我们的项目都是基于https协议访问的，由于费用问题，在开发、测试环境中使了一个过期证书。所以每天得面对浏览器提示证书过期问题，若只是页面访问，多确认一下就完了，但遇到系统间的页面跳转、互相调用，就玩不转了。没折，干脆自已做证书。

通过Openssl建立根证书和服务器证书，并用根证书对服务器证书进行签名。

1、使用Openssl的CA脚本来建立根证书（/usr/share/ssl/misc/CA）
运行CA -newca，Openssl会找CA自己的私有密钥密码文件。如果没有这个文件？按回车会自动创建，输入密码来保护这个密码文件。之后会提示你输入公司信息来做CA.crt文件。最后，在当前目录下多了一个demoCA目录，demoCA/private/cakey.pem就是CA的key文件了，而demoCA/cacert.pem就是CA的crt文件了。具体如下：

[root@xplan-dev8 ca]# ./CA -newca

CA certificate filename (or enter to create)

Making CA certificate

Generating a 1024 bit RSA private key

.++++++

++++++

writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Zhejiang

Locality Name (eg, city) [Newbury]:Hangzhou

Organization Name (eg, company) [My Company Ltd]:Mysoft.com corpration

Organizational Unit Name (eg, section) []:Mysoft.com

Common Name (eg, your name or your server's hostname) []:Mysoft.com

Email Address []:

2、生成服务器证书
生成服务器私钥Key文件，openssl genrsa -des3 -out server.key 1024，并输入保护密码：

[root@xplan-dev8 ca]# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus

..++++++

e is 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

生成服务器证书(注：输入Common Name一项时，若需对泛域名支持证书时，需用*.mysoft.com)：

[root@xplan-dev8 ca]# openssl req -new -key server.key -out server.csr -days 365

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:Zhejiang

Locality Name (eg, city) [Newbury]:Hangzhou

Organization Name (eg, company) [My Company Ltd]:Mysoft.com

Organizational Unit Name (eg, section) []:Mysoft.com

Common Name (eg, your name or your server's hostname) []:*.mysoft.com

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

3、用根证书对服务器证书进行签名
把server.crt文件重命名成newreq.pem，然后用CA脚本进行签名，期间会提示要求输入cakey.pem的保护密码。

[root@xplan-dev8 ca]# mv server.csr newreq.pem

[root@xplan-dev8 ca]# ./CA -sign
Using configuration from /usr/share/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 8 12:27:14 2008 GMT
            Not After : Dec 8 12:27:14 2009 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Zhejiang
            localityName              = Hangzhou
            organizationName          = Mysoft.com
            organizationalUnitName    = Mysoft.com
            commonName                = *.mysoft.com
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            0F:0C:46:82:EB:68:61:CE:6F:06:10:78:BC:7B:2F:10:F8:96:7E:09
            X509v3 Authority Key Identifier:
            keyid:E0:01:2C:50:62:87:8D:10:7A:17:6D:AB:2C:43:0A:79:EB:5F:26:0C
            DirName:/C=CN/ST=Zhejiang/L=Hangzhou/O=Mysoft.com corpration/OU=Mysoft.com/CN=Mysoft.com
            serial:00

