Apache下配置https双向认证，apachehttps认证

Apache下配置https双向认证，apachehttps认证

声明：以下涉及到的脚本分本人原创，出处如下:

http://blog.csdn.net/kunoy/article/details/8239653

1.Apache安装并开启ssl

略

2.创建证书

创建证书的步骤如下

2.1创建相关目录

这里apache目录位于/data/webapps/apache
在apache目录下创建ca目录（方便管理，可自定义）

mkdir /data/webapps/apache/ca

在ca目录下创建相关目录

cd /data/webapps/apache/ca
mkdirs conf newcerts private server users

2.2创建相关文件

在conf目录下创建openssl.conf

cd conf
vi openssl.conf

内容如下:

[ ca ]  
default_ca      = foo                                      # The default ca section  

[ foo ]  
dir            = /data/webapps/apache/ca                   # top dir  
database       = /data/webapps/apache/ca/index.txt         # index file.  
new_certs_dir  = /data/webapps/apache/ca/newcerts          # new certs dir  

certificate    = /data/webapps/apache/ca/private/ca.crt    # The CA cert  
serial         = /data/webapps/apache/ca/serial            # serial no file  
private_key    = /data/webapps/apache/ca/private/ca.key    # CA private key  
RANDFILE       =/data/webapps/apache/ca/private/.rand      # random number file

default_days   = 365                                       # how long to certify for  
default_crl_days= 30                                       # how long before next CRL  
default_md     = md5                                       # message digest method to use  
unique_subject = no                                        # Set to 'no' to allow creation of  
                                                           # several ctificates with same subject.  
policy         = policy_any                                # default policy      
[ policy_any ]  
countryName = match  
stateOrProvinceName = match  
organizationName = match  
organizationalUnitName = match  
localityName            = optional  
commonName              = supplied  
emailAddress            = optional

在ca目录创建1_create_ca.sh脚本

cd ..
vi 1_create_ca.sh

内容如下:

#!/bin/sh
basedir="/data/webapps/apache/ca"
# Generate the key.  
openssl genrsa -out private/ca.key  
# Generate a certificate request.  
openssl req -new -key private/ca.key -out private/ca.csr  
# Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.  
# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this  
# service will never see the light of an unencrypted Internet see the cheap and lazy remark.  
# So self sign our root key.  
openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt  
# Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.  
echo FACE > serial
# Create the CA's key database.  
touch index.txt
# Create a Certificate Revocation list for removing 'user certificates.'  
openssl ca -gencrl -out ${basedir}/private/ca.crl -crldays 7 -config "${basedir}/conf/openssl.conf"

创建2_create_server.sh

vi 2_create_server.sh

内容如下：

#!/bin/bash
basedir="/data/webapps/apache/ca"
# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.  
openssl genrsa -out server/server.key  
# Take our key and create a Certificate Signing Request for it.  
openssl req -new -key server/server.key -out server/server.csr  
# Sign this bastard key with our bastard CA key.  
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "${basedir}/conf/openssl.conf"

创建3_create_user.sh

vi 3_create_user.sh

内容如下：

#!/bin/sh  
# The base of where our SSL stuff lives.  
base="/data/webapps/apache/ca"  
# Were we would like to store keys... in this case we take the username given to us and store everything there.  
mkdir -p $base/users/  
# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.  
openssl genrsa -des3 -out $base/users/client.key 1024  
# Create a Certificate Signing Request for said key.  
openssl req -new -key $base/users/client.key -out $base/users/client.csr  
# Sign the key with our CA's key and cert and create the user's certificate out of it.  
openssl ca -in $base/users/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/users/client.crt -config "${base}/conf/openssl.conf"  
# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.  
# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.  
# Take the same precaution with the export password that would take with any other password based authentication scheme.  
openssl pkcs12 -export -clcerts -in $base/users/client.crt -inkey $base/users/client.key -out $base/users/client.p12

2.3 按顺序执行脚本，创建所有证书

sh ./1_create_ca.sh
sh ./2_create_server.sh
sh ./3_create_user.sh

创建过程中如下注册信息需一致

Country Name:CN
State or Province Name:Shanghai    
Locality Name (eg, city):Shanghai
Organization Name (eg, company):pers
Organizational Unit Name:jack
Common Name:pers.jack
Email Address:qsjwork@163.com

2.4 配置apache

编辑%HTTPD_HOME%/conf/extra/http-ssl.conf文件
添加或修改如下内容:

SSLEngine on  
SSLCertificateFile "/data/webapps/apache/ca/server/server.crt" 
SSLCertificateKeyFile "/data/webapps/apache/ca/server/server.key"
SSLCACertificateFile "/data/webapps/apache/ca/private/ca.crt"
SSLVerifyClient require  
SSLVerifyDepth  10