1.

testing ! ...

1

1 原文参考链接: http://showerlee.blog.51cto.com/2047005/1266712

很久没有更新LAMP的相关文档了,刚好最近单位做项目需要用到apache的SSL虚拟主机双向认证,刚好之前在做LAMP的时候顺带做过SSL模块加载,SO参考了google大量文档,用了半天时间搞定,这里总结出来给大家分享一下。

该方案是为了实现apache下实现SSL虚拟主机双向认证,从而实现可信任用户才能访问具体虚拟站点,实现了数据加密以及双向可靠认证。

我的博客新站已经建好,更多新的内容即将在新站更新。。

欢迎访问     http://www.showerlee.com

LINUX操作系统:  centOS6.3 64bit(安装系统默认开发包)

APACHE:         httpd-2.4.4

SSL:            ssl.ca-0.1

解决方案:

一.关闭iptables和SELINUX

# service iptables stop

# setenforce 0

# vi /etc/sysconfig/selinux

---------------

SELINUX=disabled

---------------

二.编译安装apache

1.安装pcre依赖包

# wget http://sourceforge.net/projects/pcre/files/pcre/8.32/pcre-8.32.tar.gz/download

# tar -xzvf pcre-8.32.tar.gz

# cd pcre-8.32

# ./configure --prefix=/usr/local/pcre

# make && make install

2.apache配置:

1).下载apache与apr编译包

# wget http://archive.apache.org/dist/httpd/httpd-2.4.3-deps.tar.bz2

# wget http://archive.apache.org/dist/httpd/httpd-2.4.4.tar.bz2

2).将apache与apr编译包整合

注:httpd-2.4.3-deps.tar.bz2已集成APR,安装apache前检查pcre是否安装成功.

# tar jxvf httpd-2.4.4.tar.bz2

# tar jxvf httpd-2.4.3-deps.tar.bz2

# cp -rf httpd-2.4.3/* httpd-2.4.4

3).编译安装(加载mod_ssl模块)

# cd httpd-2.4.4

# ./configure --prefix=/usr/local/apache2 --enable-so --enable-rewrite  -enable-ssl=static -with-ssl=/usr/local/ssl -enable-mods-shared=all --with-pcre=/usr/local/pcre/bin/pcre-config

# make && make install

注:编译过程中如果报错:

----------------------------------

checking for OpenSSL version >= 0.9.7… FAILED

configure: WARNING:  OpenSSL version is too old

no

checking whether to enable mod_ssl…  configure: error: mod_ssl has been requested but can not be built due to  prerequisite failures

-----------------------------------

解决办法

# yum install openssl-devel -y

# yum update openssl -y

三.SSL单向认证配置

1.加载ssl配置文件:

# vi /usr/local/apache2/conf/httpd.conf

搜索"Include conf/extra/httpd-ssl.conf", 并将这行前面的"#"去掉

2.配置ssl:

# vi /usr/local/apache2/conf/extra/httpd-ssl.conf

搜索"shmcb:/usr/local/apache2/logs/ssl_scache(512000)",并将这行加"#"注释掉

确认以下几行配置无误:

----------------------------

Listen 443

SSLEngine on

SSLCertificateFile "/usr/local/apache2/conf/server.crt"

SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"

----------------------------

3.证书配置:

1).下载并解压ssl证书生成压缩包:

# cd /usr/local/apache2/conf

# wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz

# tar zxvf ssl.ca-0.1.tar.gz

# cd ssl.ca-0.1

2).利用ssl内脚本生成根证书:

# ./new-root-ca.sh

---------------------------------------------------

No Root CA key round. Generating one

Generating RSA private key, 1024 bit  long modulus

………………………++++++

….++++++

e is 65537 (0×10001)

Enter  pass phrase for ca.key: (输入一个密码)

Verifying – Enter pass phrase for ca.key:  (再输入一次密码)

……

Self-sign the root CA… (签署根证书)

Enter pass phrase for  ca.key: (输入刚刚设置的密码)

……..

