openssl創建證書，很是詳細配置ssl+apache

時間 2019-11-13

標籤 openssl 創建證書很是詳細配置 ssl+apache ssl apache 欄目 SSL 简体版

原文原文鏈接

一，什麼是sslphp

SSL證書經過在客戶端瀏覽器和Web服務器之間創建一條SSL安全通道（Secure socket layer(SSL)安全協議是由Netscape Communication公司設計開發。該安全協議主要用來提供對用戶和服務器的認證；對傳送的數據進行加密和隱藏；確保數據在傳送中不被改變，即數據的完整性，現已成爲該領域中全球化的標準。因爲SSL技術已創建到全部主要的瀏覽器和WEB服務器程序中，所以，僅需安裝服務器證書就能夠激活該功能了）。即經過它能夠激活SSL協議，實現數據信息在客戶端和服務器之間的加密傳輸，能夠防止數據信息的泄露。保證了雙方傳遞信息的安全性，並且用戶能夠經過服務器證書驗證他所訪問的網站是不是真實可靠。html

安全套接字層 (SSL) 技術經過加密信息和提供鑑權，保護您的網站安全。一份 SSL 證書包括一個公共密鑰和一個私用密鑰。公共密鑰用於加密信息，私用密鑰用於解譯加密的信息。瀏覽器指向一個安全域時，SSL 同步確認服務器和客戶端，並建立一種加密方式和一個惟一的會話密鑰。它們能夠啓動一個保證消息的隱私性和完整性的安全會話。nginx

首先要有一個主證書，而後用主證書來簽發服務器證書和客戶證書，服務器證書和客戶證書是平級關係，SSL所使用的證書能夠本身生成，也能夠經過一個商業性CA（如Verisign 或 Thawte）簽署證書。簽發證書的問題：若是使用的是商業證書，具體的簽署方法請查看相關銷售商的說明；若是是知己簽發的證書，可使用openssl 自帶的CA.sh腳本工具。若是不爲單獨的客戶端簽發證書，客戶端證書能夠不用生成，客戶端與服務器端使用相同的證書。git

二，安裝所要的軟件web

openssl ：wget http://www.openssl.org/source/openssl-1.0.0a.tar.gzapache

apache： wget http://www.apache.org/dist/httpd/httpd-2.2.16.tar.gzwindows

三，安裝瀏覽器

在正式安裝前，請不要直接看下面的安裝，請看最後一部分，那是我安裝時候所遇到的問題，這樣可使你少走很多彎路，我安裝的時候，就走了很多彎路。安全

1，安裝openssl服務器

tar zxvf openssl-1.0.0a.tar.gz
cd openssl-1.0.0a
./config --prefix=/usr/local/openssl
make && make install

2,安裝apache

若是你已經安裝了apache，你又不想從新編譯的話，請參考mod_ssl模塊的安裝，也就是添加ssl模塊而已。

tar zxvf httpd-2.2.16.tar.gz
cd httpd-2.2.16
./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/openssl
make && make install

若是你是yum install ,apt-get,pacman這樣的軟件管理工具進行安裝的話，上面的二步能夠省掉。

3，建立主證書

在/usr/local/apache/conf/下面建個目錄ssl

3.1，mkdir ssl

3.2，cp /openssl的安裝目錄/ssl/misc/CA.sh /usr/local/apache/conf/ssl/

3.3 用CA.sh來建立證書

查看複製打印 ?

