Apache服務器SSL雙向認證配置

以Win32版Apache與OpenSSL爲例，介紹從建立數字證書到Apache配置的整個過程，但願對讀者有所幫助。

Apache是目前最流行的WEB服務器之一，藉助OpenSSL庫，咱們能夠在Apache上創建SSL通道，提供SSL鏈接服務。OpenSSL庫除提供Apache的SSL模塊外，還提供了一套數字證書工具，能夠建立、轉換數字證書。

1       環境準備

軟件下載

l       Apache：apache_2.2.4-win32-x86-openssl-0.9.8d.msi

l       openSSL：Win32 OpenSSL v0.9.8e

apache_2.2.4-win32-x86-openssl-0.9.8d.msi是一個捆綁的軟件包，包含了apache與openssl必選組件，apache的版本是2.2.4，OpenSSL版本是0.9.8d。如沒必要使用最新的openssl，則僅下載此軟件包便可。

軟件安裝

（1）   運行Win32OpenSSL-0_9_8e.exe安裝OpenSSL；

（2）   運行apache_2.2.4-win32-x86-openssl-0.9.8d.msi安裝apache。

若是想使用最新版的OpenSSL，則應刪除apache安裝目錄下的libeay32.dll與ssleay32.dll兩個文件，迫使Apache使用OpenSSL安裝在c:"windows"system32下的兩個最新文件。

軟件配置

1.3.1            Apache配置

編輯apache的conf目錄下的httpd.conf文件，將＃LoadModule ssl_module modules/mod_ssl.so前的＃刪除，使得Apache啓動時加載mod_ssl.so模塊。從新啓動apache，若是看到下列畫面，說明mod_ssl.so已經加載成功。

