韌館-LearnHouse

Requesting and Installing a Certificate on an Apache Server

A customer reported that they need HTTPS support, so I started surveying how to let Android talk to our product over the HTTPS protocol.

The first step is to request a certificate for testing. A little self-promotion here: you can apply through my former employer, 『網際威信-HiTRIST』.

But since I needed to test not only Android but also iOS, and iOS restricts which Root CAs it accepts (see here),

the certificate chain has to end in a Root CA that Apple trusts before you can test with a valid certificate; the free test certificates most CAs hand out are not on Apple's allowed list.

I applied for free 15~30 day test certificates from several providers; of the ones I know about, the free test certificate from 台網(TWCA) is on Apple's list.

Now to the topic of this post: how to generate the key and the CSR, retrieve the certificate, and configure and install it in Apache:

To be clear, the procedure below applies in principle to any web server, but each server has its own setup method.

IIS, for instance, has a more convenient way of generating these; readers can google it themselves. Here I use Apache as the example for requesting and installing.

Before starting, have the two tools keytool.exe and openssl.exe ready. keytool.exe is found under bin in the Java SDK you installed, and openssl.exe under bin in the Apache installation directory.

Step1. Generate the key pair

keytool.exe -genkey -alias key01 -keyalg RSA -keysize 2048 -keystore LearnHouse.keystore -storepass 12345678 -keypass 12345678

-genkey generate a key pair

-alias alias for the generated key

-keyalg the algorithm to use

-keysize the key pair length in bits

-keystore the keystore file name

-storepass the keystore access password

-keypass the access password for the key itself

Step2. Fill in the certificate request details as shown in the screen below

Step3. Generate the certificate signing request (CSR)

keytool.exe -certreq -alias key01 -file cert.csr -keystore LearnHouse.keystore -storepass 12345678 -keypass 12345678

Step4. Submit the generated cert.csr to the company you are applying with, then wait for the certificate to be issued

Step5. Receive the intermediate certificate(s) and the server certificate

Step6. Extract the private key from the keystore

keytool.exe -importkeystore -srckeystore LearnHouse.keystore -destkeystore intermediate.p12 -deststoretype PKCS12
openssl.exe pkcs12 -in intermediate.p12 -out extracted.pem -nodes

Open extracted.pem in Notepad; its contents will look something like this:

Bag Attributes
    friendlyName: key01
    localKeyID: 54 69 6D 65 20 31 34 31 32 36 31 31 35 37 34 32 34 35
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAkKX5H93/OpVmFwQ7ycZBlIMKAm/3qfdaWbMQnKIVpXcssCd3
REGrUZnBaCFxIhjkuWL4TgW4LYsYrttEVnb0+HT5fn6STMo3pGYUUxwnZ03wTlE9
xPW5zluasc8VWIPWcvlTFRo+UuYoCN1YXc9QHv0lwwuO5vSFsRRtfjsOU7BuKSPo
0QhCjW2ri/6CnJHgHb8YuGG/VPEj4l5bfpF4xgbray+knRsG3YSu9mvZCspUGEAt
2OoLFsetj1lVlE7qtSc9N2mdiZF82dcTfa9hy1UKDRfv4mz75H+V7Q37n8bvK1F/
OVn1J2YCqZL4SLcipgUQitoH6fQzPvALHBm47wIDAQABAoIBAA0/1rDvkbhZBO/o
yF00Fr+2vQz6GpJsAM+kkkn2osr0PpioFMmgxkOENO4H2igIZbMBeMMUzQkG66zg
ksLkxI2ZkVzf1SDJiQ06+HOgaY+R2Qgjcuf+phVb2LCeylLASL1hTxXowHqxcEtX
kweMvMcJ4xKZlW5cSX6t41WjrS1HIXX6Cfxadhhn/F51wQgWIbKvDO7Jiz34Pw2T
aeU9maOx8h4cvITMhFX/rQBX6HK5/BpxODV7XVSwiZDthQQd01DjhBgFKu0e3xVx
BaVp5saYeVIlASV7DI5lGXP3mGp76ubAHS5WXOqeC6v9U09JapfOdaYBbbUzfVuS
vliok1ECgYEA07/5P8C4gD+U5n4Ln+g6Mea80Q1m1YC9fQwnQYdCRvk1qp4BVSwz
MmKpDfP5vbnzDZ+R9MRhrzGyWh5P9TItnl/ng5qgJZjq6QH6E42K8BxIBAHCCWIx
4B7Szs0+72bFUdQWsj6PBFvztwgf+c2uIy9BwtaiVmz9SPqxUDPb4FcCgYEAruBA
9yxaZrUhXJjW46ZDOE7xlE75SqeS66GdFshLBTkckqKrco7XUgxn7p+OF0eyRDFo
Cyn1dChiHoqew/nInrxqSS0sR7IkKMpBQVZh7jrJ/RrjIR4Yepiy4fIBcC4TKwXR
rs9mM5QCVs1fv414ONrkVZLSrcBLB9Eu/1X4rSkCgYEAkM6OE40mH35bw6ybIoXb
llim84fotUVPUH7JMcTgDE1M6BsZ6jdJ48EYv1QDjD3n+38Of4b1Dqw7velQ4Oup
ys7nMlbCAjQrIaGadVislTuh/Ct/mI8wcIZjv80YpvtvIWCbDNY/U8nWR2slAt4n
oiQlIqtJZTUvmYLnU2PDkA0CgYBmRdC4vb/BAX2ZYemLCdmWPNUcH3O8LXTHSaVN
haYaT+Rd/bS3MsLKwWanL7kx9ERVjW+D1+4tGNEJe5iOlK635wlh8oFLDOwIzwCK
7bIoWUl4NRlQbQFz8YnsilQ8/zVGnAida74hvBYCHeo5ZMtCtQGE6nE8HJHE6JnL
ysO8wQKBgB27GuqiPP/Gw/PCeX8BJ+vZ/2TyK9ZeP3tGypDvrE7Ws0hvR6gTdjpj
qoSccciGrTVUK/vzNHVBAnHcB02TG7RrFEHEQIKOfumZInTGUcI9avKLAeC2zqD0
UbFVDlIpqv4EZNtpQb2+JIAZUNK5031wh5Zgj/AvY+4AWawgjAGO
-----END RSA PRIVATE KEY-----
Bag Attributes
    friendlyName: key01
    localKeyID: 54 69 6D 65 20 31 34 31 32 36 31 31 35 37 34 32 34 35
subject=/C=TW/ST=Taiwan/L=Tainan/O=LearnHouse/OU=SW/CN=learn-house.idv.tw
issuer=/C=TW/ST=Taiwan/L=Tainan/O=LearnHouse/OU=SW/CN=learn-house.idv.tw
-----BEGIN CERTIFICATE-----
MIIDezCCAmOgAwIBAgIEBCzwYzANBgkqhkiG9w0BAQsFADBuMQswCQYDVQQGEwJU
VzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWluYW4xEzARBgNVBAoTCkxl
YXJuSG91c2UxCzAJBgNVBAsTAlNXMRswGQYDVQQDExJsZWFybi1ob3VzZS5pZHYu
dHcwHhcNMTQxMDA2MTUyNjExWhcNMTUwMTA0MTUyNjExWjBuMQswCQYDVQQGEwJU
VzEPMA0GA1UECBMGVGFpd2FuMQ8wDQYDVQQHEwZUYWluYW4xEzARBgNVBAoTCkxl
YXJuSG91c2UxCzAJBgNVBAsTAlNXMRswGQYDVQQDExJsZWFybi1ob3VzZS5pZHYu
dHcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCQpfkf3f86lWYXBDvJ
xkGUgwoCb/ep91pZsxCcohWldyywJ3dEQatRmcFoIXEiGOS5YvhOBbgtixiu20RW
dvT4dPl+fpJMyjekZhRTHCdnTfBOUT3E9bnOW5qxzxVYg9Zy+VMVGj5S5igI3Vhd
z1Ae/SXDC47m9IWxFG1+Ow5TsG4pI+jRCEKNbauL/oKckeAdvxi4Yb9U8SPiXlt+
kXjGButrL6SdGwbdhK72a9kKylQYQC3Y6gsWx62PWVWUTuq1Jz03aZ2JkXzZ1xN9
r2HLVQoNF+/ibPvkf5XtDfufxu8rUX85WfUnZgKpkvhItyKmBRCK2gfp9DM+8Asc
GbjvAgMBAAGjITAfMB0GA1UdDgQWBBSUPceelS5BJM2UtgWC9kSl7WpQXDANBgkq
hkiG9w0BAQsFAAOCAQEAg/62MBvWtF27863mPwjNGHzhE/SQprs6xMCTEYi0W2Rh
ZymuKxLoict5lGeWSPIKzXrAKkm3vYGQxqw2Lxm+EORI8odNHi9ESpjmFJgaSlHh
jC0RqvvrL5D7j0PH5HZOH/rImrHuPtJ21ek9pr9FpeEUuaFoAQay1WOO5ieQ+PKG
r7j7Ny+t4TBi7opIbbWAJ8aJVf5dnFcKnHX7IUScb96ISW1Bp5LAGJYmWfWOTum2
Tce3Q1uMi8XkfM6KN3FdneKeU59A9esT5yt732CtkLo5AhqOH1hgn9A7eqOqNi06
9lB6LJg7AvNZ40YOo2obO2pdZ34yI5KXzr7+rdOJGQ==
-----END CERTIFICATE-----

Copy the text from -----BEGIN RSA PRIVATE KEY----- through -----END RSA PRIVATE KEY----- into a new Notepad window, paste it, and save it as Server.key.
This is the private key.

Step7. Configure Apache: edit httpd.conf

Uncomment #LoadModule ssl_module modules/mod_ssl.so

Uncomment #Include conf/extra/httpd-ssl.conf

Step8. Configure Apache: edit httpd-ssl.conf

# path where the server certificate is stored
SSLCertificateFile "D:/certificate/server.crt"

# the private key extracted in Step6
SSLCertificateKeyFile "D:/certificate/server.key"

# the intermediate certificate(s)
SSLCertificateChainFile "D:/certificate/CA_chain.cer"

(Apache does not accept a comment after a directive on the same line, so the notes above are on their own # lines; leave them out or keep them as separate lines when you copy the directives.)

If two intermediate certificates are supplied, they can be merged into one file. Using TWCA as the example:

Open uca_1.cer and uca_2.cer separately in Notepad and paste their contents in order, uca_1.cer first and then uca_2.cer, like this:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Save it as CA_chain.cer. In other words, when there are two or more intermediate certificates, as long as you paste the higher-level one first, the certificate chain is linked up.
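Both hand-edited files in this procedure are easy to get subtly wrong: Server.key in Step6 may pick up the wrong block from extracted.pem, and CA_chain.cer in Step8 may contain the wrong intermediate or the certificates in an order the server does not expect (mod_ssl's own documentation for SSLCertificateChainFile describes the file as starting with the issuing CA of the server certificate and ranging up to the root). The script below is an added example, not code from the original post and not TWCA's or Apache's tooling. It uses only the Python standard library: it splits PEM blocks, pulls the private key out of extracted.pem, and walks the DER of each certificate far enough to read the issuer and subject Names, so it can report whether a chain file is linked upward (server's issuer first), downward (top-most CA first, as the post pastes them) or not linked at all, and whether the chain really contains the issuer of server.crt. Names are compared byte for byte, which is what most TLS stacks do in practice. All certificate and key data in the block is constructed for the demo (unsigned skeletons with placeholder keys), not real certificates.

```python
"""Checks for Step6 (private key out of extracted.pem) and Step8 (order and
content of CA_chain.cer). Added example, standard library only; every key and
certificate below is constructed for the demo and is not real."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """All PEM blocks in text, in file order, as (label, DER bytes); 'Bag Attributes'
    lines and anything else outside a block are ignored."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def to_pem(label, der_bytes):
    """Wrap DER bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def extract_private_key(extracted_pem):
    """Step6: return only the private key block (what the post copies into Server.key)."""
    for label, der_bytes in pem_blocks(extracted_pem):
        if label.endswith("PRIVATE KEY"):
            return to_pem(label, der_bytes)
    raise ValueError("no private key block in extracted.pem")

def der_tlv(buf, pos):
    """Read the DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def cert_names(der_bytes):
    """(issuer, subject) of an X.509 certificate as raw DER Name encodings.
    Walks Certificate -> tbsCertificate -> [version] serial signature issuer validity subject."""
    _, pos, _ = der_tlv(der_bytes, 0)       # Certificate SEQUENCE: descend
    _, pos, _ = der_tlv(der_bytes, pos)     # tbsCertificate SEQUENCE: descend
    tag, _, end = der_tlv(der_bytes, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version is optional (absent in v1)
        pos = end
    _, _, pos = der_tlv(der_bytes, pos)     # serialNumber: skip
    _, _, pos = der_tlv(der_bytes, pos)     # signature AlgorithmIdentifier: skip
    _, _, end = der_tlv(der_bytes, pos)     # issuer Name
    issuer, pos = der_bytes[pos:end], end
    _, _, pos = der_tlv(der_bytes, pos)     # validity: skip
    _, _, end = der_tlv(der_bytes, pos)     # subject Name
    return issuer, der_bytes[pos:end]

def chain_order(chain_pem):
    """Step8: 'upward' = each certificate is issued by the next one (server's issuer first);
    'downward' = each certificate issues the next one (top-most CA first);
    'single' = one certificate; None = an adjacent pair is not linked (wrong or missing cert)."""
    names = [cert_names(d) for label, d in pem_blocks(chain_pem) if label == "CERTIFICATE"]
    if len(names) < 2:
        return "single" if names else None
    pairs = list(zip(names, names[1:]))
    if all(a[0] == b[1] for a, b in pairs):   # issuer of a == subject of b
        return "upward"
    if all(a[1] == b[0] for a, b in pairs):   # subject of a == issuer of b
        return "downward"
    return None

def chain_covers_leaf(leaf_pem, chain_pem):
    """True when the issuer of server.crt is the subject of some certificate in the chain file."""
    issuer, _ = cert_names(pem_blocks(leaf_pem)[0][1])
    return any(cert_names(d)[1] == issuer
               for label, d in pem_blocks(chain_pem) if label == "CERTIFICATE")

# ---- constructed test data: unsigned certificate skeletons, NOT real certificates ----
def der(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def name(cn):
    """X.501 Name holding a single commonName (OID 2.5.4.3) PrintableString."""
    attr = der(0x30, bytes.fromhex("0603550403") + der(0x13, cn.encode()))
    return der(0x30, der(0x31, attr))

def fake_cert(subject_cn, issuer_cn):
    """X.509 v3 layout with dummy serial, validity, key and an empty signature."""
    sha256_rsa = der(0x30, bytes.fromhex("06092a864886f70d01010b") + der(0x05, b""))
    validity = der(0x30, der(0x17, b"141006152611Z") + der(0x17, b"150104152611Z"))
    spki = der(0x30, sha256_rsa + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00"))

ROOT = fake_cert("Demo Root CA", "Demo Root CA")
INTER = fake_cert("Demo Intermediate CA", "Demo Root CA")
LEAF = fake_cert("learn-house.idv.tw", "Demo Intermediate CA")
SAMPLE_EXTRACTED_PEM = ("Bag Attributes\n    friendlyName: key01\nKey Attributes: <No Attributes>\n"
                        + to_pem("RSA PRIVATE KEY", b"placeholder bytes, not a real key")
                        + "Bag Attributes\n    friendlyName: key01\n" + to_pem("CERTIFICATE", LEAF))

if __name__ == "__main__":
    print(extract_private_key(SAMPLE_EXTRACTED_PEM))
    chain = to_pem("CERTIFICATE", INTER) + to_pem("CERTIFICATE", ROOT)
    print(chain_order(chain), chain_covers_leaf(to_pem("CERTIFICATE", LEAF), chain))
```

To use it on your own files, read extracted.pem and write the return value of extract_private_key() to Server.key, then run chain_order() and chain_covers_leaf() on CA_chain.cer and server.crt before restarting Apache: a None from chain_order() or False from chain_covers_leaf() is the mistake the startup log will otherwise only hint at. The parser only walks far enough to reach the two Name fields, so it does not validate signatures or dates; it is a sanity check on file assembly, not a replacement for verifying the chain with openssl.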

Step9. Restart Apache

After restarting Apache, HTTPS connections should in principle work. If not, look at the error messages in the startup log and google them, or ask in the comments below this post.

Finally, here is a very detailed write-up by a university friend on creating a self-signed certificate; well worth reading for anyone who does not want to pay for a certificate.

October 2014, posted by admin in 程式&軟體 (Programs & Software), No Comments
