环境:  Ubuntu14.04,apache2.4.7, openssl1.0.1f

安装apache2

apt-get install apache2 -y

一般openssl默认已经安装

开启apache的ssl模块和ssl站点

a2enmod ssl

a2ensite default-ssl.conf

创建证书目录

mkdir /etc/apache2/certs

进入目录创建证书和秘钥

cd /etc/apache2/certs

/usr/lib/ssl/misc/CA.sh -newca

root@bogon:/etc/apache2/certs# /usr/lib/ssl/misc/CA.sh -newca

CA certificate filename (or enter to create)

Making CA certificate ...

Generating a 2048 bit RSA private key

.............................................................................................+++

..+++

writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or aDN.

There are quite a few fields but you can leave some blank

For some fields there will be a defaultvalue,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Beijing

OrganizationName (eg, company) [Internet Widgits Pty Ltd]:PWRD

Organizational Unit Name (eg, section) []:OPS

Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

Email Address []:jailman@sina.com

Please enter the following 'extra' attributes

to be sent with your certificate request

Achallenge password []:111111

An optional company name []:pwrd

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/./cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 14695213526817228816 (0xcbefe2d81474c810)

Validity

Not Before: Jan  5 05:30:34 2017 GMT

Not After : Jan  5 05:30:34 2020 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = PWRD

organizationalUnitName    = OPS

commonName                = 10.1.1.128

emailAddress              = jailman@sina.com

X509v3 extensions:

X509v3 Subject Key Identifier:

50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

X509v3 Authority KeyIdentifier:

keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

X509v3 Basic Constraints:

CA:TRUE

Certificate is to be certified until Jan 5 05:30:34 2020 GMT (1095 days)

Write out database with 1 new entries

Data Base Updated

tree命令查看一下

root@bogon:/etc/apache2/certs# tree

.

└── demoCA

├── cacert.pem

├── careq.pem

├── certs

├── crl

├── index.txt

├── index.txt.attr

├── index.txt.old

├── newcerts

│   └── CBEFE2D81474C810.pem

├── private

│   └── cakey.pem

└── serial

5directories, 8 files

生成服务器证书(密码全部设置为111111)

a)    生成私钥:        openssl genrsa -des3 -out server.key2048

b)    生成csr文件:     openssl req -new -keyserver.key -out server.csr

c)    生成证书&签名:   openssl ca -in server.csr-out server.crt

#遇到下列不成功时修改vim demoCA/index.txt.attr中unique_subject =no

failed to update database

TXT_DB error number 2

上述执行结果

root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out server.key 2048

Generating RSA private key, 2048 bit long modulus

........................................+++

............................+++

eis 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

root@bogon:/etc/apache2/certs# openssl req -new -key server.key -outserver.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or aDN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Beijing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD

Organizational Unit Name (eg, section) []:OPS

Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

Email Address []:jailman@sina.com

Please enter the following 'extra' attributes

to be sent with your certificate request

Achallenge password []:111111

An optional company name []:pwrd

root@bogon:/etc/apache2/certs# openssl ca -in server.csr -out server.crt

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 14695213526817228817 (0xcbefe2d81474c811)

Validity

Not Before: Jan  5 05:39:32 2017 GMT

Not After : Jan  5 05:39:32 2018 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = PWRD

organizationalUnitName    = OPS

commonName                = 10.1.1.128

emailAddress              = jailman@sina.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL GeneratedCertificate

X509v3 Subject Key Identifier:

FB:32:4F:A6:6D:01:D3:00:98:00:BF:0A:2E:E5:E6:90:CC:E0:E4:8B

X509v3 Authority KeyIdentifier:

keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

Certificate is to be certified until Jan 5 05:39:32 2018 GMT (365 days)

Sign the certificate? [y/n]:y

1out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

生成客户端证书(密码全部设置为111111)

a)    生成私钥:        openssl genrsa -des3 -out client.key2048

b)    生成csr文件:     openssl req -new -keyclient.key -out client.csr

c)    生成证书&签名:   openssl ca -in client.csr-out client.crt

上述命令执行结果:

root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out client.key 2048

Generating RSA private key, 2048 bit long modulus

...........................................................................................+++

............................+++

eis 65537 (0x10001)

Enter pass phrase for client.key:

Verifying - Enter pass phrase for client.key:

root@bogon:/etc/apache2/certs# openssl req -new -key client.key -outclient.csr

Enter pass phrase for client.key:

You are about to be asked to enter information that will be incorporated

intoyour certificate request.

