I. Background
1. What is a CA
A Certificate Authority (CA) is an authoritative, trusted and impartial third party that issues and manages the digital certificates needed by every entity taking part in online transactions. As that authority it manages keys, issues certificates that attest to a key's validity, and binds a public key to a specific entity (a consumer, a merchant, a bank). On this basis a highly secure encryption and authentication system can be built: information is known to no one except the sender and the receiver (confidentiality); it is not tampered with in transit (integrity); the sender can be sure the receiver is not an impostor (authenticity, non-impersonation); and the sender cannot deny having sent it (non-repudiation).
2. Basic use of OpenSSL
OpenSSL: the open-source implementation of SSL/TLS
libcrypto: general-purpose cryptographic library providing the various encryption and hash functions
libssl: the TLS/SSL protocol implementation; a session-based library that provides authentication, data confidentiality and session integrity
openssl: multi-purpose command-line tool; it can also run a private certificate authority, i.e. verify identities within a company
openssl sub-commands and options used below:
genrsa: generate an RSA key pair (private key, from which the public key is derived)
req: create and process certificate signing requests
-new: generate a new request
-x509: output a self-signed X.509 certificate instead of a request (X.509 is the certificate standard used on the Internet)
-in: path of the input certificate or request (used when signing certificates and certificate requests)
-out: path where the certificate is written
-days: validity period of the certificate in days
II. Configuration
(1) Web server: generate the private key and certificate request
[root@tx1 ~]# cd /var/www/html/
[root@tx1 html]# echo "hello client" > index.html
[root@tx1 html]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]
[root@tx1 ~]# openssl genrsa 1024 > newhttps.key   // the web server generates its own private key
Generating RSA private key, 1024 bit long modulus
.++++++
............++++++
e is 65537 (0x10001)
[root@tx1 ~]# openssl req -new -key newhttps.key -days 365 -out newhttps.csr
// generate a certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:jilin
Locality Name (eg, city) [Newbury]:tonghua
Organization Name (eg, company) [My Company Ltd]:tongshi
Organizational Unit Name (eg, section) []:student
Common Name (eg, your name or your server's hostname) []:tx1.test.com
Email Address []:tx1@.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(2) CA configuration (done here by working through the errors one at a time)
@1.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt   // sign the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
4048:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
4048:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
// The error says the CA private key cannot be found, and the path is a relative one
// First change it to an absolute path
[root@tx1 ~]# vim /etc/pki/tls/openssl.cnf
45 dir = /etc/pki/CA
@2.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
4061:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/private/cakey.pem','r')
4061:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
// The error says the CA private key file /etc/pki/CA/private/cakey.pem
// does not exist
// Fix: generate that private key
[root@tx1 ~]# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem   // generate the CA's private key
Generating RSA private key, 1024 bit long modulus
......................................++++++
......++++++
e is 65537 (0x10001)
@3.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA certificate /etc/pki/CA/cacert.pem
4069:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/cacert.pem','r')
4069:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load certificate
// The error says the CA certificate /etc/pki/CA/cacert.pem cannot be found
// Fix: generate a self-signed CA certificate
[root@tx1 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -x509 -days 365 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:jilin
Locality Name (eg, city) [Newbury]:tonghua
Organization Name (eg, company) [My Company Ltd]:tongshi
Organizational Unit Name (eg, section) []:student
Common Name (eg, your name or your server's hostname) []:tx1.test.com
Email Address []:tx1@.com
@4.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
I am unable to access the /etc/pki/CA/newcerts directory
/etc/pki/CA/newcerts: No such file or directory
// The error says the directory /etc/pki/CA/newcerts does not exist
// Fix: create the directory
[root@tx1 ~]# mkdir /etc/pki/CA/newcerts
@5.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
4097:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/index.txt','r')
4097:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
// /etc/pki/CA/index.txt does not exist
// Fix: create the file
[root@tx1 ~]# touch /etc/pki/CA/index.txt
@6.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
4103:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/serial','r')
4103:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
// The serial number file was not found
// Fix: write an initial serial number to /etc/pki/CA/serial
[root@tx1 ~]# echo 00 > /etc/pki/CA/serial
@7.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jul 27 02:38:37 2013 GMT
Not After : Jul 27 02:38:37 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = jilin
organizationName = tongshi
organizationalUnitName = student
commonName = tx1.test.com
emailAddress = tx1@.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
63:CF:FA:50:A6:69:F9:3E:84:A5:7F:B8:D5:1E:C2:60:F2:B9:06:F9
X509v3 Authority Key Identifier:
keyid:DB:FE:54:C0:B5:FE:F8:08:7A:00:48:E5:DE:22:29:6E:AD:24:47:43
Certificate is to be certified until Jul 27 02:38:37 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@tx1 ~]# scp newhttps.crt 192.168.8.71:/root
root@192.168.8.71's password:
newhttps.crt 100% 3201 3.1KB/s 00:00
(3) Web server: install the certificate and enable HTTPS
[root@tx1 ~]# yum install mod_ssl -y
[root@tx1 ~]# vim /etc/httpd/conf.d/ssl.conf
112 SSLCertificateFile /etc/pki/tls/certs/newhttps.crt
119 SSLCertificateKeyFile /etc/pki/tls/private/newhttps.key
[root@tx1 ~]# cp newhttps.key /etc/pki/tls/private/newhttps.key
[root@tx1 ~]# cp newhttps.crt /etc/pki/tls/certs/newhttps.crt
[root@tx1 ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
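The whole of section II, scripted so it runs in one pass without the trial-and-error, as an added example that is not part of the original article. It creates up front every file and directory that `openssl ca` complained about above (private/, newcerts/, index.txt, serial), uses its own config file with an absolute `dir` instead of editing /etc/pki/tls/openssl.cnf, and answers the DN prompts with `-subj`. It assumes `openssl` is on PATH; the CA directory (a temporary directory by default), the CA name "Example Private CA" and the FQDN tx1.test.com are placeholders. It deliberately departs from the article in three places: 2048-bit keys instead of 1024-bit, which is below today's minimum; a random serial number instead of 00; and a subjectAltName on the server certificate, since browsers no longer accept a hostname from the commonName alone.

```shell
#!/bin/sh
# Added example: build a private CA and sign a web server certificate with it,
# non-interactively. Assumes "openssl" is on PATH. CA_DIR and SERVER_FQDN are
# placeholders, not the article's /etc/pki/CA layout.
set -eu

# setup_private_ca CA_DIR SERVER_FQDN
# Produces CA_DIR/cacert.pem, CA_DIR/newhttps.key, CA_DIR/newhttps.csr and
# CA_DIR/newhttps.crt, then verifies the issued certificate against the CA.
setup_private_ca() {
    ca_dir=$1
    fqdn=$2
    cfg="$ca_dir/openssl.cnf"

    # 1. Directory layout and bookkeeping files that openssl ca requires
    #    (each of these was a separate error in the walkthrough).
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
    chmod 700 "$ca_dir/private"               # the CA key is never world-readable
    : > "$ca_dir/index.txt"                    # empty certificate database
    openssl rand -hex 16 > "$ca_dir/serial"    # random first serial, not 00

    # 2. Self-contained config: absolute "dir" (the first error was the relative
    #    ../../CA path) plus the extension sections for CA and server certs.
    #    \$dir is left unexpanded for OpenSSL; $ca_dir and $fqdn are filled in now.
    cat > "$cfg" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $ca_dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_cert
copy_extensions = none

[ policy_any ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:$fqdn
EOF

    # 3. CA private key and self-signed CA certificate (steps @2 and @3 above).
    openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$cfg" -key "$ca_dir/private/cakey.pem" \
        -days 3650 -subj "/C=CN/O=tongshi/CN=Example Private CA" \
        -out "$ca_dir/cacert.pem"

    # 4. Web server key and CSR (section (1) above), DN given on the command line.
    openssl genrsa -out "$ca_dir/newhttps.key" 2048 2>/dev/null
    openssl req -new -config "$cfg" -key "$ca_dir/newhttps.key" \
        -subj "/C=CN/ST=jilin/L=tonghua/O=tongshi/OU=student/CN=$fqdn" \
        -out "$ca_dir/newhttps.csr"

    # 5. Sign the CSR with the CA; -batch answers the two y/n prompts from step @7.
    openssl ca -config "$cfg" -batch -in "$ca_dir/newhttps.csr" \
        -out "$ca_dir/newhttps.crt"

    # 6. Check the chain the way a client would, and show what was issued.
    openssl verify -CAfile "$ca_dir/cacert.pem" "$ca_dir/newhttps.crt"
    openssl x509 -in "$ca_dir/newhttps.crt" -noout -subject -issuer -dates
}

# Usage: sh ca_demo.sh /tmp/myca tx1.test.com
setup_private_ca "${1:-$(mktemp -d)}" "${2:-tx1.test.com}"
```

The resulting newhttps.crt and newhttps.key are what step (3) copies into SSLCertificateFile and SSLCertificateKeyFile; cacert.pem is the file a client imports as a trusted root, and it is the only file that leaves the CA directory, since the CA private key stays in private/ under mode 700.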
III. Client-side verification
1. Access