环境:  Ubuntu14.04,apache2.4.7, openssl1.0.1f

安装apache2

apt-get install apache2 -y

一般openssl默认已经安装

开启apache的ssl模块和ssl站点

a2enmod ssl

a2ensite default-ssl.conf

创建证书目录

mkdir /etc/apache2/certs

进入目录创建证书和秘钥

cd /etc/apache2/certs

/usr/lib/ssl/misc/CA.sh -newca

root@bogon:/etc/apache2/certs# /usr/lib/ssl/misc/CA.sh -newca

CA certificate filename (or enter to create)

Making CA certificate ...

Generating a 2048 bit RSA private key

.............................................................................................+++

..+++

writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase:

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or aDN.

There are quite a few fields but you can leave some blank

For some fields there will be a defaultvalue,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Beijing

OrganizationName (eg, company) [Internet Widgits Pty Ltd]:PWRD

Organizational Unit Name (eg, section) []:OPS

Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

Email Address []:jailman@sina.com

Please enter the following 'extra' attributes

to be sent with your certificate request

Achallenge password []:111111

An optional company name []:pwrd

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/./cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 14695213526817228816 (0xcbefe2d81474c810)

Validity

Not Before: Jan  5 05:30:34 2017 GMT

Not After : Jan  5 05:30:34 2020 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = PWRD

organizationalUnitName    = OPS

commonName                = 10.1.1.128

emailAddress              = jailman@sina.com

X509v3 extensions:

X509v3 Subject Key Identifier:

50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

X509v3 Authority KeyIdentifier:

keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

X509v3 Basic Constraints:

CA:TRUE

Certificate is to be certified until Jan 5 05:30:34 2020 GMT (1095 days)

Write out database with 1 new entries

Data Base Updated

tree命令查看一下

root@bogon:/etc/apache2/certs# tree

.

└── demoCA

├── cacert.pem

├── careq.pem

├── certs

├── crl

├── index.txt

├── index.txt.attr

├── index.txt.old

├── newcerts

│   └── CBEFE2D81474C810.pem

├── private

│   └── cakey.pem

└── serial

5directories, 8 files

生成服务器证书(密码全部设置为111111)

a)    生成私钥:        openssl genrsa -des3 -out server.key2048

b)    生成csr文件:     openssl req -new -keyserver.key -out server.csr

c)    生成证书&签名:   openssl ca -in server.csr-out server.crt

#遇到下列不成功时修改vim demoCA/index.txt.attr中unique_subject =no

failed to update database

TXT_DB error number 2

上述执行结果

root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out server.key 2048

Generating RSA private key, 2048 bit long modulus

........................................+++

............................+++

eis 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

root@bogon:/etc/apache2/certs# openssl req -new -key server.key -outserver.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or aDN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Beijing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD

Organizational Unit Name (eg, section) []:OPS

Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

Email Address []:jailman@sina.com

Please enter the following 'extra' attributes

to be sent with your certificate request

Achallenge password []:111111

An optional company name []:pwrd

root@bogon:/etc/apache2/certs# openssl ca -in server.csr -out server.crt

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 14695213526817228817 (0xcbefe2d81474c811)

Validity

Not Before: Jan  5 05:39:32 2017 GMT

Not After : Jan  5 05:39:32 2018 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = PWRD

organizationalUnitName    = OPS

commonName                = 10.1.1.128

emailAddress              = jailman@sina.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL GeneratedCertificate

X509v3 Subject Key Identifier:

FB:32:4F:A6:6D:01:D3:00:98:00:BF:0A:2E:E5:E6:90:CC:E0:E4:8B

X509v3 Authority KeyIdentifier:

keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

Certificate is to be certified until Jan 5 05:39:32 2018 GMT (365 days)

Sign the certificate? [y/n]:y

1out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

生成客户端证书(密码全部设置为111111)

a)    生成私钥:        openssl genrsa -des3 -out client.key2048

b)    生成csr文件:     openssl req -new -keyclient.key -out client.csr

c)    生成证书&签名:   openssl ca -in client.csr-out client.crt

上述命令执行结果:

root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out client.key 2048

Generating RSA private key, 2048 bit long modulus

...........................................................................................+++

............................+++

eis 65537 (0x10001)

Enter pass phrase for client.key:

Verifying - Enter pass phrase for client.key:

root@bogon:/etc/apache2/certs# openssl req -new -key client.key -outclient.csr

Enter pass phrase for client.key:

You are about to be asked to enter information that will be incorporated

intoyour certificate request.

