An SSL-based site on httpd


CA: generate a self-signed certificate

1. Generate the CA's private key:

[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....................................+++
.....+++
e is 65537 (0x10001)
[root@CA CA]# ls
certs  crl  newcerts  private
[root@CA CA]# ls -l private/cakey.pem
-rw-------. 1 root root 1679 Aug  8 16:19 private/cakey.pem

2. Change the default values. This is optional, but worth doing if you use the CA often:

[root@CA CA]# vim ../tls/openssl.cnf
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN                      # changed
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = shanxi                  # changed
localityName                    = Locality Name (eg, city)
localityName_default            = xi'an                   # changed
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = kcw9527                 # changed
# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
organizationalUnitName_default  = Tech                    # changed

First issue the CA its own self-signed certificate:

[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3656
You are about to be asked to enter information that will be incorporated
into your certificate request.


What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:                        # the defaults in brackets are the values just changed in the config file
State or Province Name (full name) [shanxi]:
Locality Name (eg, city) [xian]:
Organization Name (eg, company) [kcw9527]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.test.com   # important: this is the name of the server the certificate is issued to and must match that server's name, otherwise clients warn; this one is for the CA itself, hence ca.test.com
Email Address []:admin@admin.com

To act as a private CA, a few more defaults in openssl.cnf matter:

[ CA_default ]
dir             = /etc/pki/CA              # Where everything is kept
certs           = $dir/certs               # Where the issued certs are kept
crl_dir         = $dir/crl                 # Where the issued crl are kept
database        = $dir/index.txt           # database index file.
#unique_subject = no                       # Set to 'no' to allow creation of
                                           # several ctificates with same subject.
new_certs_dir   = $dir/newcerts            # default place for new certs.
certificate     = $dir/cacert.pem          # The CA certificate    # the CA cert was created under this name from the start, so nothing needs changing
serial          = $dir/serial              # The current serial number
crlnumber       = $dir/crlnumber           # the current crl number
crl             = $dir/crl.pem             # The current CRL
private_key     = $dir/private/cakey.pem   # The private key       # this is why the private key was put in that directory earlier
RANDFILE        = $dir/private/.rand       # private random number file

Create the remaining files:

[root@CA CA]# ls
cacert.pem  certs  crl  newcerts  private
[root@CA CA]# touch index.txt
[root@CA CA]# echo 01 > serial

At this point the CA is ready.

On the httpd server, create a key pair and send the public key to the CA as a signing request:

[root@kcw ~]# cd /etc/httpd/
[root@kcw httpd]# mkdir ssl                # a dedicated ssl directory
[root@kcw httpd]# cd ssl/
[root@kcw ssl]# (umask 077; openssl genrsa 2048 > httpd.key)
Generating RSA private key, 2048 bit long modulus
..............+++
.............................................................................+++
e is 65537 (0x10001)

Next, generate the certificate signing request:

[root@kcw ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                      # must match the CA server's information, because this is a private CA
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xi'an
Organization Name (eg, company) [Default Company Ltd]:kcw9527
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.test.com   # this is the virtual host the certificate is issued for; with several virtual hosts only one of them can use it
Email Address []:admin@admin.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@kcw ssl]# ls
httpd.csr  httpd.key

Copy the signing request to the CA server:

[root@kcw ssl]# scp httpd.csr root@10.52.115.106:/tmp    # remember to add a resolving entry in /etc/hosts, otherwise this is slow
root@10.52.115.106's password:
httpd.csr                                     100% 1045     1.0KB/s   00:00

Back on the CA server, sign the request:

[root@CA ~]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3560
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug  8 21:15:47 2014 GMT
            Not After : May  7 21:15:47 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanxi
            organizationName          = kcw9527
            organizationalUnitName    = Tech
            commonName                = www.test.com
            emailAddress              = admin@admin.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DE:4A:B8:24:99:4D:E4:4B:E6:F0:37:D8:D9:70:88:0F:1E:C9:CD:EA
            X509v3 Authority Key Identifier:
                keyid:EE:D9:8A:92:FF:FC:54:59:2E:33:3A:84:99:3B:B2:53:6F:44:33:4F

Certificate is to be certified until May  7 21:15:47 2024 GMT (3560 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# ls
cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[root@CA CA]# cat index.txt
V       240507211547Z           01      unknown /C=CN/ST=shanxi/O=kcw9527/OU=Tech/CN=www.test.com/emailAddress=admin@admin.com
[root@CA CA]# cat serial
02

The certificate is done; hand it back to the requester.

Back on the httpd server, copy the signed certificate over:

[root@kcw ssl]# scp 10.52.115.106:/tmp/httpd.crt ./
root@10.52.115.106's password:
httpd.crt                                     100% 4589     4.5KB/s   00:00

Now configure ssl.conf:

[root@kcw ssl]# cd /etc/httpd/conf.d/
[root@kcw conf.d]# ls
README  ssl.conf  welcome.conf
[root@kcw conf.d]# cp ssl.conf ssl.conf.bak    # back up before editing

Edit ssl.conf as follows (httpd does not accept comments on the same line as a directive, so they sit on their own lines):

<VirtualHost 10.52.113.167:443>
    ServerName www.test.com
    DocumentRoot "/var/www/html"
    # the certificate
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    # the private key file
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>

Check the syntax, save and exit:

[root@kcw conf]# httpd -t
Syntax OK
[root@kcw conf]# /etc/init.d/httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]
[root@kcw conf]# netstat -antlp | grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      2782/httpd
tcp        0      0 :::443                      :::*                        LISTEN      2782/httpd

Test: www.test.com

Now try it over https.

The certificate the server sends is now fine, but the client does not trust the CA, so copy the CA server's certificate to the client.

Import the certificate on the client.

Rename it to cacert.crt.

Then install the certificate.

Test.

As you can see, it works now.