…….. (下面开始签署)

Country Name (2 letter code)  [MY]:CN

State or Province Name (full name) [Perak]:JiangSu

Locality Name  (eg, city) [Sitiawan]:NanJing

Organization Name (eg, company) [My Directory  Sdn Bhd]:example Co.,Ltd

Organizational Unit Name (eg, section)  [Certification Services Division]:example

Common Name (eg, MD Root CA)  []:example

Email Address []:info@example.com

--------------------------------------------------

这样就生成了ca.key和ca.crt两个文件

3).生成服务端证书:

# ./new-server-cert.sh server

注:证书名为server

----------------------------------------------------

……

……

Country Name (2 letter code) [MY]:CN

State or  Province Name (full name) [Perak]:JiangSu

Locality Name (eg, city)  [Sitiawan]:NanJing

Organization Name (eg, company) [My Directory Sdn  Bhd]:example Co.,Ltd

Organizational Unit Name (eg, section) [Secure Web  Server]:example

Common Name (eg, www.domain.com)  []:www.example.com

Email Address  []:info@example.com

-----------------------------------------------------

这样就生成了server.csr和server.key这两个文件。

4).签署服务端证书:

#  ./sign-server-cert.sh server

-------------------------------------------------

CA signing: server.csr ->  server.crt:

Using configuration from ca.config

Enter pass phrase for  ./ca.key: (输入上面设置的根证书密码)

Check that the request matches the  signature

Signature ok

The Subject’s Distinguished Name is as  follows

countryName   RINTABLE:’CN’

stateOrProvinceName   RINTABLE:’JiangSu’

localityName   RINTABLE:’NanJing’

organizationName   RINTABLE:’example Co.,Ltd’

organizationalUnitName:PRINTABLE:’example’

commonName   RINTABLE:’www.example.com’

emailAddress  :IA5STRING:’info@example.com’

Certificate is to be certified until Jul 16  12:55:34 2005 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1  certificate requests certified, commit? [y/n]y

Write out database with 1 new  entries

Data Base Updated

CA verifying: server.crt <-> CA  cert

server.crt: OK

-------------------------------------------

注:如果这里出现错误,最好重新来过,删除ssl.ca-0.1这个目录,从解压缩处重新开始。

下面要按照httpd-ssl.conf的设置,将证书放在适当的位置。

5).配置证书相关权限和路径:

# cd /usr/local/apache2/conf/ssl.ca-0.1

# chmod 644 server.key server.crt ca.crt

# mv server.key ..

# mv server.crt ..

# mv ca.crt ..

4.配置https实现SSL虚拟主机单向加密

1).加载虚拟主机配置文件:

# vi /usr/local/apache2/conf/httpd.conf

搜索"Include conf/extra/httpd-vhosts.conf", 并将这行前面的"#"去掉

2).让www.example.com虚拟主机实现https访问

# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf

添加如下内容:

---------------------------

<VirtualHost *:443>

DocumentRoot "/usr/local/apache2/htdocs/www.example.com/"

ServerAlias www.example.com

SSLEngine on

SSLCertificateFile "/usr/local/apache2/conf/server.crt"

SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

SSLCACertificateFile "/usr/local/apache2/conf/ca.crt"

</VirtualHost>

----------------------------

# cd /usr/local/apache2/htdocs

# mkdir www.example.com

# cd www.example.com/

# echo "this is a test SSL web page" > index.html

3).启动服务:

# /usr/local/apache2/bin/apachectl start

4).查看SSL端口是否打开:

# lsof -i:443

---------------------------------

COMMAND    PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME

httpd   125366   root    6u  IPv6 6351523      0t0  TCP *:https (LISTEN)

httpd   125885 daemon    6u  IPv6 6351523      0t0  TCP *:https (LISTEN)

httpd   125886 daemon    6u  IPv6 6351523      0t0  TCP *:https (LISTEN)

httpd   125887 daemon    6u  IPv6 6351523      0t0  TCP *:https (LISTEN)

httpd   125946 daemon    6u  IPv6 6351523      0t0  TCP *:https (LISTEN)

