SSL certificate authentication in Apache
Date: 2006-04-24 Source: coldrainsunc
Author: supersun
First, download httpd-2.2.0 from: http://mirror.vmmatrix.net/apache/httpd/httpd-2.2.0.tar.gz
and its PGP signature:
http://www.apache.org/dist/httpd/httpd-2.2.0.tar.gz.asc
Verify the integrity of the package:
First download the KEYS file:
http://www.apache.org/dist/httpd/KEYS
Import the keys:
gpg --import KEYS
Verify the signature (the tarball must sit in the same directory as the .asc file):
gpg --verify httpd-2.2.0.tar.gz.asc
[root@supersun openca]# gpg --verify httpd-2.2.0.tar.gz.asc
gpg: Signature made 2005年11月29日 星期二 16时22分08秒 CST using DSA key ID 42721F00
gpg: Good signature from "Paul Querna <[email protected]>"
gpg: aka "Paul Querna <[email protected]>"
gpg: aka "Paul Querna <[email protected]>"
gpg: aka "Paul Querna <[email protected]>"
gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 39F6 691A 0ECF 0C50 E8BB 849C F788 75F6 4272 1F00
If the signature does not match, the output looks like this instead:
[root@supersun openca]# gpg --verify httpd-2.2.0.tar.gz.asc
gpg: Signature made 2005年10月14日 星期五 07时45分35秒 CST using DSA key ID 08C975E5
gpg: BAD signature from "Jim Jagielski <[email protected]>"
Next, build httpd 2.2 with SSL as a dynamic (shared) module; the install prefix is:
/home/http
mkdir /home/build
cp httpd-2.2.0.tar.gz /home/build
cd /home/build
tar zxvf httpd-2.2.0.tar.gz
cd httpd-2.2.0
./configure --prefix=/home/http --enable-so --enable-ssl=shared
make
make install
The next step is to edit Apache's configuration file, /home/http/conf/httpd.conf,
and add the SSL section:
Listen 0.0.0.0:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /home/http/conf/ssl.crt/server.crt
SSLCertificateKeyFile /home/http/conf/ssl.key/server.key
SSLCACertificateFile conf/ca.crt/ca.crt
SSLVerifyClient require
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Configure the rest yourself!
A few directives here deserve attention:
SSLCertificateFile: where the server certificate is stored;
SSLCertificateKeyFile: the server's private key file;
SSLCACertificateFile: the certificate of the certification authority (CA);
SSLVerifyClient require: the client must present a certificate when it connects.
OK, let's test it:
/home/http/bin/apachectl -k start
Open a browser and enter the address:
https://127.0.0.1
You can now see the certificate sent by the server. Because the local browser has no client certificate installed, the connection cannot be established.
Now we create a certificate, have it signed by the CA, and import it into the browser (this CA is the same one that signed the server certificate); the connection can then be established. During the handshake a prompt asks whether to accept the certificate sent by the server, because the browser does not yet have the CA's certificate. Once we import the CA certificate into the browser as well, that prompt no longer appears!
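The certificate issuance the last paragraph describes, written out as an added example (these are not the article's own commands): a shell script that creates a test CA, signs the server certificate and one client certificate with that single CA, bundles the client pair as PKCS#12 for browser import, and checks that each leaf chains back to the CA, which is the check SSLVerifyClient require enforces. Output file names and subject names are assumptions, and the script needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not from the original article: build a throwaway CA, sign the
# server certificate and one client certificate with that same CA, and verify
# the chain the way mod_ssl does under SSLVerifyClient require. File and subject
# names are assumptions; copy the results into the paths that SSLCertificateFile,
# SSLCertificateKeyFile and SSLCACertificateFile point at.

make_pki() {
    dir="$1"
    mkdir -p "$dir"
    (
        set -e
        cd "$dir"
        # 1. CA key plus self-signed CA certificate (becomes SSLCACertificateFile)
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt 2>/dev/null
        # 2. Server key and CSR, signed by the CA (SSLCertificateKeyFile / SSLCertificateFile)
        openssl req -newkey rsa:2048 -nodes -subj "/CN=127.0.0.1" \
            -keyout server.key -out server.csr 2>/dev/null
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -out server.crt 2>/dev/null
        # 3. Client key and CSR, signed by the SAME CA, then bundled as PKCS#12
        #    so the browser imports key, certificate and CA certificate together
        openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
            -keyout client.key -out client.csr 2>/dev/null
        openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -out client.crt 2>/dev/null
        openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt \
            -passout pass:changeit -out client.p12 2>/dev/null
    )
}

# Exit status 0 only if CERT was issued by the CA in CA_FILE. This is the check
# mod_ssl applies to a presented client certificate before letting the request
# through; a certificate from any other issuer must fail it.
chains_to_ca() {
    ca_file="$1"; cert="$2"
    openssl verify -CAfile "$ca_file" "$cert" >/dev/null 2>&1
}

# Stand-alone usage: sh this-script.sh /path/to/outdir
if [ $# -ge 1 ]; then
    make_pki "$1"
    chains_to_ca "$1/ca.crt" "$1/server.crt" && chains_to_ca "$1/ca.crt" "$1/client.crt" \
        && echo "server.crt and client.crt chain to $1/ca.crt; import $1/client.p12 into the browser"
fi
```

The PKCS#12 password (changeit) is only a constructed sample; the browser asks for it once at import time.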