
Two-way SSL virtual host configuration on Apache

2015-05-19 13:40 716 views
For work I have recently been looking into Apache two-way (mutual) SSL authentication. The company has only one server, and it hosts a wiki knowledge base, an ownCloud private cloud, phpMyAdmin and ZenTao PMS (zendaopms). The goal is for ownCloud to be reachable only with client certificate authentication, while the other three stay accessible over plain HTTP. Building this requires both Apache's two-way SSL configuration and Apache virtual hosts.

Software environment
Apache Httpd 2.2.16
openssl-1.0.0e.tar.gz
SSL-Tools (http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz)

1. Install OpenSSL
#tar zxvf openssl-1.0.0e.tar.gz
#cd openssl-1.0.0e
#./config --prefix=/usr/local/openssl
#make
#make install

2. Install httpd
#tar zxvf httpd-2.2.16.tar.gz
#cd httpd-2.2.16
#./configure --prefix=/usr/local/apache2 --with-included-apr --enable-mods-shared=most --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/openssl
#make
#make install
This step installs the httpd service under the directory given by --prefix (/usr/local/apache2 here), and --with-ssl points at the OpenSSL just installed so that mod_ssl is compiled statically into httpd.

3. Creating the certificates
The certificates used by SSL have to be generated by hand. For anyone not familiar with certificates there is a helper tool: http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz. The following shows how to generate the certificates with this tool:

#cp ssl.ca-0.1.tar.gz /usr/local/apache2/conf
#cd /usr/local/apache2/conf
#tar zxvf ssl.ca-0.1.tar.gz
#cd ssl.ca-0.1
#./new-root-ca.sh (generates the root certificate)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (enter a passphrase)
Verifying - Enter pass phrase for ca.key: (enter the passphrase again)
......
Self-sign the root CA... (signing the root certificate)
Enter pass phrase for ca.key: (enter the passphrase just set)
........
........ (the signing prompts start here)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:Beijing // as you like
Locality Name (eg, city) [Sitiawan]:Beijing // as you like
Organization Name (eg, company) [My Directory Sdn Bhd]:chosen // as you like
Organizational Unit Name (eg, section) [Certification Services Division]:tech // as you like
Common Name (eg, MD Root CA) []:tech // as you like
Email Address []:di.wang@chosenglobal.com // as you like
This produces the two files ca.key and ca.crt. Next, a certificate has to be generated for our server:
#./new-server-cert.sh server (the certificate is named server)
......
......
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:Beijing
Locality Name (eg, city) [Sitiawan]:Beijing
Organization Name (eg, company) [My Directory Sdn Bhd]:chosen
Organizational Unit Name (eg, section) [Secure Web Server]:tech
Common Name (eg, www.domain.com) []:tech
Email Address []:di.wang@chosenglobal.com
This produces the two files server.csr and server.key.
The request still has to be signed by the CA before the certificate can be used:
#./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (enter the root CA passphrase set above)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName:PRINTABLE:'CN'
stateOrProvinceName:PRINTABLE:'Beijing'
localityName:PRINTABLE:'Beijing'
organizationName:PRINTABLE:'chosen'
organizationalUnitName:PRINTABLE:'chosen'
commonName:PRINTABLE:'tech'
emailAddress:IA5STRING:'di.wang@chosenglobal.com'
Certificate is to be certified until Jan 19 21:59:46 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK

4. Set the certificate file permissions and paths
# cd /usr/local/apache2/conf/ssl.ca-0.1
# chmod 644 server.key server.crt ca.crt

5. Two-way SSL configuration
Generate a certificate for the client:
# cd /usr/local/apache2/conf/ssl.ca-0.1
# ./new-user-cert.sh client1
-----------------------------------------
No client1.key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........++++++
...++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Common Name (eg, John Doe) []:client1
Email Address []:di.wang@chosenglobal.com
You may now run ./sign-user-cert.sh to get it signed
-------------------------------------------
Sign this certificate:
# ./sign-user-cert.sh client1
--------------------------------------
CA signing: client1.csr -> client1.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (enter the root CA passphrase)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :PRINTABLE:'client1'
emailAddress :IA5STRING:'info@example.com'
Certificate is to be certified until Aug 8 08:41:51 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: client1.crt <-> CA cert
client1.crt: OK
------------------------------------
Convert the client certificate into the .p12 format that browsers can import:
# ./p12.sh client1
-------------------------------------
Enter Export Password: (enter the root CA passphrase)
Verifying - Enter Export Password: (confirm)
The certificate for client1 has been collected into a pkcs12 file.
You can download to your browser and import it.
--------------------------------------
# ll client1.p12
---------------------------------------
-rw-r--r-- 1 root root 2601 8月 8 16:44 client1.p12
--------------------------------------
Distribute this .p12 file to the trusted clients; that is what makes two-way certificate authentication work.
Note: here the file is simply copied to the local machine as an example; in production, certificate download and enrolment can be handled by an application.

Configure HTTPS to get a two-way SSL virtual host
# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf
Add the following:
----------------------------
<VirtualHost *:443>
    DocumentRoot "/usr/local/apache2/htdocs"
    ServerName 10.10.10.1
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/ssl.ca-0.1/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/conf/ssl.ca-0.1/server.key"
    SSLCACertificateFile "/usr/local/apache2/conf/ssl.ca-0.1/ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
----------------------------

6. Test results
1) Open https://10.10.10.1/owncloud in Chrome. With no client certificate imported, the browser reports an SSL connection error.

2) So import the certificate: a. on Windows, run the certificate file; b. this opens the certificate import wizard, and clicking Next all the way through completes the import. Then open http://10.10.10.1/owncloud in Chrome again and note the prompt it shows.
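Before the vhost above is enabled it is worth confirming that the files from steps 3 to 5 actually belong together: a server or client certificate that does not chain to ca.crt fails every handshake once SSLVerifyClient require is set, a key that does not match server.crt stops httpd from starting, and the chmod 644 in step 4 leaves server.key world-readable. The POSIX shell function below is an added check, not part of the original post or of the ssl.ca tool; it assumes openssl on PATH, an unencrypted server.key (as Apache expects), and the ca.crt / server.crt / server.key / client1.crt layout of the ssl.ca-0.1 directory, whose path is the optional argument.

```shell
#!/bin/sh
# Added example (not from the original post). Sanity-checks the certificate
# set produced in steps 3-5 before it is referenced from the mTLS vhost.
# Assumes: openssl on PATH; ca.crt, server.crt, server.key and client1.crt in
# the directory passed as $1 (default: the ssl.ca-0.1 directory used above).
check_mtls_pki() {
    dir="${1:-/usr/local/apache2/conf/ssl.ca-0.1}"
    ca="$dir/ca.crt"; srv="$dir/server.crt"; key="$dir/server.key"; cli="$dir/client1.crt"

    # 1. Both leaf certificates must chain to ca.crt: SSLCACertificateFile is
    #    what mod_ssl validates client certificates against, and in this
    #    single-CA setup server.crt is issued by the same CA.
    for crt in "$srv" "$cli"; do
        openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || {
            echo "FAIL: $crt is not signed by $ca"; return 1; }
    done

    # 2. server.key must be the private key for server.crt; compare the PEM
    #    public keys derived from each (assumes an unencrypted key).
    crt_pub=$(openssl x509 -in "$srv" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] || {
        echo "FAIL: $key does not match $srv"; return 1; }

    # 3. Step 4 chmods server.key to 644. httpd reads the key as root at
    #    startup, so the private key should be readable by root only.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $key mode is $mode, expected 600"; return 1 ;;
    esac
    echo "OK: chain, key pairing and key permissions are consistent"
}
```

Run it as `check_mtls_pki` (or with an explicit directory) after step 5; it exits non-zero on the first inconsistency it finds.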
