绝对蓝屏 [ ihweb ] (黄华栋) <ihweb@cnfug.org>
Everyone is surely familiar with Apache. Powerful and stable, it already accounts for a large share of the web servers on the Internet.
Have you thought about making Apache's connections more secure? Install mod_ssl. This article walks through installing Apache+mod_ssl and setting up your own SSL certificate, using FreeBSD 4.8 stable as the platform.
Apache 1.3.27+mod_ssl can be installed from ports, which is simple and saves effort.
FBSD# cd /usr/ports/www/apache13-modssl/
FBSD# make install
>> mod_ssl-2.8.14-1.3.27.tar.gz doesn't seem to exist
in /usr/ports/distfiles/.
>> Attempting to fetch from http://www.modssl.org/source/.
Receiving mod_ssl-2.8.14-1.3.27.tar.gz (754179 bytes): 100%
(ETA 00:00)
754179 bytes transferred in 47.2 seconds (15.62 kBps)
===> Extracting for apache+mod_ssl-1.3.27+2.8.14
>> Checksum OK for apache_1.3.27.tar.gz.
>> Checksum OK for mod_ssl-2.8.14-1.3.27.tar.gz.
===> Patching for apache+mod_ssl-1.3.27+2.8.14
===> Applying mod_ssl-2.8.14 extension
Configuring mod_ssl/2.8.14 for Apache/1.3.27
+ Apache location: ../apache_1.3.27 (Version 1.3.27)
+ Auxiliary patch tool: ./etc/patch/patch (local)
+ Applying packages to Apache source tree:
o Extended API (EAPI)
o Distribution Documents
o SSL Module Source
o SSL Support
o SSL Configuration Additions
o SSL Module Documentation
o Addons
Done: source extension and patches successfully applied.
……….
When you see
===> Compressing manual pages for apache+mod_ssl-1.3.27+2.8.14
===> Registering installation for apache+mod_ssl-1.3.27+2.8.14
===> SECURITY REPORT:
This port has installed the following startup scripts which
may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/apache.sh-dist
If there are vulnerabilities in these programs there may
be a security
risk to the system. FreeBSD makes no guarantee about the
security of
ports included in the Ports Collection. Please type 'make
deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.apache.org/
FBSD#
then congratulations, the installation has completed cleanly! Simple, isn't it? Start it up and see.
FBSD# /usr/local/etc/rc.d/apache.sh start
OK, now connect to it and take a look.
https://ssl.kingisme.com/index.html.en
Screenshot captions:
1. The browser asks whether to view the page over a secure connection
2. The certificate is received
3. (Note the area circled in red)
For ordinary use this is already more than enough, but seeing someone else's certificate details in the screenshot may annoy you (it certainly annoyed me) and make you want to replace them with your own.
Below I will show you step by step how to install your own certificate.
1. First create a CA certificate
Start by creating an RSA private key for the CA.
FBSD# cd /usr/local/etc/apache
FBSD# mkdir ssl (create a temporary directory)
FBSD# cd ssl
FBSD# /usr/bin/openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
..................................++++++
.......................................................++++++
e is 65537 (0x10001)
2. Use the CA's RSA key to create a self-signed CA certificate (X.509)
FBSD# /usr/bin/openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangDong
Locality Name (eg, city) []:GuangZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kingisme.com xBSD Studio
Organizational Unit Name (eg, section) []:ihweb.cnfug.org
Common Name (eg, YOUR name) []:ihweb
Email Address []:ihweb@cnfug.org
3. Next, create the server certificate signing request.
Create an RSA private key for Apache:
FBSD# /usr/bin/openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.........................++++++
......................++++++
e is 65537 (0x10001)
4. Use server.key to generate the certificate signing request file server.csr
FBSD# /usr/bin/openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangDong
Locality Name (eg, city) []:GuanZhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Kingisme.com xBSD Studio
Organizational Unit Name (eg, section) []:ihweb.cnfug.org
Common Name (eg, YOUR name) []:ihweb
Email Address []:ihweb@cnfug.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (leave these two blank; just press Enter)
An optional company name []: (same as above)
4. Sign the certificate
This needs the script sign.sh.
Where do you find sign.sh? Here:
/usr/ports/www/apache13-modssl/work/mod_ssl-2.8.14-1.3.27/pkg.contrib/sign.sh
Copy it into the directory we just created, then begin.
FBSD# cp /usr/ports/www/apache13-modssl/work/mod_ssl-2.8.14-1.3.27/pkg.contrib/sign.sh /usr/local/etc/apache/ssl
FBSD# ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'GuangDong'
localityName :PRINTABLE:'GuanZhou'
organizationName :PRINTABLE:'Kingisme.com xBSD Studio'
organizationalUnitName:PRINTABLE:'ihweb.cnfug.org'
commonName :PRINTABLE:'ihweb'
emailAddress :IA5STRING:'ihweb@cnfug.org'
Certificate is to be certified until Jul 14 07:56:29 2004
GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
FBSD#
That completes certificate generation.
What remains is to copy server.crt and server.key to the locations that mod_ssl is configured to use in httpd.conf, namely /usr/local/etc/apache/ssl.crt and /usr/local/etc/apache/ssl.key respectively.
5. Copy the newly made certificate into mod_ssl's configuration directories and set secure permissions.
FBSD# chmod 400 server.crt
FBSD# chmod 400 server.key
FBSD# cd /usr/local/etc/apache/ssl.crt/
FBSD# mv server.crt server.crt.old
FBSD# cp /usr/local/etc/apache/ssl/server.crt .
FBSD# cd /usr/local/etc/apache/ssl.key/
FBSD# mv server.key server.key.old
FBSD# cp /usr/local/etc/apache/ssl/server.key .
(For safety, be sure to delete the temporary directory /usr/local/etc/apache/ssl)
FBSD# rm -rf /usr/local/etc/apache/ssl (delete the temporary directory)
6. Restart Apache
FBSD# /usr/local/etc/rc.d/apache.sh stop
FBSD# /usr/local/etc/rc.d/apache.sh start
7. Check again with a browser
https://ssl.kingisme.com/
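The same certificate procedure (steps 1 to 5) as an added, non-interactive shell example, not the article's own commands nor mod_ssl's sign.sh: it substitutes 'openssl x509 -req' for sign.sh, uses 2048-bit keys, puts the hostname in the CN and in a subjectAltName, and finishes with the chain-plus-hostname check that a browser performs. Assumptions: openssl is in PATH; the hostname ssl.kingisme.com is taken from the article's URL, and the remaining DN values are constructed.

```shell
#!/bin/sh
# Added example (not the article's or mod_ssl's own code): steps 1 to 5 above done
# non-interactively with the openssl CLI, followed by the check a browser performs.
# Assumptions: openssl in PATH; the hostname is the one in the article's URL;
# all other DN values are constructed for the demo.
set -e

# Build a private CA and a server certificate it signs, in directory $1 for host $2.
make_ca_and_server_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    (
        cd "$dir"
        # Minimal req config so the script does not depend on the system openssl.cnf;
        # v3_ca marks the self-signed certificate as a CA.
        printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > req.cnf
        # Step 1: CA private key, created under umask 077 so it is never world-readable.
        (umask 077; openssl genrsa -out ca.key 2048 2>/dev/null)
        # Step 2: self-signed CA certificate, 10 years like the article's -days 3650.
        openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config req.cnf \
            -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=Demo Private CA/CN=Demo Private CA"
        # Step 3: server private key (2048 bits; 1024-bit RSA is no longer adequate).
        (umask 077; openssl genrsa -out server.key 2048 2>/dev/null)
        # Step 4: CSR. The CN must be the hostname clients connect to, not a person's name.
        openssl req -new -key server.key -out server.csr -config req.cnf \
            -subj "/C=CN/ST=GuangDong/L=GuangZhou/O=Kingisme.com xBSD Studio/CN=$host"
        # Signing: 'openssl x509 -req' stands in for sign.sh's 'openssl ca'. A SAN is added
        # because current browsers match the hostname against the SAN, not the CN.
        printf 'subjectAltName=DNS:%s\n' "$host" > san.ext
        openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile san.ext -out server.crt 2>/dev/null
        # Step 5: permissions as in the article, private keys owner-read-only.
        chmod 400 ca.key server.key
        chmod 444 ca.crt server.crt
    )
}

# Succeed only if server.crt in $1 chains to ca.crt AND is valid for hostname $2.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Stand-alone demo in a scratch directory.
demo=$(mktemp -d)
make_ca_and_server_cert "$demo" ssl.kingisme.com
verify_server_cert "$demo" ssl.kingisme.com && echo "server.crt: OK for ssl.kingisme.com"
verify_server_cert "$demo" www.example.com || echo "server.crt: rejected for www.example.com (hostname mismatch)"
rm -rf "$demo"
```

With the article's Common Name of 'ihweb', browsers would report a name mismatch against ssl.kingisme.com even though the chain verifies. Also note that step 5's rm -rf removes ca.key together with the temporary directory, so keep the CA key somewhere safe if you intend to sign further certificates with it.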
Finally, I want to thank a good friend, 红袖添香. Without her hands-on guidance over the past days, I don't believe this article could have been written. Let me use this small corner of the article to say: "Sister Hong, thank you."
I didn't expect anyone would still remember 红袖 after she has been away from CU for so long.. heh~~