Environment: Ubuntu 14.04, apache 2.4.7, openssl 1.0.1f

Install apache2

apt-get install apache2 -y

openssl is normally installed already

Enable Apache's ssl module and the SSL site

a2enmod ssl

a2ensite default-ssl.conf

Create the certificate directory

mkdir /etc/apache2/certs

Enter the directory and create the CA certificate and key

cd /etc/apache2/certs

/usr/lib/ssl/misc/CA.sh -newca

root@bogon:/etc/apache2/certs# /usr/lib/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.............................................................................................+++
..+++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD
Organizational Unit Name (eg, section) []:OPS
Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128
Email Address []:jailman@sina.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:pwrd
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14695213526817228816 (0xcbefe2d81474c810)
        Validity
            Not Before: Jan  5 05:30:34 2017 GMT
            Not After : Jan  5 05:30:34 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = PWRD
            organizationalUnitName    = OPS
            commonName                = 10.1.1.128
            emailAddress              = jailman@sina.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD
            X509v3 Authority Key Identifier:
                keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jan  5 05:30:34 2020 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Check the result with the tree command

root@bogon:/etc/apache2/certs# tree
.
└── demoCA
    ├── cacert.pem
    ├── careq.pem
    ├── certs
    ├── crl
    ├── index.txt
    ├── index.txt.attr
    ├── index.txt.old
    ├── newcerts
    │   └── CBEFE2D81474C810.pem
    ├── private
    │   └── cakey.pem
    └── serial

5 directories, 8 files

Generate the server certificate (all passwords set to 111111)

a)    Generate the private key:      openssl genrsa -des3 -out server.key 2048

b)    Generate the CSR file:         openssl req -new -key server.key -out server.csr

c)    Generate and sign the cert:    openssl ca -in server.csr -out server.crt

# If signing fails with the error below, open demoCA/index.txt.attr in vim and set unique_subject = no

failed to update database

TXT_DB error number 2

Output of the commands above:

root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........................................+++
............................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
root@bogon:/etc/apache2/certs# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD
Organizational Unit Name (eg, section) []:OPS
Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128
Email Address []:jailman@sina.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:pwrd
root@bogon:/etc/apache2/certs# openssl ca -in server.csr -out server.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14695213526817228817 (0xcbefe2d81474c811)
        Validity
            Not Before: Jan  5 05:39:32 2017 GMT
            Not After : Jan  5 05:39:32 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = PWRD
            organizationalUnitName    = OPS
            commonName                = 10.1.1.128
            emailAddress              = jailman@sina.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FB:32:4F:A6:6D:01:D3:00:98:00:BF:0A:2E:E5:E6:90:CC:E0:E4:8B
            X509v3 Authority Key Identifier:
                keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD
Certificate is to be certified until Jan  5 05:39:32 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Generate the client certificate (all passwords set to 111111)

a)    Generate the private key:      openssl genrsa -des3 -out client.key 2048

b)    Generate the CSR file:         openssl req -new -key client.key -out client.csr

c)    Generate and sign the cert:    openssl ca -in client.csr -out client.crt

Output of the commands above:

root@bogon:/etc/apache2/certs# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
............................+++
e is 65537 (0x10001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
root@bogon:/etc/apache2/certs# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PWRD
Organizational Unit Name (eg, section) []:OPS
Common Name (e.g. server FQDN or YOUR name) []:10.1.1.128
Email Address []:jailman@sina.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:pwrd
root@bogon:/etc/apache2/certs# openssl ca -in client.csr -out client.crt
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 14695213526817228818 (0xcbefe2d81474c812)
        Validity
            Not Before: Jan  5 05:43:35 2017 GMT
            Not After : Jan  5 05:43:35 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = PWRD
            organizationalUnitName    = OPS
            commonName                = 10.1.1.128
            emailAddress              = jailman@sina.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                78:4C:B0:9E:BA:EE:BD:E2:88:55:F4:06:B4:57:5E:74:71:E0:1B:2D
            X509v3 Authority Key Identifier:
                keyid:50:CA:37:3C:45:11:0E:E1:BA:E7:80:74:66:D0:98:B9:21:8E:13:BD
Certificate is to be certified until Jan  5 05:43:35 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

List the certificates and keys produced by the two steps above

root@bogon:/etc/apache2/certs# ls
client.crt  client.key  server.crt  server.key
client.csr  demoCA      server.csr

* Generate a browser-compatible .pfx (.p12) certificate

a)   openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Output:

root@bogon:/etc/apache2/certs# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:

Generate client/server.key.unsecure without passphrase protection

If you want to use the certificate with a web server such as Nginx or Apache, you will find that the server asks for the certificate password when it starts.

This is because the passphrase was written into the key file when the private key was created, so Nginx/Apache and similar servers prompt "Enter PEM pass phrase" at startup.

What we need to do is strip this passphrase, producing server.key.unsecure with the following OpenSSL command:

openssl rsa -in server.key -out server.key.unsecure

Final result:

root@bogon:/etc/apache2/certs# tree
.
├── client.crt
├── client.csr
├── client.key
├── client.p12
├── demoCA
│   ├── cacert.pem
│   ├── careq.pem
│   ├── certs
│   ├── crl
│   ├── index.txt
│   ├── index.txt.attr
│   ├── index.txt.attr.old
│   ├── index.txt.old
│   ├── newcerts
│   │   ├── CBEFE2D81474C810.pem
│   │   ├── CBEFE2D81474C811.pem
│   │   └── CBEFE2D81474C812.pem
│   ├── private
│   │   └── cakey.pem
│   ├── serial
│   └── serial.old
├── server.crt
├── server.csr
└── server.key

5 directories, 19 files
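The whole certificate workflow above (CA.sh -newca, the server and client key/CSR/sign steps, the unique_subject fix, the .p12 export and the passphrase-stripped key) as one non-interactive script. This is an added example, not the page's commands and not a script shipped with OpenSSL: it assumes a scratch directory from mktemp instead of /etc/apache2/certs, a minimal inline openssl.cnf in place of /usr/lib/ssl/openssl.cnf, the page's placeholder passphrase 111111, a constructed CA name "Demo Root CA", and the page's CN 10.1.1.128 for both server and client (which is exactly the duplicate-DN situation that triggers the TXT_DB error the page mentions). It goes slightly beyond the page by wrapping that failure in a function so you can see unique_subject = yes refuse the second certificate and unique_subject = no accept it.

```shell
#!/bin/sh
# Added example: the page's CA / server / client workflow, non-interactive.
# Builds everything in a scratch directory (nothing under /etc/apache2 is
# touched). Passphrase 111111 is the page's placeholder; override via env.
set -eu
CA_PASS="${CA_PASS:-111111}"
KEY_PASS="${KEY_PASS:-111111}"

# Minimal stand-in for /usr/lib/ssl/openssl.cnf: only what "openssl ca" and
# "openssl req -subj" need. unique_subject = no is the setting the page tells
# you to put in index.txt.attr when a second cert with the same DN is refused.
write_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = ./demoCA
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
private_key     = $dir/private/cakey.pem
certificate     = $dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
unique_subject  = no
x509_extensions = usr_cert
[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# Equivalent of "CA.sh -newca": CA key, self-signed CA cert, empty database.
make_ca() {
    mkdir -p demoCA/newcerts demoCA/private
    : > demoCA/index.txt
    echo 01 > demoCA/serial
    openssl genrsa -des3 -passout "pass:$CA_PASS" \
        -out demoCA/private/cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -config openssl.cnf -extensions v3_ca -days 1095 \
        -key demoCA/private/cakey.pem -passin "pass:$CA_PASS" \
        -subj "/C=CN/ST=Beijing/O=PWRD/OU=OPS/CN=Demo Root CA" -out demoCA/cacert.pem
}

# Steps a) b) c) from the page for one end entity: key, CSR, CA-signed cert.
issue_cert() {   # $1 = file prefix (server|client), $2 = Common Name
    openssl genrsa -des3 -passout "pass:$KEY_PASS" -out "$1.key" 2048 2>/dev/null
    openssl req -new -config openssl.cnf -key "$1.key" -passin "pass:$KEY_PASS" \
        -subj "/C=CN/ST=Beijing/O=PWRD/OU=OPS/CN=$2" -out "$1.csr"
    openssl ca -config openssl.cnf -batch -notext -passin "pass:$CA_PASS" \
        -in "$1.csr" -out "$1.crt"
}

# Strip the passphrase so Apache starts unattended (keep that file root-only),
# and bundle the client key+cert as PKCS#12 for the browser / USB token.
export_artifacts() {
    openssl rsa -in server.key -passin "pass:$KEY_PASS" -out server.key.unsecure 2>/dev/null
    chmod 600 server.key.unsecure
    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
        -passin "pass:$KEY_PASS" -passout "pass:$KEY_PASS" -out client.p12
}

# Reproduces the page's failure mode: with unique_subject = yes in
# index.txt.attr, re-signing a CSR whose DN is already in index.txt is refused.
# Echoes "signed" or "rejected".
resign_with_unique_subject() {   # $1 = yes | no
    echo "unique_subject = $1" > demoCA/index.txt.attr
    if openssl ca -config openssl.cnf -batch -notext -passin "pass:$CA_PASS" \
           -in client.csr -out client2.crt >/dev/null 2>&1; then echo signed; else echo rejected; fi
}

build_demo_pki() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 0; }
    PKI_DIR="$(mktemp -d)"
    write_cnf "$PKI_DIR"
    cd "$PKI_DIR"
    make_ca
    issue_cert server 10.1.1.128    # page's CN; use the server's real FQDN in production
    issue_cert client 10.1.1.128
    export_artifacts
    openssl verify -CAfile demoCA/cacert.pem server.crt client.crt   # both report OK
    echo "PKI built under $PKI_DIR"
}
build_demo_pki
```

Two points worth noting from the script. First, index.txt.attr wins over the openssl.cnf value once it exists, which is why the page's fix edits that file rather than the config. Second, server.key.unsecure is an unencrypted private key: the chmod 600 keeps it readable only by root, and the page's default-ssl.conf still points SSLCertificateKeyFile at server.key, so Apache keeps prompting for the passphrase until the directive is switched to the .unsecure file.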

Configure apache2 for HTTPS

vim /etc/apache2/sites-enabled/default-ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile    /etc/apache2/certs/server.crt
        SSLCertificateKeyFile /etc/apache2/certs/server.key
        SSLCACertificateFile  /etc/apache2/certs/demoCA/cacert.pem
        SSLVerifyClient require
        SSLVerifyDepth  10

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
</IfModule>

service apache2 restart

root@bogon:/etc/apache2/sites-enabled# service apache2 restart
 * Restarting web server apache2     Apache needs to decrypt your SSL Keys for bogon.localdomain:443 (RSA)
Please enter passphrase:

Enter the passphrase and the server starts

Export the certificate to the local machine, ready to be written to the hardware token

root@bogon:/etc/apache2/certs# sz client.p12

Open the USB token management software

Enter the PIN to log in

Here we have in fact already initialised the token as a PKI token beforehand

Click Import, select the certificate, enter the certificate password, leave the rest at the defaults

Win10 reports that the import succeeded

Result after import

With the USB token plugged in, visit the test site https://10.1.1.128; a certificate prompt appears

Click OK and enter the PIN

Ignore the security warning

Access succeeds

Result of accessing the site without the key plugged in

I used an ET199 token; it cost 29 yuan in total including shipping
