Configuring the SSL module of httpd on RHEL5: mainly how to create the certificate and the private key.
2007/10/19 15:13
The locations changed a little between RHEL4 and RHEL5, so the place where certificates are created differs as well.
RHEL4 path:
[root@minot conf]# pwd
/etc/httpd/conf
[root@minot conf]# tree ./
./
|-- Makefile -> ../../../usr/share/ssl/certs/Makefile
|-- httpd.conf
|-- magic
|-- ssl.crl
| `-- Makefile.crl
|-- ssl.crt
| |-- Makefile.crt
| `-- server.crt
|-- ssl.csr
|-- ssl.key
| `-- server.key
`-- ssl.prm
5 directories, 7 files
[root@minot conf]# make
This makefile allows you to create:
o public/private key pairs
o SSL certificate signing requests (CSRs)
o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".
To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".
Examples:
make server.key
make server.csr
make server.crt
make stunnel.pem
make genkey
make certreq
make testcert
RHEL5 path:
[root@server certs]# pwd
/etc/pki/tls/certs
[root@server certs]# tree ./
./
|-- Makefile
|-- ca-bundle.crt
|-- localhost.crt
|-- make-dummy-cert
|-- server.crt
`-- server.csr
0 directories, 6 files
[root@server certs]# make
This makefile allows you to create:
o public/private key pairs
o SSL certificate signing requests (CSRs)
o self-signed SSL test certificates
To create a key pair, run "make SOMETHING.key".
To create a CSR, run "make SOMETHING.csr".
To create a test certificate, run "make SOMETHING.crt".
To create a key and a test certificate in one file, run "make SOMETHING.pem".
To create a key for use with Apache, run "make genkey".
To create a CSR for use with Apache, run "make certreq".
To create a test certificate for use with Apache, run "make testcert".
To create a test certificate with serial number other than zero, add SERIAL=num
Examples:
make server.key
make server.csr
make server.crt
make stunnel.pem
make genkey
make certreq
make testcert
make server.crt SERIAL=1
make stunnel.pem SERIAL=2
make testcert SERIAL=3
Setup: the host serving HTTPS is server.rhel5.com. The existing configuration file is /etc/httpd/conf.d/ssl.conf:
[root@server conf.d]# httpd -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
_default_:443 server.rhel5.com (/etc/httpd/conf.d/ssl.conf:81)
Syntax OK
[root@server conf.d]# cat ssl.conf
.............
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
..................
The stock certificate was issued for localhost.localdomain, so the name in it only matches when the site is reached as localhost; any client that connects as server.rhel5.com gets a hostname-mismatch warning. So we create a certificate whose Common Name is our own hostname.
My SSL theory is not yet good enough, so this only describes the creation steps; I am catching up on the theory and currently reading SSH: The Definitive Guide. The encryption and certificate material makes my head spin, especially private keys, public keys, CAs and so on; I have not got the logic straight.
1: Make sure you are in the following directory:
[root@server certs]# pwd
/etc/pki/tls/certs
2: Create the private key. Note that the Makefile generates a 1024-bit RSA key, which is below today's minimum of 2048 bits; outside a lab, pass a larger size to openssl genrsa directly:
[root@server certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase: type a pass phrase
Verifying - Enter pass phrase: type it again
3: Rewrite the private key without the pass phrase so httpd can start without prompting. The key is now stored in clear, so its only protection is the 0600 file mode the umask gave it; keep it under /etc/pki/tls/private, the root-only directory the stock ssl.conf already points at.
[root@rhce conf]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
4: Create the certificate signing request (CSR):
[root@server certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:ShangHai
Locality Name (eg, city) [Newbury]:ShangHai
Organization Name (eg, company) [My Company Ltd]:kook.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server.rhel5.com
Email Address []:kook@kook.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:liujia
An optional company name []:kook
5: Since we cannot get a higher-level CA to sign this, we sign the request with our own key. The result is a self-signed certificate, not a CA: no client trusts it by default, so browsers will warn until the certificate is imported explicitly.
[root@server certs]# openssl x509 -in server.csr -req -signkey server.key -days 365 -out server.crt
Signature ok
subject=/C=CN/ST=ShangHai/L=ShangHai/O=kook.com/CN=server.rhel5.com/emailAddress=kook@kook.com
Getting Private key
6: After the steps above we have three files:
[root@server certs]# ls server.*
server.crt server.csr server.key
Finally, adjust /etc/httpd/conf.d/ssl.conf to reference the certificate we created, then start the service.
[root@server conf.d]# cat ssl.conf
.............
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
..................
Adjust the other parts yourself, e.g. uncommenting DocumentRoot. Note that the key was left in /etc/pki/tls/certs here; moving it to /etc/pki/tls/private (and pointing SSLCertificateKeyFile there) keeps the unencrypted key out of the world-readable certs directory.
The result looks like this:
(screenshot not reproduced)
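The whole procedure above (key, CSR, self-signed certificate, then the ssl.conf change) condensed into one non-interactive shell script, as an added example that is not part of the original post. It assumes only the openssl command-line tool. The DN values are the ones typed at the prompts above; the pass phrase "placeholder", the 2048-bit key size and the subjectAltName are my choices, not the Makefile's defaults. The audit function at the end runs the checks a practitioner wants before restarting httpd, including the hostname check that the stock localhost.localdomain certificate fails for server.rhel5.com.

```shell
#!/bin/sh
# Added example: non-interactive version of the post's
# make server.key -> make server.csr -> openssl x509 -req flow,
# followed by the checks to run before pointing ssl.conf at the files.
# Hostname, DN and pass phrase are placeholders. Needs only the openssl CLI.
set -eu

# Build key, CSR and self-signed certificate for HOST inside DIR.
make_server_cert() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Same umask the RHEL Makefile uses, so key material is created mode 0600.
    umask 077
    # Step 2 of the post, but 2048-bit instead of the Makefile's 1024-bit default.
    # Encrypted like "genrsa -des3" was; the pass phrase is a placeholder passed
    # via -passout so the script runs unattended.
    openssl genrsa -aes256 -passout pass:placeholder -out "$dir/server.key.enc" 2048 2>/dev/null
    # Step 3: strip the pass phrase so httpd can start without prompting.
    # The result is a plaintext private key; file mode is its only protection.
    openssl rsa -in "$dir/server.key.enc" -passin pass:placeholder -out "$dir/server.key" 2>/dev/null
    rm -f "$dir/server.key.enc"
    # Step 4: CSR with the DN given on the command line instead of at the prompts.
    # CN is the name clients will type; the e-mail address is a placeholder.
    openssl req -new -utf8 -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=ShangHai/L=ShangHai/O=kook.com/CN=$host/emailAddress=kook@kook.com"
    # Step 5: sign the request with the same key (self-signed, no CA involved).
    # A subjectAltName is added because current browsers ignore the CN when
    # matching the hostname.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -days 365 -sha256 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
    rm -f "$dir/san.ext"
}

# Checks to run before editing ssl.conf. Prints one line per check and
# returns non-zero if any check fails.
audit_server_cert() {
    dir=$1; host=$2; rc=0
    # An encrypted key makes httpd prompt for the pass phrase at startup.
    if grep -q ENCRYPTED "$dir/server.key"; then
        echo "FAIL key is still pass-phrase protected"; rc=1
    else
        echo "ok   key has no pass phrase"
    fi
    # A plaintext key must not be readable by anyone but root.
    mode=$(stat -c '%a' "$dir/server.key")
    if [ "$mode" = 600 ]; then echo "ok   key mode $mode"; else echo "FAIL key mode $mode"; rc=1; fi
    # Certificate and key must carry the same public key, or httpd refuses to start.
    if [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
         "$(openssl pkey -in "$dir/server.key" -pubout)" ]; then
        echo "ok   certificate matches key"
    else
        echo "FAIL certificate does not match key"; rc=1
    fi
    # The name clients connect with must be in the certificate; the stock
    # localhost.localdomain certificate fails this for any real hostname.
    if openssl x509 -in "$dir/server.crt" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "ok   certificate is valid for $host"
    else
        echo "FAIL certificate is not valid for $host"; rc=1
    fi
    # -checkend 0 exits non-zero once notAfter has passed.
    if openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null; then
        echo "ok   certificate not expired"
    else
        echo "FAIL certificate expired"; rc=1
    fi
    return $rc
}

# Usage: sh mkcert.sh /tmp/demo server.rhel5.com
# Then install server.crt into /etc/pki/tls/certs/ and server.key into
# /etc/pki/tls/private/, and set SSLCertificateFile / SSLCertificateKeyFile
# in /etc/httpd/conf.d/ssl.conf to those two paths.
if [ $# -eq 2 ]; then
    make_server_cert "$1" "$2"
    audit_server_cert "$1" "$2"
fi
```

Running the audit against the stock certificate with the real hostname is the quickest way to confirm the mismatch described above before replacing it.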
Article link: http://www.52zhe.cn/read.php/118.htm
Author: kook (to discuss the technical topics covered in this blog, contact me via the MSN or Gmail address below)
Contact: (MSN: kook#live.com) (Google Talk: kookliu)
No copyright: GNU. When reposting, please note that the "reposter" owes me a meal, to be redeemed when we meet. Thanks for your cooperation!