title: 信息安全实践Lab1-自建CA证书搭建https服务器
date: 2021-12-21 02:44:40
tags: 信息安全
categories: 信息安全实践

信息安全实践Lab1-自建CA证书搭建https服务器

搭建https服务器

本机环境： Ubuntu 20.04 OpenSSL 1.1.1f Firefox Browser 79.0(64-bit)

安装OpenSSL

$sudo apt-get install openssl

自建CA

建立myCA目录用于存放CA相关信息

cd && mkdir -p myCA/signedcerts && mkdir myCA/private && cd myCA

myCA 用于存放 CA 根证书，证书数据库，以及后续服务器生成的证书，密钥以及请求
signedcerts:保存签名证书的 copy
private: 包含私钥

配置myCA相关参数，在myCA目录下进行

echo '01'>serial && touch index.txt

创建caconfig.cnf文件

sudo apt-get install vim
vim ~/myCA/caconfig.cnf

caconfig.cnf文件内容如下：

注意文件中两个地方的username需要换成你自己的用户名。

# My sample caconfig.cnf file.
#
# Default configuration to use when one is not provided on the command line.
#
[ ca ]
default_ca      = local_ca
#
#
# Default location of directories and files needed to generate certificates.
#
[ local_ca ]
dir             = /home/username/myCA                    # 这里要将username替换为你的用户名
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/signedcerts
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
#
#
# Default expiration and encryption policies for certificates.
#
default_crl_days        = 365
default_days            = 1825
default_md              = SHA256
#
policy          = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Default policy to use when generating server certificates.  The following
# fields must be defined in the server certificate.
#
[ local_ca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = supplied
#
#
# x509 extensions to use when generating server certificates.
#
[ local_ca_extensions ]
subjectAltName          = DNS:localhost
basicConstraints        = CA:false
nsCertType              = server
#
#
# The default root certificate generation policy.
#
[ req ]
default_bits    = 2048
default_keyfile = /home/username/myCA/private/cakey.pem  # 这里要将username替换为你的用户名
default_md      = SHA256
#
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions
#
#
# Root Certificate Authority distinguished name.  Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName              = MyOwn Root Certificate Authority # CA机构名
stateOrProvinceName     = JS                               # CA所在省份
countryName             = CN                               # CA所在国家（仅限2个字符）
emailAddress            = XXXX@XXX.com                     # 邮箱
organizationName        = XXX                              #
organizationalUnitName  = XXX                              #
#
[ root_ca_extensions ]
basicConstraints        = CA:true

生成CA根证书和密钥

export OPENSSL_CONF=~/myCA/caconfig.cnf       #该命令用于给环境变量 OPENSSL_CONF 赋值为caconfig.cnf。
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825             # 生成 CA 根证书和密钥

该命令需要用户设置密码。不要忘记。
以上步骤生成了 CA 自签名根证书，和 RSA 公/私密钥对。证书的格式是 PEM，有效期是1825天。

/myCA/cacert.pem: CA 根证书
/myCA/private/cakey.pem： CA 私钥

创建服务器公私钥

生成服务器配置文件exampleserver.cnf

vim ~/myCA/exampleserver.cnf

exampleserver.cnf文件内容如下

#
# exampleserver.cnf
#
[ req ]
prompt             = no
distinguished_name = server_distinguished_name
[ server_distinguished_name ]
commonName              = localhost          # 服务器域名
stateOrProvinceName     = JS                 # 服务器所在省份
countryName             = CN                 # 服务器所在国家（仅限2个字符）
emailAddress            = XXXX@XXX.com       # 邮箱
organizationName        = XXX                #
organizationalUnitName  = XXX                #

生成服务器证书和密钥

export OPENSSL_CONF=~/myCA/exampleserver.cnf   # 该命令设置环境变量 OPENSSL_CONF，使得 openssl 更换配置文件。
openssl req -newkey rsa:2048 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM

同样的，需要输入密码短语。
之后，有2种对临时秘钥的操作，选择其一即可
1.将临时私钥转换为 unencrypted key，即秘钥不加密状态。

openssl rsa -in tempkey.pem -out server_key.pem

需要输入密码短语。

2.如果希望将 key 保持为加密状态，直接改名

mv tempkey.pem server_key.pem

两者的区别是，第二种需要在服务器启动时输入私钥的密码短语，否则会导致服务器启动失败，但第二种安全性高于第一种，可以更好的保护秘钥。

使用CA key对服务器证书签名

export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl ca -in tempreq.pem -out server_crt.pem

