
The article "GnuPG (GPG) In Win32: Free File Encryption and Decryption Software, Concepts and Hands-on" walked through generating a private key (Private Key: secring.GPG) and a public key (Public Key: pubring.GPG), exporting the public key polinwei.asc, and importing the customer's public key partnerid.asc. Next, let's take a file and test it for real. The commands used are:

Encrypt: C:\gnupg\gpg --encrypt --armor --recipient [public key] --output encryptedfilename unencryptedfilename

Decrypt: C:\gnupg\gpg --always-trust --passphrase-fd 0 --output C:\gnupg\Decrypt\unencryptedfilename  -u "[USER-ID]" --no-tty --decrypt C:\gnupg\Encrypt\encryptedfilename < [passphrase.file]

The file the customer will send us, test.txt:

He said, " I'm sorry I doubted you. Now I realize there is greatness even in a small mouse. "
他說: " 很抱歉. 我那時懷疑你, 現在我了解即使是一隻小老鼠也有他偉大之處. "

 

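Hands-on: recall the key information shown when we exported the public key (below):

/** Information for this key pair **/
pub  1024D/FBA68168 2013-06-11 polin.wei <polin.wei@xxx.com>
        Key fingerprint = 925A 54A5 03DA 5CFD ECE5  F01C A5DC 98A3 FBA6 8168
sub  2048g/9E6074F7 2013-06-11 [expires: 2023-06-09] <= use this ID, 9E6074F7, to export the public key

The file polinwei.asc that we gave the customer contains this information. The customer first encrypts ( Sign ) with this key and then sends the result to us to decrypt.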

 

Customer side:

C:\gnupg\gpg --encrypt --armor --recipient 9E6074F7 --output test.encryp.txt test.txt

This produces an encrypted file, test.encryp.txt, for the public key 9E6074F7. Its content looks like the following; the customer then sends test.encryp.txt to us.

 
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.2.0 (MingW32)

-----END PGP MESSAGE-----

 

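Local side:

C:\gnupg\gpg.exe --always-trust --passphrase-fd 0 --output C:\gnupg\Decrypt\test.txt  -u "polin.wei" --no-tty --decrypt C:\gnupg\Encrypt\test.encryp.txt < passphrase.file

Two of the parameters need some explanation:

--passphrase-fd 0 : reads the passphrase of the secret key (Private key) from file descriptor 0 (standard input), which is redirected here from the file passphrase.file, so you are not prompted to type it every time.
-u "polin.wei"        : the [USER-ID]; this should be a unique value.
passphrase.file     : the content of this file is the passphrase. You haven't forgotten, have you? In "GnuPG (GPG) In Win32: Free File Encryption and Decryption Software, Concepts and Hands-on" we entered polin.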

C:\gnupg>C:\gnupg\gpg.exe --always-trust --passphrase-fd 0 --output C:\gnupg\Decrypt\test.txt  -u "polin.wei" --no-tty --decrypt C:\gnupg\Encrypt\test.encryp.txt < passphrase.file

gpg: encrypted with 2048-bit ELG-E key, ID 9E6074F7, created 2013-06-11
      "polin.wei <polin.wei@xxx.com>"

After the command runs, the encrypted file test.encryp.txt is restored to the normal file test.txt. Give it a try yourself!
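What an armored file like test.encryp.txt exposes before any decryption, as an added example (not code from the original post): it checks the armor's CRC-24 line and reads the first packet header, which names the recipient key ID in clear. The sample message, its key ID 1122334455667788 and all function names are constructed for illustration; gpg displays the last 8 hex digits of such an ID as the short key ID.

```python
import base64

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """ASCII-armor binary OpenPGP data (only used to build the sample)."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *lines, check, END])

def dearmor(text: str) -> bytes:
    """Return the binary payload; raise ValueError if the CRC-24 does not match."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an armored PGP message")
    body = lines[lines.index("") + 1:-1]      # armor headers end at the blank line
    check = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if check and base64.b64decode(check[1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("CRC-24 mismatch: armor altered or truncated")
    return data

def first_packet(data: bytes) -> dict:
    """Decode an old-format packet header (as GnuPG 1.x writes) and a v3 PKESK body."""
    ctb = data[0]
    if (ctb & 0xC0) != 0x80 or (ctb & 0x03) == 3:
        raise ValueError("only old-format packets with a definite length are handled")
    size = 1 << (ctb & 0x03)                  # length field is 1, 2 or 4 bytes
    info = {"tag": (ctb >> 2) & 0x0F,
            "length": int.from_bytes(data[1:1 + size], "big")}
    body = data[1 + size:]
    if info["tag"] == 1 and body[0] == 3:     # Public-Key Encrypted Session Key, v3
        info["key_id"] = body[1:9].hex().upper()
        info["pubkey_algo"] = body[9]         # 1 = RSA, 16 = ElGamal (encrypt only)
    return info

def build_sample() -> str:
    """Constructed sample: a PKESK packet with a made-up key ID and dummy key data."""
    body = bytes([3]) + bytes.fromhex("1122334455667788") + bytes([16]) + bytes(40)
    return armor(bytes([0x85]) + len(body).to_bytes(2, "big") + body)

if __name__ == "__main__":
    print(first_packet(dearmor(build_sample())))
```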

 

 

 

 


Posted by MIS on PIXNET | Comments (0)

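When business documents such as EDI (850, 860, 810...) are transferred over the FTP protocol, the data leaks if someone intercepts it. Encrypting before the transfer and decrypting at the customer's end is much safer. There are many file encryption and decryption tools; GnuPG (GPG) is a completely free one ( GnuPG is the GNU project's complete and free implementation of the OpenPGP standard as defined by RFC4880 . ). It is used in real business settings and its security is high, so it is well worth using.

GnuPG concepts: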

GPG, like PGP (Pretty Good Privacy), uses a key pair. This means that when you generate a key, you will create a public copy as well as private copy. The private copy is your copy used to decrypt an incoming file as well sign an outgoing file (but for our purposes, we are only using it to decrypt). The public key is the key you give to the public, which is used to encrypt the files coming to you. First we will create your own key.
 
These keys are stored in key rings. For GPG, they are stored in the directory that the GPG files were copied into. They are both named with a .GPG extension, and are called pubring.GPG and secring.GPG (to denote the public key ring and the private key ring, respectively).

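The gist of the original text: GPG generates a key pair. One is the private key (Private Key: secring.GPG), used to decrypt files and to sign outgoing files; the other is the public key (Public Key: pubring.GPG), which is given to the customer, who uses it to encrypt files sent to you. Both files use the .GPG extension.

GnuPG hands-on:

So how do we create this key pair, the private key (Private Key: secring.GPG) and public key (Public Key: pubring.GPG)? The steps are explained one at a time below:

step 01: Environment setup

First go to the GnuPG download site and download gnupg-w32cli-1.2.0.zip (ftp://ftp.gnupg.org/GnuPG/binary/gnupg-w32cli-1.2.0.zip); version gnupg-w32cli-1.2.0 is used here. On Windows, extract it with 7Z and place the extracted directory at C:\gnupg

Then go to Start > Control Panel > System, select the Advanced tab, and edit the Path parameter in the environment variables.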


step 02: Generate the private key (Private Key: secring.GPG) and public key (Public Key: pubring.GPG)

C:\gnupg> c:\gnupg\gpg --gen-key
gpg (GnuPG) 1.2.0; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: keyring `c:/gnupg\secring.gpg' created
gpg: keyring `c:/gnupg\pubring.gpg' created
Please select what kind of key you want:
   (1) DSA and ElGamal (default) <= just choose the default
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?
DSA keypair will have 1024 bits.

About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024) 2048 <= enter 2048
Requested keysize is 2048 bits

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10y <= valid for 10 years; 0 means it never expires
Key expires at 06/09/23 10:01:10
Is this correct (y/n)? y <= enter y to confirm it is correct

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: polin.wei <= this is the USER-ID you specify when encrypting/decrypting
Email address: polin.wei@xxx.com
Comment:
You selected this USER-ID:
    "polin.wei <polin.wei@xxx.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O <= enter O to confirm
You need a Passphrase to protect your secret key. polin <= the passphrase that protects the secret key

/** What follows is the generation of this key pair **/
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++.+++++....++++++++++++++++++++.+++++++++++++++++++++++++.++++++++
++++++++++++.+++++.+++++.++++++++++++++++++++.++++++++++..++++++++++>+++++......
.......>+++++................................................................+++
++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++...++++++++++.++++++++++.+++++..+++++..++++++++++.+++++++++++++++++++++++++
+++++.++++++++++.+++++++++++++++++++++++++...++++++++++++++++++++.++++++++++++++
+>..++++++++++.....>..+++++.............................>.+++++....<.+++++......
................................................................................
................................................................................
............................................+++++^^^
gpg: c:/gnupg\trustdb.gpg: trustdb created
public and secret key created and signed.
key marked as ultimately trusted.

/** Information for this key pair **/
pub  1024D/FBA68168 2013-06-11 polin.wei <polin.wei@xxx.com>
        Key fingerprint = 925A 54A5 03DA 5CFD ECE5  F01C A5DC 98A3 FBA6 8168
sub  2048g/9E6074F7 2013-06-11 [expires: 2023-06-09]

PS: To change the secret key passphrase, use the following command:

usage: gpg [options] --edit-key user-id [commands]

C:\gnupg>gpg --edit-key polin.wei

gpg (GnuPG) 1.2.0; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: next trustdb check due at 2023-06-09
pub  1024D/FBA68168  created: 2013-06-11 expires: 2023-06-09 trust: u/u
sub  2048g/9E6074F7  created: 2013-06-11 expires: 2023-06-09
(1). polin.wei <polin.wei@xxx.com>

Command> passwd

Key is protected.

// First enter the original passphrase

You need a passphrase to unlock the secret key for

user: "polin.wei <polin.wei@xxx.com>"

1024-bit DSA key, ID 53FA0BBC, created 2013-05-23

/** Then enter the new passphrase. If you press Enter twice in a row, the passphrase is empty and the system warns: this is probably a *bad* idea! **/

Enter the new passphrase for this secret key.

You don't want a passphrase - this is probably a *bad* idea!

Do you really want to do this? yes

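step 03: Export the public key to give to the customer

Use the information from the end of step 02 (shown below) to export the public key for the customer

/** Information for this key pair **/
pub  1024D/FBA68168 2013-06-11 polin.wei <polin.wei@xxx.com>
        Key fingerprint = 925A 54A5 03DA 5CFD ECE5  F01C A5DC 98A3 FBA6 8168
sub  2048g/9E6074F7 2013-06-11 [expires: 2023-06-09] <= use this ID, 9E6074F7, to export the public key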

C:\gnupg>gpg --export --output polinwei.asc 9E6074F7

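This exports a public key file named polinwei.asc, which is the file the customer imports. Of course, the customer will also give you their public key, which you must import and then trust ( Trust ).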

 

step 04: Import the customer's key ( partnerid.asc, a sample file ) and trust it ( Trust )

C:\gnupg>gpg --import partnerid.asc <= import the customer's key

gpg: key 55FA0BBC: public key "Partner <edi.admin@Partner.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

 

C:\gnupg>gpg --edit-key 55FA0BBC <= specify which customer's key to maintain
gpg (GnuPG) 1.2.0; Copyright (C) 2002 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/1
gpg: next trustdb check due at 2023-06-09
pub  1024D/55FA0BBC  created: 2013-05-23 expires: 2023-05-21 trust: -/-
sub  2048g/DD28189F  created: 2013-05-23 expires: 2023-05-21
(1). Partner <edi.admin@Partner.com>

Command> trust <= trust this customer
pub  1024D/55FA0BBC  created: 2013-05-23 expires: 2023-05-21 trust: -/-
sub  2048g/DD28189F  created: 2013-05-23 expires: 2023-05-21
(1). Partner <edi.admin@Partner.com>

Please decide how far you trust this user to correctly
verify other users' keys (by looking at passports,
checking fingerprints from different sources...)?

 1 = Don't know
 2 = I do NOT trust
 3 = I trust marginally
 4 = I trust fully
 5 = I trust ultimately
 m = back to the main menu

Your decision? 5 <= choose 5
Do you really want to set this key to ultimate trust? yes

pub  1024D/55FA0BBC  created: 2013-05-23 expires: 2023-05-21 trust: u/-
sub  2048g/DD28189F  created: 2013-05-23 expires: 2023-05-21
(1). Partner <edi.admin@Partner.com>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

Command> quit <= exit

step 05: Check that the customer's public key is present and correct

C:\gnupg>gpg --list-keys
c:/gnupg\pubring.gpg
--------------------
pub  1024D/FBA68168 2013-06-11 polin.wei <polin.wei@xxx.com>
sub  2048g/9E6074F7 2013-06-11 [expires: 2023-06-09]

pub  1024D/55FA0BBC 2013-05-23 Partner <edi.admin@Partner.com>
sub  2048g/DD28189F 2013-05-23 [expires: 2023-05-21]

 

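The steps above are the complete process of generating a private key (Private Key: secring.GPG) and public key (Public Key: pubring.GPG), exporting the public key polinwei.asc, and importing the customer's public key partnerid.asc.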
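A scripted version of the step 05 check, as an added example (not code from the original post): it parses a GnuPG 1.x `--list-keys` listing, picks the ElGamal ("g") subkey to pass to `--recipient`, and flags expired or short keys. The function names and the 2048-bit threshold are assumptions made for this example; the sample listing is the one shown in step 05.

```python
import re
from datetime import date

# One "pub"/"sub" line of a GnuPG 1.x --list-keys listing.
KEY_LINE = re.compile(
    r"^(pub|sub)\s+(\d+)([A-Za-z])/([0-9A-F]{8})\s+(\d{4}-\d{2}-\d{2})"
    r"(?:\s+\[expires: (\d{4}-\d{2}-\d{2})\])?\s*(.*)$")

def parse_listing(text: str) -> list:
    """Return primary keys, each with its user ID and list of subkeys."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if not m:
            continue
        kind, bits, algo, key_id, created, expires, uid = m.groups()
        entry = {"bits": int(bits), "algo": algo, "id": key_id,
                 "created": date.fromisoformat(created),
                 "expires": date.fromisoformat(expires) if expires else None}
        if kind == "pub":
            keys.append({**entry, "uid": uid, "subkeys": []})
        elif keys:
            keys[-1]["subkeys"].append(entry)
    return keys

def encryption_subkey(keys: list, user: str, today: date):
    """ID of the first unexpired ElGamal ("g") subkey under a matching user ID."""
    for key in keys:
        if user.lower() not in key["uid"].lower():
            continue
        for sub in key["subkeys"]:
            if sub["algo"] == "g" and not (sub["expires"] and today > sub["expires"]):
                return sub["id"]
    return None

def findings(keys: list, today: date, min_bits: int = 2048) -> list:
    """Flag expired keys and keys shorter than min_bits (an assumed policy value)."""
    out = []
    for key in keys:
        for k in [key, *key["subkeys"]]:
            if k["expires"] and today > k["expires"]:
                out.append((k["id"], "expired"))
            if k["bits"] < min_bits:
                out.append((k["id"], f"{k['bits']}-bit"))
    return out

# Listing copied from step 05 above.
SAMPLE = """\
pub  1024D/FBA68168 2013-06-11 polin.wei <polin.wei@xxx.com>
sub  2048g/9E6074F7 2013-06-11 [expires: 2023-06-09]

pub  1024D/55FA0BBC 2013-05-23 Partner <edi.admin@Partner.com>
sub  2048g/DD28189F 2013-05-23 [expires: 2023-05-21]
"""
```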


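From these articles, "Introduction to Certificate Authority (CA) Certificates", "AppServ + OpenSSL Setup SSL(https) in Win32: Creating Certificates" and "Generating Private Key with OpenSSL: Creating the Server Private Key", we have a general understanding of the certificate concept and of how certificates are created. We now have our own private key (server-privatekey.pem) and a public key certificate (server-publickey.cer) issued by Sinica CA. What follows introduces the basic uses of the private key and certificate, including file encryption (Encrypt) and decryption (Decrypt), and file signing (Sign Signature) and signature verification (Verify Signature).

Now let's run a simple test that simulates how this is used in practice on a network. The test steps are:

1. Create your own CA (ca.key, ca.crt)
2. Create the Private Key
3. Create the Certificate Request
4. Submit the Certificate Request to the CA to have it sign the certificate
5. Create a test file, certkey-test.txt, with the content "this is 測試"; the other party encrypts it with the public key (server-publickey.cer) that we gave them and saves it as the encrypted file certkey-test.msg.
6. Test decryption.

The corresponding commands are: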

step 1:
genrsa -out ca.key 1024
req -new -x509 -days 3650 -key ca.key -out ca.crt -config ../conf/openssl.cnf

step 2:
genrsa -out server-privatekey.pem 1024
rsa -in server-privatekey.pem -inform pem -out server-privatekey.der -outform der

step 3:
req -new  -inform pem -in server-privatekey.pem -out server-publickey.csr -key server-privatekey.pem -config ../conf/openssl.cnf

step 4:
ca -in server-publickey.csr -out server-publickey.cer -cert ca.crt -keyfile ca.key -config ../conf/openssl.cnf

step 5:
smime -encrypt -in certkey-test.txt -out certkey-test.msg server-publickey.cer

The encrypted file content looks like this:

MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64


 

step 6:
smime -decrypt -in certkey-test.msg -recip server-publickey.cer -inkey server-privatekey.pem
or
smime -decrypt -in certkey-test.msg -recip server-publickey.cer -inkey server-privatekey.der -keyform der

 


This article uses OpenSSL to create the server's private key (Private Key). The OpenSSL tools can be obtained quickly by following "AppServ + OpenSSL Setup SSL(https) in Win32: Creating Certificates". The "openssl genrsa" command that follows will produce four different types of private key (Private Key):

1. PEM encoding, no encryption
2. DER encoding, no encryption
3. PEM encoding, DES encryption
4. DER encoding, DES encryption

The hands-on steps are:

1. Generate the server private key (Private Key), PEM encoding, no encryption
OpenSSL> genrsa -out server-privatekey.pem 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
......++++++
.................++++++
e is 65537 (0x10001)

2. Convert the generated server-privatekey.pem to DER encoding, no encryption
OpenSSL> rsa -in server-privatekey.pem -inform pem -out server-privatekey.der -outform der
writing RSA key

3. Convert the generated server-privatekey.pem to PEM encoding, encrypted with the DES algorithm
OpenSSL> rsa -in server-privatekey.pem -inform pem -out server-privatekey_des.pem -outform pem -des
writing RSA key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

You must enter at least 4 alphanumeric characters
phrase is too short, needs to be at least 4 chars

Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

4. Convert the generated server-privatekey.pem to DER encoding, encrypted with the DES algorithm
OpenSSL> rsa -in server-privatekey.pem -inform pem -out server-privatekey_des.der -outform der -des
writing RSA key
OpenSSL>

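Finally, because the server key converted to DER (server-privatekey.der) cannot be opened and read directly, if the original PEM file is lost and only the DER file remains, you can run the following command to regenerate it: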

rsa -in server-privatekey.der -inform der -out server-privatekey_pem.pem -outform pem

 

At this point four files will have been produced: server-privatekey.der, server-privatekey.pem, server-privatekey_des.der, server-privatekey_des.pem
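A way to check what each of these key files really contains, as an added example (not code from the original post): it tells PEM from DER, detects the encrypted-PEM headers, and parses an unencrypted PKCS#1 key to report its modulus size. OpenSSL's rsa manual states that the cipher options such as -des can only be used with PEM output, which matches the item 4 transcript showing no pass-phrase prompt, so a DER file that parses here is not encrypted. The toy key, the dummy encrypted envelope and all function names are constructed for this example.

```python
import base64
import re

def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value (only used to build the sample key)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 128 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: next N bytes hold the length
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_key_info(der: bytes) -> dict:
    """Read a plain PKCS#1 RSAPrivateKey: a SEQUENCE of nine INTEGERs, version 0."""
    tag, body, _ = read_tlv(der, 0)
    fields, pos = [], 0
    while pos < len(body):
        ftag, value, pos = read_tlv(body, pos)
        fields.append((ftag, int.from_bytes(value, "big")))
    if tag != 0x30 or len(fields) != 9 or any(t != 0x02 for t, _ in fields) or fields[0][1]:
        raise ValueError("not a plain RSAPrivateKey (encrypted or another format)")
    return {"bits": fields[1][1].bit_length(), "e": fields[2][1]}

PEM_RE = re.compile(
    r"-----BEGIN RSA PRIVATE KEY-----\n(.*?)-----END RSA PRIVATE KEY-----", re.S)

def inspect_key(blob: bytes) -> dict:
    """Classify a key file as PEM or DER and report whether it is encrypted."""
    m = PEM_RE.search(blob.decode("latin-1").replace("\r\n", "\n"))
    if not m:
        return {"format": "DER", "encrypted": False, **rsa_key_info(blob)}
    headers, _, b64 = m.group(1).rpartition("\n\n")
    if "Proc-Type: 4,ENCRYPTED" in headers:    # header written by "rsa -des"
        cipher = re.search(r"^DEK-Info: ([^,\s]+)", headers, re.M)
        return {"format": "PEM", "encrypted": True, "cipher": cipher and cipher.group(1)}
    return {"format": "PEM", "encrypted": False, **rsa_key_info(base64.b64decode(b64))}

# Constructed toy key (p=61, q=53, n=3233); real keys come from "genrsa".
TOY_DER = der_tlv(0x30, b"".join(
    der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.b64encode(TOY_DER)
           + b"\n-----END RSA PRIVATE KEY-----\n")
# Constructed encrypted-PEM envelope: real header names, dummy IV and body.
TOY_DES_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               b"DEK-Info: DES-CBC,0011223344556677\n\nAAAAAAAAAAAAAAAAAAAAAA==\n"
               b"-----END RSA PRIVATE KEY-----\n")
```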


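With the concept of CA certificates understood from "Introduction to Certificate Authority (CA) Certificates", we now use Apache Httpd Server to test a website. The free OpenSSL is a good tool, and the AppServ package itself includes Apache, MySQL, PHP, phpMyAdmin and the OpenSSL tools, which makes it the most convenient software.

I. Prepare the files:
Download AppServ 2.5.10


II. Install and configure Apache Server:

1. Install AppServ first; the default install path should be C:/AppServ/Apache2.2/. Then stop the Apache server.
2. Open httpd.conf in C:\AppServ\Apache2.2\conf and edit it

Remove the # comment marker from LoadModule ssl_module modules/mod_ssl.so
Remove the # comment marker from Include conf/extra/httpd-ssl.conf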


III. In the C:\AppServ\Apache2.2\bin folder you will see openssl.exe; double-click it to run it and use it to create the certificates

1. Enter genrsa -out server.key 1024 to generate the RSA private key (Server Private Key: server.key)


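2. Use the private key (Server Private Key: server.key) to generate a signing request: enter req -new -out server.csr -key server.key -config ../conf/openssl.cnf

Country Name is the country; enter TW
State or Province Name is the province; enter Taiwan
Locality Name is the locality
Organization Name is the organization name
Organizational Unit Name is the unit within the organization
Common Name is the domain name
Email Address is the administrator's e-mail address
The remaining two items can be left blank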


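Steps 3 and 4 simulate a third-party CA
3. Enter genrsa -out ca.key 1024 to generate the CA's RSA private key

4. Enter req -new -x509 -days 365 -key ca.key -out ca.crt -config ../conf/openssl.cnf to use the CA private key to generate the certificate that will shortly sign for our own host; the parameters are the same as those set in step 2 above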


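5. Next, create a demoCA folder inside C:\AppServ\Apache2.2\bin, and inside demoCA create a newcerts folder plus the files index.txt and serial. Open serial in Notepad, type 01 and save (these values follow the settings in the [ CA_default ] section of C:\AppServ\Apache2.2\conf\openssl.cnf)

6. Use the files from steps 3 and 4 that simulate the CA signing for the website, the private key ca.key and the signing certificate ca.crt, to sign the website's own certificate signing request, server.csr, and produce the certificate server.crt
Enter ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config ../conf/openssl.cnf

Answer Y to every prompt asking whether to sign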


7. Copy the private key server.key and the CA-signed public key server.crt from C:\AppServ\Apache2.2\bin to the C:\AppServ\Apache2.2\conf folder

8. Open the file C:\Appserv\Apache2.2\conf\extra\httpd-ssl.conf and modify it as follows:


#   General setup for the virtual host
DocumentRoot "C:/AppServ/www"
ServerName www.xxx.com:443
ServerAdmin xxx.xxx@gmail.com
ErrorLog "C:/AppServ/Apache2.2/logs/error.log"
TransferLog "C:/AppServ/Apache2.2/logs/access.log"

#   Server Certificate:
SSLCertificateFile "C:/AppServ/Apache2.2/conf/server.crt"
#   Server Private Key:
SSLCertificateKeyFile "C:/AppServ/Apache2.2/conf/server.key"

CustomLog "C:/AppServ/Apache2.2/logs/ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


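Then restart Apache Server and you can reach https://localhost


Troubleshooting:

1. If there is a warning that the file php_mbstring.dll is missing, open C:\Windows\php.ini and place extension=php_exif.dll after extension=php_mbstring.dll to resolve it

2. If port 443 is already in use on the machine during the exercise, use the netstat -ano command to see which PID is holding the port, then use Process Explorer (on Win 7 & 8 you can run Task Manager -> Performance -> Resource Monitor) to see which program is using it, and stop it in Services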


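What is a CA?

In an era of booming network growth, security issues receive more and more attention, and many people have proposed ways to encrypt data sent over the network to increase security. With the invention of the certificate, data in transit can be encrypted and, in addition, the identities of the sender and the receiver can be verified.

To understand certificates, you first need to know what a CA (Certificate Authority) is!

Two explanations follow:

certificate authority or certification authority (CA) is an entity which issues digital certificates for use by other parties. It is an example of a trusted third party. CAs are characteristic of many public key infrastructure (PKI) schemes.
A Certification Authority (CA) is a trusted third party (Trusted Third Party) that provides authentication and certificate issuance and management services to individuals and organizations, in order to establish an information and communication security environment and mechanism with confidentiality, authentication, integrity, non-repudiation, access control and availability. When building and operating a CA, a certificate policy and a certification practice statement must be drawn up according to the CA's operating policy and strategy to regulate its operating rules and practices. On one hand this lets users understand the operating rules that apply to them; on the other it demonstrates the CA's trustworthiness in security and impartiality.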



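CA setup process

From setting up the CA to signing certificates, this is the user-side usage. The steps are:

1. Create your own CA (assuming you are not paying to use a public CA)
2. Create the Private Key
3. Create the Certificate Request
4. Submit the Certificate Request to the CA to have it sign the certificate


The CA server part is the usage by the third-party notary. The key points to cover are:

1. Setting up the CA server
2. Issuing and revoking certificates
3. Configuring the CA's signing policy



Types of CA server

First, one concept must be explained: there are two types of CA server:

  • Self-Signed CA
    Also called a root CA. The certificates issued by this kind of CA are not certified by any higher-level CA; they are certified by "self-certification". Top-level commercial CAs, and a CA you set up yourself for internal authentication, can both belong to this category.
  • Signed CA
    Unlike a Self-Signed CA, the certificates issued by this kind of CA can be certified by a higher-level CA, and the relationship between the two CAs is "Parent CA <==> Child CA". When choosing the higher-level CA, unless it is for internal use, using a commercial CA requires payment!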

 