1.3.2            OpenSSL配置

（1）建立證書管理目錄與文件；

l       建立C:"CA做爲證書管理主目錄；

l       C:"CA下建立certs與keys兩個目錄，存儲證書與私鑰；

l       C:"CA下建立crl目錄，存儲證書註銷列表文件；

l       C:"CA下建立一個空文件index.txt，存儲證書清單；

l       C:"CA下建立一個index.txt.attr文件，內容爲unique_subject = no；

l       C:"CA下建立證書序列號文件serial，內容爲01；

l       C:"CA下建立證書註銷列表序號文件crlnumber，內容爲01。

（2）編輯OpenSSL的bin/openssl.cnf文件，修改下列內容：

# # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # # This definition stops the following lines choking if HOME isn't # defined. HOME          = . RANDFILE      = $ENV::HOME/.rnd # Extra OBJECT IDENTIFIER info: #oid_file     = $ENV::HOME/.oid oid_section        = new_oids # To use this configuration file with the "-extfile" option of the # "openssl x509" utility, name here the section containing the # X.509v3 extensions to use: # extensions       = # (Alternatively, use a configuration file that has only # X.509v3 extensions in its main [= default] section.) [ new_oids ] # We can add new OIDs in here for use by 'ca' and 'req'. # Add a simple OID like this: # testoid1=1.2.3.4 # Or use config file substitution like this: # testoid2=${testoid1}.5.6 #################################################################### [ ca ] default_ca    = CA_default       # The default ca section #################################################################### [ CA_default ] dir      = C:/CA       # Where everything is kept certs         = $dir/certs       # Where the issued certs are kept crl_dir       = $dir/crl         # Where the issued crl are kept database= $dir/index.txt   # database index file. #unique_subject    = no          # Set to 'no' to allow creation of                        # several ctificates with same subject. new_certs_dir= $dir/certs       # default place for new certs. certificate   = $dir/certs/CA.YOUR.COM.crt     # The CA certificate serial        = $dir/serial          # The current serial number crlnumber= $dir/crlnumber   # the current crl number                        # must be commented out to leave a V1 CRL crl      = $dir/crl.pem         # The current CRL private_key   = $dir/keys/CA.YOUR.COM.key    # The private key RANDFILE= $dir/keys/.rand       # private random number file x509_extensions    = usr_cert         # The extentions to add to the cert # Comment out the following two lines for the "traditional" # (and highly broken) format. name_opt = ca_default       # Subject Name options cert_opt = ca_default       # Certificate field options # Extension copying option: use with caution. # copy_extensions = copy # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs # so this is commented out by default to leave a V1 CRL. # crlnumber must also be commented out to leave a V1 CRL. # crl_extensions   = crl_ext default_days = 365              # how long to certify for default_crl_days= 30             # how long before next CRL default_md    = sha1             # which md to use. preserve= no          # keep passed DN ordering # A few difference way of specifying how similar the request should look # For type CA, the listed attributes must be the same, and the optional # and supplied fields are just that :-) policy        = policy_match # For the CA policy [ policy_match ] countryName        = match stateOrProvinceName    = match organizationName   = match organizationalUnitName= optional commonName         = supplied emailAddress       = optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName        = optional stateOrProvinceName    = optional localityName       = optional organizationName   = optional organizationalUnitName= optional commonName         = supplied emailAddress       = optional #################################################################### [ req ] default_bits       = 1024 default_keyfile    = privkey.pem distinguished_name= req_distinguished_name attributes         = req_attributes x509_extensions    = v3_ca # The extentions to add to the self signed cert # Passwords for private keys if not present they will be prompted for # input_password = secret # output_password = secret # This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString. # pkix   : PrintableString, BMPString. # utf8only: only UTF8Strings. # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). # MASK:XXXX a literal mask value. # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings # so use this option with caution! string_mask = nombstr # req_extensions = v3_req # The extensions to add to a certificate request [ req_distinguished_name ] countryName            = Country Name (2 letter code) countryName_default         = CN countryName_min             = 2 countryName_max             = 2 stateOrProvinceName         = State or Province Name (full name) stateOrProvinceName_default= BeiJing localityName           = Locality Name (eg, city) 0.organizationName     = Organization Name (eg, company) 0.organizationName_default = COM # we can do this but it is not needed normally :-) #1.organizationName         = Second Organization Name (eg, company) #1.organizationName_default= World Wide Web Pty Ltd organizationalUnitName      = Organizational Unit Name (eg, section) organizationalUnitName_default   = YOUR commonName             = Common Name (eg, YOUR name) commonName_max              = 64 emailAddress           = Email Address emailAddress_max       = 64 # SET-ex3          = SET extension number 3 [ req_attributes ] challengePassword      = A challenge password challengePassword_min       = 4 challengePassword_max       = 20 unstructuredName       = An optional company name [ usr_cert ] # These extensions are added when 'ca' signs a request. # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType           = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment          = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl     = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [ v3_ca ] # Extensions for a typical CA # PKIX recommendation. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always # This is what PKIX recommends but some broken software chokes on critical # extensions. #basicConstraints = critical,CA:true # So we do this instead. basicConstraints = CA:true # Key usage: this is typical for a CA certificate. However since it will # prevent it being used as an test self-signed certificate it is best # left out by default. # keyUsage = cRLSign, keyCertSign # Some might want this also # nsCertType = sslCA, emailCA # Include email address in subject alt name: another PKIX recommendation # subjectAltName=email:copy # Copy issuer details # issuerAltName=issuer:copy # DER hex encoding of an extension: beware experts only! # obj=DER:02:03 # Where 'obj' is a standard or added object # You can even override a supported extension: # basicConstraints= critical, DER:30:03:01:01:FF [ crl_ext ] # CRL extensions. # Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. # issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always [ proxy_cert_ext ] # These extensions should be added when creating a proxy certificate # This goes against PKIX guidelines but some CAs do it and some software # requires this to avoid interpreting an end user certificate as a CA. basicConstraints=CA:FALSE # Here are some examples of the usage of nsCertType. If it is omitted # the certificate can be used for anything *except* object signing. # This is OK for an SSL server. # nsCertType           = server # For an object signing certificate this would be used. # nsCertType = objsign # For normal client use this is typical # nsCertType = client, email # and for everything including object signing: # nsCertType = client, email, objsign # This is typical in keyUsage for a client certificate. # keyUsage = nonRepudiation, digitalSignature, keyEncipherment # This will be displayed in Netscape's comment listbox. nsComment          = "OpenSSL Generated Certificate" # PKIX recommendations harmless if included in all certificates. subjectKeyIdentifier=hash authorityKeyIdentifier=keyid,issuer:always # This stuff is for subjectAltName and issuerAltname. # Import the email address. # subjectAltName=email:copy # An alternative to produce certificates that aren't # deprecated according to PKIX. # subjectAltName=email:move # Copy subject details # issuerAltName=issuer:copy #nsCaRevocationUrl     = http://www.domain.dom/ca-crl.pem #nsBaseUrl #nsRevocationUrl #nsRenewalUrl #nsCaPolicyUrl #nsSslServerName # This really needs to be in place for it to be a proxy certificate. proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

