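Add the following to the vsftpd.conf configuration file:

ssl_enable=YES
ssl_tlsv1=YES
rsa_cert_file=<location of the certificate>
rsa_private_key_file=<location of the private key>

Restart vsftpd, then connect with an FTP client that supports TLS (e.g. FlashFXP). To confirm that the transferred data is actually encrypted, you can use a sniffer such as tcpdump. In short, the server-side configuration is not hard; the more troublesome part is that you need to know what a certificate is and how to create one.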
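Generating digital certificates with OpenSSL
I. Generating the CA certificate
On FC5, RHEL4 and other systems where openssl is installed from rpm, the directory /etc/pki/CA may already have been created; it must be deleted by hand before a new CA can be created. The newly created CA certificate will be placed in /etc/pki/CA. The following describes how to generate the top-level CA certificate.
1. Edit /etc/pki/tls/openssl.cnf.
dir = /etc/pki/CA      # path used to access the CA certificate
default_days = 365     # number of days the certificate is valid
default_bits = 2048    # key length (bits)
2. Run the CA certificate generation script.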
cd /etc/pki/tls/misc 
This step is mandatory: the /etc/pki/tls/misc/CA script uses a relative path to reach the /etc/pki/CA directory, so the current working directory must first be changed to /etc/pki/tls/misc.
./CA -newca
CA certificate filename (or enter to create)
[enter]
Making CA certificate ...
Generating a 2048 bit RSA private key
.............................................................++++++
..++++++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:[set the pass phrase]
Verifying - Enter PEM pass phrase:[confirm the pass phrase]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:slime_ca
Organizational Unit Name (eg, section) []:mis
Common Name (eg, your name or your server's hostname) []:slime_ca
Email Address []:slime@slime.com.tw
3. Confirm that the CA certificate and key were generated.
cd /etc/pki/CA
ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
Here "cacert.pem" is the top-level CA certificate, and the "private" directory holds the top-level CA's private key.
4. Set the access permissions on the CA certificate.
chmod 755 /etc/pki/CA
chmod -R 400 /etc/pki/CA/* 
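II. Generating a subordinate certificate from the CA
With the top-level CA certificate in place, we can use it as the basis for generating the subordinate certificate that will actually be deployed on a server (e.g. apache).
1. Create the private key and the CSR (Certificate Signing Request)
A CSR is similar to a public key; think of it as a public key that has not yet been signed by the top-level CA. A public key that has been signed by the CA is called a certificate.
Assume the current working directory is: /etc/pki/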
openssl req -nodes -new -keyout slime_key.pem \
-out slime_req.pem -days 365 
-keyout: file name of the private key (slime_key.pem)
-out: file name of the CSR (slime_req.pem)
Generating a 2048 bit RSA private key
..........................................................+++
................................................................................................+++
writing new private key to 'slime_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [TW]:TW
State or Province Name (full name) [TAIWAN]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) []:slime_ca <= must match the top-level CA
Organizational Unit Name (eg, section) []:mis
Common Name (eg, YOUR name) []:www.slime.com.tw
#For Common Name, enter the name you intend to use: if the certificate will be used
#for e-mail signing, enter the e-mail name; if it will be used for https, enter the site address.
Email Address []:slime@slime.com.tw
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#Leave the two items above blank.
2. Sign the subordinate certificate
openssl ca -out slime_cert.pem -infiles slime_req.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:[enter the CA pass phrase]
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 24 14:34:58 2005 GMT
            Not After : Feb 22 14:34:58 2015 GMT
        Subject:
            countryName               = TW
            stateOrProvinceName       = Taiwan
            localityName              = Taipei
            organizationName          = slime_ca
            organizationalUnitName    = mis
            commonName                = www.slime.com.tw
            emailAddress              = slime@slime.com.tw
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                EC:88:66

E:FF:79:CE:81:C2:EE:93:BF:9A:65:92:3B:AC:2C:CD:7E
            X509v3 Authority Key Identifier:
                keyid:37:AA:42:CF:FA

9:73:C7:80:E5:0C:E2:9F:7B:95:86:40:66:72:C5
                DirName:/C=TW/ST=Taiwan/L=Taichung/O=Tung-hai University/OU=ISLAB/CN=ISLAB_CA/emailAddress=blave@islab.csie.thu.edu.tw
                serial:00
Certificate is to be certified until Feb 22 14:34:58 2015 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
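3. Confirm that the certificate was generated: slime_cert.pem, slime_req.pem and slime_key.pem are, respectively, the signed subordinate certificate, the CSR and the private key that were just produced.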
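
The CA, CSR and signing sequence above as a non-interactive added example (not the original author's code), followed by two checks worth running before the files go into rsa_cert_file and rsa_private_key_file: that the certificate chains to the CA, and that the private key belongs to the certificate. It works in a temporary directory and signs with "openssl x509 -req" instead of the CA script and "openssl ca"; all file names and subject values are constructed.

```shell
#!/bin/sh
# Added example: constructed names and subjects, throwaway keys only.

make_demo_pki() {    # $1 = empty working directory
    dir=$1
    # Top-level CA: self-signed certificate; key unencrypted because it is a demo.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=TW/O=demo_ca/CN=demo_ca" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # Server private key and CSR (public key plus requested subject, unsigned).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=TW/O=demo_ca/CN=ftp.example.test" \
        -keyout "$dir/server_key.pem" -out "$dir/server_req.pem" 2>/dev/null || return 1
    # Sign the CSR with the CA key. "openssl x509 -req" needs no index.txt/serial
    # database, unlike the "openssl ca" command used in the walkthrough.
    openssl x509 -req -in "$dir/server_req.pem" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -set_serial 1 -days 365 -sha256 \
        -out "$dir/server_cert.pem" 2>/dev/null || return 1
    # Private keys readable by the owner only.
    chmod 600 "$dir/cakey.pem" "$dir/server_key.pem"
}

# Succeeds when the certificate ($2) verifies against the CA certificate ($1).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds when the private key ($2) belongs to the certificate ($1):
# both must yield the same PEM-encoded public key.
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

work=$(mktemp -d)
if make_demo_pki "$work"; then
    chain_ok "$work/cacert.pem" "$work/server_cert.pem" && echo "chain: OK"
    key_matches_cert "$work/server_cert.pem" "$work/server_key.pem" && echo "key/cert: match"
    # The CA key must NOT match the server certificate.
    key_matches_cert "$work/server_cert.pem" "$work/cakey.pem" || echo "CA key: no match"
fi
rm -rf "$work"
```

The same two functions can be pointed at cacert.pem, slime_cert.pem and slime_key.pem from the walkthrough.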