删除临时证书和密码文件

rm -f tempkey.pem && rm -f tempreq.pem

现在，自签名的服务器证书和密钥对便产生了：

server_crt.pem : 服务器证书文件
server_key.pem : 服务器密钥文件

配置Apache

安装apache2

sudo apt-get update
sudo apt-get install apache2

建立ssl配置文件，lab-ssl.conf

sudo vim /etc/apache2/sites-available/lab-ssl.conf

lab-ssl.conf文件内容如下：

注意这里有两处username需要换成你的用户名。

<IfModule mod_ssl.c><VirtualHost _default_:443>ServerAdmin webmaster@localhostDocumentRoot /var/www/html# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,# error, crit, alert, emerg.# It is also possible to configure the loglevel for particular# modules, e.g.#LogLevel info ssl:warnErrorLog ${APACHE_LOG_DIR}/error.logCustomLog ${APACHE_LOG_DIR}/access.log combined# For most configuration files from conf-available/, which are# enabled or disabled at a global level, it is possible to# include a line for only one particular virtual host. For example the# following line enables the CGI configuration for this host only# after it has been globally disabled with "a2disconf".#Include conf-available/serve-cgi-bin.conf#   SSL Engine Switch:#   Enable/Disable SSL for this virtual host.SSLEngine on#   A self-signed (snakeoil) certificate can be created by installing#   the ssl-cert package. See#   /usr/share/doc/apache2/README.Debian.gz for more info.#   If both key and certificate are stored in the same file, only the#   SSLCertificateFile directive is needed.#SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key# 网站证书和私钥地址SSLCertificateFile    /home/username/myCA/server_crt.pem # 这里的username需要换成你的用户名SSLCertificateKeyFile /home/username/myCA/server_key.pem # 这里的username需要换成你的用户名#   Server Certificate Chain:#   Point SSLCertificateChainFile at a file containing the#   concatenation of PEM encoded CA certificates which form the#   certificate chain for the server certificate. Alternatively#   the referenced file can be the same as SSLCertificateFile#   when the CA certificates are directly appended to the server#   certificate for convinience.#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt#   Certificate Authority (CA):#   Set the CA certificate verification path where to find CA#   certificates for client authentication or alternatively one#   huge file containing all of them (file must be PEM encoded)#   Note: Inside SSLCACertificatePath you need hash symlinks#       to point to the certificate files. Use the provided#        Makefile to update the hash symlinks after changes.#SSLCACertificatePath /etc/ssl/certs/#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt#   Certificate Revocation Lists (CRL):#   Set the CA revocation path where to find CA CRLs for client#   authentication or alternatively one huge file containing all#   of them (file must be PEM encoded)#   Note: Inside SSLCARevocationPath you need hash symlinks#        to point to the certificate files. Use the provided#        Makefile to update the hash symlinks after changes.#SSLCARevocationPath /etc/apache2/ssl.crl/#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl#   Client Authentication (Type):#   Client certificate verification type and depth.  Types are#   none, optional, require and optional_no_ca.  Depth is a#   number which specifies how deeply to verify the certificate#   issuer chain before deciding the certificate is not valid.#SSLVerifyClient require#SSLVerifyDepth  10#   SSL Engine Options:#   Set various options for the SSL engine.#   o FakeBasicAuth:#   Translate the client X.509 into a Basic Authorisation.  This means that#    the standard Auth/DBMAuth methods can be used for access control.  The#     user name is the `one line' version of the client's X.509 certificate.#  Note that no password is obtained from the user. Every entry in the user#   file needs this password: `xxj31ZMTZzkVA'.#   o ExportCertData:#  This exports two additional environment variables: SSL_CLIENT_CERT and#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the#     server (always existing) and the client (only existing when client#     authentication is used). This can be used to import the certificates#   into CGI scripts.#   o StdEnvVars:#     This exports the standard SSL/TLS related `SSL_*' environment variables.#     Per default this exportation is switched off for performance reasons,#  because the extraction step is an expensive operation and is usually#   useless for serving static content. So one usually enables the#     exportation for CGI and SSI requests only.#   o OptRenegotiate:#    This enables optimized SSL connection renegotiation handling when SSL#  directives are used in per-directory context.#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire<FilesMatch "\.(cgi|shtml|phtml|php)$">SSLOptions +StdEnvVars</FilesMatch><Directory /usr/lib/cgi-bin>SSLOptions +StdEnvVars</Directory>#   SSL Protocol Adjustments:#   The safe and default but still SSL/TLS standard compliant shutdown#   approach is that mod_ssl sends the close notify alert but doesn't wait for#   the close notify alert from client. When you need a different shutdown#   approach you can use one of the following variables:#   o ssl-unclean-shutdown:#   This forces an unclean shutdown when the connection is closed, i.e. no#     SSL close notify alert is send or allowed to received.  This violates#  the SSL/TLS standard but is needed for some brain-dead browsers. Use#   this when you receive I/O errors because of the standard approach where#    mod_ssl sends the close notify alert.#   o ssl-accurate-shutdown:#  This forces an accurate shutdown when the connection is closed, i.e. a#     SSL close notify alert is send and mod_ssl waits for the close notify#  alert of the client. This is 100% SSL/TLS standard compliant, but in#   practice often causes hanging connections with brain-dead browsers. Use#    this only for browsers where you know that their SSL implementation#    works correctly.#   Notice: Most problems of broken clients are also related to the HTTP#   keep-alive facility, so you usually additionally want to disable#   keep-alive for those clients, too. Use variable "nokeepalive" for this.#   Similarly, one has to force some clients to use HTTP/1.0 to workaround#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and#   "force-response-1.0" for this.# BrowserMatch "MSIE [2-6]" \#       nokeepalive ssl-unclean-shutdown \#     downgrade-1.0 force-response-1.0</VirtualHost>
</IfModule># vim: syntax=apache ts=4 sw=4 sts=4 sr noet

启动ssl服务

sudo a2ensite /etc/apache2/sites-available/lab-ssl.conf
sudo a2enmod ssl

让浏览器信任我们自建的CA

打开 FireFox 浏览器，依次选择“编辑”----“首选项”----“隐私与安全”----“证书”----“查看证书”----“证书机构”，点击导入，选择 myCA 目录下的根证书“cacert.pem”, 导入。

在浏览器地址栏输入 https://localhost