一. Background
1. What is a CA
A certificate authority (CA) is an authoritative, trusted and impartial third party whose job is to issue and manage the digital certificates needed by every entity that takes part in online transactions. It manages keys, issues certificates attesting that a public key is valid, and binds that public key to a specific entity (consumer, merchant, bank). On that basis an encryption and authentication system can be built in which information is known only to the sender and the receiver (confidentiality), cannot be altered in transit without detection (integrity), each party can verify that the other is not an impostor (authenticity), and the sender cannot later deny having sent a message (non-repudiation).
2. Basic OpenSSL usage
OpenSSL: an open-source implementation of SSL/TLS, made up of three parts:
libcrypto: general-purpose cryptographic library providing the individual algorithms (RSA, AES, hashes, ...)
libssl: the TLS/SSL protocol implementation; a session-based library providing peer authentication, data confidentiality and session integrity
openssl: multi-purpose command-line tool; among other things it can run a private certificate authority, i.e. issue certificates for identity verification inside a company
Subcommands and options of the openssl tool used below:
genrsa: generate an RSA private key (the public key is contained in it and is extracted from it when a request or certificate is built)
req: create a certificate signing request (CSR), or, with -x509, a self-signed certificate
-new: generate a new request
-x509: output a self-signed X.509 certificate instead of a request (used below for the CA's own root certificate)
-in: input file (the CSR when signing, or a certificate when inspecting it)
-out: where to write the output
-days: validity period in days. For `req` it only takes effect together with -x509; a CSR carries no validity, so the lifetime of a CA-signed certificate is set by `openssl ca` (its -days option or default_days in openssl.cnf)
二. Configuration
(1) Web server: private key and certificate request
[root@tx1 ~]# cd /var/www/html/
[root@tx1 html]# echo "hello client" > index.html
[root@tx1 html]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]
[root@tx1 ~]# openssl genrsa 1024 > newhttps.key    // the web server generates its own private key
// Note: 1024-bit RSA is reproduced here as the page ran it, but it is below the 2048-bit minimum that current browsers enforce; use 2048 bits or more. Redirecting with > also creates the file with the default umask, so restrict it (chmod 600) before it is copied anywhere.
Generating RSA private key, 1024 bit long modulus
.++++++
............++++++
e is 65537 (0x10001)
[root@tx1 ~]# openssl req -new -key newhttps.key -days 365 -out newhttps.csr
// generate a certificate signing request (CSR). -days has no effect here: a CSR carries no validity period; the 365 days come from the CA when it signs (see the `openssl ca` output further down)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:jilin
Locality Name (eg, city) [Newbury]:tonghua
Organization Name (eg, company) [My Company Ltd]:tongshi
Organizational Unit Name (eg, section) []:student
Common Name (eg, your name or your server's hostname) []:tx1.test.com
Email Address []:tx1@.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(2) CA configuration (done here by running the signing command and fixing each error it reports in turn)
@1.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt    // sign the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
4048:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
4048:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
// openssl reports that it cannot open the CA private key. The path it tried is relative (../../CA/private/cakey.pem): relative paths in openssl.cnf are resolved against the current working directory, so this only works when run from /etc/pki/tls/misc
// first change the CA directory to an absolute path
[root@tx1 ~]# vim /etc/pki/tls/openssl.cnf
45 dir = /etc/pki/CA
@2.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
4061:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/private/cakey.pem','r')
4061:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
// openssl reports that the CA private key file /etc/pki/CA/private/cakey.pem
// does not exist
// fix: generate it
[root@tx1 ~]# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem    // generate the CA's private key (1024-bit as on the page; use 2048 or more, and make sure the file is mode 600: this key is the root of trust for every certificate the CA issues)
Generating RSA private key, 1024 bit long modulus
......................................++++++
......++++++
e is 65537 (0x10001)
@3.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA certificate /etc/pki/CA/cacert.pem
4069:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/cacert.pem','r')
4069:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load certificate
// openssl reports that the CA certificate /etc/pki/CA/cacert.pem cannot be found
// fix: create a self-signed CA certificate from the CA key. -x509 makes req emit a certificate instead of a request; the default openssl.cnf applies its v3_ca extensions, so the result carries basicConstraints CA:TRUE
[root@tx1 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -x509 -days 365 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:jilin
Locality Name (eg, city) [Newbury]:tonghua
Organization Name (eg, company) [My Company Ltd]:tongshi
Organizational Unit Name (eg, section) []:student
Common Name (eg, your name or your server's hostname) []:tx1.test.com
Email Address []:tx1@.com
// Note: the CA was given exactly the same DN as the web server, down to CN=tx1.test.com. The default policy (policy_match in openssl.cnf) does require countryName, stateOrProvinceName and organizationName of a request to equal the CA's, but the CA's commonName should name the CA itself; otherwise the issued certificate's issuer and subject names are identical, which RFC 5280 treats as a self-issued certificate, not what a server certificate is meant to be.
@4.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
I am unable to access the /etc/pki/CA/newcerts directory
/etc/pki/CA/newcerts: No such file or directory
// openssl reports that the directory /etc/pki/CA/newcerts (where a copy of every issued certificate is stored, named by serial number) does not exist
// fix: create the directory
[root@tx1 ~]# mkdir /etc/pki/CA/newcerts
@5.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
4097:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/index.txt','r')
4097:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
// openssl reports that /etc/pki/CA/index.txt (the CA's database of issued and revoked certificates) is missing
// fix: create it as an empty file
[root@tx1 ~]# touch /etc/pki/CA/index.txt
@6.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
4103:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/serial','r')
4103:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
// the serial number file is missing
// fix: write an initial serial number into /etc/pki/CA/serial. The value is hexadecimal; the page starts at 00, which is why the first certificate below gets serial 0, but RFC 5280 requires serial numbers to be positive, so 01 is the safer starting value
[root@tx1 ~]# echo 00 > /etc/pki/CA/serial
@7.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jul 27 02:38:37 2013 GMT
Not After : Jul 27 02:38:37 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = jilin
organizationName = tongshi
organizationalUnitName = student
commonName = tx1.test.com
emailAddress = tx1@.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
63:CF:FA:50:A6:69:F9:3E:84:A5:7F:B8:D5:1E:C2:60:F2:B9:06:F9
X509v3 Authority Key Identifier:
keyid:DB:FE:54:C0:B5:FE:F8:08:7A:00:48:E5:DE:22:29:6E:AD:24:47:43
Certificate is to be certified until Jul 27 02:38:37 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
// Note that the Subject above has no localityName although the CSR contained one: openssl ca deletes every DN field that the policy section does not mention (policy_match lists only C, ST, O, OU, CN and emailAddress). The issued certificate carries CA:FALSE, so it cannot itself sign further certificates.
[root@tx1 ~]# scp newhttps.crt 192.168.8.71:/root
root@192.168.8.71's password:
newhttps.crt 100% 3201 3.1KB/s 00:00
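The CA procedure of section 二 above, scripted end to end. This is an added example, not the page's own commands: it writes its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, creates up front every file and directory the page had to add after an error (@1 to @6), and goes beyond the page in a few deliberate ways: 2048-bit keys created under umask 077, serial starting at 01, a CA with its own CN, a subjectAltName on the server certificate (modern clients ignore the CN), and -batch so `openssl ca` needs no y/n answers. DN values and the hostname tx1.test.com come from the page; the CA name "tongshi-demo-CA" and the scratch directory passed as the first argument are assumptions. It needs only openssl on PATH and runs as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the original page): the whole CA procedure of section 二,
# scripted and non-interactive. Everything is created under the directory passed as
# $1 (a scratch directory, not /etc/pki/CA). Assumes openssl 1.0 or later on PATH.
# DN values and tx1.test.com are from the page; the CA's CN, key sizes, serial 01
# and the SAN are choices made here.
set -e

# Minimal openssl.cnf for `openssl ca`. Every path the page had to create by hand
# after an error (@1-@6) is declared here under $dir.
write_ca_config() {
    dir=$1
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $dir
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert

# A CSR must equal the CA in these fields or signing is refused; DN fields not
# listed here (localityName, for instance) are dropped from the issued certificate.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:tx1.test.com
EOF
}

# Create the CA layout, the CA key and the self-signed CA certificate.
init_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/newcerts"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"     # hex; 00 would issue serial 0, which RFC 5280 forbids
    write_ca_config "$dir"
    # umask 077 so the key file is created mode 600 rather than with the default umask
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    # The CA gets its own CN, so issuer and subject of issued certificates differ
    openssl req -new -x509 -days 3650 -config "$dir/ca.cnf" \
        -key "$dir/private/cakey.pem" \
        -subj "/C=CN/ST=jilin/O=tongshi/OU=student/CN=tongshi-demo-CA" \
        -out "$dir/cacert.pem"
}

# Web server side (section 二(1)): private key and CSR; -subj replaces the prompts.
make_server_csr() {
    dir=$1
    (umask 077; openssl genrsa -out "$dir/newhttps.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/ca.cnf" -key "$dir/newhttps.key" \
        -subj "/C=CN/ST=jilin/L=tonghua/O=tongshi/OU=student/CN=tx1.test.com" \
        -out "$dir/newhttps.csr"
}

# CA side (section 二(2)): -batch answers both y/n prompts; -notext keeps the output
# file to the PEM block (without it the file also holds the text dump, which is why
# the page's newhttps.crt is 3201 bytes).
sign_server_csr() {
    dir=$1
    openssl ca -batch -notext -config "$dir/ca.cnf" \
        -in "$dir/newhttps.csr" -out "$dir/newhttps.crt" 2>/dev/null
}

# End to end: prints subject, issuer and serial of the issued certificate, then
# verifies it against the CA certificate. Exit status 0 only if verification passes.
build_demo_pki() {
    dir=$(cd "$1" && pwd)
    init_ca "$dir"
    make_server_csr "$dir"
    sign_server_csr "$dir"
    openssl x509 -noout -subject -issuer -serial -in "$dir/newhttps.crt"
    openssl verify -CAfile "$dir/cacert.pem" "$dir/newhttps.crt"
}
```

Run it as `build_demo_pki /tmp/demo-ca` (after sourcing the file); the printed subject shows the localityName dropped by policy_match, exactly as in the page's output, and `openssl verify` ends with `newhttps.crt: OK`. The same layout is what /etc/pki/CA is expected to contain on the page's host.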
(3) Web server: enable HTTPS with mod_ssl
[root@tx1 ~]# yum install mod_ssl -y
[root@tx1 ~]# vim /etc/httpd/conf.d/ssl.conf
112 SSLCertificateFile /etc/pki/tls/certs/newhttps.crt
119 SSLCertificateKeyFile /etc/pki/tls/private/newhttps.key
[root@tx1 ~]# cp newhttps.key /etc/pki/tls/private/newhttps.key    // the private key never leaves the web server; check that the copied file is readable by root only (mode 600)
[root@tx1 ~]# cp newhttps.crt /etc/pki/tls/certs/newhttps.crt
[root@tx1 ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
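A pre-flight check to run before `service httpd restart` in step (3). This is an added example, not part of the page: it confirms that the certificate and key installed in ssl.conf actually belong together (mod_ssl refuses to start otherwise), that the key file is not readable by other users, that the certificate is not about to expire, and that it names the host it is deployed on. Paths and the hostname are arguments; the only dependency is openssl. The `-ext subjectAltName` option exists from OpenSSL 1.1.1 on; on older versions that check silently falls back to the CN.

```shell
#!/bin/sh
# Added example (not from the page): checks to run before restarting httpd with a
# new certificate/key pair. Usage: preflight CERT KEY HOSTNAME. Assumes openssl on PATH.
set -e

# The public key inside the certificate must equal the one derived from the private
# key. Comparing the whole SubjectPublicKeyInfo (not just an RSA modulus) also
# works for EC keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# The private key must not be readable by group or others (mode 600 or 400).
# ls -l is used because stat's option syntax differs between GNU and BSD.
key_mode_is_private() {
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# The certificate must remain valid for at least $2 seconds (default 30 days).
cert_not_expiring() {
    openssl x509 -noout -checkend "${2:-2592000}" -in "$1" >/dev/null
}

# The certificate must name the host, in the SAN or, failing that, in the CN.
cert_names_host() {
    openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null | grep -q "DNS:$2" \
        || openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2"
}

# Runs all checks; prints the first failure to stderr and returns 1.
preflight() {
    cert=$1; key=$2; host=$3
    cert_matches_key "$cert" "$key" || { echo "key does not match certificate" >&2; return 1; }
    key_mode_is_private "$key"      || { echo "key file is readable by others" >&2; return 1; }
    cert_not_expiring "$cert"       || { echo "certificate expires within 30 days" >&2; return 1; }
    cert_names_host "$cert" "$host" || { echo "certificate does not name $host" >&2; return 1; }
    echo "preflight OK: $cert / $key for $host"
}
```

On the page's host the call would be `preflight /etc/pki/tls/certs/newhttps.crt /etc/pki/tls/private/newhttps.key tx1.test.com`; a non-zero exit means fix the problem rather than restart httpd. The key/certificate comparison is the one that catches the most common mistake, copying a freshly generated key next to a certificate that was issued for an earlier one.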
三. Client verification
1. Access