（3）建立隨機數種子rand文件：

cd c:"openssl"bin openssl rand -out c:/ca/keys/.rand 1024

2       建立數字證書

建立根證書（CA.COM）

（1）建立根證書的私鑰與證書申請；

openssl genrsa -des3 -out c:/ca/keys/CA.COM.key 2048 ** 建立時須要指定根私鑰保護密碼，請牢記此密碼。 openssl req -new -out CA.COM.csr -key c:/ca/keys/CA.COM.key -config openssl.cnf ** 建立時須要指定下列內容，其餘內容使用默認值。 Country Name : CN State or Province Name: BeiJing Organization Name：COM Organizational Unit Name：COM Common Name：CA.COM

或：

openssl req -newkey rsa:2048 -keyout c:/ca/Keys/CA.COM.key -out CA.COM.csr -config openssl.cnf ** 建立時須要指定下列內容，其餘內容使用默認值。 Country Name : CN State or Province Name: BeiJing Organization Name：COM Organizational Unit Name：COM Common Name：CA.COM

（2）使用根私鑰對根證書自簽名；

openssl ca -in CA.COM.csr -out c:/ca/certs/CA.COM.crt -selfsign -keyfilec:/ca/keys/CA.COM.key -days 7305 -extensions v3_ca -config openssl.cnf ** 確認證書主題是：             countryName               = CN             stateOrProvinceName       = BeiJing             organizationName          = COM             organizationalUnitName    = COM             commonName                = CA.COM

或：

openssl x509 -in CA.COM.csr -out c:/ca/certs/CA.COM.crt -req -signkeyc:/ca/keys/CA.COM.key -days 7305 -extensions v3_ca -config openssl.cnf ** 確認證書主題是：             countryName               = CN             stateOrProvinceName       = BeiJing             organizationName          = COM             organizationalUnitName    = COM             commonName                = CA.COM

（3）刪除根證書申請文件CA.COM.csr。

建立二級根證書（CA.YOUR.COM）

建立完根證書後，咱們能夠使用根證書建立二級根證書。

（1）建立二級根證書的證書申請；

openssl req -newkey rsa:2048 -keyout c:/ca/keys/CA.YOUR.COM.key -outCA.YOUR.COM.csr -config openssl.cnf ** 建立時須要指定二級證書私鑰的保護密碼，請牢記此密碼； ** 建立時須要指定下列內容，其餘內容使用默認值。 Country Name : CN State or Province Name: BeiJing Organization Name：COM Organizational Unit Name：YOUR Common Name：CA.YOUR.COM

（2）使用根證書對二級根證書進行簽名；

openssl ca -in CA.YOUR.COM.csr -out c:/ca/certs/CA.YOUR.COM.crt -keyfilec:/ca/keys/CA.COM.key -cert c:/ca/certs/CA.COM.crt -days 7305 -extensions v3_ca -config openssl.cnf ** 輸入根私鑰的保護密碼； ** 確認證書主題是：            countryName               = CN             stateOrProvinceName       = BeiJing             organizationName          = COM             organizationalUnitName    = YOUR             commonName                = CA.YOUR.COM