[root@BlackGhost ssl]# ./CA.sh -newca //創建主證書
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost
Email Address []:xtaying@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:******************
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem: //填的是上面的PEM密碼
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
89:11:9f:a6:ca:03:63:ab
Validity
Not Before: Aug 7 12:35:28 2010 GMT
Not After : Aug 6 12:35:28 2013 GMT
Subject:
countryName = cn
stateOrProvinceName = cn
organizationName = cn
organizationalUnitName = cn
commonName = localhost
emailAddress = xtaying@gmail.com
X509v3 extensions:
X509v3 Subject Key Identifier:
26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
X509v3 Authority Key Identifier:
keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
serial:89:11:9F:A6:CA:03:63:AB
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Aug 6 12:35:28 2013 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated

[root@BlackGhost ssl]# ./CA.sh -newca   //創建主證書
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
......++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost
Email Address []:xtaying@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:******************
An optional company name []:
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:       //填的是上面的PEM密碼
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number:
 89:11:9f:a6:ca:03:63:ab
 Validity
 Not Before: Aug  7 12:35:28 2010 GMT
 Not After : Aug  6 12:35:28 2013 GMT
 Subject:
 countryName               = cn
 stateOrProvinceName       = cn
 organizationName          = cn
 organizationalUnitName    = cn
 commonName                = localhost
 emailAddress              = xtaying@gmail.com
 X509v3 extensions:
 X509v3 Subject Key Identifier:
 26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
 X509v3 Authority Key Identifier:
 keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
 DirName:/C=cn/ST=cn/O=cn/OU=cn/CN=localhost/emailAddress=xtaying@gmail.com
 serial:89:11:9F:A6:CA:03:63:AB

 X509v3 Basic Constraints:
 CA:TRUE
Certificate is to be certified until Aug  6 12:35:28 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

安裝成功的話，會在ssl目錄下面產生一個文件夾demoCA

4 生成服務器私鑰和服務器證書

查看複製打印 ?

[root@BlackGhost ssl]# openssl genrsa -des3 -out server.key 1024 //產生服務器私鑰
Generating RSA private key, 1024 bit long modulus
.....................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@BlackGhost ssl]# openssl req -new -key server.key -out server.csr //生成服務器證書
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost //要填全域名
Email Address []:xtaying@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*****************
An optional company name []:

[root@BlackGhost ssl]# openssl genrsa -des3 -out server.key 1024    //產生服務器私鑰
Generating RSA private key, 1024 bit long modulus
.....................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@BlackGhost ssl]# openssl req -new -key server.key -out server.csr      //生成服務器證書
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:cn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:cn
Common Name (eg, YOUR name) []:localhost     //要填全域名
Email Address []:xtaying@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:*****************
An optional company name []:

4.1 對產生的服務器證書進行簽證

cp server.csr newseq.pem

查看複製打印 ?

[root@BlackGhost ssl]# ./CA.sh -sign //爲服務器證書籤名
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
89:11:9f:a6:ca:03:63:ac
Validity
Not Before: Aug 7 12:39:41 2010 GMT
Not After : Aug 7 12:39:41 2011 GMT
Subject:
countryName = cn
stateOrProvinceName = cn
localityName = cn
organizationName = cn
organizationalUnitName = cn
commonName = localhost
emailAddress = xtaying@gmail.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
X509v3 Authority Key Identifier:
keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
Certificate is to be certified until Aug 7 12:39:41 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
89:11:9f:a6:ca:03:63:ac
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
Validity
Not Before: Aug 7 12:39:41 2010 GMT
Not After : Aug 7 12:39:41 2011 GMT
Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:ce:d5:a8:df:d1:e7:ee:92:d1:d1:78:20:a9:6d:
0a:1b:f6:09:dd:13:29:ef:72:1d:17:54:dd:1c:8d:
28:27:69:fe:70:3b:fa:2b:a3:45:40:80:ea:0e:5b:
a7:bd:40:d0:cd:bc:2c:74:03:8b:f7:6c:5e:1f:09:
5d:c6:8a:05:ea:b8:72:fc:79:8b:62:62:38:0b:42:
28:7e:0d:fc:e7:bb:b0:87:66:6a:b2:35:92:91:b9:
78:9c:b6:76:01:0b:2a:74:df:5f:a1:8b:31:61:90:
93:f9:20:db:46:59:12:2e:9b:59:c0:32:4e:92:14:
a1:7e:52:7b:cc:02:5e:e2:45
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
X509v3 Authority Key Identifier:
keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76
Signature Algorithm: sha1WithRSAEncryption
09:a0:16:43:a2:93:11:a7:ab:f5:17:b7:36:35:84:9f:3b:37:
32:33:3f:93:63:b0:4c:bb:d1:b4:9b:4f:37:78:62:f4:ac:ff:
28:b0:63:71:2e:9a:7c:f4:40:2e:b1:5f:ae:49:e7:e2:6f:de:
cf:30:cc:9a:08:26:26:24:c5:00:03:32:20:48:41:b1:29:8f:
5d:3d:2a:78:54:0e:a8:76:07:6c:7f:23:42:75:c2:fb:83:1d:
70:44:5e:8c:90:cf:b4:23:b7:23:5b:06:05:32:58:e3:af:1c:
be:1d:50:7b:fd:37:66:ba:9c:ec:bb:af:ee:b6:04:f7:c5:2e:
59:22
-----BEGIN CERTIFICATE-----
MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw
EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu
Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC
Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV
BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp
bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu
ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3
bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh
kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+
zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3
MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy
IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/03
Zrqc7Luv7rYE98UuWSI=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