---------------------------------

5).浏览器输入 https://www.example.com

注:需配置本机HOST文件

如图:

四.SSL双向认证配置:

1.为客户端生成一个证书:

# /usr/local/apache2/conf/ssl.ca-0.1

# ./new-user-cert.sh client1

-----------------------------------------

No client1.key round. Generating one

Generating RSA private key, 1024 bit long modulus

...........++++++

...++++++

e is 65537 (0x10001)

Fill in certificate data

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Common Name (eg, John Doe) []:client1

Email Address []:info@example.com

You may now run ./sign-user-cert.sh to get it signed

-------------------------------------------

2.签署该证书:

# ./sign-user-cert.sh client1

--------------------------------------

CA signing: client1.csr -> client1.crt:

Using configuration from ca.config

Enter pass phrase for ./ca.key: (输入ca根认证密码)

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

commonName            :PRINTABLE:'client1'

emailAddress          :IA5STRING:'info@example.com'

Certificate is to be certified until Aug  8 08:41:51 2014 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

CA verifying: client1.crt <-> CA cert

client1.crt: OK

------------------------------------

3.将该客户端证书转换成浏览器可识别的.p12格式

# ./p12.sh client1

-------------------------------------

Enter Export Password: (输入ca根认证密码)

Verifying - Enter Export Password: (确认)

The certificate for client1 has been collected into a pkcs12 file.

You can download to your browser and import it.

--------------------------------------

# ll client1.p12

--------------------------------------

-rw-r--r-- 1 root root 2601 8月   8 16:44 client1.p12

--------------------------------------

4.将该p12文件分发给可信任的客户端,实现双向证书加密功能

注:此处将该文件传送到本机作为示例,实际线上可以利用程序实现证书认证下载

# sz client1.p12

5.配置https实现SSL虚拟主机双向加密

# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf

添加如下内容:

----------------------------

<VirtualHost *:443>

DocumentRoot "/usr/local/apache2/htdocs/www.example.com/"

ServerAlias www.example.com

SSLEngine on

SSLCertificateFile "/usr/local/apache2/conf/server.crt"

SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

SSLCACertificateFile  "/usr/local/apache2/conf/ca.crt"

SSLVerifyClient require

SSLVerifyDepth 10

</VirtualHost>

----------------------------

6.测试结果

1).使用Chrome浏览器输入 https://www.example.com

未导入客户端证书,提示SSL连接出错

2).SO导入证书:

a.windows下运行该证书文件

b.进入证书导入向导,一路下一步即可完成操作

这里输入ca根证书密码

重新使用Chrome浏览器输入 https://www.example.com

提示

大功告成...

本文出自 “一路向北” 博客,请务必保留此出处http://showerlee.blog.51cto.com/2047005/1266712

1

2 .基于apache双向ssl虚拟主机服务配置: http://881955.blog.51cto.com/871955/1652747

因为公司需要最近一直研究apache双向认证的问题,公司只有一台服务器,这台服务器上部署着wiki知识库,owncloud私有云,phpmyadmin,zendaopms。现在想实现owncloud需要证书认证的方式才能访问,其他三个可以通过http访问。想要实现这样的环境需要用到apache双向ssl的配置还有apache虚拟主机的知识。

软件环境 
Apache Httpd 2.2.16  
openssl-1.0.0e.tar.gz
SSL-Tools(http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz )

1、  安装openssl

#tar zxvf openssl-1.0.0e.tar.gz
#cd openssl-1.0.0e.tar.gz
#./config –prefix=/usr/local/openssl
#make 
#make install

2、  Httpd的安装

#tar zxvf httpd-2.2.16.tar.gz 
#cd httpd-2.2.16 
#./configure
--prefix=/usr/local/apache2
--with-included-apr  --enable-mods-shared=most  --enable-ssl
 --enable-rewrite  --enable-so --with-ssl=/usr/local/openssl
#make 
#make install