Certificate is to be certified until Dec 8 12:27:14 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CN, ST=Zhejiang, L=Hangzhou, O=Mysoft.com corpration, OU=Mysoft.com, CN=Mysoft.com
        Validity
            Not Before: Dec 8 12:27:14 2008 GMT
            Not After : Dec 8 12:27:14 2009 GMT
        Subject: C=CN, ST=Zhejiang, L=Hangzhou, O=Mysoft.com, OU=Mysoft.com, CN=*.mysoft.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:f0:46:a7:a3:9d:8d:ce:09:da:f1:02:a0:fd:1f:
                    5c:df:a5:08:66:ea:13:0d:17:ac:49:92:9f:65:21:
                    cf:ec:f8:79:73:a1:73:0a:3e:d6:d0:c3:a4:d4:36:
                    22:b8:4c:82:51:fe:5d:e1:13:22:99:5f:4c:ef:c6:
                    65:3a:5d:de:1f:83:f2:17:a5:2b:f3:03:94:9a:31:
                    bc:09:c8:1c:9e:4d:ad:3b:90:2d:dc:65:0c:e3:04:
                    9b:8a:d5:c2:93:b7:51:8e:fe:92:1d:ee:55:6e:a0:
                    77:25:e1:a1:24:7f:55:7a:b4:4d:f4:84:83:13:56:
                    8d:62:be:2d:db:f8:1a:de:35
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Comment:
            OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
            0F:0C:46:82:EB:68:61:CE:6F:06:10:78:BC:7B:2F:10:F8:96:7E:09
            X509v3 Authority Key Identifier:
            keyid:E0:01:2C:50:62:87:8D:10:7A:17:6D:AB:2C:43:0A:79:EB:5F:26:0C
            DirName:/C=CN/ST=Zhejiang/L=Hangzhou/O=Mysoft.com corpration/OU=Mysoft.com/CN=Mysoft.com
            serial:00

    Signature Algorithm: md5WithRSAEncryption
        0b:dc:15:f3:87:5c:e0:07:23:0e:78:47:af:56:fb:43:31:4b:
        0d:12:76:57:95:cd:d7:2a:75:00:01:21:96:9d:d4:bf:9d:e9:
        b6:26:cc:70:98:95:fd:ca:af:ad:68:fb:10:79:09:05:32:20:
        02:7a:84:53:2f:e0:d5:cd:ed:4d:42:e7:d5:9d:90:78:9a:2e:
        d8:72:cb:7f:f7:29:30:24:25:f2:0f:2d:b4:9d:a2:b3:24:00:
        b4:f7:e9:de:5c:1a:50:d3:59:a4:9c:1d:03:15:04:17:6d:c2:
        ab:95:a8:1f:28:e5:ad:3c:a9:a8:c8:30:3a:09:3f:75:5d:70:
        2e:af
-----BEGIN CERTIFICATE-----
MIIDfDCCAuWgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBgDELMAkGA1UEBhMCQ04x
ETAPBgNVBAgTCFpoZWppYW5nMREwDwYDVQQHEwhIYW5nemhvdTEfMB0GA1UEChMW
QWxpc29mdC5jb20gY29ycHJhdGlvbjEUMBIGA1UECxMLQWxpc29mdC5jb20xFDAS
BgNVBAMTC0FsaXNvZnQuY29tMB4XDTA4MTIwODEyMjcxNFoXDTA5MTIwODEyMjcx
NFowdzELMAkGA1UEBhMCQ04xETAPBgNVBAgTCFpoZWppYW5nMREwDwYDVQQHEwhI
YW5nemhvdTEUMBIGA1UEChMLQWxpc29mdC5jb20xFDASBgNVBAsTC0FsaXNvZnQu
Y29tMRYwFAYDVQQDFA0qLmFsaXNvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDwRqejnY3OCdrxAqD9H1zfpQhm6hMNF6xJkp9lIc/s+HlzoXMKPtbQ
w6TUNiK4TIJR/l3hEyKZX0zvxmU6Xd4fg/IXpSvzA5SaMbwJyByeTa07kC3cZQzj
BJuK1cKTt1GO/pId7lVuoHcl4aEkf1V6tE30hIMTVo1ivi3b+BreNQIDAQABo4IB
DDCCAQgwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0
ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFA8MRoLraGHObwYQeLx7LxD4ln4JMIGt
BgNVHSMEgaUwgaKAFOABLFBih40QehdtqyxDCnnrXyYMoYGGpIGDMIGAMQswCQYD
VQQGEwJDTjERMA8GA1UECBMIWmhlamlhbmcxETAPBgNVBAcTCEhhbmd6aG91MR8w
HQYDVQQKExZBbGlzb2Z0LmNvbSBjb3JwcmF0aW9uMRQwEgYDVQQLEwtBbGlzb2Z0
LmNvbTEUMBIGA1UEAxMLQWxpc29mdC5jb22CAQAwDQYJKoZIhvcNAQEEBQADgYEA
C9wV84dc4AcjDnhHr1b7QzFLDRJ2V5XN1yp1AAEhlp3Uv53ptibMcJiV/cqvrWj7
EHkJBTIgAnqEUy/g1c3tTULn1Z2QeJou2HLLf/cpMCQl8g8ttJ2isyQAtPfp3lwa
UNNZpJwdAxUEF23Cq5WoHyjlrTypqMgwOgk/dV1wLq8=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

