
    # defines it was started with, so switching to -DSSL needs a full stop
    # and start. The article uses killall -9; "$HTTPD -k stop" is the cleaner way.
    killall -9 httpd
    $HTTPD -k start -DSSL
    ERROR=$?
    ;;
start|startssl|sslstart|start-SSL)
    $HTTPD -k start -DSSL
    ERROR=$?
    ;;
When Apache starts it prompts for the server.key passphrase. To avoid that, strip the passphrase from the private key so that restarts need no input:
openssl rsa -in server.key -out my-server.key
chmod 400 my-server.key
The unencrypted my-server.key is now the sensitive file: keep it readable by root only (hence the chmod 400) and keep the encrypted server.key as the backup. Then point ssl.conf at the unencrypted key:
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/my-server.key
Source: http://yun1baxx.blog.hexun.com/52768794_d.html