环境:  Ubuntu14.04,apache2.4.7, openssl1.0.1f

安装apache2

apt-get install apache2 -y

一般openssl默认已经安装

开启apache的ssl模块和ssl站点

a2enmod ssl

a2ensite default-ssl.conf

创建证书目录

mkdir /etc/apache2/certs

进入目录创建证书和秘钥

cd /etc/apache2/certs

/usr/lib/ssl/misc/CA.sh -newca

root@bogon:/etc/apache2/certs# /usr/lib/ssl/misc/CA.sh -newca

CA certificate filename (or enter to create)

Making CA certificate ...

Generating a 2048 bit RSA private key

.............................................................................................+++

..+++

writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or aDN.

There are quite a few fields but you can leave some blank

For some fields there will be a defaultvalue,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Beijing

OrganizationName (eg, company) [Internet Widgits Pty Ltd]:PWRD

Organizational Unit Name (eg, section) []:OPS

Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

Email Address []:jailman@sina.com

Please enter the following 'extra' attributes

to be sent with your certificate request

Achallenge password []:111111

An optional company name []:pwrd

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/./cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 14695213526817228816 (0xcbefe2d81474c810)

Validity

Not Before: Jan  5 05:30:34 2017 GMT

Not After : Jan  5 05:30:34 2020 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = PWRD

organizationalUnitName    = OPS

commonName                = 10.1.1.128

emailAddress              = jailman@sina.com

X509v3 extensions:

X509v3 Subject Key Identifier:

50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

X509v3 Authority KeyIdentifier:

keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

X509v3 Basic Constraints:

CA:TRUE

Certificate is to be certified until Jan 5 05:30:34 2020 GMT (1095 days)

Write out database with 1 new entries

Data Base Updated

tree命令查看一下

root@bogon:/etc/apache2/certs# tree

.

└── demoCA

├── cacert.pem

├── careq.pem

├── certs

├── crl

├── index.txt

├── index.txt.attr

├── index.txt.old

├── newcerts

│   └── CBEFE2D81474C810.pem

├── private

│   └── cakey.pem

└── serial

5directories, 8 files

生成服务器证书(密码全部设置为111111)

a)    生成私钥:        openssl genrsa -des3 -out server.key2048

b)    生成csr文件:     openssl req -new -keyserver.key -out server.csr

c)    生成证书&签名:   openssl ca -in server.csr-out server.crt

#遇到下列不成功时修改vim demoCA/index.txt.attr中unique_subject =no

failed to update database

TXT_DB error number 2

上述执行结果

root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out server.key 2048

Generating RSA private key, 2048 bit long modulus

........................................+++

............................+++

eis 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

root@bogon:/etc/apache2/certs# openssl req -new -key server.key -outserver.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or aDN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Beijing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD

Organizational Unit Name (eg, section) []:OPS

Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

Email Address []:jailman@sina.com

Please enter the following 'extra' attributes

to be sent with your certificate request

Achallenge password []:111111

An optional company name []:pwrd

root@bogon:/etc/apache2/certs# openssl ca -in server.csr -out server.crt

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 14695213526817228817 (0xcbefe2d81474c811)

Validity

Not Before: Jan  5 05:39:32 2017 GMT

Not After : Jan  5 05:39:32 2018 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = PWRD

organizationalUnitName    = OPS

commonName                = 10.1.1.128

emailAddress              = jailman@sina.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL GeneratedCertificate

X509v3 Subject Key Identifier:

FB:32:4F:A6:6D:01:D3:00:98:00:BF:0A:2E:E5:E6:90:CC:E0:E4:8B

X509v3 Authority KeyIdentifier:

keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

Certificate is to be certified until Jan 5 05:39:32 2018 GMT (365 days)

Sign the certificate? [y/n]:y

1out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

生成客户端证书(密码全部设置为111111)

a)    生成私钥:        openssl genrsa -des3 -out client.key2048

b)    生成csr文件:     openssl req -new -keyclient.key -out client.csr

c)    生成证书&签名:   openssl ca -in client.csr-out client.crt

上述命令执行结果:

root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out client.key 2048

Generating RSA private key, 2048 bit long modulus

...........................................................................................+++

............................+++

eis 65537 (0x10001)

Enter pass phrase for client.key:

Verifying - Enter pass phrase for client.key:

root@bogon:/etc/apache2/certs# openssl req -new -key client.key -outclient.csr

Enter pass phrase for client.key:

You are about to be asked to enter information that will be incorporated

intoyour certificate request.

