RubyCAS server setup (part 2)
19. Test the redirect
http://10.16.13.37:443/login?service=http://www.baidu.com
is redirected to
http://www.baidu.com/?ticket=ST-1381732159rEABBFFFF234FFFFB7B
No problem.
20. Test HTTPS
https://10.16.13.37:443/login?service=http://www.baidu.com
This gives an SSL error.
21. Generate the SSL certificates
openssl genrsa -des3 -out root.key ← enter the pass phrase: testpass
openssl req -new -key root.key -out root.csr
The output is:
[lenin@archer ~]$ openssl req -new -key root.key -out root.csr
Enter pass phrase for root.key: ← enter the pass phrase created above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN ← country code; CN for China
State or Province Name (full name) [Some-State]:BeiJing ← full name of the province, in pinyin
Locality Name (eg, city) []:BeiJing ← full name of the city, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← company name in English
Organizational Unit Name (eg, section) []: ← may be left empty
Common Name (eg, YOUR name) []: ← leave empty at this point
Email Address []:admin@mycompany.com ← e-mail address, anything will do
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← may be left empty
An optional company name []: ← may be left empty
Create a root certificate root.crt valid for ten years from today:
openssl x509 -req -days 3650 -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.crt
Create the server certificate key server.key:
openssl genrsa -des3 -out server.key 2048
Create the server certificate request file server.csr:
openssl req -new -key server.key -out server.csr
Create a server certificate server.crt valid for two years from today:
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in server.csr -out server.crt
Create the client certificate key file client.key:
openssl genrsa -des3 -out client.key 2048
Create a client certificate client.crt valid for two years from today (client.csr is requested from client.key in the same way server.csr was from server.key):
openssl x509 -req -days 730 -sha1 -extensions v3_req -CA root.crt -CAkey root.key -CAserial root.srl -CAcreateserial -in client.csr -out client.crt
Combine the client certificate file client.crt and the client key file client.key into the client certificate bundle client.pfx:
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
The .crt and .key files can be combined into a single file: the two files are simply concatenated into one .pem (just copy one after the other).
Merge server.crt and server.key into server.pem:
[root@openstack ~]# cat server.crt > server.pem
[root@openstack ~]# cat server.key >> server.pem
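The chain the openssl commands above build, as an added example in Ruby (the language rubycas-server is written in); it is not code from the original post or from the rubycas-server project. It issues the same ten-year root CA and two-year server certificate in-process, assembles server.pem the way the post does (certificate first, key appended), and then checks what that ssl_cert file has to satisfy before the server is restarted: the key belongs to the certificate and the certificate chains to the root. The 2048-bit keys, the SHA-256 digest, the CN values and the in-memory files are assumptions of the example.

```ruby
require 'openssl'

# Issue one certificate. With issuer_cert nil it is self-signed (the root CA);
# otherwise it is signed by issuer_key, as -CA root.crt -CAkey root.key does.
# The post signs with -sha1; SHA-256 is used here, as clients reject SHA-1.
def make_cert(subject, issuer_cert, issuer_key, days:, ca:, serial:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Ten-year root CA, two-year server certificate, and server.pem assembled as
# the post does it: certificate first, private key appended after it.
def build_chain
  dn = '/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp.'   # DN values from the post
  root_cert, root_key = make_cert("#{dn}/CN=MyCompany Root CA", nil, nil,
                                  days: 3650, ca: true, serial: 1)
  srv_cert, srv_key = make_cert("#{dn}/CN=10.16.13.37", root_cert, root_key,
                                days: 730, ca: false, serial: 2)
  [root_cert, srv_cert.to_pem + srv_key.to_pem]
end

# Checks a file in the shape rubycas-server's ssl_cert expects: the first PEM
# block is the certificate, the key block belongs to it, and the certificate
# chains to the root CA that clients will be told to trust.
def verify_server_pem(root_cert, server_pem)
  cert    = OpenSSL::X509::Certificate.new(server_pem)  # parses the first block only
  key_pem = server_pem[/-----BEGIN (?:RSA )?PRIVATE KEY-----.*?-----END (?:RSA )?PRIVATE KEY-----/m]
  key     = OpenSSL::PKey::RSA.new(key_pem)
  store   = OpenSSL::X509::Store.new
  store.add_cert(root_cert)
  { chain_ok:    store.verify(cert),               # signed by root_cert and within its dates
    key_matches: cert.check_private_key(key),      # key in the file is the cert's own key
    issuer:      cert.issuer.to_s,
    days_valid:  ((cert.not_after - cert.not_before) / 86_400).round }
end
```

A client that trusts root.crt will accept the server certificate; one that does not (the default for a self-signed root) will still report the SSL error seen in step 20.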
22. Enable SSL by editing the configuration:
ssl_cert: /home/zengwenjie/server.pem
Restart the service:
ruby /usr/local/rvm/gems/ruby-1.9.2-p180/bin/rubycas-server
It will ask you for the gem's password.
23. Now open
https://10.16.13.37:443/login
It works now.
Tested logging in through it from PHP code: no errors.