What you are about to enter is what is called a Distinguished Name or aDN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Beijing

Locality Name (eg, city) []:Beijing

Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD

Organizational Unit Name (eg, section) []:OPS

Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128

Email Address []:jailman@sina.com

Please enter the following 'extra' attributes

to be sent with your certificate request

Achallenge password []:111111

An optional company name []:pwrd

root@bogon:/etc/apache2/certs# openssl ca -in client.csr -out client.crt

Using configuration from /usr/lib/ssl/openssl.cnf

Enter pass phrase for ./demoCA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 14695213526817228818 (0xcbefe2d81474c812)

Validity

Not Before: Jan  5 05:43:35 2017 GMT

Not After : Jan  5 05:43:35 2018 GMT

Subject:

countryName               = CN

stateOrProvinceName       = Beijing

organizationName          = PWRD

organizationalUnitName    = OPS

commonName                = 10.1.1.128

emailAddress              = jailman@sina.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL GeneratedCertificate

X509v3 Subject Key Identifier:

78:4C:B0:9E:BA:EE:BD:E2:88:55:F4:06:B4:57:5E:74:71:E0:1B:2D

X509v3 Authority KeyIdentifier:

keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD

Certificate is to be certified until Jan 5 05:43:35 2018 GMT (365 days)

Sign the certificate? [y/n]:y

1out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

查看上述两步生成的证书和秘钥

root@bogon:/etc/apache2/certs# ls

client.crt  client.key  server.crt server.key

client.csr  demoCA      server.csr

*生成浏览器支持的.pfx(.p12)证书

a)   openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -outclient.p12

执行结果

root@bogon:/etc/apache2/certs# openssl pkcs12 -export -clcerts -inclient.crt -inkey client.key -out client.p12

Enterpass phrase for client.key:

EnterExport Password:

Verifying- Enter Export Password:

生成不带密码验证的client/server.key.unsecure

如果你想要把数字证书用于Nginx、Apache等Web服务器,你会发现启动nginx服务器时会要求你输入数字证书密码,

这是因为在设置私钥key时将密码写入了key文件,导致Nginx/Apache等系列服务器在启动时要求Enter PEM pass phrase。

我们需要做的是剥离这个密码,利用如下OpenSSL命令生成server.key.unsecure文件

openssl rsa -in server.key -outserver.key.unsecure

最终的结果:

root@bogon:/etc/apache2/certs# tree

.

├──client.crt

├──client.csr

├──client.key

├──client.p12

├──demoCA

│??├── cacert.pem

│??├── careq.pem

│??├── certs

│??├── crl

│??├── index.txt

│??├── index.txt.attr

│??├── index.txt.attr.old

│??├── index.txt.old

│??├── newcerts

│??│?? ├── CBEFE2D81474C810.pem

│??│?? ├── CBEFE2D81474C811.pem

│??│?? └── CBEFE2D81474C812.pem

│??├── private

│??│?? └── cakey.pem

│??├── serial

│??└── serial.old

├──server.crt

├──server.csr

└──server.key

5directories, 19 files

配置apache2 https

vim/etc/apache2/sites-enabled/default-ssl.conf

<IfModule mod_ssl.c>

<VirtualHost_default_:443>

ServerAdminwebmaster@localhost

DocumentRoot/var/www/html

ErrorLog${APACHE_LOG_DIR}/error.log

CustomLog${APACHE_LOG_DIR}/access.log combined

SSLEngineon

SSLCertificateFile    /etc/apache2/certs/server.crt

SSLCertificateKeyFile/etc/apache2/certs/server.key

SSLCACertificateFile/etc/apache2/certs/demoCA/cacert.pem

SSLVerifyClientrequire

SSLVerifyDepth  10

<FilesMatch"\.(cgi|shtml|phtml|php)$">

SSLOptions+StdEnvVars

</FilesMatch>

<Directory/usr/lib/cgi-bin>

SSLOptions+StdEnvVars

</Directory>

BrowserMatch"MSIE [2-6]" \

nokeepalivessl-unclean-shutdown \

downgrade-1.0force-response-1.0

BrowserMatch"MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

</IfModule>

serviceapache2 restart

root@bogon:/etc/apache2/sites-enabled#service apache2 restart

*Restarting web server apache2                                                      Apache needs to decrypt your SSL Keys for bogon.localdomain:443 (RSA)

Pleaseenter passphrase:

输入密码启动

证书导出到本地准备写入加密锁

root@bogon:/etc/apache2/certs# szclient.p12

打开USB锁管理软件

输入PIN登录

这里实际上我们已经提前将加密锁初始化为了PKI锁

点击导入,选择证书,输入证书密码,其他默认

Win10提示导入成功

导入后的效果

USB加密锁保持插入,访问测试站点https://10.1.1.128,有证书提示

点击确定输入PIN码

忽略安全提示

成功访问

不插key的情况下访问结果

我使用的是ET199加密锁,加上运费一共花了29元

HTTPS双向认证+USB硬件加密锁(加密狗)配置的更多相关文章

  1. httpd设置HTTPS双向认证

    去年用tomcat.jboss配置过HTTPS双向认证,那时候主要用的是JDK自带的keytool工具.这次是用httpd + openssl,区别比较大 在网上搜索了很多文章,发现全面介绍的不多,或 ...