[root@BlackGhost ssl]# ./CA.sh -sign     //爲服務器證書籤名
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number:
 89:11:9f:a6:ca:03:63:ac
 Validity
 Not Before: Aug  7 12:39:41 2010 GMT
 Not After : Aug  7 12:39:41 2011 GMT
 Subject:
 countryName               = cn
 stateOrProvinceName       = cn
 localityName              = cn
 organizationName          = cn
 organizationalUnitName    = cn
 commonName                = localhost
 emailAddress              = xtaying@gmail.com
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
 X509v3 Authority Key Identifier:
 keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76

Certificate is to be certified until Aug  7 12:39:41 2011 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 89:11:9f:a6:ca:03:63:ac
 Signature Algorithm: sha1WithRSAEncryption
 Issuer: C=cn, ST=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
 Validity
 Not Before: Aug  7 12:39:41 2010 GMT
 Not After : Aug  7 12:39:41 2011 GMT
 Subject: C=cn, ST=cn, L=cn, O=cn, OU=cn, CN=localhost/emailAddress=xtaying@gmail.com
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (1024 bit)
 Modulus:
 00:ce:d5:a8:df:d1:e7:ee:92:d1:d1:78:20:a9:6d:
 0a:1b:f6:09:dd:13:29:ef:72:1d:17:54:dd:1c:8d:
 28:27:69:fe:70:3b:fa:2b:a3:45:40:80:ea:0e:5b:
 a7:bd:40:d0:cd:bc:2c:74:03:8b:f7:6c:5e:1f:09:
 5d:c6:8a:05:ea:b8:72:fc:79:8b:62:62:38:0b:42:
 28:7e:0d:fc:e7:bb:b0:87:66:6a:b2:35:92:91:b9:
 78:9c:b6:76:01:0b:2a:74:df:5f:a1:8b:31:61:90:
 93:f9:20:db:46:59:12:2e:9b:59:c0:32:4e:92:14:
 a1:7e:52:7b:cc:02:5e:e2:45
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 FE:20:56:04:8E:B6:BE:3E:3A:E1:DA:A6:4A:3A:E1:16:93:1D:3F:81
 X509v3 Authority Key Identifier:
 keyid:26:09:F3:D5:26:13:00:1F:3E:CC:86:1D:E4:EE:37:06:65:15:4E:76