此步骤在/apache/httpd目录中安装httpd服务(通过参数--prefix指定),同时使用--with-ssl指定刚才所安装OpenSSL的路径,用于将mod_ssl静态的编译到httpd服务中。

3.制作证书

我们必须手工来生成SSL用到的证书,对证书不熟悉的人,有一个工具可以使用:http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz 。下面是如何通过这个工具来生成证书的过程:

#cpssl.ca-0.1.tar.gz /usr/local/apache/httpd/conf 
#cd/usr/local/apache/conf 
#tar zxvfssl.ca-0.1.tar.gz 
#cd ssl.ca-0.1 
#./new-root-ca.sh (生成根证书) 
No Root CA keyround. Generating one 
Generating RSAprivate key, 1024 bit long modulus 
...........................++++++ 
....++++++ 
e is 65537(0x10001) 
Enter pass phrasefor ca.key: (输入一个密码) 
Verifying - Enterpass phrase for ca.key: (再输入一次密码) 
...... 
Self-sign the rootCA... (签署根证书) 
Enter pass phrasefor ca.key: (输入刚刚设置的密码) 
........ 
........ (下面开始签署) 
Country Name (2letter code) [MY]:CN 
State or ProvinceName (full name) [Perak]:Beijing//随你喜欢 
Locality Name (eg,city) [Sitiawan]:Beijing//随你喜欢 
Organization Name(eg, company) [My Directory Sdn Bhd]:chosen//随你喜欢 
Organizational UnitName (eg, section) [Certification Services Division]:tech//随你喜欢 
Common Name (eg, MDRoot CA) []:tech//随你喜欢 
Email Address []:di.wang@chosenglobal.com//随你喜欢 
这样就生成了ca.key和ca.crt两个文件,下面还要为我们的服务器生成一个证书: 
#./new-server-cert.sh server (这个证书的名字是server) 
...... 
...... 
Country Name (2letter code) [MY]:CN 
State or ProvinceName (full name) [Perak]:Beijing 
Locality Name (eg,city) [Sitiawan]: Beijing
Organization Name(eg, company) [My Directory Sdn Bhd]:chosen 
Organizational UnitName (eg, section) [Secure Web Server]:tech
Common Name (eg,www.domain.com) []:tech
Email Address []:di.wang@chosenglobal.com
这样就生成了server.csr和server.key这两个文件。 
还需要签署一下才能使用的: 
#./sign-server-cert.sh server 
CA signing:server.csr -> server.crt: 
Using configurationfrom ca.config 
Enter pass phrasefor ./ca.key: (输入上面设置的根证书密码) 
Check that therequest matches the signature 
Signature ok 
The Subject'sDistinguished Name is as follows 
countryName:PRINTABLE:'CN' 
stateOrProvinceName:PRINTABLE:'Beijing' 
localityName:PRINTABLE:’Beijing’ 
organizationName:PRINTABLE:'chosen' 
organizationalUnitName:PRINTABLE:'chosen' 
commonName:PRINTABLE:'tech' 
emailAddress:IA5STRING:' di.wang@chosenglobal.com ' 
Certificate is tobe certified until Jan 19 21:59:46 2011 GMT (365 days) 
Sign thecertificate? [y/n]:y 
1 out of 1certificate requests certified, commit? [y/n]y 
Write out databasewith 1 new entries 
Data Base Updated 
CA verifying:server.crt <-> CA cert 
server.crt: OK

4、配置证书相关权限和路径:

# cd /usr/local/apache2/conf/ssl.ca-0.1

# chmod 644 server.key  server.crt  ca.crt

5、SSL双向认证配置

为客户端生成一个证书:

# /usr/local/apache2/conf/ssl.ca-0.1

# ./new-user-cert.sh client1

-----------------------------------------

No client1.key round. Generating one

Generating RSA private key, 1024 bit long modulus

...........++++++

...++++++

e is 65537 (0x10001)

Fill in certificate data

You are about to be asked to enter information that will beincorporated

into your certificate request.