这样就生成了server的证书newcert.pem，把newcert.pem 重命名为server.crt。

4、配置apache

NameVirtualHost *:443

ServerAdmin sa@mysoft.com

ServerName xplan.mysoft.com

DocumentRoot /home/admin/project/htdocs

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+SSLv3:+EXP:+eNULL

SSLCertificateFile /home/admin/modules/crt/server.crt

SSLCertificateKeyFile /home/admin/modules/crt/server.key

SSLProxyEngine on

RewriteEngine on

RewriteRule ^/$ /xplan/user/login!login.jspa [L,P]

</VirtualHost>

重启apache时，会提示要求输入服务端证书的密码。如下：

[root@localhost]# bin/apachectl restart

httpd not running, trying to start

Apache/2.2.0 mod_ssl/2.2.0 (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide the pass phrases.

Server xplan.mysoft.com:443 (RSA)

Enter pass phrase:

OK: Pass Phrase Dialog successful.

5、客户端(IE)导入根证书(ca.cert)
在"选项"->"内容"->"证书"->"受信任根证书颁发机构"中点击"导入"，选中"ca.crt"，完成导入。或者，直接在点ca.crt文件右键，选择安装即可。

6、重启apache，要求输入密码的问题解决

1)、去掉bin/apachectl start启动的pass phrase，用空pass phrase启动apache
(while preserving the original file):
[root@xplan-dev8 ca]$ cp server.key server.key.org
[root@xplan-dev8 ca]$ openssl rsa -in server.key.org -out server.key

确认server.key 文件为root可读
[root@xplan-dev8 ca]$ chmod 400 server.key

2、编辑
[root@xplan-dev8 ca]$ vi conf/extra/httpd-ssl.conf
注释SSLPassPhraseDialog builtin
在后添加：SSLPassPhraseDialog exec:/usr/local/apache2/conf/apache_pass.sh

[root@xplan-dev8 ca]$ vi conf/apache_pass.sh
#!/bin/sh
echo "密码"
[root@xplan-dev8 ca]$ chmod +x /usr/local/apache2/conf/apache_pass.sh

posted on 2008-12-08 21:19 josson 阅读(2607) 评论(1) 编辑收藏所属分类: 大杂烩

FeedBack:

# re: 利用Openssl 建立自己的证书。[未登录]

2009-05-19 11:49 | zhang

谢谢
回复更多评论

新用户注册刷新评论列表


只有注册用户登录后才能发表评论。




网站导航: 博客园 IT新闻知识库 C++博客博问管理
相关文章: firefox中证书的使用我的2010 团队管理若干. 诚信开发人员谈系统可用性和用户体验 maven2常用命令批处理解决多测试环境切换问题利用Openssl 建立自己的证书。网络驱动器无法显示SVN图标问题 Window环境下Apache(With SSL) 与 JBoss的集成

2008年12月

日

一

二

三

四

五

六

常用链接

留言簿(3)

随笔分类

随笔档案

收藏夹

搜索

最新评论

阅读排行榜

评论排行榜