2005-06-17. Environment: Red Hat Linux 7.2, Apache 1.3.20-16, client IE 5.0. Guangdong Electronic Certification Authority (www.cnca.net)
1 Overview

Digital certificates (Digital ID) are used on the Internet to secure a web server with SSL. This guide covers the Apache web server.

Environment used in this guide:
    Server: Red Hat Linux 7.2; apache 1.3.20-16; mod_ssl 2.8.4-9; openssl-0.9.6b-8
    Client: Win2000, IE 5.0
    CA:     http://www.cnca.net/ (https://testca.netca.net/)
3 Generating the server key and certificate request (CSR)

1. Create a working directory, /test (the mod_ssl CRL directory /etc/httpd/conf/ssl.crl/ is also referred to later).
2. Generate the RSA private key:
       openssl genrsa -des3 1024 > pri.key
   The key pri.key is protected with des3; the key length is 1024 bits (512 or 1024 are accepted). (Figure 1: RSA key generation)
3. Generate the certificate request from that key:
       openssl req -new -key pri.key > server.csr
   Fill in the requested fields, including the server name (IP) and the email address. (Figure 2)
4 Applying to the CA for the server certificate

4.1 On Windows, apply for the server certificate at the CA site www.cnca.net with the request file certreq.arm. (Figure 3)
4.2 After the RA approves the request, download the server certificate server.cer. (Figure 4)

5 Installing the server certificate

5.1 Server certificate and private key
1. Copy server.cer to /test/.
2. Edit the Apache configuration file /etc/httpd/conf/httpd.conf:
       # SSL Cipher Suite
       # (cipher list reference: http://www.modssl.org/docs/2.8/ssl_reference.html, ToC9)
       SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
       # Server Certificate
       SSLCertificateFile /test/server.cer
       # Server Private Key
       SSLCertificateKeyFile /test/pri.key
5.2 Installing the CA certificate chain
5.2.1 Download the server CA chain ServerCAChain.p7b from www.cnca.net.
5.2.2 On Windows, open ServerCAChain.p7b and export each CA certificate in Base64-encoded X.509 (.cer) format:
       NETCA Guangdong Certificate Authority  ->  GDECA.cer
       NETCA Guangdong Server CA              ->  ServerCA.cer
       NETCA Root CA                          ->  RootCA.cer
   (Figure 5: CA certificate 1; Figure 6: CA certificate 2)
5.2.3 Concatenate the Base64 certificates into a single chain file ServerCAChain.cer, in the order ServerCA.cer, GDECA.cer, RootCA.cer.
   (Figure 7: ServerCAChain.cer)
5.2.4 Installing the CA chain
1) Copy ServerCAChain.cer to /test/ on the Linux server.
2) In httpd.conf:
       # Server Certificate Chain
       SSLCertificateChainFile /test/servercachain.cer
   Note that Linux file names are case-sensitive: the name given to SSLCertificateChainFile must match the file copied to /test/ exactly (servercachain.cer versus ServerCAChain.cer).
5.3 Enabling SSL in httpd.conf:
       # SSL Engine Switch
       SSLEngine on
       # SSL Cipher Suite
       SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
5.4 SSL
6 (Figure 8: Apache with SSL; Figure 9: https web page)

7 Verifying client certificates

7.1 Installing the client CA chain
7.1.1 Download the client CA certificate from www.cnca.net using IE.
7.1.2 In IE (Internet Options), export the CA certificates in BASE64 format:
       NETCA Guangdong Individual CA          ->  IndiCA.cer
       NETCA Guangdong Certificate Authority  ->  GDECA.cer
       NETCA Root CA                          ->  RootCA.cer
   (Figure 10: CA certificates)
7.1.3 Concatenate the Base64 certificates into a single chain file IndiCAChain.cer.
7.1.4 Installing the client CA chain
1. Copy IndiCAChain.cer to /test/ on the Linux server.
2. In httpd.conf:
       # Certificate Authority (CA)
       SSLCACertificatePath /test/
       SSLCACertificateFile /test/indicachain.cer
7.2 CRL
A certificate revocation list (CRL) is published by the CA at its CRL Distribution Point; Apache can check client certificates against it.
7.2.1 Obtaining the CRL
Apache requires the CA's CRL in Base64 form:
       -----BEGIN X509 CRL-----
       MIIDMzCCApwCAQEwDQYJKoZIhvcNAQEEBQAweDELMAkGA1UEBhMCQ04xKTAnBgNVBAoTIE5F
       VENBIFRlc3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRswGQYDVQQLExJUZXN0IEluZGl2aWR1
       YWwgQ0ExITAfBgNVBAMTGE5FVENBIFRlc3QgSW5kaXZpZHVhbCBDQRcNMDExMjE0MDI1OTA0
       ...
       vfqzbnutpvhhlvjcdg==
       -----END X509 CRL-----
Download the CRL from www.cnca.net and save it as MyTrustCA.crl in /test/. Copy /etc/httpd/conf/ssl.crl/Makefile.crl to /test/Makefile, then run the following in /test/:
       make hash
7.2.2 Enabling CRL checking in httpd.conf:
       SSLCARevocationFile /test/mytrustca.crl
Restart the web server after changing the CRL.
7.3 Requiring a client certificate in httpd.conf:
       SSLVerifyClient require
   (mod_ssl accepts the values none, optional, require and optional_no_ca; "request" is not a valid value.)
Test by opening the server's https:// URL (by IP) in IE. (Figure 11: CA prompt; Figure 12)
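The steps in sections 5.1 to 7.3 above, put together as one POSIX shell script. This is an added example, not a script from the NETCA guide: it assembles a chain file from individual Base64 certificates in the order the guide gives (section 5.2.3), emits the httpd.conf directives from sections 5.1, 5.2.4, 5.3, 7.1.4, 7.2.2 and 7.3 with the paths under a chosen directory, and, when openssl is installed, generates the key and CSR of section 3 non-interactively. The placeholder certificate contents, the passphrase "changeme", the request subject and the 2048-bit key size (the guide uses 1024) are assumptions made for this example; real certificates and the CRL come from the CA.

```shell
#!/bin/sh
# Added example, not part of the NETCA guide. Usage: sh ssl_setup.sh /test
set -e

# Section 5.2.3 / 7.1.3: concatenate Base64 (PEM) CA certificates into one
# chain file, issuing CA first and root CA last.
# Usage: build_chain OUTFILE cert1.cer cert2.cer ...   (prints the cert count)
build_chain() {
    out="$1"; shift
    : > "$out"
    for cer in "$@"; do
        [ -f "$cer" ] || { echo "missing $cer" >&2; return 1; }
        cat "$cer" >> "$out"
        # make sure the next BEGIN line starts on a line of its own
        if [ -n "$(tail -c 1 "$cer")" ]; then echo >> "$out"; fi
    done
    grep -c 'BEGIN CERTIFICATE' "$out"
}

# Sections 5.1, 5.2.4, 5.3, 7.1.4, 7.2.2, 7.3: the SSL directives the guide
# adds to httpd.conf, with every file under $1 (the guide uses /test).
ssl_config() {
    dir="$1"
    cat <<EOF
# SSL Engine Switch
SSLEngine on
# SSL Cipher Suite (cipher list as given in the guide)
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate
SSLCertificateFile $dir/server.cer
# Server Private Key
SSLCertificateKeyFile $dir/pri.key
# Server Certificate Chain
SSLCertificateChainFile $dir/servercachain.cer
# Certificate Authority (CA) used to verify client certificates
SSLCACertificatePath $dir/
SSLCACertificateFile $dir/indicachain.cer
# CRL used to reject revoked client certificates
SSLCARevocationFile $dir/mytrustca.crl
# valid values: none, optional, require, optional_no_ca
SSLVerifyClient require
EOF
}

# Section 3, steps 2 and 3, done non-interactively. Skipped when openssl is
# not installed. Passphrase and subject are placeholders for this example.
gen_key_and_csr() {
    dir="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping key/CSR" >&2; return 0; }
    openssl genrsa -des3 -passout pass:changeme 2048 > "$dir/pri.key" 2>/dev/null
    openssl req -new -key "$dir/pri.key" -passin pass:changeme \
        -subj "/C=CN/ST=Guangdong/O=Example Co/CN=www.example.com/emailAddress=admin@example.com" \
        > "$dir/server.csr" 2>/dev/null
    # self-signature check of the CSR before sending it to the CA
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 && echo "csr ok"
}

# Driver: runs the whole procedure in the given directory using constructed
# placeholder PEM files for ServerCA.cer, GDECA.cer and RootCA.cer.
demo() {
    dir="$1"
    mkdir -p "$dir"
    for n in ServerCA GDECA RootCA; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-$n" '-----END CERTIFICATE-----' > "$dir/$n.cer"
    done
    build_chain "$dir/servercachain.cer" "$dir/ServerCA.cer" "$dir/GDECA.cer" "$dir/RootCA.cer"
    ssl_config "$dir" > "$dir/ssl.conf"
    gen_key_and_csr "$dir"
}

# Only run the driver when a directory is given on the command line.
if [ $# -gt 0 ]; then demo "$1"; fi
```

The chain order matters to browsers that build the path from the server's certificate upward, which is why build_chain takes the issuing CA first and the root last exactly as section 5.2.3 lists the files; the generated ssl.conf is meant to be pasted into the SSL virtual host of httpd.conf, after which the server must be restarted.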
References
    http://www.cnca.net
    http://www.apache-ssl.org
    http://www.modssl.org
    http://www.openssl.org
Contact (Guangdong Electronic Certification Authority)
    Postal code: 510630
    Tel: 020-38638302/03/05/06/07/15, 020-38638308, 38638309/38638310, 38638311/38638312/38638313
    Web: http://www.cnca.net
    Email: service@cnca.net, sales@cnca.net