I've been meaning to set up an HTTPS connection these past two days, so I'm writing my notes down again.

The environment is FreeBSD 8.2 + Apache 2.2, and the order of work is:

1. Act as my own CA

2. Issue a certificate for the server and have that CA sign it

The preparation steps are as follows:

# cd /etc/ssl
# cp openssl.cnf openssl.cnf.org
# mkdir certs crl newcerts private
# echo "01" > serial
# touch index.txt
# openssl rand 1024 > ./private/.rand
# chmod 600 ./private/.rand

Set these two lines in openssl.cnf:

# vi openssl.cnf
dir = /etc/ssl   # Where everything is kept
default_days = 3650   # how long to certify for

Now issue the root CA; the CA's validity is set to 20 years:

# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7305 -config openssl.cnf
Generating a 1024 bit RSA private key
..................................++++++
...............................................................................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: <enter the CA pass phrase>
Verifying - Enter PEM pass phrase: <enter the CA pass phrase again>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<organization name>
Organizational Unit Name (eg, section) []:<department name>
Common Name (eg, YOUR name) []:<enter the full domain name>
Email Address []:bojack@bojack.com
#

With the CA in place, the next step is to make the server's own certificate:

# openssl req -nodes -new -x509 -keyout mykey.pem -out myreq.pem -days 365 -config openssl.cnf
Generating a 1024 bit RSA private key
...++++++
.............................................................++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<organization name>
Organizational Unit Name (eg, section) []:<department name>
Common Name (eg, YOUR name) []:<enter the full domain name>
Email Address []:bojack@bojack.com
# openssl x509 -x509toreq -in myreq.pem -signkey mykey.pem -out tmp.pem
Getting request Private Key
Generating certificate request
# openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:<enter the CA pass phrase>
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 14 03:16:27 2011 GMT
            Not After : Sep 13 03:16:27 2012 GMT
        Subject:
            countryName               = TW
            stateOrProvinceName       = Taiwan
            localityName              = Taipei
            organizationName          = <company name>
            organizationalUnitName    = <department name>
            commonName                = <full domain name of the machine>
            emailAddress              = bojack@bojack.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
            X509v3 Authority Key Identifier:
                keyid:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22

Certificate is to be certified until Sep 13 03:16:27 2012 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#

The certificate made this way is now signed by the CA (in reality it's just being player and referee at the same time :p)

Finally, move the files into place and rename them:

# cd /etc/ssl
# mv cacert.pem ./certs/ca.crt
# mv mycert.pem ./certs/server.crt
# mv mykey.pem ./private/server.key
# mv ./private/cakey.pem ./private/ca.key
# rm myreq.pem tmp.pem

Set permissions on the generated keys:

# chmod -R 400 private

At this point our certificates are done; next comes the follow-up configuration in Apache.

First edit Apache's configuration file httpd.conf, find this line and remove the leading #:
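As an added worked example (not code from the original post), the whole certificate procedure above as one self-contained POSIX shell script: it writes a minimal openssl.cnf with the same kind of dir / default_days settings, creates the root CA, issues the server certificate with openssl ca, and then runs the checks worth doing before handing the files to Apache. It differs from the post in two deliberate ways: the server key gets a plain CSR instead of the self-signed-then-x509toreq detour, and the issued certificate carries a subjectAltName, which browsers match instead of the CN. The working directory, the pass phrase, the organization name and the hostname www.example.test are all constructed for the demo; nothing under /etc/ssl is touched.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway root CA,
# issue a server certificate from it with `openssl ca`, and check the result.
set -eu

WORK="${WORK:-$(mktemp -d)}"                          # sandbox instead of /etc/ssl
CA_DIR="$WORK/ca"
CA_PASS="${CA_PASS:-constructed-demo-passphrase}"     # constructed for the demo
SERVER_FQDN="${SERVER_FQDN:-www.example.test}"        # assumed hostname

# Minimal stand-in for the edited /etc/ssl/openssl.cnf: "dir" points at the
# sandbox and "default_days" is the lifetime of certificates the CA issues.
write_ca_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $CA_DIR
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
certificate   = \$dir/cacert.pem
default_md    = sha256
default_days  = 365
policy        = policy_anything

[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$SERVER_FQDN
EOF
}

# Same layout the post prepares by hand: serial file, empty index, private dir.
make_ca() {
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    echo 01 > "$CA_DIR/serial"
    : > "$CA_DIR/index.txt"
    # Self-signed root valid 20 years; the key is encrypted with CA_PASS.
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 7305 \
        -config "$WORK/ca.cnf" -extensions v3_ca \
        -subj "/C=TW/O=Example Org/CN=Example Root CA" \
        -passout "pass:$CA_PASS" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem"
}

issue_server_cert() {
    # Plain CSR for an unencrypted server key (Apache must read it at start-up).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
        -subj "/C=TW/O=Example Org/CN=$SERVER_FQDN" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr"
    chmod 400 "$WORK/server.key"
    # -batch answers the "Sign the certificate?" / "commit?" prompts with yes.
    openssl ca -config "$WORK/ca.cnf" -batch -notext \
        -policy policy_anything -extensions v3_server -passin "pass:$CA_PASS" \
        -in "$WORK/server.csr" -out "$WORK/server.crt"
}

# Checks to run before pointing SSLCertificateFile / SSLCertificateKeyFile at the files.
verify_chain() {       # does the CA really vouch for the server certificate?
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$WORK/server.crt" >/dev/null
}
key_matches_cert() {   # classic Apache start-up failure: key and cert from different runs
    [ "$(openssl x509 -noout -modulus -in "$WORK/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$WORK/server.key")" ]
}
cert_has_san() {       # browsers ignore the CN and match the subjectAltName
    openssl x509 -noout -text -in "$WORK/server.crt" | grep -q "DNS:$SERVER_FQDN"
}
next_serial() {        # openssl ca bumps the serial file after each issuance
    cat "$CA_DIR/serial"
}

write_ca_config
make_ca
issue_server_cert
verify_chain     || { echo "chain check FAILED"; exit 1; }
key_matches_cert || { echo "key/cert mismatch";  exit 1; }
cert_has_san     || { echo "SAN missing";        exit 1; }
echo "OK: next serial $(next_serial); artifacts in $WORK"
```

The three files that end up as ca.crt, server.crt and server.key in the post correspond to ca/cacert.pem, server.crt and server.key under the sandbox. Once they are copied into /etc/ssl and Apache has been restarted, the equivalent check from a client is openssl s_client -connect <host>:443 -CAfile /etc/ssl/certs/ca.crt, which should report Verify return code: 0 (ok).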

Include etc/apache22/extra/httpd-ssl.conf

Next edit httpd-ssl.conf:

#   General setup for the virtual host
DocumentRoot "/usr/local/www/apache22/data"
ServerName <hostname>:443
ServerAdmin <site administrator e-mail>
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"

SSLCertificateFile "/etc/ssl/certs/server.crt"
SSLCertificateKeyFile "/etc/ssl/private/server.key"
SSLCertificateChainFile "/etc/ssl/certs/ca.crt"

And make sure /etc/rc.conf is changed to this:

apache22_enable="YES"
apache22_http_accept_enable="YES"
apache22_flags="-DSSL"

Finally restart Apache and connect to https://<your host>/ ; it should work!

I also found this article, "FreeBSD 產生 apache2 ssl 認證" (generating an apache2 SSL certificate on FreeBSD); following it works too.


Posted by Bojack on PIXNET (痞客邦)