What you are about to enter is what is called a Distinguished Name or aDN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Beijing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD

Organizational Unit Name (eg, section) []:OPS

Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

Email Address []:jailman@sina.com

Please enter the following 'extra' attributes

to be sent with your certificate request

Achallenge password []:111111

An optional company name []:pwrd

root@bogon:/etc/apache2/certs# openssl ca -in client.csr -out client.crt

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 14695213526817228818 (0xcbefe2d81474c812)

Validity

Not Before: Jan  5 05:43:35 2017 GMT

Not After : Jan  5 05:43:35 2018 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = PWRD

organizationalUnitName    = OPS

commonName                = 10.1.1.128

emailAddress              = jailman@sina.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL GeneratedCertificate

X509v3 Subject Key Identifier:

78:4C:B0:9E:BA:EE:BD:E2:88:55:F4:06:B4:57:5E:74:71:E0:1B:2D

X509v3 Authority KeyIdentifier:

keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

Certificate is to be certified until Jan 5 05:43:35 2018 GMT (365 days)

Sign the certificate? [y/n]:y

1out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

查看上述两步生成的证书和秘钥

root@bogon:/etc/apache2/certs# ls

client.crt  client.key  server.crt server.key

client.csr  demoCA      server.csr

*生成浏览器支持的.pfx(.p12)证书

a)   openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -outclient.p12

执行结果

root@bogon:/etc/apache2/certs# openssl pkcs12 -export -clcerts -inclient.crt -inkey client.key -out client.p12

Enterpass phrase for client.key:

EnterExport Password:

Verifying- Enter Export Password:

生成不带密码验证的client/server.key.unsecure

如果你想要把数字证书用于Nginx、Apache等Web服务器,你会发现启动nginx服务器时会要求你输入数字证书密码,

这是因为在设置私钥key时将密码写入了key文件,导致Nginx/Apache等系列服务器在启动时要求Enter PEM pass phrase。

我们需要做的是剥离这个密码,利用如下OpenSSL命令生成server.key.unsecure文件

openssl rsa -in server.key -outserver.key.unsecure

最终的结果:

root@bogon:/etc/apache2/certs# tree

.

├──client.crt

├──client.csr

├──client.key

├──client.p12

├──demoCA

│??├── cacert.pem

│??├── careq.pem

│??├── certs

│??├── crl

│??├── index.txt

│??├── index.txt.attr

│??├── index.txt.attr.old

│??├── index.txt.old

│??├── newcerts

│??│?? ├── CBEFE2D81474C810.pem

│??│?? ├── CBEFE2D81474C811.pem

│??│?? └── CBEFE2D81474C812.pem

│??├── private

│??│?? └── cakey.pem

│??├── serial

│??└── serial.old

├──server.crt

├──server.csr

└──server.key

5directories, 19 files

配置apache2 https

vim/etc/apache2/sites-enabled/default-ssl.conf

<IfModule mod_ssl.c>

<VirtualHost_default_:443>

ServerAdminwebmaster@localhost

DocumentRoot/var/www/html

ErrorLog${APACHE_LOG_DIR}/error.log

CustomLog${APACHE_LOG_DIR}/access.log combined

SSLEngineon

SSLCertificateFile    /etc/apache2/certs/server.crt

SSLCertificateKeyFile/etc/apache2/certs/server.key

SSLCACertificateFile/etc/apache2/certs/demoCA/cacert.pem

SSLVerifyClientrequire

SSLVerifyDepth  10

<FilesMatch"\.(cgi|shtml|phtml|php)$">

SSLOptions+StdEnvVars

</FilesMatch>

<Directory/usr/lib/cgi-bin>

SSLOptions+StdEnvVars

</Directory>

BrowserMatch"MSIE [2-6]" \

nokeepalivessl-unclean-shutdown \

downgrade-1.0force-response-1.0

BrowserMatch"MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

</IfModule>

serviceapache2 restart

root@bogon:/etc/apache2/sites-enabled#service apache2 restart

*Restarting web server apache2                                                      Apache needs to decrypt your SSL Keys for bogon.localdomain:443 (RSA)

Pleaseenter passphrase:

输入密码启动

证书导出到本地准备写入加密锁

root@bogon:/etc/apache2/certs# szclient.p12

打开USB锁管理软件

输入PIN登录

这里实际上我们已经提前将加密锁初始化为了PKI锁

点击导入,选择证书,输入证书密码,其他默认

Win10提示导入成功

导入后的效果

USB加密锁保持插入,访问测试站点https://10.1.1.128,有证书提示

点击确定输入PIN码

忽略安全提示

成功访问

不插key的情况下访问结果

我使用的是ET199加密锁,加上运费一共花了29元

HTTPS双向认证+USB硬件加密锁(加密狗)配置的更多相关文章

  1. httpd设置HTTPS双向认证

    去年用tomcat.jboss配置过HTTPS双向认证,那时候主要用的是JDK自带的keytool工具.这次是用httpd + openssl,区别比较大 在网上搜索了很多文章,发现全面介绍的不多,或 ...

