Различия
Здесь показаны различия между двумя версиями данной страницы.
| Предыдущая версия справа и слева Предыдущая версия Следующая версия | Предыдущая версия | ||
|
abills:docs:manual:admin_cert_auth [2011/01/17 12:16] pigich |
abills:docs:manual:admin_cert_auth [2015/12/05 17:50] (текущий) |
||
|---|---|---|---|
| Строка 6: | Строка 6: | ||
| default_ca = CA # The default ca section | default_ca = CA # The default ca section | ||
| [ CA ] | [ CA ] | ||
| - | dir = /usr/home/pigich/SSL/ # Where everything is kept | + | dir = /usr/abills/Certs/ # Where everything is kept |
| certs = $dir/certs # Where the issued certs are kept | certs = $dir/certs # Where the issued certs are kept | ||
| crl_dir = $dir/crl # Where the issued crl are kept | crl_dir = $dir/crl # Where the issued crl are kept | ||
| Строка 14: | Строка 14: | ||
| serial = $dir/serial # The current serial number | serial = $dir/serial # The current serial number | ||
| #crlnumber = $dir/crlnumber # the current crl number must be | #crlnumber = $dir/crlnumber # the current crl number must be | ||
| - | # commented out to leave a V1 CRL | + | # commented out to leave а V1 CRL |
| crl = $dir/CA/ca.crl # The current CRL | crl = $dir/CA/ca.crl # The current CRL | ||
| private_key = $dir/CA/ca.key # The private key | private_key = $dir/CA/ca.key # The private key | ||
| Строка 23: | Строка 23: | ||
| preserve = no # keep passed DN ordering | preserve = no # keep passed DN ordering | ||
| policy = policy_match | policy = policy_match | ||
| + | | ||
| # For the CA policy | # For the CA policy | ||
| [ policy_match ] | [ policy_match ] | ||
| Строка 93: | Строка 93: | ||
| [ crl_ext ] | [ crl_ext ] | ||
| authorityKeyIdentifier=keyid:always,issuer:always | authorityKeyIdentifier=keyid:always,issuer:always | ||
| + | |||
| + | |||
| + | cd /usr/abills/Certs/ && mkdir {CA,server,user} | ||
| + | |||
| + | echo "01" > serial | ||
| + | touch index.txt | ||
| + | |||
| + | **Создаем сертификат организации** | ||
| + | Создаем ключ и самподписанный СА сертификат | ||
| + | |||
| + | openssl genrsa – rand /var/log/messages -out ./CA/ca.key -camellia256 2048 | ||
| + | | ||
| + | openssl req -new -key ./CA/ca.key -out ./CA/ca.csr | ||
| + | | ||
| + | openssl x509 -req -signkey ./CA/ca.key -in ./CA/ca.csr -extfile /etc/ssl/openssl.cnf -out ./CA/ca.crt | ||
| + | |||
| + | Проверка | ||
| + | openssl x509 -in ca.crt -text | ||
| + | |||
| + | **Теперь создаем сертификат сервера** | ||
| + | |||
| + | openssl genrsa -rand /var/log/messages -out ./server/freebsd.local.com.key -camellia256 2048 | ||
| + | |||
| + | COMMON NAME вводим **ДНС имя серверу** | ||
| + | Пароль тот же что и для частного ключа freebsd.local.com.key | ||
| + | |||
| + | openssl req -new -key ./server/freebsd.local.com.key -config /etc/ssl/openssl.cnf -out ./server freebsd.local.com.csr | ||
| + | |||
| + | и подписываем его сертификатом организации | ||
| + | |||
| + | openssl ca -in ./server/freebsd.local.com.csr -cert ./CA/ca.crt -keyfile ./CA/ca.key -out ./server/freebsd.local.com.crt -config /etc/ssl/openssl.cnf -days 365 | ||
| + | |||
| + | **Создаем сертификат клиента** | ||
| + | |||
| + | openssl genrsa -rand /var/log/messages -out ./user/client.key -camellia256 2048 | ||
| + | |||
| + | openssl req -new -key /user/client.key -out ./user/client.csr | ||
| + | |||
| + | и подписываем его сертификатом организации | ||
| + | |||
| + | openssl ca -in ./user/client.csr -cert ./CA/ca.crt -keyfile ./CA/ca.key -out ./user/client.crt -extensions client -config /etc/ssl/openssl.cnf | ||
| + | |||
| + | Экспортируем в формат читаємий IE, Mozilla... | ||
| + | |||
| + | openssl pkcs12 -export -clcerts -in ./user/client.crt -inkey ./user/client.key -out ./user/client.p12 | ||
| + | или | ||
| + | openssl pkcs12 -export -clcerts -in ./user/certificates/client.crt -inkey ./user/keys/client.key -out ./user/certificates/client.p12 -name "test certificate" | ||
| + | |||
| + | Копируем файл client.p12 на компьютер клиента | ||
| + | |||
| + | Редактируем конфиг /usr/abills/misc/apache/abills_httpd.conf | ||
| + | |||
| + | Вставляем между <IfModule ssl_module> </IfModule ssl_module> | ||
| + | |||
| + | <Location /admin> | ||
| + | SSLVerifyClient require | ||
| + | SSLVerifyDepth 10 | ||
| + | </Location> | ||
| + | |||
| + | Изменяем путь к сертификатам | ||
| + | |||
| + | SSLCertificateFile /usr/abills/Certs/server/freebsd.local.com.crt | ||
| + | SSLCertificateKeyFile /usr/abills/Certs/server/freebsd.local.com.key | ||
| + | SSLCACertificateFile /usr/abills/Certs/CA/ca.crt | ||
| + | | ||
| + | Перезапускаем веб сервер | ||
| + | | ||
| + | /usr/local/etc/rc.d/apache22 restart | ||
| + | |||
| + | смотрим лог ошибок | ||
| + | |||
| + | **Добавляем сертификат на стороне клиента** | ||
| + | |||
| + | Для для работы в Internet Explorer, GoogleChrome запускаем freebsd.local.com.p12 | ||
| + | |||
| + | Для Mozilla FireFox | ||
| + | |||
| + | {{http://abills.net.ua/img/1mozilla.jpg?380x200}} | ||
| + | \\ | ||
| + | {{http://abills.net.ua/img/2mozilla.jpg?380x200}} | ||
| + | |||
| + | Дополнительные ссылки по авторизации с помощью сертификатов | ||
| + | |||
| + | http://www.linuxconfig.org/apache-web-server-ssl-authentication \\ | ||
| + | http://www.cafesoft.com/products/cams/ps/docs30/admin/ConfiguringApache2ForSSLTLSMutualAuthentication.html \\ | ||
| + | http://www.symantec.com/connect/articles/apache-2-ssltls-step-step-part-3 \\ | ||
| + | |||
| + | |||