I had not updated my LAMP notes in a long time. A recent project at work required two-way (client certificate) SSL authentication for an Apache virtual host; when I set up LAMP before, I had only loaded the SSL module in passing, so I searched through a large number of documents and spent half a day getting it to work. Here is a summary to share.
This walkthrough implements two-way SSL authentication for an Apache virtual host: only trusted users, meaning those holding a client certificate issued by our own CA, can reach the specific virtual site, and the connection gets both encryption and authentication in both directions (the client verifies the server's certificate, the server verifies the client's).
Linux operating system: CentOS 6.3 64-bit (installed with the default development packages)
I. Disable iptables and SELinux (lab setup only)
# vi /etc/sysconfig/selinux
Set SELINUX=disabled (takes effect at the next boot; setenforce 0 turns enforcement off for the current session) and stop the firewall with service iptables stop. This only removes obstacles while you get the build working; on a production host, leave SELinux enforcing and open TCP 443 in iptables instead of disabling it.
II. Compile and install Apache
1. Install the PCRE dependency
# wget -O pcre-8.32.tar.gz http://sourceforge.net/projects/pcre/files/pcre/8.32/pcre-8.32.tar.gz/download
# tar -xzvf pcre-8.32.tar.gz
# cd pcre-8.32
# ./configure --prefix=/usr/local/pcre
# make && make install
(The -O is needed because the SourceForge URL ends in /download and wget would otherwise save the tarball under that name.)
2. Download and merge the Apache and APR source packages
1). Download:
# wget http://archive.apache.org/dist/httpd/httpd-2.4.3-deps.tar.bz2
# wget http://archive.apache.org/dist/httpd/httpd-2.4.4.tar.bz2
2). Merge them:
Note: httpd-2.4.3-deps.tar.bz2 already bundles APR and APR-util under srclib/; copying it into the httpd-2.4.4 tree lets configure use the bundled copies. Check that PCRE installed successfully before building Apache.
# tar jxvf httpd-2.4.4.tar.bz2
# tar jxvf httpd-2.4.3-deps.tar.bz2
# cp -rf httpd-2.4.3/* httpd-2.4.4/
# cd httpd-2.4.4
3. Compile and install (building in the mod_ssl module)
# ./configure --prefix=/usr/local/apache2 --enable-so --enable-rewrite --enable-ssl=static --with-ssl=/usr/local/ssl --enable-mods-shared=all --with-pcre=/usr/local/pcre/bin/pcre-config
# make && make install
--with-ssl=/usr/local/ssl assumes an OpenSSL built from source in that prefix; if you use the distribution's OpenSSL (openssl-devel from yum, as in the note below), point it at /usr or drop the option. If configure picks up a system APR instead of the copies merged in above, add --with-included-apr.
Note: if configure fails with:
----------------------------------
checking for OpenSSL version >= 0.9.7... FAILED
configure: WARNING: OpenSSL version is too old
checking whether to enable mod_ssl... configure: error: mod_ssl has been requested but can not be built due to prerequisite failures
-----------------------------------
install the OpenSSL headers and re-run configure:
# yum install openssl-devel -y
III. SSL one-way authentication configuration
1. Enable the SSL configuration file:
# vi /usr/local/apache2/conf/httpd.conf
Search for "Include conf/extra/httpd-ssl.conf" and remove the "#" in front of that line.
2. Edit the SSL configuration:
# vi /usr/local/apache2/conf/extra/httpd-ssl.conf
Search for SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)" and comment the line out with "#". (Apache refuses to start with this directive when mod_socache_shmcb is not loaded; the better fix is to keep the session cache and uncomment the LoadModule socache_shmcb_module line in httpd.conf instead.)
Verify that the following lines are present and point at the files created in the next step:
----------------------------
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"
----------------------------
3. Certificate configuration:
1). Download and unpack the SSL certificate helper scripts:
# cd /usr/local/apache2/conf
# wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
2). Generate the root CA with the package's script:
# ./new-root-ca.sh
---------------------------------------------------
No Root CA key found. Generating one
Generating RSA private key, 1024 bit long modulus
......++++++
Enter pass phrase for ca.key: (choose a passphrase)
Verifying - Enter pass phrase for ca.key: (enter it again)
Self-sign the root CA... (signs the root certificate)
Enter pass phrase for ca.key: (the passphrase just set)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:Jiangsu
Locality Name (eg, city) [Sitiawan]:Nanjing
Organization Name (eg, company) [My Directory Sdn Bhd]:Example Co.,Ltd
Organizational Unit Name (eg, section) [Certification Services Division]:Example
Common Name (eg, MD Root CA) []:example
Email Address []:info@111cn.net
--------------------------------------------------
This produces two files, ca.key and ca.crt. Note: the scripts default to 1024-bit RSA, which is no longer considered adequate; change the key size to 2048 in the scripts (or use openssl directly) before generating anything you intend to keep. ca.key signs every client certificate the site will trust, so protect it and its passphrase, and ideally keep it off the web server altogether.
3). Generate the server certificate request:
# ./new-server-cert.sh server
Note: "server" is the base name of the files produced.
----------------------------------------------------
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:Jiangsu
Locality Name (eg, city) [Sitiawan]:Nanjing
Organization Name (eg, company) [My Directory Sdn Bhd]:Example Co.,Ltd
Organizational Unit Name (eg, section) [Secure Web Server]:Example
Common Name (eg, www.domain.com) []:www.111cn.net
Email Address []:info@111cn.net
-----------------------------------------------------
The Common Name must be exactly the host name users will type (www.111cn.net), with no "http://" and no path: browsers compare the host name against it and report a name mismatch otherwise. This produces two files, server.csr and server.key.
4). Sign the server certificate:
# ./sign-server-cert.sh server
-------------------------------------------------
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (the root CA passphrase set above)
Check that the request matches the signature
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Jiangsu'
localityName          :PRINTABLE:'Nanjing'
organizationName      :PRINTABLE:'Example Co.,Ltd'
organizationalUnitName:PRINTABLE:'Example'
commonName            :PRINTABLE:'www.111cn.net'
emailAddress          :IA5STRING:'info@111cn.net'
Certificate is to be certified until 12:55:34 (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
CA verifying: server.crt <-> CA cert
-------------------------------------------
Note: if anything goes wrong here, the simplest recovery is to start over: delete the ssl.ca-0.1 directory and repeat from the unpacking step (the scripts keep an index and serial file of issued certificates, and a half-finished run leaves them inconsistent).
Copy the certificates to the locations configured in httpd-ssl.conf.
5). Set certificate file permissions and paths:
# cd /usr/local/apache2/conf/ssl.ca-0.1
# chmod 600 server.key ca.key
# chmod 644 server.crt ca.crt
# cp server.key server.crt ca.crt /usr/local/apache2/conf/
The original instructions set server.key to 644, which lets every local user read the server's private key; httpd reads the key as root at startup, so 600 is sufficient. ca.key is needed only for signing and should not be copied into the Apache configuration directory at all.
4. Configure HTTPS for the virtual host (one-way, server-authenticated TLS)
1). Enable the virtual host configuration file:
# vi /usr/local/apache2/conf/httpd.conf
Search for "Include conf/extra/httpd-vhosts.conf" and remove the "#" in front of that line.
2). Give the www.111cn.net virtual host HTTPS access:
# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf
---------------------------
<VirtualHost *:443>
    ServerName www.111cn.net
    DocumentRoot "/usr/local/apache2/htdocs/www.111cn.net/"
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
    SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"
</VirtualHost>
----------------------------
The <VirtualHost *:443> wrapper and SSLEngine on are required: without SSLEngine on, the host answers plain HTTP on port 443.
3). Create the site content and start Apache:
# cd /usr/local/apache2/htdocs
# mkdir www.111cn.net
# cd www.111cn.net/
# echo 'This is a test SSL web page' > index.html
# /usr/local/apache2/bin/apachectl -t
# /usr/local/apache2/bin/apachectl start
apachectl -t checks the configuration before starting; a missing or unreadable certificate or key file shows up here rather than as a server that silently fails to bind port 443.
4). Check that the SSL port is listening:
# lsof -i :443
---------------------------------
COMMAND    PID   USER  FD  TYPE  DEVICE   SIZE/OFF  NODE  NAME
httpd   125366   root  6u  IPv6  6351523  0t0       TCP   *:https (LISTEN)
httpd   125885 daemon  6u  IPv6  6351523  0t0       TCP   *:https (LISTEN)
httpd   125886 daemon  6u  IPv6  6351523  0t0       TCP   *:https (LISTEN)
httpd   125887 daemon  6u  IPv6  6351523  0t0       TCP   *:https (LISTEN)
httpd   125946 daemon  6u  IPv6  6351523  0t0       TCP   *:https (LISTEN)
---------------------------------
5). Open https://www.111cn.net in a browser.
Note: the client machine's hosts file must map www.111cn.net to the server's IP address, and because the CA is private the browser will warn about an untrusted issuer until ca.crt is imported as a trusted root.
IV. SSL two-way authentication configuration:
1. Generate a certificate for the client:
# cd /usr/local/apache2/conf/ssl.ca-0.1
# ./new-user-cert.sh client1
-----------------------------------------
No client1.key found. Generating one
Generating RSA private key, 1024 bit long modulus
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Common Name (eg, John Doe) []:client1
Email Address []:info@111cn.net
You may now run ./sign-user-cert.sh to get it signed
-------------------------------------------
2. Sign it with the CA:
# ./sign-user-cert.sh client1
--------------------------------------
CA signing: client1.csr -> client1.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (the root CA passphrase)
Check that the request matches the signature
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'client1'
emailAddress          :IA5STRING:'info@111cn.net'
Certificate is to be certified until Aug  8 08:41:51 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
CA verifying: client1.crt <-> CA cert
------------------------------------
The Common Name is what the server sees in SSL_CLIENT_S_DN_CN after the handshake, so use a value that identifies the person or device. Issue one certificate per user and never share a client key between users: the key is that user's credential.
3. Convert the client certificate to the .p12 (PKCS#12) format browsers import:
# ./p12.sh client1
-------------------------------------
Enter Export Password: (choose a password for the bundle)
Verifying - Enter Export Password: (confirm)
The certificate for client1 has been collected into a PKCS12 file.
You can download it to your browser and import it.
--------------------------------------
# ls -l client1.p12
--------------------------------------
-rw-r--r-- 1 root root 2601 Aug  8 16:44 client1.p12
--------------------------------------
The export password is handed to the end user together with the file, so it must not be the CA key passphrase (the original instructions reuse it, which would give every certificate holder the passphrase to the key that issues all client certificates). The .p12 contains client1's private key: chmod 600 it, and delete it from the server once it has been delivered.
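The same PKI the steps above build with new-root-ca.sh, new-server-cert.sh, sign-server-cert.sh, new-user-cert.sh, sign-user-cert.sh and p12.sh (sections III.3 and IV.1 to IV.3), redone with plain openssl(1) calls so that each step and each certificate extension is visible. This is an added example, not code from the original page or from the ssl.ca-0.1 package. It assumes openssl(1) is on PATH; the subject values, the host name www.111cn.net and the client name client1 come from the page, while the output directory, the 2048-bit key size, the certificate extensions and the .p12 export password "changeit" are this example's choices.

```shell
#!/bin/sh
# Added example: private CA, server certificate, client certificate and PKCS#12 bundle,
# plus the checks that mod_ssl and a browser perform on them. Not from the original page.
set -e

make_pki() {
    dir="${1:-./ssl-demo}"; host="${2:-www.111cn.net}"; client="${3:-client1}"
    mkdir -p "$dir"
    (
        cd "$dir"
        # Minimal req config: an empty DN section (subjects are passed with -subj) and a CA
        # extension set. basicConstraints CA:TRUE is what makes ca.crt usable as a trust anchor.
        printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\n' > req.cnf
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >> req.cnf

        # 1. Root CA. The page's scripts default to 1024-bit RSA; 2048 is the floor today.
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -x509 -new -key ca.key -sha256 -days 3650 -config req.cnf -out ca.crt \
            -subj "/C=CN/ST=Jiangsu/L=Nanjing/O=Example Co Ltd/CN=Example Root CA"

        # 2. Server certificate. CN is the bare host name (not a URL) and the same name goes
        #    into subjectAltName, which is what browsers actually match against.
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -sha256 -config req.cnf -out server.csr \
            -subj "/C=CN/ST=Jiangsu/L=Nanjing/O=Example Co Ltd/CN=$host"
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
        printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" >> server.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -sha256 -days 365 -extfile server.ext -out server.crt 2>/dev/null

        # 3. Client certificate from the same CA, marked clientAuth only so it cannot be
        #    turned around and presented as a server certificate.
        openssl genrsa -out "$client.key" 2048 2>/dev/null
        openssl req -new -key "$client.key" -sha256 -config req.cnf -out "$client.csr" -subj "/CN=$client"
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext
        openssl x509 -req -in "$client.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -sha256 -days 365 -extfile client.ext -out "$client.crt" 2>/dev/null

        # 4. PKCS#12 bundle (key + cert + CA) for browser import. The export password is
        #    given to the end user, so it is deliberately not the CA key passphrase.
        openssl pkcs12 -export -inkey "$client.key" -in "$client.crt" -certfile ca.crt \
            -name "$client" -passout pass:changeit -out "$client.p12"

        # Private keys and the .p12 (it contains a key) are owner-only; certificates are public.
        chmod 600 ca.key server.key "$client.key" "$client.p12"
        chmod 644 ca.crt server.crt "$client.crt"
    )
}

# Chain check plus extendedKeyUsage check, the way mod_ssl and a browser see the certificate.
# $3 is the label openssl prints for the EKU, e.g. "TLS Web Client Authentication".
verify_cert() {
    dir="$1"; cert="$2"; eku="$3"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$cert" -noout -text | grep -q "$eku"
}

# Does the bundle open with the export password? (what the browser's import wizard does)
p12_opens() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# Stand-alone run: throwaway PKI in a temp dir, then check both leaf certificates.
demo=$(mktemp -d)
make_pki "$demo" www.111cn.net client1
verify_cert "$demo" server.crt "TLS Web Server Authentication" && echo "server.crt chains to ca.crt"
verify_cert "$demo" client1.crt "TLS Web Client Authentication" && echo "client1.crt chains to ca.crt"
```

The two EKU checks are the ones that matter for two-way authentication: the server certificate must not validate as a client certificate and vice versa, otherwise anyone holding the server's key pair could log in as a client. To use these files with the Apache configuration on this page, copy server.key, server.crt and ca.crt into /usr/local/apache2/conf/ and hand client1.p12 (never client1.key alone, and never ca.key) to the user.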
4. Distribute the .p12 file to the trusted client to enable certificate-based two-way authentication.
Note: in this walkthrough the file is simply copied to the local computer by hand; in production, certificate enrolment and download can be handled by an application.
5. Configure HTTPS for the virtual host with two-way (client certificate) authentication:
# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf
----------------------------
<VirtualHost *:443>
    ServerName www.111cn.net
    DocumentRoot "/usr/local/apache2/htdocs/www.111cn.net/"
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
    SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>
----------------------------
SSLVerifyClient require is what turns one-way into two-way authentication: Apache aborts the handshake unless the client presents a certificate that chains, within SSLVerifyDepth steps, to a CA listed in SSLCACertificateFile. With the default (none) or with optional, clients without a certificate are still admitted. Restart Apache after the change (apachectl restart).
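A way to generate the two-way-authentication virtual host above from a template, lint it so that a copy with the client-certificate requirement accidentally weakened is caught before Apache is reloaded, and prove enforcement against the live server afterwards. Added example, not from the original page; it assumes the /usr/local/apache2 layout used on this page, takes the output file and host name as arguments, and uses curl(1) for the live check (the live check needs the running server and is not part of the stand-alone run).

```shell
#!/bin/sh
# Added example: template, lint and live check for the mod_ssl client-certificate vhost.
set -e

# Emit the HTTPS vhost for $host. SSLVerifyClient "require" makes mod_ssl abort the handshake
# unless the client presents a certificate chaining to SSLCACertificateFile; "optional" (or the
# default "none") is the weak setting that still admits anonymous clients.
write_mtls_vhost() {
    out="$1"; host="${2:-www.111cn.net}"; conf="${3:-/usr/local/apache2/conf}"
    cat > "$out" <<EOF
<VirtualHost *:443>
    ServerName $host
    DocumentRoot "/usr/local/apache2/htdocs/$host/"
    SSLEngine on
    SSLCertificateFile "$conf/server.crt"
    SSLCertificateKeyFile "$conf/server.key"
    # Private CA that issued the client certificates. It is also advertised to clients as the
    # acceptable-CA list, so the browser only offers certificates from this CA.
    SSLCACertificateFile "$conf/ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth 1
    # Expose SSL_CLIENT_S_DN_CN and friends to CGI/PHP so the application knows who connected.
    SSLOptions +StdEnvVars
    # Optional extra gate beyond chain validation, placed inside a <Location /> block:
    # Require expr "%{SSL_CLIENT_I_DN_O} == 'Example Co Ltd'"
</VirtualHost>
EOF
}

# Refuse to deploy a vhost that does not actually enforce client certificates.
lint_mtls_vhost() {
    f="$1"
    grep -Eq '^[[:space:]]*SSLEngine[[:space:]]+on' "$f" ||
        { echo "$f: SSLEngine is not on" >&2; return 1; }
    grep -Eq '^[[:space:]]*SSLCACertificateFile[[:space:]]+' "$f" ||
        { echo "$f: no SSLCACertificateFile, nothing to verify clients against" >&2; return 1; }
    grep -Eq '^[[:space:]]*SSLVerifyClient[[:space:]]+require' "$f" ||
        { echo "$f: SSLVerifyClient is not 'require', anonymous clients would be admitted" >&2; return 1; }
    grep -Eq '^[[:space:]]*SSLVerifyDepth[[:space:]]+[0-9]+' "$f" ||
        { echo "$f: no SSLVerifyDepth" >&2; return 1; }
}

# Live check against the running server: an anonymous request must be refused, a request
# carrying client1's certificate and key must succeed. $2 is the directory holding ca.crt,
# client1.crt and client1.key.
check_mtls_live() {
    url="$1"; dir="$2"; client="${3:-client1}"
    if curl -sS -o /dev/null --cacert "$dir/ca.crt" "$url" 2>/dev/null; then
        echo "server accepted a connection without a client certificate" >&2; return 1
    fi
    curl -sS -o /dev/null --cacert "$dir/ca.crt" \
        --cert "$dir/$client.crt" --key "$dir/$client.key" "$url"
}

# Stand-alone run: write the vhost to a temp file and lint it.
conf_out=$(mktemp)
write_mtls_vhost "$conf_out" www.111cn.net
lint_mtls_vhost "$conf_out" && echo "vhost in $conf_out enforces client certificates"
```

Run the lint on the real file before every reload (lint_mtls_vhost /usr/local/apache2/conf/extra/httpd-vhosts.conf followed by apachectl -t), and check_mtls_live https://www.111cn.net/ /usr/local/apache2/conf/ssl.ca-0.1 after it: the anonymous curl must fail with a handshake error and only the second curl may return the page.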
1). Open https://www.111cn.net in Chrome.
Without the client certificate imported, the browser reports an SSL connection error: the server aborts the handshake because no certificate was presented.
2). Import the certificate:
A. On Windows, double-click client1.p12.
B. Follow the Certificate Import Wizard, entering the export password when asked.
Open https://www.111cn.net in Chrome again; the browser now prompts to select the client1 certificate and the test page loads.