openssl apache2 config

2015-08-24 00:00

Time: 2015-02-28 21:37
Author: lsgxeva
Category: My notes >> web >> apache
Summary: openssl apache2 config
Tags: openssl apache2 config

PKCS standards

PKCS stands for Public-Key Cryptography Standards, a series of standards drawn up by RSA Laboratories together with other security-system vendors to promote public-key cryptography; PKCS has published 15 standards so far. The ones in common use are:

PKCS#7 Cryptographic Message Syntax Standard

PKCS#10 Certification Request Standard

PKCS#12 Personal Information Exchange Syntax Standard

X.509 is the common, general-purpose certificate format. All certificates conform to the ITU-T X.509 international standard drawn up for Public Key Infrastructure (PKI).

Common PKCS#7 file extensions: .P7B .P7C .SPC

Common PKCS#12 file extensions: .P12 .PFX

X.509 DER-encoded (binary) file extensions: .DER .CER .CRT

X.509 PEM-encoded (Base64) file extensions: .PEM .CER .CRT

.cer/.crt hold a certificate, stored in binary form, without the private key.

.pem differs from crt/cer in that it is ASCII-encoded.

pfx/p12 hold a personal certificate together with its private key; they usually carry a protecting password and are binary.

p10 is a certificate request.

p7r is the CA's reply to a certificate request; it is only used for import.

p7b presents the certificate chain as a tree; it can also hold a single certificate, and contains no private key.

Basic OpenSSL commands

Check the OpenSSL version:
openssl version

List the available OpenSSL commands:
openssl help

To get help for a particular command, append -h, e.g.:
openssl verify -h

List all available cipher suites: openssl ciphers -v

openssl speed benchmarks the local OpenSSL build: it reports how many bytes per second each algorithm encrypts, and the sign/verify timings.

Configuration file

$ cat lsgxevaCA/openssl.cnf

--------------------------------------------------------------------------------

#
# OpenSSL lsgxeva configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions    =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = ./lsgxevaCA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

#x509_extensions = user_cert            # The extensions to add to the cert
x509_extensions = v3_ca                 # The extensions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
#default_md     = default               # use public key default MD
default_md      = md5                   # use public key default MD
preserve        = no                    # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match
#policy         = policy_anything

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

####################################################################
[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca         # The extensions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
#string_mask = nombstr

# req_extensions = v3_req # The extensions to add to a certificate request

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = China

localityName                    = Locality Name (eg, city)
localityName_default            = Shenzhen

0.organizationName              = Organization Name (eg, company)
#0.organizationName_default     = Internet Widgits Pty Ltd
0.organizationName_default      = lsgxeva Corp., Ltd.

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = lsgxeva think

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_default              = lsgxeva
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_default            = lsgxthink@gmail.com
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ user_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate For User"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
#extendedKeyUsage = critical,timeStamping

[ server_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
#nsCertType                     = server
nsCertType = server, email, objsign

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment, keyAgreement

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate For Server"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
#extendedKeyUsage = critical,timeStamping
#extendedKeyUsage = serverAuth, nsSGC, msSGC

[ client_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
#nsCertType                     = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate For Client"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
#extendedKeyUsage = critical,timeStamping
#extendedKeyUsage = clientAuth, nsSGC, msSGC

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ v3_ca ]

# Extensions for a typical CA

# PKIX recommendation.

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
#basicConstraints = critical, CA:true, pathlen:4

# custom subjectAltName for lsgxeva
subjectAltName = DNS:*.lsgxeva.net, DNS:*.lsgxeva.com, DNS:*.lsgxeva.org, DNS:*.lsgxeva.cc, DNS:lsgxeva.com

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
#keyUsage = cRLSign, keyCertSign

# Some might want this also
#nsCertType = sslCA, emailCA

# This is required for TSA certificates.
#extendedKeyUsage               = serverAuth, clientAuth
#extendedKeyUsage = serverAuth, clientAuth, nsSGC, msSGC

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate For CA"

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

[ crl_ext ]

# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.

# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as a test self-signed certificate it is best
# left out by default.
#keyUsage = digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate For CLR"

[ proxy_cert_ext ]

# These extensions should be added when creating a proxy certificate

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate For Proxy"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

####################################################################
[ tsa ]

default_tsa = tsa_config1       # the default TSA section

[ tsa_config1 ]

# These are used by the TSA reply generation only.
dir             = ./lsgxevaCA           # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
crypto_device   = builtin               # OpenSSL engine to use for signing
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
                                        # (optional)
certs           = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)

default_policy  = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
digests         = md5, sha1             # Acceptable message digests (mandatory)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0     # number of digits after dot. (optional)
ordering                = yes   # Is ordering defined for timestamps?
                                # (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)

--------------------------------------------------------------------------------

Create the CA root certificate

mkdir -p ./lsgxevaCA/{crl,req,private,newcerts}
touch ./lsgxevaCA/index.txt
echo '01' > ./lsgxevaCA/serial
cp /etc/ssl/openssl.cnf lsgxevaCA/openssl.cnf

export OPENSSL_CONF=./lsgxevaCA/openssl.cnf
echo $OPENSSL_CONF
unset OPENSSL_CONF
echo $OPENSSL_CONF

--------------------

$ tree lsgxevaCA/
lsgxevaCA/
├── crl
├── index.txt
├── newcerts
├── openssl.cnf
├── private
├── req
└── serial

4 directories, 3 files

----------------------

openssl genrsa -des3 -out ./lsgxevaCA/private/cakey.pem 2048

openssl req -new -days 3650 -config /etc/ssl/openssl.cnf -key ./lsgxevaCA/private/cakey.pem -out ./lsgxevaCA/req/careq.pem

-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [China]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [lsgxeva Corp., Ltd.]:
Organizational Unit Name (eg, section) [lsgxeva think]:
Common Name (e.g. server FQDN or YOUR name) [lsgxeva]:
Email Address [lsgxthink@gmail.com]:
-----

echo '01' > ./lsgxevaCA/serial
rm ./lsgxevaCA/index.txt
touch ./lsgxevaCA/index.txt

openssl ca -selfsign -extfile /etc/ssl/openssl.cnf -extensions v3_ca -config /etc/ssl/openssl.cnf \
    -in ./lsgxevaCA/req/careq.pem -keyfile ./lsgxevaCA/private/cakey.pem \
    -days 3650 -out ./lsgxevaCA/cacert.pem

Create the user certificate

mkdir -p ./lsgxevaCA/user/{private,req}

openssl genrsa -des3 -out ./lsgxevaCA/user/private/userkey.pem 2048

openssl req -new -days 365 -config /etc/ssl/openssl.cnf -key ./lsgxevaCA/user/private/userkey.pem -out ./lsgxevaCA/user/req/userreq.pem

-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [China]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [lsgxeva Corp., Ltd.]:
Organizational Unit Name (eg, section) [lsgxeva think]:lsgxeva user
Common Name (e.g. server FQDN or YOUR name) [lsgxeva]:
Email Address [lsgxthink@gmail.com]:lsgxuser@gmail.com
-----

rm ./lsgxevaCA/index.txt
touch ./lsgxevaCA/index.txt

openssl ca -extfile /etc/ssl/openssl.cnf -extensions user_cert -config /etc/ssl/openssl.cnf \
    -in ./lsgxevaCA/user/req/userreq.pem -days 365 \
    -out ./lsgxevaCA/user/usercert.pem -cert ./lsgxevaCA/cacert.pem -keyfile ./lsgxevaCA/private/cakey.pem

openssl rsa -in ./lsgxevaCA/user/private/userkey.pem -out ./lsgxevaCA/user/private/userkey_insecure.pem

Create the server certificate

openssl genrsa -des3 -out ./lsgxevaCA/user/private/serverkey.pem 2048

openssl req -new -days 365 -config /etc/ssl/openssl.cnf -key ./lsgxevaCA/user/private/serverkey.pem -out ./lsgxevaCA/user/req/serverreq.pem

-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [China]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [lsgxeva Corp., Ltd.]:
Organizational Unit Name (eg, section) [lsgxeva think]:lsgxeva server
Common Name (e.g. server FQDN or YOUR name) [lsgxeva]:
Email Address [lsgxthink@gmail.com]:lsgxserver@gmail.com
-----

rm ./lsgxevaCA/index.txt
touch ./lsgxevaCA/index.txt

openssl ca -extfile /etc/ssl/openssl.cnf -extensions server_cert -config /etc/ssl/openssl.cnf \
    -in ./lsgxevaCA/user/req/serverreq.pem -days 365 \
    -out ./lsgxevaCA/user/servercert.pem -cert ./lsgxevaCA/cacert.pem -keyfile ./lsgxevaCA/private/cakey.pem

openssl rsa -in ./lsgxevaCA/user/private/serverkey.pem -out ./lsgxevaCA/user/private/serverkey_insecure.pem

Create the client certificate

openssl genrsa -des3 -out ./lsgxevaCA/user/private/clientkey.pem 2048

openssl req -new -days 365 -config /etc/ssl/openssl.cnf -key ./lsgxevaCA/user/private/clientkey.pem -out ./lsgxevaCA/user/req/clientreq.pem

-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [China]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [lsgxeva Corp., Ltd.]:
Organizational Unit Name (eg, section) [lsgxeva think]:lsgxeva client
Common Name (e.g. server FQDN or YOUR name) [lsgxeva]:
Email Address [lsgxthink@gmail.com]:lsgxclient@gmail.com
-----

rm ./lsgxevaCA/index.txt
touch ./lsgxevaCA/index.txt

openssl ca -extfile /etc/ssl/openssl.cnf -extensions client_cert -config /etc/ssl/openssl.cnf \
    -in ./lsgxevaCA/user/req/clientreq.pem -days 365 \
    -out ./lsgxevaCA/user/clientcert.pem -cert ./lsgxevaCA/cacert.pem -keyfile ./lsgxevaCA/private/cakey.pem

openssl rsa -in ./lsgxevaCA/user/private/clientkey.pem -out ./lsgxevaCA/user/private/clientkey_insecure.pem

Verify the files and inspect their contents

Inspect a key:
openssl rsa -noout -text -in ./lsgxevaCA/private/cakey.pem
openssl rsa -noout -text -in ./lsgxevaCA/user/private/userkey.pem

Inspect a request:
openssl req -noout -text -in ./lsgxevaCA/req/careq.pem
openssl req -noout -text -in ./lsgxevaCA/user/req/userreq.pem

Inspect a certificate:
openssl x509 -noout -text -in ./lsgxevaCA/cacert.pem
openssl x509 -noout -text -in ./lsgxevaCA/user/usercert.pem

Verify a certificate:
openssl verify ./lsgxevaCA/cacert.pem
openssl verify -CAfile ./lsgxevaCA/cacert.pem ./lsgxevaCA/user/usercert.pem

Remove the passphrase from a key:
openssl rsa -in ./lsgxevaCA/user/private/userkey.pem -out ./lsgxevaCA/user/private/userkey_insecure.pem

Compute a file's MD5 digest:
openssl dgst -md5 ./lsgxevaCA/user/usercert.pem

Compute a file's SHA1 digest:
openssl dgst -sha1 ./lsgxevaCA/user/usercert.pem

Revoke a certificate

touch ./lsgxevaCA/crlnumber
echo '01' > ./lsgxevaCA/crlnumber

openssl ca -gencrl -out ./lsgxevaCA/crl/crl.pem -config /etc/ssl/openssl.cnf

openssl ca -revoke ./lsgxevaCA/user/usercert.pem -config /etc/ssl/openssl.cnf
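The whole CA procedure above (directory layout, self-signed root, signing with an extension section, revocation and CRL generation) as an added, runnable example; it is not part of the original post. It writes its own minimal openssl.cnf modelled on the post's lsgxevaCA layout, with default_md = sha256 in place of the post's md5, and assumes only that the openssl CLI is installed; all names, subjects and the DNS name www.example.test are constructed.

```shell
# Added example, not from the original post: the CA workflow above run
# non-interactively in a temporary directory, with a minimal openssl.cnf
# modelled on the post's lsgxevaCA layout but with default_md = sha256
# instead of md5. Assumes the openssl CLI is installed.
set -e

# Write a minimal CA config into "$1/openssl.cnf" ($1 = CA directory).
# Section names follow the post's file.
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
private_key      = \$dir/private/cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256               # the post's file has md5 here
policy           = policy_match

[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied

[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = Common Name

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, cRLSign, keyCertSign

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:www.example.test
EOF
}

# Build the CA, issue a server certificate, verify it, revoke it, publish
# a CRL and confirm CRL-aware verification now rejects it. Returns 0 on
# success, 1 if an expectation fails (openssl errors abort via set -e).
run_ca_demo() {
  cadir=$(mktemp -d)
  cfg=$cadir/openssl.cnf
  mkdir -p "$cadir/newcerts" "$cadir/private" "$cadir/crl"
  touch "$cadir/index.txt"              # the CA database
  echo 01 > "$cadir/serial"
  echo 01 > "$cadir/crlnumber"
  write_ca_config "$cadir"

  # CA key and self-signed CA certificate: the post's steps, with -batch
  # and -subj in place of the interactive prompts and no -des3 passphrase.
  openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null
  openssl req -new -config "$cfg" -key "$cadir/private/cakey.pem" \
      -subj "/C=CN/ST=China/O=Example Corp/CN=Example Root CA" \
      -out "$cadir/careq.pem"
  openssl ca -batch -selfsign -config "$cfg" -extensions v3_ca \
      -in "$cadir/careq.pem" -days 3650 -out "$cadir/cacert.pem" >/dev/null

  # Server key and CSR, signed with the server_cert extension section.
  openssl genrsa -out "$cadir/private/serverkey.pem" 2048 2>/dev/null
  openssl req -new -config "$cfg" -key "$cadir/private/serverkey.pem" \
      -subj "/C=CN/ST=China/O=Example Corp/CN=www.example.test" \
      -out "$cadir/serverreq.pem"
  openssl ca -batch -config "$cfg" -extensions server_cert \
      -in "$cadir/serverreq.pem" -out "$cadir/servercert.pem" >/dev/null

  # The freshly issued certificate chains to the CA.
  openssl verify -CAfile "$cadir/cacert.pem" "$cadir/servercert.pem" >/dev/null

  # Revoke it, publish a CRL and verify again with CRL checking enabled.
  openssl ca -batch -config "$cfg" -revoke "$cadir/servercert.pem" >/dev/null
  openssl ca -batch -config "$cfg" -gencrl -out "$cadir/crl/crl.pem" >/dev/null
  ok=1
  if openssl verify -crl_check -CAfile "$cadir/cacert.pem" \
       -CRLfile "$cadir/crl/crl.pem" "$cadir/servercert.pem" >/dev/null 2>&1; then
    ok=0                                # a revoked certificate must not verify
  fi
  # The CA database now records the revocation: status column R.
  grep -q '^R' "$cadir/index.txt" || ok=0
  rm -rf "$cadir"
  [ "$ok" = 1 ]
}
```

Note that index.txt is the database openssl ca consults for -revoke and for duplicate-subject checks; the post deletes and recreates it before each signing, which discards the record of every certificate issued earlier.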

Certificate format conversion

PEM to PKCS#12

openssl pkcs12 -export -clcerts -in ./lsgxevaCA/user/clientcert.pem -inkey ./lsgxevaCA/user/private/clientkey.pem -out ./lsgxevaCA/user/client.p12

openssl pkcs12 -export -in ./lsgxevaCA/user/clientcert.pem -inkey ./lsgxevaCA/user/private/clientkey.pem -certfile ./lsgxevaCA/cacert.pem -out ./lsgxevaCA/user/client.p12

openssl pkcs12 -export -in ./lsgxevaCA/user/clientcert.pem -inkey ./lsgxevaCA/user/private/clientkey.pem -chain -CAfile ./lsgxevaCA/cacert.pem -out ./lsgxevaCA/user/client.p12

cd ./lsgxevaCA/user/
mkdir pkcs
cp client.p12 pkcs/
cd pkcs/

PKCS#12 to PEM

openssl pkcs12 -in client.p12 -nodes -out client.pem (contains both the public and private key)

openssl pkcs12 -clcerts -nokeys -in client.p12 -out clientcert.pem (extract the certificate, i.e. the public part)

openssl pkcs12 -nocerts -nodes -in client.p12 -out clientkey.pem (extract the private key)

PEM to DER

openssl x509 -outform der -in clientcert.pem -out clientcert.der

DER to PEM

openssl x509 -inform der -in clientcert.der -out clientcert.cer
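The PEM to PKCS#12 to PEM round trip above, followed by the check worth running before the files are copied into /etc/apache2/ssl.crt and ssl.key: that the extracted private key actually belongs to the extracted certificate (compared by public-key fingerprint). This is an added example, not code from the original post; the self-signed pair, the password "demo" and the file names are constructed, and the openssl CLI is assumed.

```shell
# Added example, not from the original post: PEM -> PKCS#12 -> PEM round
# trip as in the post's conversion steps, then a key/certificate match check.
# Assumes the openssl CLI; all files are constructed in a temporary directory.
set -e

# SHA-256 over the DER SubjectPublicKeyInfo found in a certificate ($1).
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER SubjectPublicKeyInfo derived from a private key ($1).
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when private key $1 and certificate $2 belong together.
key_matches_cert() {
  [ "$(key_pubkey_fp "$1")" = "$(cert_pubkey_fp "$2")" ]
}

# Returns 0 when the key extracted from the .p12 matches the extracted
# certificate and an unrelated key does not.
pkcs12_roundtrip_demo() {
  d=$(mktemp -d)
  # Constructed self-signed pair standing in for clientcert.pem/clientkey.pem.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client-demo" \
      -keyout "$d/clientkey.pem" -out "$d/clientcert.pem" 2>/dev/null
  # PEM -> PKCS#12 (the post's "openssl pkcs12 -export -clcerts ..." step).
  openssl pkcs12 -export -clcerts -in "$d/clientcert.pem" \
      -inkey "$d/clientkey.pem" -passout pass:demo -out "$d/client.p12"
  # PKCS#12 -> PEM: certificate only, then private key only (unencrypted).
  openssl pkcs12 -in "$d/client.p12" -passin pass:demo -clcerts -nokeys \
      -out "$d/cert_out.pem"
  openssl pkcs12 -in "$d/client.p12" -passin pass:demo -nocerts -nodes \
      -out "$d/key_out.pem"
  # A second, unrelated key must not match the certificate.
  openssl genrsa -out "$d/other.pem" 2048 2>/dev/null
  ok=0
  if key_matches_cert "$d/key_out.pem" "$d/cert_out.pem" \
     && ! key_matches_cert "$d/other.pem" "$d/cert_out.pem"; then
    ok=1
  fi
  rm -rf "$d"
  [ "$ok" = 1 ]
}
```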

cd ~/work/

Copy the certificate files into place

sudo mkdir /etc/apache2/{ssl,ssl.crt,ssl.key,ssl.crl}
sudo chmod 777 /etc/apache2/ssl
cp -rf lsgxevaCA /etc/apache2/ssl/

sudo cp ./lsgxevaCA/cacert.pem /etc/apache2/ssl.crt/ca_lsgxeva.crt
sudo cp ./lsgxevaCA/user/servercert.pem /etc/apache2/ssl.crt/server_lsgxeva.crt
sudo cp ./lsgxevaCA/user/private/serverkey.pem /etc/apache2/ssl.key/server_lsgxeva.key
sudo cp ./lsgxevaCA/user/private/serverkey_insecure.pem /etc/apache2/ssl.key/server_lsgxeva.key
sudo cp ./lsgxevaCA/crl/crl.pem /etc/apache2/ssl.crl/ca_lsgxeva.crl

Configure the Apache2 SSL settings

cd /etc/apache2/

sudo vi sites-available/default-8080.conf

-------------------------------------------------------------------

<Directory /var/www/default_8080/public_html>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<VirtualHost *:8080>
    #ServerName www.lsgxeva.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/default_8080/public_html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

-------------------------------------------------------------------

$ sudo vi sites-available/default-ssl.conf

--------------------------------------------------------------------------------------

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/defaultssl_443/public_html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        #SSLCertificateFile     /etc/ssl/certs/ssl-cert-snakeoil.pem
        #SSLCertificateKeyFile  /etc/ssl/private/ssl-cert-snakeoil.key
        SSLCertificateFile      /etc/apache2/ssl.crt/server_lsgxeva.crt
        SSLCertificateKeyFile   /etc/apache2/ssl.key/server_lsgxeva.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convenience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
        SSLCACertificatePath /etc/ssl/certs/
        SSLCACertificateFile /etc/apache2/ssl.crt/ca_lsgxeva.crt

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #         to point to the certificate files. Use the provided
        #         Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
        SSLCARevocationPath /etc/apache2/ssl.crl/
        SSLCARevocationFile /etc/apache2/ssl.crl/ca_lsgxeva.crl

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional, require and optional_no_ca.  Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        SSLVerifyClient require
        SSLVerifyDepth  10

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `xxj31ZMTZzkVA'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        #   SSL Protocol Adjustments:
        #   The safe and default but still SSL/TLS standard compliant shutdown
        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
        #   the close notify alert from client. When you need a different shutdown
        #   approach you can use one of the following variables:
        #   o ssl-unclean-shutdown:
        #     This forces an unclean shutdown when the connection is closed, i.e. no
        #     SSL close notify alert is sent or allowed to be received.  This violates
        #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #     this when you receive I/O errors because of the standard approach where
        #     mod_ssl sends the close notify alert.
        #   o ssl-accurate-shutdown:
        #     This forces an accurate shutdown when the connection is closed, i.e. a
        #     SSL close notify alert is sent and mod_ssl waits for the close notify
        #     alert of the client. This is 100% SSL/TLS standard compliant, but in
        #     practice often causes hanging connections with brain-dead browsers. Use
        #     this only for browsers where you know that their SSL implementation
        #     works correctly.
        #   Notice: Most problems of broken clients are also related to the HTTP
        #   keep-alive facility, so you usually additionally want to disable
        #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        #   "force-response-1.0" for this.
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

--------------------------------------------------------------------------

cd /var/www/

sudo vi html/index.html

-------------------------------------------------------------------------------

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <!--
    Modified from the Debian original for Ubuntu
    Last updated: 2014-03-19
    See: https://launchpad.net/bugs/1288690
  -->
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <title>Apache2 Ubuntu Default Page: It works</title>
    <style type="text/css" media="screen">
  * {
    margin: 0px 0px 0px 0px;
    padding: 0px 0px 0px 0px;
  }

  body, html {
    padding: 3px 3px 3px 3px;
    background-color: #D8DBE2;
    font-family: Verdana, sans-serif;
    font-size: 11pt;
    text-align: center;
  }

  div.main_page {
    position: relative;
    display: table;
    width: 800px;
    margin-bottom: 3px;
    margin-left: auto;
    margin-right: auto;
    padding: 0px 0px 0px 0px;
    border-width: 2px;
    border-color: #212738;
    border-style: solid;
    background-color: #FFFFFF;
    text-align: center;
  }

  div.page_header {
    height: 99px;
    width: 100%;
    background-color: #F5F6F7;
  }

  div.page_header span {
    margin: 15px 0px 0px 50px;
    font-size: 180%;
    font-weight: bold;
  }

  div.page_header img {
    margin: 3px 0px 0px 40px;
    border: 0px 0px 0px;
  }

  div.table_of_contents {
    clear: left;
    min-width: 200px;
    margin: 3px 3px 3px 3px;
    background-color: #FFFFFF;
    text-align: left;
  }

  div.table_of_contents_item {
    clear: left;
    width: 100%;
    margin: 4px 0px 0px 0px;
    background-color: #FFFFFF;
    color: #000000;
    text-align: left;
  }

  div.table_of_contents_item a {
    margin: 6px 0px 0px 6px;
  }

  div.content_section {
    margin: 3px 3px 3px 3px;
    background-color: #FFFFFF;
    text-align: left;
  }

  div.content_section_text {
    padding: 4px 8px 4px 8px;
    color: #000000;
    font-size: 100%;
  }

  div.content_section_text pre {
    margin: 8px 0px 8px 0px;
    padding: 8px 8px 8px 8px;
    border-width: 1px;
    border-style: dotted;
    border-color: #000000;
    background-color: #F5F6F7;
    font-style: italic;
  }

  div.content_section_text p {
    margin-bottom: 6px;
  }

  div.content_section_text ul, div.content_section_text li {
    padding: 4px 8px 4px 16px;
  }

  div.section_header {
    padding: 3px 6px 3px 6px;
    background-color: #8E9CB2;
    color: #FFFFFF;
    font-weight: bold;
    font-size: 112%;
    text-align: center;
  }

  div.section_header_red {
    background-color: #CD214F;
  }

  div.section_header_grey {
    background-color: #9F9386;
  }

  .floating_element {
    position: relative;
    float: left;
  }

  div.table_of_contents_item a,
  div.content_section_text a {
    text-decoration: none;
    font-weight: bold;
  }

  div.table_of_contents_item a:link,
  div.table_of_contents_item a:visited,
  div.table_of_contents_item a:active {
    color: #000000;
  }

  div.table_of_contents_item a:hover {
    background-color: #000000;
    color: #FFFFFF;
  }

  div.content_section_text a:link,
  div.content_section_text a:visited,
  div.content_section_text a:active {
    background-color: #DCDFE6;
    color: #000000;
  }

  div.content_section_text a:hover {
    background-color: #000000;
    color: #DCDFE6;
  }

  div.validator {
  }

  .textarea{
    width: 800px;

min-height: 20px;

max-height: 300px;

_height: 120px;

margin-left: auto;

margin-right: auto;

padding: 3px;

outline: 0;

border: 1px solid #a0b3d6;

font-size: 12px;

line-height: 24px;

padding: 2px;

word-wrap: break-word;

overflow-x: hidden;

overflow-y: auto;

border-color: rgba(82, 168, 236, 0.8);

box-shadow: inset 0 1px 3px rgba(0, 0, 0, 0.1), 0 0 8px rgba(82, 168, 236, 0.6);

}

</style>

</head>

<body>

<p>

<div class="textarea" contenteditable="true"><br />

UbuntuServer IP:192.168.195.145 Port:80 Page:index.html

<br /></div>

</p>

<div class="main_page">

<div class="page_header floating_element">

<img src="/icons/ubuntu-logo.png" alt="Ubuntu Logo" class="floating_element"/>

<span class="floating_element">

Apache2 Ubuntu Default Page

</span>

</div>

<!-- <div class="table_of_contents floating_element">

<div class="section_header section_header_grey">

TABLE OF CONTENTS

</div>

<div class="table_of_contents_item floating_element">

<a href="#about">About</a>

</div>

<div class="table_of_contents_item floating_element">

<a href="#changes">Changes</a>

</div>

<div class="table_of_contents_item floating_element">

<a href="#scope">Scope</a>

</div>

<div class="table_of_contents_item floating_element">

<a href="#files">Config files</a>

</div>

</div>

-->

<div class="content_section floating_element">

<div class="section_header section_header_red">

<div id="about"></div>

It works!

</div>

<div class="content_section_text">

<p>

This is the default welcome page used to test the correct

operation of the Apache2 server after installation on Ubuntu systems.

It is based on the equivalent page on Debian, from which the Ubuntu Apache

packaging is derived.

If you can read this page, it means that the Apache HTTP server installed at

this site is working properly. You should <b>replace this file</b> (located at

<tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server.

</p>

<p>

If you are a normal user of this web site and don't know what this page is

about, this probably means that the site is currently unavailable due to

maintenance.

If the problem persists, please contact the site's administrator.

</p>

</div>

<div class="section_header">

<div id="changes"></div>

Configuration Overview

</div>

<div class="content_section_text">

<p>

Ubuntu's Apache2 default configuration is different from the

upstream default configuration, and split into several files optimized for

interaction with Ubuntu tools. The configuration system is

<b>fully documented in

/usr/share/doc/apache2/README.Debian.gz</b>. Refer to this for the full

documentation. Documentation for the web server itself can be

found by accessing the <a href="/manual">manual</a> if the <tt>apache2-doc</tt>

package was installed on this server.

</p>

<p>

The configuration layout for an Apache2 web server installation on Ubuntu systems is as follows:

</p>

<pre>

/etc/apache2/

|-- apache2.conf

| `-- ports.conf

|-- mods-enabled

| |-- *.load

| `-- *.conf

|-- conf-enabled

| `-- *.conf

|-- sites-enabled

| `-- *.conf

</pre>

<ul>

<li>

<tt>apache2.conf</tt> is the main configuration

file. It puts the pieces together by including all remaining configuration

files when starting up the web server.

</li>

<li>

<tt>ports.conf</tt> is always included from the

main configuration file. It is used to determine the listening ports for

incoming connections, and this file can be customized anytime.

</li>

<li>

Configuration files in the <tt>mods-enabled/</tt>,

<tt>conf-enabled/</tt> and <tt>sites-enabled/</tt> directories contain

particular configuration snippets which manage modules, global configuration

fragments, or virtual host configurations, respectively.

</li>

<li>

They are activated by symlinking available

configuration files from their respective

*-available/ counterparts. These should be managed

by using our helpers

<tt>

<a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2enmod">a2enmod</a>,

<a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2dismod">a2dismod</a>,

</tt>

<tt>

<a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2ensite">a2ensite</a>,

<a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2dissite">a2dissite</a>,

</tt>

and

<tt>

<a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2enconf">a2enconf</a>,

<a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2disconf">a2disconf</a>

</tt>. See their respective man pages for detailed information.

</li>

<li>

The binary is called apache2. Due to the use of

environment variables, in the default configuration, apache2 needs to be

started/stopped with <tt>/etc/init.d/apache2</tt> or <tt>apache2ctl</tt>.

<b>Calling <tt>/usr/bin/apache2</tt> directly will not work</b> with the

default configuration.

</li>

</ul>

</div>

<div class="section_header">

<div id="docroot"></div>

Document Roots

</div>

<div class="content_section_text">

<p>

By default, Ubuntu does not allow access through the web browser to

<em>any</em> file apart of those located in <tt>/var/www</tt>,

<a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html">public_html</a>

directories (when enabled) and <tt>/usr/share</tt> (for web

applications). If your site is using a web document root

located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your

document root directory in <tt>/etc/apache2/apache2.conf</tt>.

</p>

<p>

The default Ubuntu document root is <tt>/var/www/html</tt>. You

can make your own virtual hosts under /var/www. This is different

to previous releases which provides better security out of the box.

</p>

</div>

<div class="section_header">

<div id="bugs"></div>

Reporting Problems

</div>

<div class="content_section_text">

<p>

Please use the <tt>ubuntu-bug</tt> tool to report bugs in the

Apache2 package with Ubuntu. However, check <a

href="https://bugs.launchpad.net/ubuntu/+source/apache2">existing

bug reports</a> before reporting a new bug.

</p>

<p>

Please report bugs specific to modules (such as PHP and others)

to respective packages, not to the web server itself.

</p>

</div>

</div>

</div>

<div class="validator">

<p>

<a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0 Transitional" height="31" width="88" /></a>

</p>

<p>

<div class="textarea" contenteditable="true"><br />

Apache2 Ubuntu Default Page

<br /></div>

</p>

</div>

</body>

</html>

-------------------------------------------------------------------------------

sudo a2dismod deflate

sudo a2enmod ssl

sudo a2ensite default-ssl.conf

sudo service apache2 force-reload

sudo service apache2 restart