（3）刪除二級根證書申請文件CA.YOUR.COM.csr。

至此咱們建立完二級根證書，後續的服務器證書與我的證書，咱們都使用二級根證書作簽名。固然，咱們也能夠使用根證書籤名，但爲模擬更現實的狀況，咱們使用二級根證書作主要的簽名證書。

建立服務器證書

（1）建立服務器證書的證書申請；

openssl req -newkey rsa:1024 -keyout c:/ca/keys/www.your.com.key -outwww.your.com.csr -config openssl.cnf ** 建立時須要指定服務器證書私鑰的保護密碼，請牢記此密碼； ** 建立時須要指定下列內容，其餘內容使用默認值。 Country Name : CN State or Province Name: BeiJing Organization Name：COM Organizational Unit Name：YOUR Common Name：www.your.com

（2）使用二級根證書對服務器證書籤名；

openssl ca -in www.your.com.csr -out c:/ca/certs/www.your.com.crt -config openssl.cnf ** 輸入二級證書的私鑰保護密碼； ** 確認證書主題是：  countryName               = CN  stateOrProvinceName       = BeiJing  organizationName          = COM  organizationalUnitName    = YOUR  commonName                = www.your.com 注意：本步驟中咱們使用了配置文件openssl.cnf中指定的簽名證書ca.your.com.crt與簽名證書私鑰ca.your.com.key以及有效期365，於是命令比2.2節命令要簡潔許多。

（3）刪除服務器證書申請文件www.your.com.csr。

建立我的證書

（1）建立我的證書的證書申請；

openssl req -newkey rsa:1024 -keyout my.key -out my.csr -config openssl.cnf ** 建立時須要指定我的證書私鑰的保護密碼，請牢記此密碼； ** 建立時須要指定下列內容，其餘內容使用默認值。 Country Name : CN State or Province Name: BeiJing Organization Name：COM Organizational Unit Name：YOUR Common Name：my@your.com

（2）使用二級根證書對我的證書籤名；

openssl ca -in my.csr -out my.crt -config openssl.cnf ** 輸入二級證書的私鑰保護密碼； ** 確認證書主題是：  countryName               = CN  stateOrProvinceName       = BeiJing  organizationName          = COM  organizationalUnitName    = YOUR  commonName                = my@your.com

（3）添加證書鏈到我的證書。編輯my.crt文件，將CA.YOUR.COM.crt和CA.COM.crt文件從BEGIN CERTIFICATE開始的內容按序複製到my.crt文件中；

（4）合併編輯後的my.crt與my.key爲我的證書文件my.pfx；

openssl pkcs12 -export -in my.crt -inkey my.key -out c:/ca/certs/my.pfx ** 輸入my的證書私鑰保護密碼； ** 從新指定我的證書的保護密碼，請牢記此密碼；

（5）刪除我的證書申請文件my.csr、私鑰文件my.key、證書文件my.crt。

注意：第三、4兩步能夠使用下列命令一步完成：

openssl pkcs12 -export -in my.crt -inkey my.key -out c:/ca/certs/my.pfx -certfile c:/ca/certs/ca.your.com.crt -certfile c:/ca/certs/ca.com.crt

再按以上步驟，建立另一張我的證書my1.pfx，Common Name爲my1。後面咱們將註銷這張證書，演示證書註銷列表的使用。

建立證書鏈文件

Web服務器與客戶端創建SSL通訊通道前，要交換雙方的證書，並使用本方的證書鏈文件（P7B－PKCS7）與證書註銷列表文件（CRL）驗證對方證書的合法性。

證書鏈文件，實際上就是多個CA的證書（公鑰），有兩種格式：一是文本格式（Privacy Enhanced Mail，PEM），即便用BASE64轉碼後的格式；二是二進制格式(Distinguished Encoding Rules，DER)，即P7B文件。其中，PEM格式僅需將各CA的證書從枝到根的順序合併在一塊兒便可。而P7B格式的證書鏈文件，則須要特殊處理。

使用OpenSSL建立P7B格式的證書鏈文件的命令以下：

openssl crl2pkcs7 -out c:/ca/your.p7b -nocrl -certfilec:/ca/certs/CA.YOUR.COM.crt -certfile c:/ca/certs/CA.COM.crt