What you are about to enter is what is called a DistinguishedName or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Common Name (eg, John Doe) []:client1

Email Address []:di.wang@chosenglobal.com

You may now run ./sign-user-cert.sh to get it signed

-------------------------------------------

签署该证书:

# ./sign-user-cert.sh client1

--------------------------------------

CA signing: client1.csr -> client1.crt:

Using configuration from ca.config

Enter pass phrase for ./ca.key: (输入ca根认证密码)

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

commonName           :PRINTABLE:'client1'

emailAddress         :IA5STRING:'info@example.com'

Certificate is to be certified until Aug  8 08:41:512014 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

CA verifying: client1.crt <-> CA cert

client1.crt: OK

------------------------------------

将该客户端证书转换成浏览器可识别的.p12格式

# ./p12.sh client1

-------------------------------------

Enter Export Password: (输入ca根认证密码)

Verifying - Enter Export Password: (确认)

The certificate for client1 has been collected into a pkcs12file.

You can download to your browser and import it.

--------------------------------------

# ll client1.p12

--------------------------------------

-rw-r--r-- 1 root root 2601 8月   8 16:44 client1.p12

--------------------------------------

将该p12文件分发给可信任的客户端,实现双向证书加密功能

注:此处将该文件传送到本机作为示例,实际线上可以利用程序实现证书认证下载

配置https实现SSL虚拟主机双向加密

# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf

添加如下内容:

----------------------------

<VirtualHost *:443>

DocumentRoot"/usr/local/apache2/htdocs"

ServerAliashttps://10.10.10.1

SSLEngine on

SSLCertificateFile"/usr/local/ssl.ca/server.crt"

SSLCertificateKeyFile "/usr/local/ssl.ca/server.key"

SSLCACertificateFile "/usr/local/ssl.ca/ca.crt"

SSLVerifyClient require

SSLVerifyDepth 10

</VirtualHost>----------------------------

6、测试结果

1).使用Chrome浏览器输入 https://10.10.10.1/owncloud

未导入客户端证书,提示SSL连接出错

2).SO导入证书:

a.windows下运行该证书文件

b.进入证书导入向导,一路下一步即可完成操作

重新使用Chrome浏览器输入 http://10.10.10.1/owncloud

提示

参考资料:

http://blog.csdn.net/passwordport/article/details/8005292  apache2 ssl 双向认证

http://www.showerlee.com/archives/1211  Centos6.3下apache实现SSL虚拟主机双向认证

http://honghuihun.iteye.com/blog/1137204  linux下apache-ssl配置

1

1

1

1

1

基于apache双向ssl虚拟主机服务配置: http://881955.blog.51cto.com/871955/1652747

因为公司需要最近一直研究apache双向认证的问题,公司只有一台服务器,这台服务器上部署着wiki知识库,owncloud私有云,phpmyadmin,zendaopms。现在想实现owncloud需要证书认证的方式才能访问,其他三个可以通过http访问。想要实现这样的环境需要用到apache双向ssl的配置还有apache虚拟主机的知识。

软件环境 
Apache Httpd 2.2.16  
openssl-1.0.0e.tar.gz
SSL-Tools(http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz )

1、  安装openssl

#tar zxvf openssl-1.0.0e.tar.gz
#cd openssl-1.0.0e.tar.gz
#./config –prefix=/usr/local/openssl
#make 
#make install

2、  Httpd的安装

#tar zxvf httpd-2.2.16.tar.gz 
#cd httpd-2.2.16 
#./configure
--prefix=/usr/local/apache2
--with-included-apr  --enable-mods-shared=most  --enable-ssl
 --enable-rewrite  --enable-so --with-ssl=/usr/local/openssl
#make 
#make install

此步骤在/apache/httpd目录中安装httpd服务(通过参数--prefix指定),同时使用--with-ssl指定刚才所安装OpenSSL的路径,用于将mod_ssl静态的编译到httpd服务中。

3.制作证书

我们必须手工来生成SSL用到的证书,对证书不熟悉的人,有一个工具可以使用:http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz 。下面是如何通过这个工具来生成证书的过程:

#cpssl.ca-0.1.tar.gz /usr/local/apache/httpd/conf 
#cd/usr/local/apache/conf 
#tar zxvfssl.ca-0.1.tar.gz 
#cd ssl.ca-0.1 
#./new-root-ca.sh (生成根证书) 
No Root CA keyround. Generating one 
Generating RSAprivate key, 1024 bit long modulus 
...........................++++++ 
....++++++ 
e is 65537(0x10001) 
Enter pass phrasefor ca.key: (输入一个密码) 
Verifying - Enterpass phrase for ca.key: (再输入一次密码) 
...... 
Self-sign the rootCA... (签署根证书) 
Enter pass phrasefor ca.key: (输入刚刚设置的密码) 
........ 
........ (下面开始签署) 
Country Name (2letter code) [MY]:CN 
State or ProvinceName (full name) [Perak]:Beijing//随你喜欢 
Locality Name (eg,city) [Sitiawan]:Beijing//随你喜欢 
Organization Name(eg, company) [My Directory Sdn Bhd]:chosen//随你喜欢 
Organizational UnitName (eg, section) [Certification Services Division]:tech//随你喜欢 
Common Name (eg, MDRoot CA) []:tech//随你喜欢 
Email Address []:di.wang@chosenglobal.com//随你喜欢 
这样就生成了ca.key和ca.crt两个文件,下面还要为我们的服务器生成一个证书: 
#./new-server-cert.sh server (这个证书的名字是server) 
...... 
...... 
Country Name (2letter code) [MY]:CN 
State or ProvinceName (full name) [Perak]:Beijing 
Locality Name (eg,city) [Sitiawan]: Beijing
Organization Name(eg, company) [My Directory Sdn Bhd]:chosen 
Organizational UnitName (eg, section) [Secure Web Server]:tech
Common Name (eg,www.domain.com) []:tech
Email Address []:di.wang@chosenglobal.com
这样就生成了server.csr和server.key这两个文件。 
还需要签署一下才能使用的: 
#./sign-server-cert.sh server 
CA signing:server.csr -> server.crt: 
Using configurationfrom ca.config 
Enter pass phrasefor ./ca.key: (输入上面设置的根证书密码) 
Check that therequest matches the signature 
Signature ok 
The Subject'sDistinguished Name is as follows 
countryName:PRINTABLE:'CN' 
stateOrProvinceName:PRINTABLE:'Beijing' 
localityName:PRINTABLE:’Beijing’ 
organizationName:PRINTABLE:'chosen' 
organizationalUnitName:PRINTABLE:'chosen' 
commonName:PRINTABLE:'tech' 
emailAddress:IA5STRING:' di.wang@chosenglobal.com ' 
Certificate is tobe certified until Jan 19 21:59:46 2011 GMT (365 days) 
Sign thecertificate? [y/n]:y 
1 out of 1certificate requests certified, commit? [y/n]y 
Write out databasewith 1 new entries 
Data Base Updated 
CA verifying:server.crt <-> CA cert 
server.crt: OK

4、配置证书相关权限和路径:

# cd /usr/local/apache2/conf/ssl.ca-0.1

# chmod 644 server.key  server.crt  ca.crt

5、SSL双向认证配置

为客户端生成一个证书:

# /usr/local/apache2/conf/ssl.ca-0.1

# ./new-user-cert.sh client1

-----------------------------------------

No client1.key round. Generating one

Generating RSA private key, 1024 bit long modulus

...........++++++

...++++++

e is 65537 (0x10001)

Fill in certificate data

You are about to be asked to enter information that will beincorporated

into your certificate request.