  2. Android Https双向认证 + GRPC

    keywords:android https 双向认证android GRPC https 双向认证 ManagedChannel channel = OkHttpChannelBuilder.for ...

  3. https双向认证訪问管理后台,採用USBKEY进行系统訪问的身份鉴别,KEY的证书长度大于128位,使用USBKEY登录

    近期项目需求,须要实现用USBKEY识别用户登录,採用https双向认证訪问管理后台管理界面,期间碰到过一些小问题,写出来给大家參考下. 1:前期准备工作 USBKEY 硬件:我买的是飞天诚信 epa ...

  4. Keytool配置 Tomcat的HTTPS双向认证

    Keytool配置 Tomcat的HTTPS双向认证 证书生成 keytool 简介 Keytool是一个Java数据证书的管理工具, Keytool将密钥(key)和证书(certificates) ...

  5. HTTPS 双向认证构建移动设备安全体系

    HTTPS 双向认证构建移动设备安全体系 对于一些高安全性要求的企业内项目,我们有时希望能够对客户端进行验证.这个时候我们可以使用Https的双向认证机制来实现这个功能. 单向认证:保证server是 ...

  6. Tomcat 配置 HTTPS双向认证

    Tomcat 配置 HTTPS 双向认证指引说明: � 本文档仅提供 Linux 操作系统下的指引 � 在阅读本指引前请您在 Linux 部署 JDK 和 Tomcatserver为了 Tomcat ...

  7. Https双向认证Android客户端配置

    Https .cer证书转换为BKS证书 公式https://blog.csdn.net/zww986736788/article/details/81708967 keytool -importce ...

  8. 双向认证 HTTPS双向认证

    [微信支付]微信小程序支付开发者文档 https://pay.weixin.qq.com/wiki/doc/api/wxa/wxa_api.php?chapter=4_3 HTTPS双向认证使用说明 ...

  9. nodejs之https双向认证

    说在前面 之前我们总结了https的相关知识,如果不懂可以看我另一篇文章:白话理解https 有关证书生成可以参考:自签证书生成 正题 今天使用nodejs来实现https双向认证 话不多说,直接进入 ...

随机推荐

  1. bzoj2555: SubString sam+lct

    题意:懒得写背景了,给你一个字符串init,要求你支持两个操作 (1):在当前字符串的后面插入一个字符串 (2):询问字符串s在当前字符串中出现了几次?(作为连续子串) 你必须在线支持这些操作. 题解 ...

  2. ACM-选人问题(救济金发放)

    n(n<20)个人站成一圈,逆时针编号为1-n.有两个官员,A从1开始逆时针数,B从n开 始顺时针数.在每一轮中,官员A数k个就停下来,官员B数m个就停下来(注意有可能两个 官员停在同一个人上) ...

  3. Linux上部署多个tomcat端口设置

    在Linux上部署多个tomcat主要是防止端口冲突的问题, tomcat服务器需配置三个端口才能启动,安装时默认启用了这三个端口,当要运行多个tomcat服务时需要修改这三个端口,不能相同.端口一: ...

  4. 关于ORA-06508 , ORA-04068异常的详细说明

    参考:程序包调用报ORA-06508: PL/SQL: 无法找到正在调用的程序单元 出现这种情况的原因是因为,对于全局变量,每一个session会生成一个本地copy,如果程序重新编译的话,就会因程序 ...

  5. python爬虫---urllib库的基本用法

    urllib是python自带的请求库,各种功能相比较之下也是比较完备的,urllib库包含了一下四个模块: urllib.request   请求模块 urllib.error   异常处理模块 u ...

  6. [poj 2453] An Easy Problem

    An Easy Problem Time Limit: 1000MS   Memory Limit: 65536K Total Submissions: 8371   Accepted: 5009 D ...

  7. 小程序证书申请FAQ

    1. 帮别人开发小程序, 先把你的微信号加到成员里, 并给予开发者权限,体验者权限,登录,数据分析,开发管理,开发设置 2. 需要https, 不能用windows2003,必须2008以上,用IIS ...

  8. 转:Linux环境变量设置方法总结 PATH、LD_LIBRARY_PATH

    转:  https://www.linuxidc.com/Linux/2017-03/142338.htm 文章写比较全  转载记录 Linux环境变量设置方法总结 PATH.LD_LIBRARY_P ...

  9. JS--script标签注意细节

    1)在使用<script>标签嵌入js代码时,记住不要在代码中的任何地方出现</script>字符串.例如: <script type="text/javasc ...

  10. Spring Boot 如何极简入门?

    Spring Boot已成为当今最流行的微服务开发框架,本文是如何使用Spring Boot快速开始Web微服务开发的指南,我们将创建一个可运行的包含内嵌Web容器(默认使用的是Tomcat)的可运行 ...