 Signature Algorithm: sha1WithRSAEncryption
 09:a0:16:43:a2:93:11:a7:ab:f5:17:b7:36:35:84:9f:3b:37:
 32:33:3f:93:63:b0:4c:bb:d1:b4:9b:4f:37:78:62:f4:ac:ff:
 28:b0:63:71:2e:9a:7c:f4:40:2e:b1:5f:ae:49:e7:e2:6f:de:
 cf:30:cc:9a:08:26:26:24:c5:00:03:32:20:48:41:b1:29:8f:
 5d:3d:2a:78:54:0e:a8:76:07:6c:7f:23:42:75:c2:fb:83:1d:
 70:44:5e:8c:90:cf:b4:23:b7:23:5b:06:05:32:58:e3:af:1c:
 be:1d:50:7b:fd:37:66:ba:9c:ec:bb:af:ee:b6:04:f7:c5:2e:
 59:22
-----BEGIN CERTIFICATE-----
MIIC2jCCAkOgAwIBAgIJAIkRn6bKA2OsMA0GCSqGSIb3DQEBBQUAMGoxCzAJBgNV
BAYTAmNuMQswCQYDVQQIEwJjbjELMAkGA1UEChMCY24xCzAJBgNVBAsTAmNuMRIw
EAYDVQQDEwlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlpbmdAZ21haWwu
Y29tMB4XDTEwMDgwNzEyMzk0MVoXDTExMDgwNzEyMzk0MVowdzELMAkGA1UEBhMC
Y24xCzAJBgNVBAgMAmNuMQswCQYDVQQHDAJjbjELMAkGA1UECgwCY24xCzAJBgNV
BAsMAmNuMRIwEAYDVQQDDAlsb2NhbGhvc3QxIDAeBgkqhkiG9w0BCQEWEXh0YXlp
bmdAZ21haWwuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDO1ajf0efu
ktHReCCpbQob9gndEynvch0XVN0cjSgnaf5wO/oro0VAgOoOW6e9QNDNvCx0A4v3
bF4fCV3GigXquHL8eYtiYjgLQih+Dfznu7CHZmqyNZKRuXictnYBCyp031+hizFh
kJP5INtGWRIum1nAMk6SFKF+UnvMAl7iRQIDAQABo3sweTAJBgNVHRMEAjAAMCwG
CWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV
HQ4EFgQU/iBWBI62vj464dqmSjrhFpMdP4EwHwYDVR0jBBgwFoAUJgnz1SYTAB8+
zIYd5O43BmUVTnYwDQYJKoZIhvcNAQEFBQADgYEACaAWQ6KTEaer9Re3NjWEnzs3
MjM/k2OwTLvRtJtPN3hi9Kz/KLBjcS6afPRALrFfrknn4m/ezzDMmggmJiTFAAMy
IEhBsSmPXT0qeFQOqHYHbH8jQnXC+4MdcERejJDPtCO3I1sGBTJY468cvh1Qe/03
Zrqc7Luv7rYE98UuWSI=
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

cp newcert.pem server.crt

5,產生客戶端證書

生成客戶私鑰：
openssl genrsa -des3 -out client.key 1024

生成客戶證書
openssl req -new -key client.key -out client.csr

簽證：
openssl ca -in client.csr -out client.crt

轉換成pkcs12格式，爲客戶端安裝所用
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx

這一步根安裝服務器的證書差很少，不一樣的是簽證，最後安裝的時候，client.pfx的密碼要記住，在客戶端安裝的時候要用到的。

[root@BlackGhost ssl]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:

客戶端和服務器端均可以使用服務器端證書，因此這一步不作也行。

6，集中因此證書和私私鑰到一塊兒

#cp demoCA/cacert.pem cacert.pem

同時複製一份證書，改名爲ca.crt
#cp cacert.pem ca.crt

7，apache配置

vi /usr/local/apache/conf/extra/ssl.conf

查看複製打印 ?