What you are about to enter is what is called a DistinguishedName or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Common Name (eg, John Doe) []:client1

Email Address []:di.wang@chosenglobal.com

You may now run ./sign-user-cert.sh to get it signed

-------------------------------------------

签署该证书:

# ./sign-user-cert.sh client1

--------------------------------------

CA signing: client1.csr -> client1.crt:

Using configuration from ca.config

Enter pass phrase for ./ca.key: (输入ca根认证密码)

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

commonName           :PRINTABLE:'client1'

emailAddress         :IA5STRING:'info@example.com'

Certificate is to be certified until Aug  8 08:41:512014 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

CA verifying: client1.crt <-> CA cert

client1.crt: OK

------------------------------------

将该客户端证书转换成浏览器可识别的.p12格式

# ./p12.sh client1

-------------------------------------

Enter Export Password: (输入ca根认证密码)

Verifying - Enter Export Password: (确认)

The certificate for client1 has been collected into a pkcs12file.

You can download to your browser and import it.

--------------------------------------

# ll client1.p12

--------------------------------------

-rw-r--r-- 1 root root 2601 8月   8 16:44 client1.p12

--------------------------------------

将该p12文件分发给可信任的客户端,实现双向证书加密功能

注:此处将该文件传送到本机作为示例,实际线上可以利用程序实现证书认证下载

配置https实现SSL虚拟主机双向加密

# vi /usr/local/apache2/conf/extra/httpd-vhosts.conf

添加如下内容:

----------------------------

<VirtualHost *:443>

DocumentRoot"/usr/local/apache2/htdocs"

ServerAliashttps://10.10.10.1

SSLEngine on

SSLCertificateFile"/usr/local/ssl.ca/server.crt"

SSLCertificateKeyFile "/usr/local/ssl.ca/server.key"

SSLCACertificateFile "/usr/local/ssl.ca/ca.crt"

SSLVerifyClient require

SSLVerifyDepth 10

</VirtualHost>----------------------------

6、测试结果

1).使用Chrome浏览器输入 https://10.10.10.1/owncloud

未导入客户端证书,提示SSL连接出错

2).SO导入证书:

a.windows下运行该证书文件

b.进入证书导入向导,一路下一步即可完成操作

重新使用Chrome浏览器输入 http://10.10.10.1/owncloud

提示

参考资料:

http://blog.csdn.net/passwordport/article/details/8005292  apache2 ssl 双向认证

http://www.showerlee.com/archives/1211  Centos6.3下apache实现SSL虚拟主机双向认证

http://honghuihun.iteye.com/blog/1137204  linux下apache-ssl配置

1

1

1

1

1

1

1

Centos 7 环境下,如何使用 Apache 实现 SSL 虚拟主机 双向认证 的详细教程:的更多相关文章

  1. [原]生产环境下的nginx.conf配置文件(多虚拟主机)

    [原]生产环境下的nginx.conf配置文件(多虚拟主机) 2013-12-27阅读110 评论0 我的生产环境下的nginx.conf配置文件,做了虚拟主机设置的,大家可以根据需求更改,下载即可在 ...

  2. 【简书】在阿里云自带的CentOS + LAMP环境下部署一个Laravel项目

    在阿里云自带的CentOS + LAMP环境下部署一个Laravel项目 作者 DonnieZero 关注 2017.07.29 22:02* 字数 2218 阅读 5556评论 3喜欢 1赞赏 1 ...

  3. Centos 7环境下安装配置Hadoop 3.0 Beta1简记

    前言 由于以前已经写过一篇Centos 7环境下安装配置2.8的随笔,因此这篇写得精简些,只挑选一些重要环节记录一下. 安装环境为:两台主机均为Centos 7.*操作系统,两台机器配置分别为: 主机 ...

  4. Centos 7环境下安装配置MySQL 5.7

    安装步骤为: 1.由于Centos 7版中已经移除MySQL rpm,因此需要到其官方网站上下载rpm,下载完成后,使用以下命令,来安装MySQL的rpm配置. rpm -ivh *****[注释:* ...

  5. windows Apache 环境下配置支持HTTPS的SSL证书

    windows Apache 环境下配置支持HTTPS的SSL证书 1.准备工作 1)在设置Apache + SSL之前, 需要做: 安装Apache, 下载安装Apache时请下载带有SSL版本的A ...