What you are about to enter is what is called a Distinguished Name or aDN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Beijing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD

Organizational Unit Name (eg, section) []:OPS

Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

Email Address []:jailman@sina.com

Please enter the following 'extra' attributes

to be sent with your certificate request

Achallenge password []:111111

An optional company name []:pwrd

root@bogon:/etc/apache2/certs# openssl ca -in client.csr -out client.crt

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 14695213526817228818 (0xcbefe2d81474c812)

Validity

Not Before: Jan  5 05:43:35 2017 GMT

Not After : Jan  5 05:43:35 2018 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = PWRD

organizationalUnitName    = OPS

commonName                = 10.1.1.128

emailAddress              = jailman@sina.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL GeneratedCertificate

X509v3 Subject Key Identifier:

78:4C:B0:9E:BA:EE:BD:E2:88:55:F4:06:B4:57:5E:74:71:E0:1B:2D

X509v3 Authority KeyIdentifier:

keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

Certificate is to be certified until Jan 5 05:43:35 2018 GMT (365 days)

Sign the certificate? [y/n]:y

1out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

查看上述两步生成的证书和秘钥

root@bogon:/etc/apache2/certs# ls

client.crt  client.key  server.crt server.key

client.csr  demoCA      server.csr

*生成浏览器支持的.pfx(.p12)证书

a)   openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -outclient.p12

执行结果

root@bogon:/etc/apache2/certs# openssl pkcs12 -export -clcerts -inclient.crt -inkey client.key -out client.p12

Enterpass phrase for client.key:

EnterExport Password:

Verifying- Enter Export Password:

生成不带密码验证的client/server.key.unsecure

如果你想要把数字证书用于Nginx、Apache等Web服务器,你会发现启动nginx服务器时会要求你输入数字证书密码,

这是因为在设置私钥key时将密码写入了key文件,导致Nginx/Apache等系列服务器在启动时要求Enter PEM pass phrase。

我们需要做的是剥离这个密码,利用如下OpenSSL命令生成server.key.unsecure文件

openssl rsa -in server.key -outserver.key.unsecure

最终的结果:

root@bogon:/etc/apache2/certs# tree

.

├──client.crt

├──client.csr

├──client.key

├──client.p12

├──demoCA

│??├── cacert.pem

│??├── careq.pem

│??├── certs

│??├── crl

│??├── index.txt

│??├── index.txt.attr

│??├── index.txt.attr.old

│??├── index.txt.old

│??├── newcerts

│??│?? ├── CBEFE2D81474C810.pem

│??│?? ├── CBEFE2D81474C811.pem

│??│?? └── CBEFE2D81474C812.pem

│??├── private

│??│?? └── cakey.pem

│??├── serial

│??└── serial.old

├──server.crt

├──server.csr

└──server.key

5directories, 19 files

配置apache2 https

vim/etc/apache2/sites-enabled/default-ssl.conf

<IfModule mod_ssl.c>

<VirtualHost_default_:443>

ServerAdminwebmaster@localhost

DocumentRoot/var/www/html

ErrorLog${APACHE_LOG_DIR}/error.log

CustomLog${APACHE_LOG_DIR}/access.log combined

SSLEngineon

SSLCertificateFile    /etc/apache2/certs/server.crt

SSLCertificateKeyFile/etc/apache2/certs/server.key

SSLCACertificateFile/etc/apache2/certs/demoCA/cacert.pem

SSLVerifyClientrequire

SSLVerifyDepth  10

<FilesMatch"\.(cgi|shtml|phtml|php)$">

SSLOptions+StdEnvVars

</FilesMatch>

<Directory/usr/lib/cgi-bin>

SSLOptions+StdEnvVars

</Directory>

BrowserMatch"MSIE [2-6]" \

nokeepalivessl-unclean-shutdown \

downgrade-1.0force-response-1.0

BrowserMatch"MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

</IfModule>

serviceapache2 restart

root@bogon:/etc/apache2/sites-enabled#service apache2 restart

*Restarting web server apache2                                                      Apache needs to decrypt your SSL Keys for bogon.localdomain:443 (RSA)

Pleaseenter passphrase:

输入密码启动

证书导出到本地准备写入加密锁

root@bogon:/etc/apache2/certs# szclient.p12

打开USB锁管理软件

输入PIN登录

这里实际上我们已经提前将加密锁初始化为了PKI锁

点击导入,选择证书,输入证书密码,其他默认

Win10提示导入成功

导入后的效果

USB加密锁保持插入,访问测试站点https://10.1.1.128,有证书提示

点击确定输入PIN码

忽略安全提示

成功访问

不插key的情况下访问结果

我使用的是ET199加密锁,加上运费一共花了29元

HTTPS双向认证+USB硬件加密锁(加密狗)配置的更多相关文章

  1. httpd设置HTTPS双向认证

    去年用tomcat.jboss配置过HTTPS双向认证,那时候主要用的是JDK自带的keytool工具.这次是用httpd + openssl,区别比较大 在网上搜索了很多文章,发现全面介绍的不多,或 ...

