環境為CentOS 7.3、httpd2.4.6 一 搭建證書 說明: 1 生成私鑰 2 生成自簽證書 3 為CA提供所需的目錄及文件 (1)所需目錄,如果無,則創建 (2)所需文件 (3) 4 在client上進行如下操作 (1)創建放置公鑰私鑰的文件夾 (2)生成自己的私鑰 (3)請CA為自己生 ...
環境為CentOS 7.3、httpd2.4.6
一 搭建證書
說明:
CA 主機為192.168.29.3
client主機為 192.168.29.1001 生成私鑰
[root@centos7 ~]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....................++
...........................................................................................................................................................................................++
e is 65537 (0x10001)2 生成自簽證書
[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
[root@centos7 ~]#3 為CA提供所需的目錄及文件
(1)所需目錄,如果無,則創建
/etc/pki/CA/certs/
/etc/pki/CA/crl/
/etc/pki/CA/newcerts/(2)所需文件
[root@centos7 ~]# touch /etc/pki/CA/serial #序列號文件
[root@centos7 ~]# touch /etc/pki/CA/index.txt #資料庫文件(3)
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial #維護ca的序列號4 在client上進行如下操作
(1)創建放置公鑰私鑰的文件夾
[root@CentOS7 ~]# mkdir /etc/httpd/ssl(2)生成自己的私鑰
[root@CentOS7 ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
...................................+++
e is 65537 (0x10001)
[root@CentOS7 ~]#(3)請CA為自己生成公鑰
[root@CentOS7 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:(4)把生成的公鑰發送給CA
[root@CentOS7 ~]# scp /etc/httpd/ssl/httpd.csr [email protected]:/tmp/
The authenticity of host '192.168.29.3 (192.168.29.3)' can't be established.
ECDSA key fingerprint is f2:2e:89:a2:8d:22:22:9c:a9:f8:c9:19:18:d3:b6:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.29.3' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.csr 100% 1005 1.0KB/s 00:00 5 在CA主機上為client簽證
[root@centos7 ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 3 02:54:23 2017 GMT
Not After : Jun 3 02:54:23 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
organizationName = Company
organizationalUnitName = OPS
commonName = www.test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5D:A9:5A:90:29:F3:3A:7F:76:BE:21:78:14:80:E5:FB:5E:03:D8:D9
X509v3 Authority Key Identifier:
keyid:9E:1E:F3:84:4D:D0:79:E2:BD:DD:A8:50:29:6C:BA:0C:21:60:CA:96
Certificate is to be certified until Jun 3 02:54:23 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated6 把簽署的證書發給client
[root@centos7 ~]# scp /etc/pki/CA/certs/httpd.crt [email protected]:/etc/httpd/ssl/
The authenticity of host '192.168.29.100 (192.168.29.100)' can't be established.
ECDSA key fingerprint is 32:16:f3:2d:78:65:9f:a0:31:6c:dc:b9:24:e7:5a:8f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.29.100' (ECDSA) to the list of known hosts.
[email protected]'s password:
httpd.crt 100% 5711 5.6KB/s 00:00 二 HTTPS配置
7 安裝mod_ssl模塊
[root@CentOS7 ~]# yum install mod_ssl -y8 修改配置文件/etc/httpd/conf.d/ssl.conf
DocumentRoot "/data/https"
ServerName www.test.com:443
<Directory "data/https">
AllowOverride None
Require all granted
</Directory>
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.crt註意:
並修該/etc/httpd/ssl/httpd.crt、/etc/httpd/ssl/httpd.crt兩個文件的屬性,確保apach為可讀就行,當然也可放在預設文件夾下,就不需要修改許可權了。
[root@CentOS7 ~]#chmod +r /etc/httpd/ssl/httpd.key9 檢查語法
[root@CentOS7 ~]# httpd -t
Syntax OK10 修給預設頁面
[root@CentOS7 ~]# echo "www.test.com" > /data/https/index.html11 啟動http服務
[root@CentOS7 ~]# systemctl start httpd.service12 把CA 的自簽證書傳到桌面
[root@centos7 ~]# sz /etc/pki/CA/cacert.pem
改名為cacert.crt
雙擊導入IE瀏覽器
13 配置DNS解析
www.test.com 為192.168.29.100或者 修改windows 下的C:\Windows\Systeme32\drivers\etc\hosts文件
192.168.29.100 www.test.com 14 打開IE瀏覽器測試
輸入https://www.test.com
好了 成功了 好用成就感呀!!