  2. Android Https双向认证 + GRPC

    keywords:android https 双向认证android GRPC https 双向认证 ManagedChannel channel = OkHttpChannelBuilder.for ...

  3. https双向认证訪问管理后台,採用USBKEY进行系统訪问的身份鉴别,KEY的证书长度大于128位,使用USBKEY登录

    近期项目需求,须要实现用USBKEY识别用户登录,採用https双向认证訪问管理后台管理界面,期间碰到过一些小问题,写出来给大家參考下. 1:前期准备工作 USBKEY 硬件:我买的是飞天诚信 epa ...

  4. Keytool配置 Tomcat的HTTPS双向认证

    Keytool配置 Tomcat的HTTPS双向认证 证书生成 keytool 简介 Keytool是一个Java数据证书的管理工具, Keytool将密钥(key)和证书(certificates) ...

  5. HTTPS 双向认证构建移动设备安全体系

    HTTPS 双向认证构建移动设备安全体系 对于一些高安全性要求的企业内项目,我们有时希望能够对客户端进行验证.这个时候我们可以使用Https的双向认证机制来实现这个功能. 单向认证:保证server是 ...

  6. Tomcat 配置 HTTPS双向认证

    Tomcat 配置 HTTPS 双向认证指引说明: � 本文档仅提供 Linux 操作系统下的指引 � 在阅读本指引前请您在 Linux 部署 JDK 和 Tomcatserver为了 Tomcat ...

  7. Https双向认证Android客户端配置

    Https .cer证书转换为BKS证书 公式https://blog.csdn.net/zww986736788/article/details/81708967 keytool -importce ...

  8. 双向认证 HTTPS双向认证

    [微信支付]微信小程序支付开发者文档 https://pay.weixin.qq.com/wiki/doc/api/wxa/wxa_api.php?chapter=4_3 HTTPS双向认证使用说明 ...

  9. nodejs之https双向认证

    说在前面 之前我们总结了https的相关知识,如果不懂可以看我另一篇文章:白话理解https 有关证书生成可以参考:自签证书生成 正题 今天使用nodejs来实现https双向认证 话不多说,直接进入 ...

随机推荐

  1. 在react+redux+axios项目中使用async/await

    Async/Await Async/Await是尚未正式公布的ES7标准新特性.简而言之,就是让你以同步方法的思维编写异步代码.对于前端,异步任务代码的编写经历了 callback 到现在流行的 Pr ...

  2. 十、 持久层框架(MyBatis)

    一.基于MyBatis动态SQL语句 1.if标签 实体类Product的字段比较多的时候,为了应付各个字段的查询,那么就需要写多条SQL语句,这样就变得难以维护. 此时,就可以使用MyBatis动态 ...

  3. JQuary中的FullPage属性的用法

    $(document).ready(function(){ //常用方法    //$.fn.fullpage.moveSectionUp()   //向上滚动一页 //$.fn.fullpage.m ...

  4. oracle配置访问白名单教程

    出于提高数据安全性等目地,我们可能想要对oracle的访问进行限制,允许一些IP连接数据库或拒绝一些IP访问数据库. 当然使用iptables也能达到限制的目地,但是从监听端口变更限制仍可生效.只针对 ...

  5. VSS+SourceAnywhere for VSS搭建版本控制系统教程

    VSS:Microsoft Visual Source Safe,本教程使用VSS2005(好像2005就是官方更新的最后一版了). SourceAnywhere for VSS:分为服务端和客户端: ...

  6. MySQL(二) MySQL基本操作

    数据库的基本操作 启动关闭 MySQL 服务 MySQL 安装好后,默认是当 Windows 启动.停止时,MySQL 也自动.停止.不过,用户可以使用 Windows 下的服务管理器或从命令行使用 ...

  7. 【转载】offer经验

    http://www.cnblogs.com/figure9/archive/2013/01/09/2853649.html

  8. Win10系列:VC++调用自定义组件2

    (2)C#调用WinRT组件 在解决方案资源管理器中右键点击解决方案图标,选择添加一个Visual C#的Windows应用商店的空白应用程序项目,并命名为FileCS.接着右键点击FileCS项目的 ...

  9. 如何破解Visual studio 2013

    1.打开VS2013点击菜单栏中的帮助,选择注册产品. 2.如下图所示,你就可以看到你的VS是不是试用版了,很显然,现在我的还是试用版,还有20天的使用期限. 3.如下图所示,点击更改我的产品许可证. ...

  10. 修改Host,配置域名访问

    修改Host,配置域名访问   虽然我们已经能够通过localhost访问本地网站了,为了提高逼格,我们可以修改host文件,设置一个自己喜欢的域名指向本地网站,岂不是更高大上. 明确需求 通过配置, ...