ssl開啓
SSLEngine on
指定服務器證書位置
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt
指定服務器證書key位置
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key
證書目錄
SSLCACertificatePath /usr/local/apache/conf/ssl
根證書位置
SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem
要求客戶擁有證書
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StdEnvVars
記錄log
CustomLog "/usr/local/apache/logs/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

ssl開啓
SSLEngine on

指定服務器證書位置
SSLCertificateFile /usr/local/apache/conf/ssl/server.crt

指定服務器證書key位置
SSLCertificateKeyFile /usr/local/apache/conf/ssl/server.key

證書目錄
SSLCACertificatePath /usr/local/apache/conf/ssl

根證書位置
SSLCACertificateFile /usr/local/apache/conf/ssl/cacert.pem

要求客戶擁有證書
SSLVerifyClient require
SSLVerifyDepth  1
SSLOptions +StdEnvVars

記錄log
CustomLog "/usr/local/apache/logs/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

vi /usr/local/apache/conf/extra/httpd_vhosts.conf

查看複製打印 ?

listen 443 https
NameVirtualHost *:443
<VirtualHost _default_:443>
DocumentRoot "/home/zhangy/www/metbee/trunk/src/web"
ServerName *:443
ErrorLog "/home/zhangy/apache/www.metbee.com-error.log"
CustomLog "/home/zhangy/apache/www.metbee.com-access.log" common
Include conf/extra/ssl.conf
</VirtualHost>

listen 443 https
 NameVirtualHost *:443
 <VirtualHost _default_:443>

 DocumentRoot "/home/zhangy/www/metbee/trunk/src/web"
 ServerName  *:443
 ErrorLog "/home/zhangy/apache/www.metbee.com-error.log"
 CustomLog "/home/zhangy/apache/www.metbee.com-access.log" common
 Include conf/extra/ssl.conf

 </VirtualHost>

vi /usr/local/apache/conf/httpd.conf把Include conf/extra/httpd-vhosts.conf前面的註釋去掉

啓動 /usr/local/apache/bin/apachectl -D SSL -k start

Server *:10000 (RSA)
Enter pass phrase:輸入的是server的密鑰

OK: Pass Phrase Dialog successful.

8,安裝客戶端證書

把ca.crt和client.pfx copy到客戶端，雙擊client.pfx就會進入證書的安裝嚮導，下一步就好了，中間會讓你輸入密碼

四，安裝所遇到的問題

1，生成的密碼不少，一會讓輸入密碼，會忘得，而且主證書的密碼和下面的證書的密碼不能重得，會報錯的，因此要搞個文本記下來。

2，升級openssl引起的問題

httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libssl.so.0.9.8: cannot open shared object file: No such file or directory

httpd: Syntax error on line 56 of /usr/local/apache/conf/httpd.conf: Cannot load /usr/local/apache/modules/libphp5.so into server: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory

用ln -s來創建軟連接，就能夠了。不過這種方法不是萬能的，好比我把libpng從1.2升到1.4，libjpeg從7.0升到8.0結果是系統差點崩掉，用軟連接無論用，我把他們弄掉，從網上下的低版本重裝。

3，證書的國家名稱，省名要相同否則生成空證書，

The countryName field needed to be the same in the
CA certificate (cn) and the request (sh)

4，提示CommonName時，要添寫全域名，會提示警告

RSA server certificate CommonName (CN) `cn' does NOT match server name!?

5，相同的證書不能生成二次，名字不同也不行，也就是說server.cst和client.csr信息不能完相同，否則會報

failed to update database
TXT_DB error number 2

6，頁面瀏覽時，會看到提示，你的證書是不可信的，是由於我配置的不對，仍是本身建的證書就是不要信的呢？

7，當我加了SSLVerifyClient require SSLVerifyDepth 1 這二個配置時，在windows下面，要你輸入證書後，就能夠看到頁面了，但在用firefox就是不行呢？看下面的ssl_request_log日誌，192.168.18.3是用windows的IE瀏覽器

[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:21 +0800] 127.0.0.1 TLSv1 DHE-RSA-CAMELLIA256-SHA "GET /robots.txt HTTP/1.1" 208
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505
[09/Aug/2010:22:02:55 +0800] 192.168.18.3 TLSv1 RC4-MD5 "GET / HTTP/1.1" 1505

遇到確定不止這幾個，有的想不起來了。關於6，7，還請高手指教。謝謝