

February 11, 2004

A CA certificate for the Apache server

Copyright notice: this article may be freely reproduced; when reproducing it, you must give the original source and author information as a hyperlink, together with this notice.
https://windtear.net/archives/2004/02/11/000412.html

On 17 November 2003 the certificate of mail.ipcn.org, after a year of service, expired.
Today I felt like redoing the certificate; to avoid the hassle, I'll just give it 10 years.

cd /etc/httpd/conf
vi Makefile
Change the openssl line of the testcert target so that it reads (-days 3650 instead of one year):
   /usr/bin/openssl req -new -key $(KEY) -x509 -days 3650 -out $(CRT)

[Wed Feb 11 02:03:32 /etc/httpd/conf]
root@ipcn.org# make genkey
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
.....++++++
..............................++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

To keep Apache from prompting for the passphrase at startup, write an unencrypted copy of the key and keep the encrypted original as server.key.cryp. The plain key is then protected only by its file mode, which the umask 77 above leaves at 0600 (owner root):
cd ssl.key/
mv server.key server.key.cryp
openssl rsa -in server.key.cryp -out server.key
root@ipcn.org# openssl rsa -in server.key.cryp -out server.key
read RSA key
Enter PEM pass phrase:
writing RSA key

[Wed Feb 11 02:06:19 /etc/httpd/conf/ssl.key]
root@ipcn.org# cd ..
[Wed Feb 11 02:06:56 /etc/httpd/conf]
root@ipcn.org# make certreq
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key \
-out /etc/httpd/conf/ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Bei Jing
Locality Name (eg, city) [Newbury]:Bei Jing
Organization Name (eg, company) [My Company Ltd]:IPCN
Organizational Unit Name (eg, section) []:IPCN
Common Name (eg, your name or your server's hostname) []:mail.ipcn.org
Email Address []:windtear@ipcn.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[Wed Feb 11 02:08:03 /etc/httpd/conf]
root@ipcn.org# make testcert
umask 77 ; \
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 \
-days 3650 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Bei Jing
Locality Name (eg, city) [Newbury]:Bei Jing
Organization Name (eg, company) [My Company Ltd]:IPCN
Organizational Unit Name (eg, section) []:IPCN
Common Name (eg, your name or your server's hostname) []:mail.ipcn.org
Email Address []:windtear@ipcn.org

[Wed Feb 11 02:08:34 /etc/httpd/conf]
root@ipcn.org# /etc/rc.d/init.d/httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Done.
Summary: first make the key, then the CSR, then the signed certificate (crt).
For Apache itself, following the Makefile, making the key and the crt is enough: `make testcert` runs `req -x509`, which signs the certificate with the server's own key, so the CSR is only needed when a separate CA is to do the signing. Note that the self-signed crt produced this way (see the dump in the appendix) carries `X509v3 Basic Constraints: CA:TRUE`, so a browser that imports it as a trusted root will trust anything signed with this key; a 1024-bit key and an md5WithRSAEncryption signature are also far below what is acceptable today.
What the user's browser installs is the crt; if the user exports the crt from the browser in Base64 encoding, the result is the same as the server's file.
IE offers three export encodings:
DER encoded binary X.509 (.cer)
Base64 encoded X.509 (.cer)
Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)
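The three export encodings above, produced with openssl from a throwaway certificate, together with a check of the claim that a Base64 export is the same as the server's crt. This is an added example, not code from the original post; it assumes a POSIX sh and OpenSSL 1.1.1 or newer, and the working directory and subject are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): the DER, Base64/PEM and PKCS #7
# encodings IE can export, built with openssl from one certificate, and a check
# that every encoding still carries the same certificate and that the Base64
# form is byte-for-byte the server's file. WORK and the subject are illustrative.

WORK="${WORK:-$(mktemp -d)}"

# A throwaway self-signed cert to export: key and cert in one command.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=IPCN/CN=mail.ipcn.org" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# DER: the raw binary X.509 structure ("DER encoded binary X.509 (.CER)").
export_der() { openssl x509 -in "$WORK/server.crt" -outform DER -out "$WORK/server.der.cer"; }

# Base64: PEM, i.e. the same DER bytes base64-wrapped between
# BEGIN/END CERTIFICATE lines ("Base64 encoded X.509 (.CER)").
export_pem() { openssl x509 -in "$WORK/server.crt" -outform PEM -out "$WORK/server.b64.cer"; }

# PKCS #7: a SignedData container that carries certificates (and optionally a
# CRL); crl2pkcs7 -nocrl builds one holding just this cert (".P7B").
export_p7b() { openssl crl2pkcs7 -nocrl -certfile "$WORK/server.crt" -out "$WORK/server.p7b"; }

# SHA-256 fingerprint of the certificate inside a PEM, DER or PKCS #7 file.
# The fingerprint is computed over the DER bytes, whatever the container.
fingerprint_of() {
    case "$2" in
        pem) openssl x509 -in "$1" -inform PEM -noout -fingerprint -sha256 ;;
        der) openssl x509 -in "$1" -inform DER -noout -fingerprint -sha256 ;;
        p7b) openssl pkcs7 -in "$1" -print_certs |
             openssl x509 -noout -fingerprint -sha256 ;;
    esac
}

# All three exports must decode to the certificate the server holds.
all_encodings_agree() {
    f=$(fingerprint_of "$WORK/server.crt" pem)
    [ -n "$f" ] &&
    [ "$f" = "$(fingerprint_of "$WORK/server.der.cer" der)" ] &&
    [ "$f" = "$(fingerprint_of "$WORK/server.b64.cer" pem)" ] &&
    [ "$f" = "$(fingerprint_of "$WORK/server.p7b" p7b)" ]
}

# The post's claim: the Base64 export is identical to the server's crt file.
base64_export_equals_server_file() { cmp -s "$WORK/server.b64.cer" "$WORK/server.crt"; }

make_cert && export_der && export_pem && export_p7b
all_encodings_agree && echo "DER, Base64 and PKCS #7 exports carry the same certificate"
base64_export_equals_server_file && echo "Base64 export == server.crt"
```

The PKCS #7 path is the one to watch: a .p7b may hold several certificates (a server cert plus its chain), and `openssl pkcs7 -print_certs` emits them all; the pipeline above keeps only the first, which is the right one here because the container was built from a single file.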


=====
How to inspect the files:
openssl rsa -noout -text -in ssl.key/server.key
If instead you run
openssl rsa -noout -text -in ssl.key/server.key.cryp
it asks for the passphrase first and then prints the result. Either way the output includes the private exponent and the primes, i.e. the whole private key, so treat the output like the key file itself.

View the CSR and the certificate:
openssl req -noout -text -in ssl.csr/server.csr
openssl x509 -noout -text -in ssl.crt/server.crt
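The key -> CSR -> self-signed crt procedure from the Makefile above, run non-interactively, followed by the checks one actually wants after inspecting the files: that key, CSR and crt share one modulus, that the plain key is owner-only, and what `openssl verify` says about a self-signed cert with and without the crt installed as a trust anchor. This is an added example, not code from the original post; it assumes a POSIX sh and OpenSSL 1.1.1 or newer (for `-addext`), and WORK, SUBJ and HOST are illustrative values.

```shell
#!/bin/sh
# Added example (not from the original post): the genkey / certreq / testcert
# steps as a script, plus consistency checks. Assumes POSIX sh and
# OpenSSL >= 1.1.1; WORK, SUBJ and HOST are illustrative.

WORK="${WORK:-$(mktemp -d)}"
HOST="mail.ipcn.org"
SUBJ="/C=CN/ST=Bei Jing/L=Bei Jing/O=IPCN/OU=IPCN/CN=$HOST"

# 1. Key ("make genkey"). The post made an encrypted key and then wrote an
#    unencrypted copy so httpd could start unattended; the encrypted original
#    stays as server.key.cryp. 2048-bit RSA and AES-256 here instead of 1024/DES3.
make_key() {
    umask 077      # the Makefile's "umask 77": key files readable by the owner only
    openssl genrsa -aes256 -passout pass:changeme \
        -out "$WORK/server.key.cryp" 2048 2>/dev/null &&
    openssl rsa -in "$WORK/server.key.cryp" -passin pass:changeme \
        -out "$WORK/server.key" 2>/dev/null
}

# 2. CSR ("make certreq"): what a separate CA would sign.
make_csr() {
    openssl req -new -key "$WORK/server.key" -subj "$SUBJ" -out "$WORK/server.csr"
}

# 3. Self-signed certificate ("make testcert"): req -x509 signs with the same
#    key, so the CSR is not consumed. A subjectAltName is added because current
#    browsers match the hostname against the SAN, not the CN.
make_crt() {
    openssl req -new -key "$WORK/server.key" -x509 -days 3650 -subj "$SUBJ" \
        -addext "subjectAltName=DNS:$HOST" -out "$WORK/server.crt"
}

# RSA modulus of a key, CSR or certificate; equal moduli mean one key pair.
modulus_of() {
    case "$2" in
        key) openssl rsa  -noout -modulus -in "$1" ;;
        csr) openssl req  -noout -modulus -in "$1" ;;
        crt) openssl x509 -noout -modulus -in "$1" ;;
    esac
}

artefacts_match() {
    k=$(modulus_of "$WORK/server.key" key)
    [ -n "$k" ] &&
    [ "$k" = "$(modulus_of "$WORK/server.csr" csr)" ] &&
    [ "$k" = "$(modulus_of "$WORK/server.crt" crt)" ]
}

# The unencrypted key is protected by its file mode alone.
key_is_owner_only() {
    [ "$(ls -l "$WORK/server.key" | cut -c2-10)" = "rw-------" ]
}

cert_valid_now() { openssl x509 -noout -checkend 0 -in "$WORK/server.crt" >/dev/null; }

cert_has_san() {
    openssl x509 -noout -text -in "$WORK/server.crt" | grep -q "DNS:$HOST"
}

# A self-signed cert verifies only against itself: it is OK once the crt is
# installed as a trust anchor (what users do in their browser) and fails
# against the system store.
verifies_against_itself() {
    openssl verify -CAfile "$WORK/server.crt" "$WORK/server.crt" >/dev/null 2>&1
}
verifies_against_system_store() {
    openssl verify "$WORK/server.crt" >/dev/null 2>&1
}

make_key && make_csr && make_crt
openssl x509 -noout -subject -enddate -in "$WORK/server.crt"
artefacts_match && echo "key, CSR and crt share one modulus"
key_is_owner_only && echo "server.key is mode 0600"
cert_has_san && echo "SAN covers $HOST"
verifies_against_itself && echo "verify with -CAfile server.crt: OK"
verifies_against_system_store || echo "verify against the system store: fails, as expected for a self-signed cert"
```

The modulus comparison is the check to run whenever Apache refuses to start after a certificate change: a crt issued for a different key than the one in SSLCertificateKeyFile shows up as differing moduli before it shows up as a cryptic startup error.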

httpd.conf configuration

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl


ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
......

Start it with
apachectl startssl
or
/etc/rc.d/init.d/httpd
......

# Find the installed modules and convert their names into arguments httpd
# can use.
moduleargs() {
        moduledir=/usr/lib/apache
        moduleargs=`
        /usr/bin/find ${moduledir} -type f -perm -0100 -name "*.so" \
        | env -i tr '[:lower:]' '[:upper:]' | awk '{\
        gsub(/.*\//,"");\
        gsub(/^MOD_/,"");\
        gsub(/^LIB/,"");\
        gsub(/\.SO$/,"");\
        print "-DHAVE_" $0}'`
        echo ${moduleargs}
}
......
start() {
        echo -n $"Starting $prog: "
        daemon $httpd `moduleargs` $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch /var/lock/subsys/httpd
        return $RETVAL
}
......
----->   Appendix
[Wed Feb 11 02:24:52 /etc/httpd/conf]
root@ipcn.org# openssl rsa -noout -text -in ssl.key/server.key.cryp
read RSA key
Enter PEM pass phrase:
Private-Key: (1024 bit)
modulus:
    00:b7:b0:d8:7d:97:bd:f6:ae:90:9b:19:da:46:91:
    7a:d1:5a:61:e5:1b:03:d4:f3:1c:50:72:ac:bd:20:
    c9:78:0b:36:01:c7:f0:7d:6f:0f:9b:2b:72:fa:bb:
    3c:86:64:b2:a6:36:75:fa:79:6d:86:d9:95:15:32:
    ae:ba:fd:95:82:b3:ff:37:b7:73:b2:59:a2:a0:74:
    d6:ff:b0:d2:43:b1:53:61:88:b9:fe:99:68:b9:c3:
    2e:95:e0:cf:b3:81:09:e4:b6:75:39:3d:23:0c:7d:
    f7:fe:82:96:42:40:a0:c8:67:4d:29:99:c6:70:e7:
    8a:82:f1:61:bc:38:5f:a4:93
publicExponent: 65537 (0x10001)
privateExponent:
    78:15:e8:b1:d2:6d:a1:c2:e5:4e:40:4c:6e:2d:d5:
    38:df:f9:77:a9:7d:8b:cd:93:09:14:ae:d0:c5:8a:
    70:2c:04:16:8d:fb:2e:45:58:d2:7c:49:22:99:1d:
    2c:4e:d0:6b:d0:d6:b7:f4:82:21:d2:44:a0:23:0e:
    0f:b8:8f:f0:51:bc:f7:0d:ea:b9:ef:a1:54:78:88:
    2c:e3:42:28:5c:ee:b1:3a:48:1b:31:dc:51:5c:a1:
    1b:06:6f:c4:a4:b0:2e:16:81:1c:15:a0:4d:a5:35:
    22:ee:44:00:eb:77:86:89:7a:84:92:ec:77:d7:a2:
    12:92:30:4e:45:7f:4a:e1
prime1:
    00:ed:92:4c:7c:54:df:84:64:03:e2:fe:eb:c2:4d:
    31:5b:04:99:df:7b:17:72:72:43:4d:de:c3:e1:24:
    f2:13:41:7d:88:cd:1f:b4:36:14:05:4f:4f:a7:12:
    01:89:d1:2b:55:2d:32:88:92:5c:fd:32:b7:ac:89:
    2f:ed:79:10:6f
prime2:
    00:c5:f0:95:38:19:28:f4:f7:13:89:3c:67:84:06:
    2f:6d:ff:ba:3f:3d:01:86:da:e8:ef:cf:d5:96:27:
    1d:c1:1e:98:9c:df:08:2a:a8:bd:11:b3:bf:8b:31:
    5e:c2:a9:be:30:ed:30:15:e7:d7:90:cc:b3:f0:b8:
    e6:9a:37:b8:1d
exponent1:
    03:81:60:1d:89:87:0e:c6:07:04:a7:6c:45:1e:ac:
    76:c2:57:9e:e3:8b:12:06:3b:95:ff:8e:76:58:fc:
    35:6a:86:f6:a8:c8:29:f9:8e:4c:11:c2:84:1d:90:
    e6:3e:ae:db:ff:e1:ba:00:26:dd:19:8d:7a:3f:3f:
    f4:ca:0f:83
exponent2:
    00:b7:11:64:a1:26:bb:f7:9c:50:88:3b:c2:ad:9b:
    9e:e0:48:85:34:19:b3:40:cb:54:66:ff:bc:d6:0b:
    c5:7c:28:55:13:b9:3f:6f:5c:f2:c8:dd:8b:09:2c:
    97:2c:c9:1b:2b:5b:23:7f:0f:17:13:48:10:20:52:
    92:8d:0d:7d:8d
coefficient:
    1d:73:08:a0:d2:a8:4b:da:d5:e3:a9:3c:18:71:fb:
    85:86:28:b7:93:06:0d:6a:73:74:a9:f7:e5:0d:bc:
    4c:47:37:34:99:13:16:60:53:96:91:d0:f4:ea:e1:
    9f:33:96:39:39:0a:e0:6d:13:fe:ab:81:52:b0:7c:
    40:1c:d9:f1

[Wed Feb 11 02:26:32 /etc/httpd/conf]
root@ipcn.org# openssl req -noout -text -in ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=CN, ST=Bei Jing, L=Bei Jing, O=IPCN, OU=IPCN, CN=mail.ipcn.org/Email=windtear@ipcn.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b7:b0:d8:7d:97:bd:f6:ae:90:9b:19:da:46:91:
                    7a:d1:5a:61:e5:1b:03:d4:f3:1c:50:72:ac:bd:20:
                    c9:78:0b:36:01:c7:f0:7d:6f:0f:9b:2b:72:fa:bb:
                    3c:86:64:b2:a6:36:75:fa:79:6d:86:d9:95:15:32:
                    ae:ba:fd:95:82:b3:ff:37:b7:73:b2:59:a2:a0:74:
                    d6:ff:b0:d2:43:b1:53:61:88:b9:fe:99:68:b9:c3:
                    2e:95:e0:cf:b3:81:09:e4:b6:75:39:3d:23:0c:7d:
                    f7:fe:82:96:42:40:a0:c8:67:4d:29:99:c6:70:e7:
                    8a:82:f1:61:bc:38:5f:a4:93
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: md5WithRSAEncryption
        22:63:ba:82:d5:c2:01:d3:fc:fa:82:b8:da:45:bc:8f:df:02:
        be:d9:e5:18:28:e5:50:64:42:e2:25:86:01:8b:04:79:3e:b0:
        a2:b1:ac:41:18:c3:c3:cc:c6:6c:6d:e3:2f:aa:0c:a7:23:89:
        ff:83:56:8a:2f:f5:4a:88:cd:ae:1f:f0:3f:8f:42:ba:a1:d0:
        6e:fb:af:ff:54:29:7e:0c:2b:06:a7:50:a0:7f:38:7d:5e:88:
        2b:e8:b3:8d:8a:d4:c3:e2:7c:ae:c2:6f:80:e7:f7:d7:75:04:
        bf:3e:a4:ae:79:94:c9:04:f7:7c:51:ba:55:23:49:13:b5:29:
        3f:fd

[Wed Feb 11 02:27:25 /etc/httpd/conf]
root@ipcn.org#

[Wed Feb 11 02:24:59 /etc/httpd/conf]
root@ipcn.org# openssl x509 -noout -text -in ssl.crt/server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CN, ST=Bei Jing, L=Bei Jing, O=IPCN, OU=IPCN, CN=mail.ipcn.org/Email=windtear@ipcn.org
        Validity
            Not Before: Feb 10 18:08:34 2004 GMT
            Not After : Feb  7 18:08:34 2014 GMT
        Subject: C=CN, ST=Bei Jing, L=Bei Jing, O=IPCN, OU=IPCN, CN=mail.ipcn.org/Email=windtear@ipcn.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:b7:b0:d8:7d:97:bd:f6:ae:90:9b:19:da:46:91:
                    7a:d1:5a:61:e5:1b:03:d4:f3:1c:50:72:ac:bd:20:
                    c9:78:0b:36:01:c7:f0:7d:6f:0f:9b:2b:72:fa:bb:
                    3c:86:64:b2:a6:36:75:fa:79:6d:86:d9:95:15:32:
                    ae:ba:fd:95:82:b3:ff:37:b7:73:b2:59:a2:a0:74:
                    d6:ff:b0:d2:43:b1:53:61:88:b9:fe:99:68:b9:c3:
                    2e:95:e0:cf:b3:81:09:e4:b6:75:39:3d:23:0c:7d:
                    f7:fe:82:96:42:40:a0:c8:67:4d:29:99:c6:70:e7:
                    8a:82:f1:61:bc:38:5f:a4:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                FB:CF:A0:13:BA:34:86:00:16:E1:47:98:B4:D6:3D:4E:D9:88:6F:74
            X509v3 Authority Key Identifier:
                keyid:FB:CF:A0:13:BA:34:86:00:16:E1:47:98:B4:D6:3D:4E:D9:88:6F:74
                DirName:/C=CN/ST=Bei Jing/L=Bei Jing/O=IPCN/OU=IPCN/CN=mail.ipcn.org/Email=windtear@ipcn.org
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
        25:ba:3d:3b:c3:6c:66:79:06:5a:dd:44:2e:b5:46:35:3d:c2:
        e9:1d:0d:97:6d:69:23:f7:9f:6d:e1:15:df:89:8f:06:56:0c:
        11:ac:02:19:fb:f3:20:b3:86:e3:af:ec:1c:68:fa:64:7c:26:
        4a:a8:63:31:6c:f3:4f:41:6c:2a:b4:66:07:1e:13:f9:af:2e:
        a9:6f:3a:3b:08:20:69:a2:27:fb:0d:e2:f7:13:40:97:bf:b8:
        ec:b4:ec:fe:34:77:2b:eb:ea:4a:44:be:37:30:88:8b:96:d6:
        ad:7c:e7:95:18:03:59:61:73:79:24:21:b3:26:fb:9c:65:42:
        75:06

Posted by windtear at February 11, 2004 2:41 AM
