RHEL 6.3: encryption-based user authentication for access control (2)

4. Encryption configuration
 
[root@test1 conf]# (umask 077;openssl genrsa -des3 -out server.key)
Generating RSA private key, 512 bit long modulus
....++++++++++++
....++++++++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

[root@test1 conf]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Beijing]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Tianli
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:test1.demo.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@test1 conf]# openssl ca -in server.csr -out server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 3 (0x3)
        Validity
            Not Before: Jan 31 05:37:44 2013 GMT
            Not After : Jan 31 05:37:44 2014 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Hebei
            organizationName          = Default Company Ltd
            commonName                = test1.demo.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CB:3D:6E:BD:48:ED:BD:FE:39:BD:27:C5:B5:57:19:96:79:11:23:14
            X509v3 Authority Key Identifier:
                keyid:4C:45:25:5F:60:7F:F8:6E:6F:B4:53:C4:FB:BD:A3:C6:82:AE:2A:62

Certificate is to be certified until Jan 31 05:37:44 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
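An added example (not from the original post) that replays the key, CSR and signing steps above in a scratch directory, using a 2048-bit key instead of the 512-bit modulus the genrsa output shows (512-bit RSA is factorable with modest resources; 2048 is the current floor), and then runs the checks worth doing before the files go into ssl.conf. A throwaway CA created here stands in for the post's /etc/pki/CA; all paths, subject values and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: key -> CSR -> CA-signed cert in a
# scratch directory with a 2048-bit key, followed by the checks that belong
# before httpd is pointed at the files. A throwaway CA made here replaces the
# post's /etc/pki/CA; every path and subject value below is constructed.
set -eu

WORK=$(mktemp -d)
CA_SUBJ="/C=CN/ST=Hebei/O=Default Company Ltd/CN=Example Test CA"
SRV_SUBJ="/C=CN/ST=Hebei/O=Default Company Ltd/CN=test1.demo.com"

# Throwaway self-signed CA (2048-bit); stands in for the post's my-ca.key.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$CA_SUBJ" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server key, CSR and signed certificate. umask 077 keeps the key root-only as
# in the post. No -des3: an unencrypted key avoids the pass-phrase prompt at
# every httpd restart and relies on file permissions instead.
make_server_cert() {
    (umask 077; openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null)
    # C, ST and O are given explicitly: openssl.cnf's default policy_match makes
    # "openssl ca" reject a CSR whose values differ from the CA's.
    openssl req -new -key "$WORK/server.key" -subj "$SRV_SUBJ" -out "$WORK/server.csr"
    # x509 -req signs without the index.txt/serial database that "openssl ca" needs.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/server.crt" 2>/dev/null
}

# Checks for SSLCertificateFile / SSLCertificateKeyFile before restarting httpd.
key_bits() {   # modulus size of the private key
    openssl rsa -in "$WORK/server.key" -noout -text |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}
cert_cn() {    # CN must equal the vhost's ServerName
    openssl x509 -in "$WORK/server.crt" -noout -subject | sed 's/.*CN *= *//'
}
chain_ok() {   # certificate chains to the CA that clients are expected to trust
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}
key_matches_cert() {  # a mismatched key/cert pair makes httpd fail at startup
    [ "$(openssl rsa -in "$WORK/server.key" -noout -modulus)" = \
      "$(openssl x509 -in "$WORK/server.crt" -noout -modulus)" ]
}

make_test_ca
make_server_cert
echo "key: $(key_bits) bit, CN: $(cert_cn), files left in $WORK"
```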
 
 
 
Copy this block from httpd.conf into ssl.conf, then modify it and add the SSL and authentication directives:
 
NameVirtualHost 192.168.1.123:443
<VirtualHost 192.168.1.123:443>
    DocumentRoot /var/www/virt1
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/server.key
    ServerName test1.demo.com
    ErrorLog logs/test1.demo.com-error.log
    <Directory /var/www/virt1>
        AuthName "realm"
        AuthType Basic
        AuthUserFile /etc/httpd/conf/.htpasswd
        Require user aaa bbb
    </Directory>
</VirtualHost>
 
Note: the corresponding block in the original httpd.conf must be commented out or otherwise disabled.
 
[root@test1 conf]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: [Thu Jan 31 01:29:41 2013] [warn] NameVirtualHost 192.168.1.123:80 has no VirtualHosts
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server test1.demo.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
                                                          [  OK  ]
[root@test1 conf]#


Source: http://www.heiqu.com/8c402f615591284f4816cbd06b298d04.html