httpd with an SSL-based site

CA: generate a self-signed certificate

[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....................................+++
.....+++
e is 65537 (0x10001)
[root@CA CA]# ls
certs  crl  newcerts  private
[root@CA CA]# ls -l private/cakey.pem
-rw-------. 1 root root 1679 Aug  8 16:19 private/cakey.pem

2. Change the default options. This is optional, but worth doing if you use the CA often.

[root@CA CA]# vim ../tls/openssl.cnf
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN                        # modified
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = shanxi                    # modified
localityName                    = Locality Name (eg, city)
localityName_default            = xi'an                     # modified
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = kcw9527                   # modified
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
organizationalUnitName_default  = Tech                      # modified

First generate a self-signed certificate for the CA itself:

[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3656
You are about to be asked to enter information that will be incorporated
into your certificate request.


What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                      # these defaults are the values just set in the config file
State or Province Name (full name) [shanxi]:
Locality Name (eg, city) [xian]:
Organization Name (eg, company) [kcw9527]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.test.com   # this one matters: the name in a certificate must match the name of the server it is issued to, otherwise clients warn. This certificate is issued to the CA itself, hence ca.test.com
Email Address []:admin@admin.com

To act as a private CA a few more defaults have to be changed:

[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate   # the CA certificate was created under this name from the start so this line never needs changing
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key     # this is why the private key was put in that directory earlier
RANDFILE        = $dir/private/.rand    # private random number file

Create the database and serial files:

[root@CA CA]# ls
cacert.pem  certs  crl  newcerts  private
[root@CA CA]# touch index.txt
[root@CA CA]# echo 01 > serial

At this point the CA is ready.

On the httpd server, create a key pair and send the CA a signing request containing the public key:

[root@kcw ~]# cd /etc/httpd/
[root@kcw httpd]# mkdir ssl                                  # a dedicated ssl directory
[root@kcw httpd]# cd ssl/
[root@kcw ssl]# (umask 077; openssl genrsa 2048 > httpd.key)
Generating RSA private key, 2048 bit long modulus
..............+++
.............................................................................+++
e is 65537 (0x10001)

Next, generate the certificate signing request:

[root@kcw ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                     # must be identical to the CA server's values, because this is a private CA and its signing policy requires C, ST and O to match
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:kcw9527
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.test.com   # this is the name the certificate is issued to; among several virtual hosts only one can carry this name
Email Address []:admin@admin.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@kcw ssl]# ls
httpd.csr  httpd.key

Copy the signing request to the CA server:

[root@kcw ssl]# scp httpd.csr root@10.52.115.106:/tmp       # add the hosts to /etc/hosts first, otherwise this is very slow
root@10.52.115.106's password:
httpd.csr                                     100% 1045     1.0KB/s   00:00

Back on the CA server, sign the request:

[root@CA ~]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3560
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  8 21:15:47 2014 GMT
            Not After : May  7 21:15:47 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanxi
            organizationName          = kcw9527
            organizationalUnitName    = Tech
            commonName                = www.test.com
            emailAddress              = admin@admin.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DE:4A:B8:24:99:4D:E4:4B:E6:F0:37:D8:D9:70:88:0F:1E:C9:CD:EA
            X509v3 Authority Key Identifier:
                keyid:EE:D9:8A:92:FF:FC:54:59:2E:33:3A:84:99:3B:B2:53:6F:44:33:4F

Certificate is to be certified until May  7 21:15:47 2024 GMT (3560 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# ls
cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[root@CA CA]# cat index.txt
V	240507211547Z		01	unknown	/C=CN/ST=shanxi/O=kcw9527/OU=Tech/CN=www.test.com/emailAddress=admin@admin.com
[root@CA CA]# cat serial
02

OK, the certificate is ready; hand it back to the requester.

Back on the httpd server, copy the signed certificate back:

[root@kcw ssl]# scp 10.52.115.106:/tmp/httpd.crt ./
root@10.52.115.106's password:
httpd.crt                                     100% 4589     4.5KB/s   00:00

Now configure ssl.conf:

[root@kcw ssl]# cd /etc/httpd/conf.d/
[root@kcw conf.d]# ls
README  ssl.conf  welcome.conf
[root@kcw conf.d]# cp ssl.conf ssl.conf.bak                 # back up before editing

Edit ssl.conf as follows:

<VirtualHost 10.52.113.167:443>
ServerName www.test.com
DocumentRoot "/var/www/html"
SSLCertificateFile /etc/httpd/ssl/httpd.crt                  # certificate
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key               # private key file

OK, check the syntax, save and exit:

[root@kcw conf]# httpd -t
Syntax OK
[root@kcw conf]# /etc/init.d/httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]
[root@kcw conf]# netstat -antlp | grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      2782/httpd
tcp        0      0 :::443                      :::*                        LISTEN      2782/httpd

Test: www.test.com

Now try it over https.

The certificate the server sends is fine, but the client does not trust the CA, so copy the CA server's certificate to the client.

Load the certificate on the client.

Rename it to cacert.crt.

Then install the certificate.

Test again.

Now it works.
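The whole procedure above (CA key and self-signed certificate, httpd key and CSR, signing with openssl ca, and the client-side trust check that the browser screenshots illustrate) as a non-interactive script. This is an added example, not code from the original article: it assumes OpenSSL 1.1.1 or newer on PATH, uses a scratch directory in place of /etc/pki/CA and /etc/httpd/ssl, and reuses the article's test values (ca.test.com, www.test.com, the kcw9527 subject). It also reproduces the two failure modes the article warns about: a request whose C/ST/O differ from the CA's is refused by the signing policy, and a certificate is only trusted when the CA certificate is installed and the host name matches.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes OpenSSL >= 1.1.1;
# a scratch directory stands in for /etc/pki/CA and /etc/httpd/ssl.
set -e
ROOT=$(mktemp -d)
CA="$ROOT/ca"
CFG="$ROOT/openssl.cnf"
trap 'rm -rf "$ROOT"' EXIT

# Minimal openssl.cnf with the [ CA_default ] layout the article edits; cacert.pem
# and private/cakey.pem are the default names, so the CA never needs a config change.
write_ca_config() {        # $1 = CA directory, $2 = config path
    cat > "$2" <<EOF
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $1
certs           = \$dir/certs
crl_dir         = \$dir/crl
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert
# The "must match the CA's information" rule: C, ST and O of a request must equal
# the CA's own; fields not listed here (L) are dropped from the issued certificate.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
# Issued server certs are not CAs and carry the host name as a SAN, which is
# what current browsers check rather than the CN.
[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:www.test.com
EOF
}

# CA side: key, self-signed certificate, empty database and first serial number.
make_ca() {                # $1 = CA directory
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    write_ca_config "$1" "$CFG"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CFG" -key "$1/private/cakey.pem" -days 3656 \
        -subj "/C=CN/ST=shanxi/L=xi'an/O=kcw9527/OU=Tech/CN=ca.test.com" \
        -out "$1/cacert.pem"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
}

# httpd side: private key and signing request for the given subject.
make_csr() {               # $1 = output directory, $2 = subject
    mkdir -p "$1"
    (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CFG" -key "$1/httpd.key" -subj "$2" -out "$1/httpd.csr"
}

# CA side again: -batch answers the two y/n prompts; non-zero if policy_match rejects.
sign_csr() {               # $1 = CSR, $2 = output certificate
    openssl ca -batch -config "$CFG" -in "$1" -out "$2" -days 3560 -notext
}

# What the client's browser does with the served certificate: chain it to a trusted
# CA and compare the host name. Returns 0 only if both checks pass.
client_trusts() {          # $1 = certificate, $2 = host name, $3 = CA file ("" = none installed)
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$2" "$1" >/dev/null 2>&1
    fi
}

SRV="$ROOT/httpd-ssl"
make_ca "$CA"
make_csr "$SRV" "/C=CN/ST=shanxi/L=xi'an/O=kcw9527/OU=Tech/CN=www.test.com"
sign_csr "$SRV/httpd.csr" "$SRV/httpd.crt"
cat "$CA/index.txt"        # one "V" line for www.test.com, as in the article
client_trusts "$SRV/httpd.crt" www.test.com "" && echo "unexpected" || echo "no CA cert installed: not trusted (the browser warning)"
client_trusts "$SRV/httpd.crt" www.test.com "$CA/cacert.pem" && echo "CA cert installed: trusted"
client_trusts "$SRV/httpd.crt" other.test.com "$CA/cacert.pem" || echo "other.test.com: host name mismatch"
make_csr "$ROOT/bad" "/C=CN/ST=beijing/O=kcw9527/CN=www.test.com"
sign_csr "$ROOT/bad/httpd.csr" "$ROOT/bad/httpd.crt" || echo "ST=beijing: rejected by policy_match"
```

The signing policy is the reason the article insists that the request's country, province and organization equal the CA's: with policy_match, openssl ca refuses anything else, and any field the policy does not mention (the locality here) is silently dropped, which is why the article's issued certificate shows no L= entry. The final verify calls are the script equivalent of the screenshots: the same certificate is rejected until the CA certificate is installed on the client, and a name that differs from the one in the certificate is rejected even then.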

Source URL: http://muchs.cn/article42/cjhsec.html