  2. Android Https双向认证 + GRPC

    keywords:android https 双向认证android GRPC https 双向认证 ManagedChannel channel = OkHttpChannelBuilder.for ...

  3. https双向认证訪问管理后台,採用USBKEY进行系统訪问的身份鉴别,KEY的证书长度大于128位,使用USBKEY登录

    近期项目需求,须要实现用USBKEY识别用户登录,採用https双向认证訪问管理后台管理界面,期间碰到过一些小问题,写出来给大家參考下. 1:前期准备工作 USBKEY 硬件:我买的是飞天诚信 epa ...

  4. Keytool配置 Tomcat的HTTPS双向认证

    Keytool配置 Tomcat的HTTPS双向认证 证书生成 keytool 简介 Keytool是一个Java数据证书的管理工具, Keytool将密钥(key)和证书(certificates) ...

  5. HTTPS 双向认证构建移动设备安全体系

    HTTPS 双向认证构建移动设备安全体系 对于一些高安全性要求的企业内项目,我们有时希望能够对客户端进行验证.这个时候我们可以使用Https的双向认证机制来实现这个功能. 单向认证:保证server是 ...

  6. Tomcat 配置 HTTPS双向认证

    Tomcat 配置 HTTPS 双向认证指引说明: � 本文档仅提供 Linux 操作系统下的指引 � 在阅读本指引前请您在 Linux 部署 JDK 和 Tomcatserver为了 Tomcat ...

  7. Https双向认证Android客户端配置

    Https .cer证书转换为BKS证书 公式https://blog.csdn.net/zww986736788/article/details/81708967 keytool -importce ...

  8. 双向认证 HTTPS双向认证

    [微信支付]微信小程序支付开发者文档 https://pay.weixin.qq.com/wiki/doc/api/wxa/wxa_api.php?chapter=4_3 HTTPS双向认证使用说明 ...

  9. nodejs之https双向认证

    说在前面 之前我们总结了https的相关知识,如果不懂可以看我另一篇文章:白话理解https 有关证书生成可以参考:自签证书生成 正题 今天使用nodejs来实现https双向认证 话不多说,直接进入 ...

随机推荐

  1. (待解决,效率低下)47. Permutations II C++回溯法

    思路是在相似题Permutations的基础上,将结果放到set中,利用set容器不会出现重复元素的特性,得到所需结果 但是利用代码中的/* */部分通过迭代器遍历set将set中的元素放在一个新的v ...

  2. Consider defining a bean of type 'org.springframework.data.redis.connection.RedisConnectionFactory' in your configuration

    Description: Parameter 0 of method redisTemplate in com.liaojie.cloud.auth.server.config.redis.Redis ...

  3. [CodeForces - 447B] B - DZY Loves Strings

    B - DZY Loves Strings DZY loves collecting special strings which only contain lowercase letters. For ...

  4. iptables增加、删除、修改、查询、保存防火墙策略教程

    一.查看现有防火墙策略 iptables -L -n iptables -L -n --line-number #--line-number参数会显示策略编号,该编号在删除策略时使用 二.增加防火墙策 ...

  5. Eclipse导出WAR包

    参考: https://jingyan.baidu.com/article/ab0b56309110b4c15afa7de2.html

  6. chrome hosts

    # Go Hosts# 2017-05-02 02:13:04# Localhost (DO NOT REMOVE)127.0.0.1    localhost::1    localhost ip6 ...

  7. DLL的Export和Import及extern "C"

    今天使用Unrar.dll,在调用RARProcessFileW时,VS总是提示“error LNK2001: 无法解析的外部符号”. Unrar.dll中是使用 extern "C&quo ...

  8. Consecutive Subsequence CodeForces - 977F(dp)

    Consecutive Subsequence CodeForces - 977F 题目大意:输出一序列中的最大的连续数列的长度和与其对应的下标(连续是指 7 8 9这样的数列) 解题思路: 状态:把 ...

  9. asp.net 发送电子邮件本地测试正常,但服务器上异常的解决办法

    如题,这个问题曾经非常苦恼,代码肯定是没有问题的.在网上也查找了不少资料,按照他们的步骤做了,还是无效. 最后问题解决了,原来:我租用腾讯云服务器,腾讯为了防止垃圾邮件,禁止了邮件发送的25号端口,原 ...

  10. vue组件通信方式总结

    对于vue来说,组件之间的消息传递是非常重要的,下面是我对组件之间消息传递的各种方式的总结,总共有8种方式. 1. props和$emit 父组件向子组件传递数据是通过prop传递的,子组件传递数据给 ...