I spent the last couple of days setting up an HTTPS connection, so I'm writing the notes down again.
The environment is FreeBSD 8.2 + Apache 2.2, and the order of work is
1. Act as my own CA
2. Issue a server certificate myself, and have that CA sign it
The preparatory work is as follows
# cd /etc/ssl
# cp openssl.cnf openssl.cnf.org
# mkdir certs crl newcerts private
# echo "01" > serial
# touch index.txt
# openssl rand 1024 > ./private/.rand
# chmod 600 ./private/.rand
Edit these two settings in openssl.cnf
# vi openssl.cnf
dir = /etc/ssl # Where everything is kept
default_days = 3650 # how long to certify for
Now issue the root CA certificate; the CA's validity is set to 20 years
# openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 7305 -config openssl.cnf
Generating a 1024 bit RSA private key
..................................++++++
...............................................................................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase: <enter the CA passphrase>
Verifying - Enter PEM pass phrase: <enter the CA passphrase again>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<organization name>
Organizational Unit Name (eg, section) []:<department name>
Common Name (eg, YOUR name) []:<enter the full domain name>
Email Address []:bojack@bojack.com
#
With the CA done, the next step is to make the server's own certificate
# openssl req -nodes -new -x509 -keyout mykey.pem -out myreq.pem -days 365 -config openssl.cnf
Generating a 1024 bit RSA private key
...++++++
.............................................................++++++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<organization name>
Organizational Unit Name (eg, section) []:<department name>
Common Name (eg, YOUR name) []:<enter the full domain name>
Email Address []:bojack@bojack.com
# openssl x509 -x509toreq -in myreq.pem -signkey mykey.pem -out tmp.pem
Getting request Private Key
Generating certificate request
# openssl ca -config openssl.cnf -policy policy_anything -out mycert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for /etc/ssl/private/cakey.pem:<enter the CA passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 14 03:16:27 2011 GMT
Not After : Sep 13 03:16:27 2012 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
localityName = Taipei
organizationName = <company name>
organizationalUnitName = <department name>
commonName = <the machine's full domain name>
emailAddress = bojack@bojack.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
X509v3 Authority Key Identifier:
keyid:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
Certificate is to be certified until Sep 13 03:16:27 2012 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#
The certificate made this way is now signed by the CA (in reality we are just playing both player and referee :p)
Finally, let's move the files to their new home and rename them
# cd /etc/ssl
# mv cacert.pem ./certs/ca.crt
# mv mycert.pem ./certs/server.crt
# mv mykey.pem ./private/server.key
# mv ./private/cakey.pem ./private/ca.key
# rm myreq.pem tmp.pem
Set the permissions on the keys we generated
# chmod -R 400 private
At this point our certificates are done; next comes the Apache configuration
First edit Apache's configuration file httpd.conf, find this line and remove the leading #
Include etc/apache22/extra/httpd-ssl.conf
Next edit httpd-ssl.conf
# General setup for the virtual host
DocumentRoot "/usr/local/www/apache22/data"
ServerName <hostname>:443
ServerAdmin <webmaster e-mail>
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"
SSLCertificateFile "/etc/ssl/certs/server.crt"
SSLCertificateKeyFile "/etc/ssl/private/server.key"
SSLCertificateChainFile "/etc/ssl/certs/ca.crt"
And make sure /etc/rc.conf is changed to this
apache22_enable="YES"
apache22_http_accept_enable="YES"
apache22_flags="-DSSL"
Finally restart Apache, then browse to https://your.host/ and it should be OK!
I also found this article, FreeBSD 產生 apache2 ssl 認證 (generating an Apache2 SSL certificate on FreeBSD); following it works too
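As an added example (not code from the original post), here is the same CA-then-server-certificate flow done non-interactively with -subj, followed by the three checks worth running before the files go into httpd-ssl.conf: the server cert chains to the CA, the private key matches the cert, and the server cert is not itself a CA. It assumes an openssl binary (1.x or 3.x) on PATH and writes everything under the directory passed as its argument, not /etc/ssl; the names Example Org, Example Root CA and www.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a CA and a CA-signed server
# certificate under $1 without prompts, then verifies them. Returns 0 only if
# every step and check succeeds. Assumes 'openssl' (1.x or 3.x) on PATH.
make_and_check_certs() {
    d="$1"
    mkdir -p "$d/certs" "$d/private" || return 1
    # Root CA: self-signed, 20 years as in the post. The post keeps the CA key
    # passphrase-protected, which is preferable; -nodes is only for an unattended run.
    openssl req -new -x509 -newkey rsa:2048 -nodes \
        -keyout "$d/private/ca.key" -out "$d/certs/ca.crt" -days 7305 \
        -subj "/C=TW/ST=Taiwan/L=Taipei/O=Example Org/CN=Example Root CA" \
        2>/dev/null || return 1
    # Server key plus a real CSR (instead of the self-signed-then-x509toreq detour).
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$d/private/server.key" -out "$d/server.csr" \
        -subj "/C=TW/ST=Taiwan/L=Taipei/O=Example Org/CN=www.example.test" \
        2>/dev/null || return 1
    # Extensions for the server cert: an end-entity cert (CA:FALSE, as shown in
    # the post's 'Certificate Details') plus the SAN that modern browsers require.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$d/server.ext"
    # Sign the CSR with the CA for one year (-CAcreateserial writes certs/ca.srl).
    openssl x509 -req -in "$d/server.csr" -CA "$d/certs/ca.crt" \
        -CAkey "$d/private/ca.key" -CAcreateserial -days 365 \
        -extfile "$d/server.ext" -out "$d/certs/server.crt" 2>/dev/null || return 1
    chmod 400 "$d/private/ca.key" "$d/private/server.key"
    # Check 1: the server cert really chains to our CA.
    openssl verify -CAfile "$d/certs/ca.crt" "$d/certs/server.crt" >/dev/null 2>&1 \
        || return 1
    # Check 2: the private key Apache will load matches the certificate
    # (compare the public keys instead of eyeballing the modulus).
    cert_pub=$(openssl x509 -in "$d/certs/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$d/private/server.key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    # Check 3: the server cert is not itself a CA.
    openssl x509 -in "$d/certs/server.crt" -noout -text | grep -q 'CA:FALSE' || return 1
    rm -f "$d/server.csr" "$d/server.ext"
    return 0
}

# Stand-alone usage: build everything in a scratch directory and report.
if [ "${1:-}" = "--run" ]; then
    tmp=$(mktemp -d) && make_and_check_certs "$tmp" && echo "ok: $tmp"
fi
```

Run it as `sh make_certs.sh --run`; the resulting certs/ and private/ files map one-to-one onto the SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile lines above.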