建立證書註銷列表文件

（1）註銷證書my1.pfx；

編輯c:/ca/index.txt文件，查閱/C=CN /ST=BeiJing /O=COM /OU=YOUR /CN=lny對應的證書序號爲05。建立證書時，openssl自動將新建立的證書存儲在certs目錄下，文件名爲<證書序號>.pem，所以05.pem即爲my1.pfx對應的證書。使用下列命令能夠顯示證書的主題信息進行確認：

openssl x509 -in c:/ca/certs/05.pem -text ** 確認主題是：Subject: C=CN, ST=BeiJing, O=COM, OU=YOUR, CN=my1

而後，使用下列命令註銷此證書：

openssl ca -revoke c:/ca/certs/05.pem ** 輸入二級根證書的私鑰保護密碼。

再次編輯c:/ca/index.txt，能夠看到05號證書的狀態已經修改成R，即註銷了。

（2）生成證書註銷列表文件；

openssl ca -gencrl -crldays 7 -crlexts crl_ext -out c:/ca/crl/your.crl -config openssl.cnf ** 輸入二級證書的私鑰保護密碼；

（3）轉換PEM格式證書列表文件爲DER格式；

本步驟是可選的。若是客戶端或服務器須要DER格式的證書註銷列表文件，則能夠使用下列命令進行格式轉換：

openssl crl -inform PEM -outform DER -in c:/ca/crl/your.crl -outc:/ca/crl/your_bin.crl

注意：上述操做中，咱們能夠註銷多個證書後再生成證書註銷列表。生成證書註銷列表時，咱們指定了下次發佈證書註銷列表的日期爲7往後（-crldays 7）。

3       配置Apache

準備好須要的各類證書及配套的文件後，咱們能夠配置Apache，啓用SSL鏈接服務。

（1）編輯apache/conf/httpd.conf，刪除#Include conf/extra/ httpd-ssl.conf前的＃，激活httpd-ssl.conf；

（2）編輯apache/conf/extra/httpd-ssl.conf，將所有包含C:/Program Files/Apache Software Foundation/Apache2.2的項編輯爲使用""括（蘭色字體部分），修改以下：

# # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html> # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure # consult the online docs. You have been warned.  # # # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the SSL library. # The seed data should be of good random quality. # WARNING! On some platforms /dev/random blocks if not enough entropy # is available. This means you then cannot use the /dev/random device # because it would lead to very long connection times (as long as # it requires to make more entropy available). But usually those # platforms additionally provide a /dev/urandom device which doesn't # block. So, if available, use this one instead. Read the mod_ssl User # Manual for more details. # #SSLRandomSeed startup file:/dev/random 512 #SSLRandomSeed startup file:/dev/urandom 512 #SSLRandomSeed connect file:/dev/random 512 #SSLRandomSeed connect file:/dev/urandom 512 # # When we also provide SSL we have to listen to the # standard HTTP port (see above) and to the HTTPS port # # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two #       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" # Listen 443 ## ## SSL Global Context ## ## All SSL configuration in this context applies both to ## the main server and all SSL-enabled virtual hosts. ## # #   Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl    .crl #   Pass Phrase Dialog: #   Configure the pass phrase gathering process. #   The filtering dialog program (`builtin' is a internal #   terminal dialog) has to provide the pass phrase on stdout. SSLPassPhraseDialog builtin #   Inter-Process Session Cache: #   Configure the SSL Session Cache: First the mechanism #   to use and second the expiring timeout (in seconds). #SSLSessionCache         dbm:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache SSLSessionCache        "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)" SSLSessionCacheTimeout 300 #   Semaphore: #   Configure the path to the mutual exclusion semaphore the #   SSL engine uses internally for inter-process synchronization. SSLMutex default ## ## SSL Virtual Host Context ## <VirtualHost _default_:443>   #   General setup for the virtual host DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs" ServerName lny.your.com:443 ServerAdmin nyli@your.cn ErrorLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/error_log" TransferLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/access_log" #   SSL Engine Switch: #   Enable/Disable SSL for this virtual host. SSLEngine on #   SSL Cipher Suite: #   List the ciphers that the client is permitted to negotiate. #   See the mod_ssl documentation for a complete list. SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL #   Server Certificate: #   Point SSLCertificateFile at a PEM encoded certificate. If #   the certificate is encrypted, then you will be prompted for a #   pass phrase. Note that a kill -HUP will prompt again. Keep #   in mind that if you have both an RSA and a DSA certificate you #   can configure both in parallel (to also allow the use of DSA #   ciphers, etc.) SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.crt" #SSLCertificateFile C:/Program Files/Apache Software Foundation/Apache2.2/conf/server-dsa.crt #   Server Private Key: #   If the key is not combined with the certificate, use this #   directive to point at the key file. Keep in mind that if #   you've both a RSA and a DSA private key you can configure #   both in parallel (to also allow the use of DSA ciphers, etc.) SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/server.key" #SSLCertificateKeyFile C:/Program Files/Apache Software Foundation/Apache2.2/conf/server-dsa.key #   Server Certificate Chain: #   Point SSLCertificateChainFile at a file containing the #   concatenation of PEM encoded CA certificates which form the #   certificate chain for the server certificate. Alternatively #   the referenced file can be the same as SSLCertificateFile #   when the CA certificates are directly appended to the server #   certificate for convinience. SSLCertificateChainFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ca.crt" #   Certificate Authority (CA): #   Set the CA certificate verification path where to find CA #   certificates for client authentication or alternatively one #   huge file containing all of them (file must be PEM encoded) #   Note: Inside SSLCACertificatePath you need hash symlinks #         to point to the certificate files. Use the provided #         Makefile to update the hash symlinks after changes. SSLCACertificatePath "C:/Program Files/Apache Software Foundation/Apache2.2/conf" SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ca.crt" #   Certificate Revocation Lists (CRL): #   Set the CA revocation path where to find CA CRLs for client #   authentication or alternatively one huge file containing all #   of them (file must be PEM encoded) #   Note: Inside SSLCARevocationPath you need hash symlinks #         to point to the certificate files. Use the provided #         Makefile to update the hash symlinks after changes. SSLCARevocationPath "C:/Program Files/Apache Software Foundation/Apache2.2/conf" SSLCARevocationFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ca.crl" #   Client Authentication (Type): #   Client certificate verification type and depth. Types are #   none, optional, require and optional_no_ca. Depth is a #   number which specifies how deeply to verify the certificate #   issuer chain before deciding the certificate is not valid. SSLVerifyClient require SSLVerifyDepth 10 #   Access Control: #   With SSLRequire you can do per-directory access control based #   on arbitrary complex boolean expressions containing server #   variable checks and other lookup directives. The syntax is a #   mixture between C and Perl. See the mod_ssl documentation #   for more details. #<Location /> #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ " #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." " #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} " #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 " #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) " #           or %{REMOTE_ADDR} =~ m/^192".76".162".[0-9]+$/ #</Location> #   SSL Engine Options: #   Set various options for the SSL engine. #   o FakeBasicAuth: #     Translate the client X.509 into a Basic Authorisation. This means that #     the standard Auth/DBMAuth methods can be used for access control. The #     user name is the `one line' version of the client's X.509 certificate. #     Note that no password is obtained from the user. Every entry in the user #     file needs this password: `xxj31ZMTZzkVA'. #   o ExportCertData: #     This exports two additional environment variables: SSL_CLIENT_CERT and #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the #     server (always existing) and the client (only existing when client #     authentication is used). This can be used to import the certificates #     into CGI scripts. #   o StdEnvVars: #     This exports the standard SSL/TLS related `SSL_*' environment variables. #     Per default this exportation is switched off for performance reasons, #     because the extraction step is an expensive operation and is usually #     useless for serving static content. So one usually enables the #     exportation for CGI and SSI requests only. #   o StrictRequire: #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even #     under a "Satisfy any" situation, i.e. when it applies access is denied #     and no other module can change it. #   o OptRenegotiate: #     This enables optimized SSL connection renegotiation handling when SSL #     directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire <FilesMatch "".(cgi|shtml|phtml|php)$">     SSLOptions +StdEnvVars </FilesMatch> <Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">     SSLOptions +StdEnvVars </Directory> #   SSL Protocol Adjustments: #   The safe and default but still SSL/TLS standard compliant shutdown #   approach is that mod_ssl sends the close notify alert but doesn't wait for #   the close notify alert from client. When you need a different shutdown #   approach you can use one of the following variables: #   o ssl-unclean-shutdown: #     This forces an unclean shutdown when the connection is closed, i.e. no #     SSL close notify alert is send or allowed to received. This violates #     the SSL/TLS standard but is needed for some brain-dead browsers. Use #     this when you receive I/O errors because of the standard approach where #     mod_ssl sends the close notify alert. #   o ssl-accurate-shutdown: #     This forces an accurate shutdown when the connection is closed, i.e. a #     SSL close notify alert is send and mod_ssl waits for the close notify #     alert of the client. This is 100% SSL/TLS standard compliant, but in #     practice often causes hanging connections with brain-dead browsers. Use #     this only for browsers where you know that their SSL implementation #     works correctly. #   Notice: Most problems of broken clients are also related to the HTTP #   keep-alive facility, so you usually additionally want to disable #   keep-alive for those clients, too. Use variable "nokeepalive" for this. #   Similarly, one has to force some clients to use HTTP/1.0 to workaround #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and #   "force-response-1.0" for this. BrowserMatch ".*MSIE.*" "          nokeepalive ssl-unclean-shutdown "          downgrade-1.0 force-response-1.0 #   Per-Server Logging: #   The home of a custom SSL log file. Use this when you want a #   compact non-error SSL logfile on a virtual host basis. CustomLog "C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_request_log" "           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x ""%r"" %b" </VirtualHost>

