Requesting and configuring an SSL certificate for the Apache web service. Note: this uses a self-signed CA, not a certificate from a public CA!!!
For the principles behind SSL certificates, please look them up yourself first.
The operating system environment is as follows:

[root@localhost ~]# cat /etc/issue
CentOS release 6.4 (Final)
Kernel \r on an \m

[root@localhost ~]# uname -r
2.6.32-358.el6.x86_64
[root@localhost ~]# uname -m
x86_64
[root@localhost ~]#

IP               Role
192.168.33.132   CA server (the signing side)
192.168.33.131   certificate requester (the Apache web server)
Because the web service is Apache, the httpd service has already been installed on the requester.

# yum install httpd -y    # if httpd was compiled from source, configure it with --enable-ssl
On the CA server (signing side), the steps are as follows:

[root@node2-zxl CA]# pwd
/etc/pki/CA
[root@node2-zxl CA]# ls
certs  crl  newcerts  private
Generate the self-signed CA certificate

Generate the CA private key. The umask 077 in the subshell makes the key file mode 0600 from the moment it is created; this key signs every certificate the CA issues and must never leave this host.

[root@node2-zxl CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................+++
................................+++
e is 65537 (0x10001)
[root@node2-zxl CA]# ls -l private/
total 4
-rw-------. 1 root root 1679 Mar  3 21:07 cakey.pem
Generate the self-signed certificate. First edit openssl.cnf so that the DN defaults are filled in and the same values do not have to be typed again (line numbers as shown in vim):

[root@node2-zxl pki]# vim /etc/pki/tls/openssl.cnf
130 countryName_default            = CN        # change to CN
135 stateOrProvinceName_default    = Beijing   # province
138 localityName_default           = Beijing   # city
141 0.organizationName_default     = zxl       # organization
148 organizationalUnitName_default = Tech      # department
[root@node2-zxl CA]# pwd
/etc/pki/CA
[root@node2-zxl CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [zxl]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.zxl.com
Email Address []:1987277672@qq.com
[root@node2-zxl CA]# ls
cacert.pem  certs  crl  newcerts  private
[root@node2-zxl CA]# ll cacert.pem
-rw-r--r--. 1 root root 1403 Mar  3 21:22 cacert.pem

With -x509, openssl req signs the certificate with the key itself instead of producing a request, and applies the v3_ca extensions from openssl.cnf (basicConstraints CA:TRUE), which is what makes cacert.pem usable as a root certificate on clients later. The certificate is public and may be world-readable; only cakey.pem needs protecting.
[root@node2-zxl CA]# pwd
/etc/pki/CA
[root@node2-zxl CA]# vim ../tls/openssl.cnf
42 dir = /etc/pki/CA    # the CA directory (this is already the default on CentOS 6; confirm it)

If the certs, crl and newcerts directories do not exist, create them by hand. openssl ca also refuses to run without index.txt (its certificate database) and serial (the serial number it will assign next), so create those too:

[root@node2-zxl CA]# ls certs/ crl/ newcerts/
certs/:

crl/:

newcerts/:
[root@node2-zxl CA]# touch index.txt
[root@node2-zxl CA]# echo 01 > serial
[root@node2-zxl CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
On the certificate requester, the steps are as follows:

[root@localhost ~]# yum install mod_ssl -y
[root@localhost ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

The -M option shows whether ssl_module (shared) is loaded ("Syntax OK" is printed on stderr, which is why grep does not filter it out):

[root@localhost ~]# httpd -M|grep ssl_module
 ssl_module (shared)
Syntax OK
[root@localhost httpd]# mkdir /etc/httpd/ssl    # directory for the certificate and key
[root@localhost httpd]# cd ssl/
[root@localhost ssl]# ls

Generate the web server's private key, again with umask 077 so the file is created mode 0600:

[root@localhost ssl]# (umask 077; openssl genrsa 2048 > httpd.key)
Generating RSA private key, 2048 bit long modulus
.........................+++
........+++
e is 65537 (0x10001)
[root@localhost ssl]# ll
total 4
-rw------- 1 root root 1675 Mar  4 22:05 httpd.key
Certificate signing request

[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr    # generate the certificate request; see the note below on which fields must match the CA
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                   # two-letter country code
State or Province Name (full name) []:Beijing                          # province
Locality Name (eg, city) [Default City]:Beijing                        # city
Organization Name (eg, company) [Default Company Ltd]:zxl              # company
Organizational Unit Name (eg, section) []:Tech                         # department
Common Name (eg, your name or your server's hostname) []:www.zxl.com   # I only have www.zxl.com; to cover bbs.zxl.com as well, *.zxl.com can be entered here
Email Address []:1987277627@qq.com                                     # e-mail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:      # none
An optional company name []:  # none

Note: because our own CA signs this request, the DN has to satisfy the policy_match policy in the CA's openssl.cnf: Country Name, State or Province Name and Organization Name must be identical to the values in the CA certificate, or openssl ca refuses to sign. Organizational Unit Name and Email Address are optional and may differ, and Common Name only has to be present; it should be the hostname clients will use. A wildcard such as *.zxl.com covers one label only (bbs.zxl.com, not a.bbs.zxl.com), and current browsers match the hostname against a subjectAltName extension rather than the Common Name, which this procedure does not add.
Send the certificate signing request from the requester to the CA server. The CSR contains only the public key and the DN, so it can travel over any channel; httpd.key stays on the web server.

[root@localhost ssl]# pwd
/etc/httpd/ssl
[root@localhost ssl]# ls
httpd.csr  httpd.key
[root@localhost ssl]# scp httpd.csr root@192.168.33.132:/opt/
root@192.168.33.132's password:
httpd.csr                                     100% 1045     1.0KB/s   00:00
On the CA server (signing side), the steps are as follows:

[root@node2-zxl ~]# openssl ca -in /opt/httpd.csr -out /opt/httpd.crt -days 365    # issue the certificate for 365 days (one year); the output is:
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  3 13:58:01 2016 GMT
            Not After : Mar  3 13:58:01 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = zxl
            organizationalUnitName    = Tech
            commonName                = www.zxl.com
            emailAddress              = 1987277627@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                0D:15:BB:9D:B9:2D:8F:09:E7:BA:94:18:03:F9:7C:1A:57:C6:B6:96
            X509v3 Authority Key Identifier:
                keyid:6D:3B:91:4E:73:C7:16:34:C7:70:7D:E4:18:24:F8:0A:D8:32:F4:E0

Certificate is to be certified until Mar  3 13:58:01 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Note that the Locality (Beijing) entered in the request is missing from the issued Subject: openssl ca rebuilds the subject from the fields listed in the policy section, and policy_match does not list localityName. The serial number and the Not Before/Not After dates shown here are what the CA database records:

[root@node2-zxl ~]# cd /etc/pki/CA/
[root@node2-zxl CA]# ls
cacert.pem  crl    index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old  private   serial.old
[root@node2-zxl CA]# cat index.txt    # one tab-separated line per issued certificate
V	170303135801Z		01	unknown	/C=CN/ST=Beijing/O=zxl/OU=Tech/CN=www.zxl.com/emailAddress=1987277627@qq.com
[root@node2-zxl CA]# cat serial    # the next certificate will get serial 02
02

The index.txt columns are: status (V = valid, R = revoked), expiry date (YYMMDDHHMMSSZ), revocation date (empty), serial number, certificate file name (unknown), and subject DN. openssl ca also keeps a copy of the issued certificate as newcerts/01.pem.
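The CA-side and requester-side steps above, scripted end to end as an added example; this is not code from the original post. It runs in a throw-away directory with its own openssl.cnf so nothing under /etc/pki is touched, and it adds two things the post does not set: a sha256 signature (CentOS 6 defaulted to sha1) and a subjectAltName chosen by the CA at signing time. The helper names (ca_init, ca_selfsign, server_csr, ca_sign, verify_issued) and the config contents are my assumptions; the DN values (zxl, ca.zxl.com, www.zxl.com) are the post's. The last part deliberately submits a request whose Organization differs from the CA's to show what the policy_match rule in the note above actually rejects.

```shell
#!/bin/sh
# Added example, not from the original post: CA setup, CSR, signing and the
# checks to run on the result, all in a temporary directory. The config text
# and helper names are assumptions; only the DN values come from the post.
set -eu

# CA side: lay the directory out like /etc/pki/CA and write a minimal openssl.cnf.
ca_init() {            # $1 = CA directory
    ca=$1
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    chmod 700 "$ca/private"
    : > "$ca/index.txt"          # certificate database  (touch index.txt)
    echo 01 > "$ca/serial"       # next serial number    (echo 01 > serial)
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
new_certs_dir   = $ca/newcerts
database        = $ca/index.txt
serial          = $ca/serial
certificate     = $ca/cacert.pem
private_key     = $ca/private/cakey.pem
default_md      = sha256        # CentOS 6 shipped sha1 here; SHA-1 certificates are rejected by browsers
default_days    = 365
policy          = policy_match

# What "must match the CA" really means: C, ST and O must equal the CA
# certificate's values, OU and email are optional, CN must be present.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name  = req_dn
x509_extensions     = v3_ca

[ req_dn ]
commonName          = Common Name

[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
EOF
}

# CA side: private key (mode 0600 via umask) and the self-signed CA certificate.
# -subj replaces the interactive DN prompts shown in the post.
ca_selfsign() {        # $1 = CA directory
    ca=$1
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$ca/openssl.cnf" -new -x509 -days 365 \
        -key "$ca/private/cakey.pem" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=zxl/OU=Tech/CN=ca.zxl.com" \
        -out "$ca/cacert.pem"
}

# Requester side: httpd.key never leaves this directory; only httpd.csr is sent.
server_csr() {         # $1 = work directory, $2 = subject DN
    d=$1
    mkdir -p "$d"
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\ncommonName = Common Name\n' > "$d/req.cnf"
    (umask 077; openssl genrsa -out "$d/httpd.key" 2048 2>/dev/null)
    openssl req -config "$d/req.cnf" -new -key "$d/httpd.key" -subj "$2" -out "$d/httpd.csr"
}

# CA side: sign the CSR. The CA decides the extensions (CA:FALSE, serverAuth,
# subjectAltName); browsers match the hostname against the SAN, not the CN.
# -batch answers the two y/n prompts, -notext keeps the text dump out of the .crt.
ca_sign() {            # $1 = CA directory, $2 = CSR, $3 = output cert, $4 = DNS name
    ca=$1
    printf '[ server_cert ]\nbasicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid,issuer\n' "$4" > "$ca/server_ext.cnf"
    openssl ca -config "$ca/openssl.cnf" -batch -notext -days 365 \
        -extfile "$ca/server_ext.cnf" -extensions server_cert \
        -in "$2" -out "$3" >/dev/null 2>&1
}

# Requester side: the checks to run before pointing ssl.conf at the files.
verify_issued() {      # $1 = CA cert, $2 = server cert, $3 = server key, $4 = hostname
    # the chain builds to the CA and the name the browser will ask for is covered
    openssl verify -CAfile "$1" -verify_hostname "$4" "$2" >/dev/null 2>&1 || return 1
    # SSLCertificateKeyFile must be the key the certificate was issued for
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] || return 2
    # the root that gets installed on clients must really be a CA certificate
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || return 3
    echo OK
}

# Stand-alone run: issue www.zxl.com, then show policy_match rejecting a request
# whose Organization differs from the CA's.
demo() {
    root=$(mktemp -d)
    ca_init "$root/CA"; ca_selfsign "$root/CA"
    server_csr "$root/ssl" "/C=CN/ST=Beijing/L=Beijing/O=zxl/OU=Tech/CN=www.zxl.com"
    ca_sign "$root/CA" "$root/ssl/httpd.csr" "$root/ssl/httpd.crt" www.zxl.com
    echo "www.zxl.com: $(verify_issued "$root/CA/cacert.pem" "$root/ssl/httpd.crt" "$root/ssl/httpd.key" www.zxl.com)"
    echo "next serial: $(cat "$root/CA/serial")"
    server_csr "$root/other" "/C=CN/ST=Beijing/O=other/CN=www.zxl.com"
    if ca_sign "$root/CA" "$root/other/httpd.csr" "$root/other/httpd.crt" www.zxl.com
    then echo "O=other: signed (unexpected)"; else echo "O=other: rejected by policy_match"; fi
    rm -rf "$root"
}
demo
```

The three checks in verify_issued are the ones worth running on the web server before touching ssl.conf: a certificate that does not chain to cacert.pem, a key that does not belong to the certificate, or a "CA" certificate without CA:TRUE each produce a browser error that looks the same from the outside. A rejected request leaves serial and index.txt untouched, so the next successful signing still gets serial 02.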
The CA server sends the issued certificate back to the requester. On an untrusted network, compare the host key fingerprint shown below with the one on the target before answering yes; accepting it blindly means trusting whichever host answered.

[root@node2-zxl opt]# pwd
/opt
[root@node2-zxl opt]# ls
httpd.crt  httpd.csr
[root@node2-zxl opt]# scp httpd.crt root@192.168.33.131:/etc/httpd/ssl
The authenticity of host '192.168.33.131 (192.168.33.131)' can't be established.
RSA key fingerprint is 34:fc:c0:cc:11:05:7d:a3:48:60:3d:93:91:35:7d:0e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.33.131' (RSA) to the list of known hosts.
root@192.168.33.131's password:
httpd.crt                                     100% 4588     4.5KB/s   00:00
On the requester, check the delivered certificate and point mod_ssl at it. The certificate is public, so 0644 is fine; the key must stay 0600. (httpd.crt is 4588 bytes because openssl ca prepends a human-readable dump of the certificate to the PEM block; mod_ssl ignores that text.)

[root@localhost ~]# ls /etc/httpd/ssl/httpd.crt -l
-rw-r--r-- 1 root root 4588 Mar  4 22:32 /etc/httpd/ssl/httpd.crt
[root@localhost conf.d]# pwd
/etc/httpd/conf.d
[root@localhost conf.d]# cp ssl.conf ssl.conf.bak
[root@localhost conf.d]# vi ssl.conf
105 SSLCertificateFile /etc/httpd/ssl/httpd.crt       # the issued certificate
112 SSLCertificateKeyFile /etc/httpd/ssl/httpd.key    # the private key
Check the syntax

[root@localhost conf.d]# httpd -t
Syntax OK

[root@localhost conf.d]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Check that port 443 is listening

[root@localhost ~]# netstat -ntpl|grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      1941/httpd
tcp        0      0 :::443                      :::*                        LISTEN      1941/httpd
On the Windows client,
append the following line to the end of C:\Windows\System32\drivers\etc\hosts:

192.168.33.131 www.zxl.com

Open a browser and visit https://www.zxl.com. The browser does not yet trust the issuing CA, so it warns about the certificate.

Install the CA certificate: copy the CA server's cacert.pem to the local machine (how you get it there is up to you).

[root@node2-zxl CA]# pwd
/etc/pki/CA
[root@node2-zxl CA]# ls cacert.pem    # the CA certificate
cacert.pem
[root@node2-zxl CA]#

Rename cacert.pem to cacert.crt and install it into the Trusted Root Certification Authorities store. Be aware of what that grants: the machine will then accept any certificate signed with cakey.pem, for any hostname, so only install a CA whose key you control and keep that key locked down on the CA server.

Open the browser and visit the site again; it now loads without a warning.
This article is from the blog "村里的男孩"; please contact the author before reposting.
Original: http://noodle.blog.51cto.com/2925423/1747766