"Turn" the original Win+apache to implement SSL certificate authentication is so simple

Source: Internet
Author: User
Tags: vars, ssl, certificate

[Featured] Implementing SSL certificate authentication with Windows + Apache turns out to be this simple
http://www.chinaunix.net Author: ataman Posted: 2008-05-22 18:16:46
"Comment" "View original" "Web server Discussion Area" "Close"
SSL certificate authentication with Windows + Apache (the notoriously hard problem of making certificates with OpenSSL on Windows, completely solved)
I have written this out in great detail, step by step, so it should be very clear. The actual work is very simple, maybe 5 minutes; it is just that I am long-winded. If you spot a mistake, please point it out.
First, go to http://hunter.campbus.com/ and download the apache_xxx-xxx-openssl_xxx-win32.zip that matches your own Apache version. After unzipping, find these 5 files: mod_ssl.so (modules directory), ssl.conf and ssl.default.conf (conf directory; ssl.default.conf is just a backup copy), libeay32.dll and ssleay32.dll (both in the bin directory). Copy each of them into the corresponding directory of your own Apache installation.

###############################################################################
Next, change the configuration files.
For both httpd.conf and ssl.conf: if your server has no domain name, put the IP address in ServerName. For example: ServerName 10.10.10.10:80 (httpd.conf) and ServerName 10.10.10.10:443 (ssl.conf).
Open httpd.conf: find #LoadModule ssl_module modules/mod_ssl.so and remove the leading '#' so that the SSL module is loaded at startup.
Open ssl.conf: find #<IfDefine SSL> and #</IfDefine> and remove the leading '#' from both (otherwise you have to start Apache with an extra command-line parameter every time, which is a hassle). Then the following settings:
SSLMutex none (I use none; some people use default. How exactly to set it is something you can research yourself.)
SSLCertificateFile conf/server.crt (location of the server certificate; this is the public key part?)
SSLCertificateKeyFile conf/server.key (location of the server private key)
SSLCACertificateFile conf/ca.crt (location of the CA root certificate, required for client authentication. Is this also the CA's public key? I put all of them in Apache's conf directory.)
DocumentRoot "xxxxx" (point this at the document directory that SSL authentication protects, for example "F:/http")
SSLVerifyClient require (remove the leading '#'; required for client authentication)
SSLVerifyDepth 1 (remove the leading '#' and change 10 to 1; required for client verification)
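Put together, the ssl.conf directives listed above look like this. This is an added example fragment, not the post's own ssl.conf: the directive names are in their real spelling (Apache matches them case-insensitively, which is why the lowercase forms in the post still work), the paths assume the post's layout (certificates in Apache's conf directory, documents in F:/http), and the <IfDefine SSL> lines are left out as the post recommends. SSLMutex is set to default rather than the post's none; default lets mod_ssl pick the platform's locking mechanism for its session cache.

```apache
# Added example ssl.conf fragment for mod_ssl on Apache 2.0/2.2; paths are relative to ServerRoot.
Listen 443
SSLMutex default

<VirtualHost _default_:443>
    ServerName 10.10.10.10:443
    DocumentRoot "F:/http"

    SSLEngine on

    # Server certificate (public part) and the matching private key
    SSLCertificateFile    conf/server.crt
    SSLCertificateKeyFile conf/server.key

    # CA root certificate that the browser's client certificate must chain to
    SSLCACertificateFile  conf/ca.crt

    # Client certificate authentication: a connection without a valid client
    # certificate is refused before it ever reaches DocumentRoot
    SSLVerifyClient require

    # 1 = the client certificate must be signed directly by a CA in ca.crt;
    # certificates issued through an intermediate CA are rejected
    SSLVerifyDepth  1
</VirtualHost>
```

With this configuration every certificate signed by the CA in ca.crt is accepted as a valid client, so the CA private key (ca.key) is the secret that gates access: it belongs nowhere near the conf directory or DocumentRoot.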

############################################################################## Now let's make the certificates.
Go to openvpn.net, download and install OpenVPN. It is a virtual private network tool, but it can produce root, server and client certificates perfectly well on Windows (and Linux, BSD). After installing, open Start - Programs - Accessories - Command Prompt and change into OpenVPN's easy-rsa directory, for example F:\program files\openvpn\easy-rsa>_. Type init-config and press Enter.
This creates several files. Switch out of the command prompt, open vars.bat and edit the parameters KEY_COUNTRY (2-letter country code), KEY_PROVINCE (2-letter province code), KEY_CITY (city), KEY_ORG (organization) and KEY_EMAIL (e-mail), so that you do not have to type them again and again when making certificates later.
Save, close, and go back to the command prompt. Enter the following two commands, one after the other: vars, then clean-all (these two are preparatory work).

####################################################################################
1. Build the CA root certificate
Type build-ca and press Enter (this builds the CA root certificate).
It then shows the following (my notes follow each prompt):
ai:/usr/share/openvpn/easy-rsa # ./build-ca
Generating a 1024 bit RSA private key
....++++++
...++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [KG]:  2-letter country code; the default is the value we just set in vars
State or Province Name (full name) [NA]:  province or state name, 2 letters
Locality Name (eg, city) [BISHKEK]:  city name
Organization Name (eg, company) [OpenVPN-TEST]:  organization name
Organizational Unit Name (eg, section) []:  the unit within the organization
Common Name (eg, your name or your server's hostname) []:  this is the key field. You would enter the domain name of the unit issuing the root certificate, but since this is the root certificate it does not matter what you put here. Only server certificates need to be filled in carefully.
Email Address [[email protected]]:  e-mail
OK, the CA root certificate is done! In the keys directory it is called ca.crt, and the CA's private key is ca.key.
#######################################################################
2. Now make the server certificate: at the command prompt type build-key-server server and press Enter. You will see almost the same thing as above, but note Common Name (eg, your name or your server's hostname) []: this is the real key. Enter the server's domain name, for example www.xxx.com. If you have no domain name, enter the IP address, matching the ServerName settings in httpd.conf and ssl.conf (ServerName 10.10.10.10:80 in httpd.conf, ServerName 10.10.10.10:443 in ssl.conf),
that is, enter: 10.10.10.10
Next you see A challenge password []: fill it in or not, as you like; I leave it blank. An optional company name []: likewise, I leave it blank.
Sign the certificate? [y/n] type y and press Enter. The server certificate is now signed by the CA root certificate. 1 out of 1 certificate requests certified, commit? [y/n] type y and press Enter to confirm.
Done. server.crt (certificate) and server.key (private key) are in the keys directory.
#######################################################################
3. Now create the client certificate:
At the command prompt type build-key client1 and press Enter. Country, province, city, organization and so on are the same as before, and the Common Name can be anything. Then A challenge password []: fill it in or not, as you like; I leave it blank. An optional company name []: likewise, I leave it blank.
Sign the certificate? [y/n] type y and press Enter. The client certificate is now signed by the CA root certificate. 1 out of 1 certificate requests certified, commit? [y/n] type y and press Enter to confirm.
Done. client1.crt (client certificate) and client1.key (private key) are in the keys directory.
Wait: the .crt client certificate cannot be used as it is; it must be converted to a .pfx file!!
So, still at the command prompt, type openssl and press Enter; you will see the OpenSSL> prompt. Then type pkcs12 -export -in keys/client1.crt -inkey keys/client1.key -out keys/client1.pfx and press Enter. It asks Enter Export Password: this is the password that will protect the client certificate; I enter hehe. Verifying - Enter Export Password: enter hehe again to confirm. OK!
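The three easy-rsa commands above (build-ca, build-key-server, build-key) and the pkcs12 export are thin wrappers around the openssl command line. The script below is an added example, not code from the post or from the OpenVPN/easy-rsa project: it performs the same steps non-interactively with plain openssl (subjects given via -subj, 2048-bit keys instead of easy-rsa's 1024, and its own minimal openssl.cnf so it does not depend on the system copy), then runs the checks worth doing before copying anything to Apache: both certificates chain to ca.crt, the server certificate is refused when presented as a client certificate, the server certificate carries the address the browser will connect to, and the .pfx really does require the export password. The 10.10.10.10 address and the export password hehe come from the post; the subject names, extension sections and output directory are this example's own assumptions. It goes beyond the post in adding extendedKeyUsage and a subjectAltName, which current browsers require on server certificates.

```shell
#!/bin/sh
# Added example: the post's easy-rsa steps done with the openssl CLI directly, plus checks.
set -eu

SERVER_ADDR="10.10.10.10"        # the post's placeholder server IP
CLIENT_NAME="client1"
PFX_PASS="hehe"                  # the post's export password; choose a real one
WORK="${WORK:-$(mktemp -d)}"     # output directory (assumption: a fresh temp dir)
KEYS="$WORK/keys"

# Minimal openssl.cnf of our own. The extension sections (assumptions of this
# example) add the EKU and SAN that easy-rsa's defaults of the time did not.
write_config() {
  cat > "$WORK/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$SERVER_ADDR
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
}

# Step 1 (build-ca): self-signed root; ca.key is the secret that signs everything.
build_ca() {
  mkdir -p "$KEYS"
  openssl genrsa -out "$KEYS/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$KEYS/ca.key" -sha256 -days 3650 \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -subj "/C=CN/ST=NA/O=Example Org/CN=Example Root CA" -out "$KEYS/ca.crt"
}

# Steps 2 and 3 (build-key-server / build-key): key, CSR, CA-signed certificate.
# $1 = file base name, $2 = Common Name, $3 = extension section (server_ext / client_ext)
issue_cert() {
  openssl genrsa -out "$KEYS/$1.key" 2048 2>/dev/null
  openssl req -new -key "$KEYS/$1.key" -config "$WORK/openssl.cnf" \
    -subj "/C=CN/ST=NA/O=Example Org/CN=$2" -out "$KEYS/$1.csr"
  openssl x509 -req -in "$KEYS/$1.csr" -CA "$KEYS/ca.crt" -CAkey "$KEYS/ca.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$WORK/openssl.cnf" \
    -extensions "$3" -out "$KEYS/$1.crt" 2>/dev/null
}

# The post's "pkcs12 -export": bundle client key + certificate (+ CA) for the browser.
export_pfx() {
  openssl pkcs12 -export -in "$KEYS/$1.crt" -inkey "$KEYS/$1.key" \
    -certfile "$KEYS/ca.crt" -out "$KEYS/$1.pfx" -passout "pass:$PFX_PASS"
}

# Check 1: both leaf certificates chain to ca.crt (what SSLCACertificateFile tests).
verify_chain() {
  openssl verify -CAfile "$KEYS/ca.crt" "$KEYS/server.crt" "$KEYS/$CLIENT_NAME.crt" >/dev/null
}

# Check 2: the EKU keeps the server certificate from passing as a client certificate.
verify_purpose() {
  openssl verify -CAfile "$KEYS/ca.crt" -purpose sslclient "$KEYS/$CLIENT_NAME.crt" >/dev/null &&
  ! openssl verify -CAfile "$KEYS/ca.crt" -purpose sslclient "$KEYS/server.crt" >/dev/null 2>&1
}

# Check 3: the .pfx opens with the export password and not without it.
pfx_subject() {
  openssl pkcs12 -in "$KEYS/$1.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject
}
pfx_needs_password() {
  ! openssl pkcs12 -in "$KEYS/$CLIENT_NAME.pfx" -passin "pass:wrong" -nokeys >/dev/null 2>&1
}

# Check 4: the server certificate names the address the browser will type in.
server_san() {
  openssl x509 -in "$KEYS/server.crt" -noout -text | grep "IP Address:"
}

write_config
build_ca
issue_cert server "$SERVER_ADDR" server_ext
issue_cert "$CLIENT_NAME" "$CLIENT_NAME" client_ext
export_pfx "$CLIENT_NAME"
verify_chain
verify_purpose
pfx_needs_password
echo "ca.crt, server.crt/.key and $CLIENT_NAME.pfx written to $KEYS"
```

Run it in any POSIX shell with openssl on PATH; set WORK to choose where the keys directory goes. The files that go to Apache are exactly the ones the post copies in the next step (ca.crt, server.crt, server.key), and client1.pfx is what the browser imports. ca.key never leaves the machine that issues certificates: once the server has SSLVerifyClient require, whoever holds ca.key can issue a client certificate the server will accept.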
########################################################################
Copy ca.crt, server.crt and server.key from the keys directory into Apache's conf directory (ssl.conf needs them), and put ca.key somewhere safe of your own choosing.
#########################################################################
Installing the certificate on the client
Open Internet Explorer (IE), Tools - Internet Options - Content - Certificates. Click 'Personal', then Import, and import the client certificate client1.pfx into the Personal group (don't forget to choose the .pfx extension in the file dialog). You also have to enter the export password you just set, hehe, for the import to go through.
Next, click 'Trusted Root Certification Authorities', then Import, and import the CA root certificate ca.crt into the trusted root certification authorities.
#########################################################################
OK, restart Apache, open IE, enter https://10.10.10.10 (or the domain name) in the address bar, and a window pops up asking you to choose a personal digital certificate. Select it and click OK. If the Common Name of the server certificate was filled in correctly you go straight to the site and see the little lock in the lower right corner (SSL secured, 128 bit). If the server certificate's Common Name was not filled in correctly, a 'Security Alert' box pops up that tells you 3 things:
1. The security certificate was issued by a trusted site (if it says it was issued by an untrusted site, your CA root certificate ca.crt was not imported into IE's Trusted Root Certification Authorities).
2. The security certificate's date is valid (the default is 10; you can change it in openssl.cnf in OpenVPN's easy-rsa directory and then re-create the whole set of certificates. openssl.cnf looks like a dial-up network shortcut; open it with Notepad or WordPad to edit it).
3. "The name on the security certificate is invalid or does not match the name of the site": this means the server certificate's Common Name was not filled in properly. It does not really matter; it only looks that way. I just do not want to see this annoying warning box.
Even with the security alert you can still access the site and see the little lock in the lower right corner (SSL secured, 128 bit).
################################# Finally, success! Use it.
I myself commented out Listen 80 in httpd.conf with a '#' and changed ServerName to 10.10.10.10:443, so that only https is used, not http. Ho ho!!!

"Turn" the original Win+apache to implement SSL certificate authentication is so simple

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.