  6. Apache HTTP Server 虚拟主机配置

    Apache HTTP Server 虚拟主机配置(三)     什么是虚拟主机 "虚拟主机"是指在一个机器上运行多个网站(比如:www.company1.com  和 www.c ...

  7. 在Apache中开启虚拟主机

    最近在自学LAMP,在Apache中尝试着开启虚拟主机的时候,遇到了挺多麻烦的,这里也顺便总结一下,在Apache中开启虚拟主机的时候,主要有下面几个步骤: 1.新建一个文件夹作为虚拟主机,用来存储网 ...

  8. CentOS 6.5环境下使用HAProxy+apache实现web服务的动静分离

    HAProxy提供高可用性.负载均衡以及基于TCP和HTTP应用的代理,支持虚拟主机,它是免费.快速并且可靠的一种解决方案.HAProxy特别适用于那些负载特大的web站点,这些站点通常又需要会话保持 ...

  9. CentOS 6下Apache的https虚拟主机实践

    题目:1.建立httpd服务器,要求: 提供两个基于名称的虚拟主机: (a)www1.buybybuy.com,页面文件目录为/web/vhosts/www1:错误日志为/var/log/httpd/ ...

随机推荐

  1. 20155209 2016-2017-2 《Java程序设计》第二周学习总结

    20155209 2016-2017-2 <Java程序设计>第二周学习总结 教材学习内容总结 类型总结:常用定义byte(符号%d):short(符号%d):int(符号%d):long ...

  2. (三)虚拟机与Linux新尝试——20155306白皎

    (三)虚拟机与Linux新尝试--20155306白皎 一.关于虚拟机的安装 在选择虚拟机的类型和版本时,Ubuntu只有32位,没有64位 解决:通过百度,后来也发现同学们好多遇到了这个问题,因此通 ...

  3. 20155317 王新玮 2006-2007-2 《Java程序设计》第4周学习总结

    20155317 王新玮 2006-2007-2 <Java程序设计>第4周学习总结 教材学习内容总结 第六章 继承共同行为 多个类中存在相同属性和行为时,将这些内容抽取到单独一个类中,那 ...

  4. 20155334 2016-2017-2 《Java程序设计》第四周学习总结

    20155334 2016-2017-2 <Java程序设计>第四周学习总结 教材学习内容总结 第六章:继承与多态 继承:面对对象中,子类继承父类,避免重复的行为定义 extends表示会 ...

  5. 20145209 实验一《Java开发环境的熟悉》实验报告

    20145209 实验一<Java开发环境的熟悉>实验报告 实验内容 1.使用JDK编译.运行简单的Java程序. 2.使用Eclipse 编辑.编译.运行.调试Java程序. 提交 Li ...

  6. Swift - 重写导航栏返回按钮

    // 重写导航栏返回按钮方法 func configBackBtn() -> Void { // 返回按钮 let backButton = UIButton(type: .custom) // ...

  7. sqlserver 导出数据到Excel

    1.导出非正式Excel EXEC master..xp_cmdshell 'bcp t.dbo.tcad out D:\MySelf\output\Temp.xls -c -q -S".& ...

  8. 【Windows定时关机】windows实现定时关机与取消

    背景:本人昨晚本来打算将电脑设置为晚上12点 30定时关机,结果写成了:12:30,所以就在刚才,我正玩游戏的时候, 电脑弹出提示:“windows将在一分钟内关闭”,我刚开始一脸懵逼,后来打开昨天敲 ...

  9. JVM知识(下)

    目录 方法区 类型信息 方法信息 类变量 引用类的类加载 类引用 堆(Heap) GC 定义对象 数组引用 栈 栈帧 操作数栈 帧数据 本次主要介绍,JVM的方法区,堆,栈.以下内容主要还是参考< ...

  10. Keil出错解决方法

    1.安装KEIL5后创建工程后出现这个报错 解决方法:打开下图目录的文件. Keil.STM32F1xx_DFP.pdsc文件是只读文件,必须将只读属性取消. 如下图所示,注释掉红色圆圈的哪一行,保存 ...