（3）取消www.your.com.key的私鑰保護密碼；

此操做僅Win32的Apache須要。

Linux的Apache啓動時自動提示要求輸入服務器證書私鑰的保護密碼，而Win32的Apache沒有此功能，所以必須取消證書私鑰的保護密碼。

openssl rsa -in c:/ca/keys/www.your.com.key -outc:/ca/keys/www.your.com1.key ** 輸入lny.your.com的私鑰保護密碼。

（4）複製證書文件；

移動c:/ca/keys/www.your.com1.key到conf/server.key；

複製c:/ca/certs/www.your.com.crt到conf/server.crt；

合併c:/ca/certs/CA.YOUR.COM.crt和c:/ca/certs/CA.COM. crt證書從BEGIN CERTIFICATE開始的內容到PEM格式的證書鏈文件中，複製該證書鏈文件到conf/ca.crt。若是有P7B格式的證書鏈文件，能夠使用下列命名轉換成PEM格式的證書鏈文件。

openssl pkcs7 -in c:/ca/your.p7b -out ca.crt -print_certs

複製c:/ca/crl/your.crl到conf/ca.crl。

4       測試

（1）編輯客戶端hosts文件，增長服務器的域名；

192.168.100.1   www.your.com

注： windows上hosts文件位於C:\Windows\System32\drivers\etc目錄。

（2）複製並安裝我的證書my.pfx和my1.pfx；

（3）使用ie瀏覽器訪問服務器https://www.your.com，在彈出的證書選擇窗口中選擇my@your.cn證書，應能鏈接到服務器，輸出以下內容。

 

 

（4）使用ie瀏覽器訪問服務器https://www.your.com，在彈出的證書選擇窗口中選擇my1證書，應彈出下列錯誤窗口。

 

 

5       其餘證書管理

從我的證書中獲取私鑰

openssl pkcs12 -in c:/ca/certs/my.pfx -out my.key –nocerts ** 輸入我的證書的保護密碼； ** 指定我的證書私鑰的保護密碼。

從我的證書中獲取證書

openssl pkcs12 -in c:/ca/certs/my.pfx -out my.crt -nokeys ** 輸入我的證書的保護密碼。

 

(轉：http://www.blogjava.net/sham2k/articles/163985.html)