CentOS7下配置证书,搭建web服务器
Posted zjc801
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了CentOS7下配置证书,搭建web服务器相关的知识,希望对你有一定的参考价值。
1)环境:
node1:192.168.10.41 ,CA服务器
node2:192.168.10.42 , web服务器
node3:192.168.10.43 ,客户端
================以下在CA证书服务器上配置==============
2)配置CA服务器(node1):
a)yum install openssl /安装CA组件
vim /etc/pki/tls/openssl.conf
certificate = $dir/ca.crt 证书保存位置
private_key = $dir/private/ca.key /私钥保存
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SHANXI
localityName = Locality Name (eg, city)
localityName_default = XIAN
0.organizationName = Organization Name (eg, company)
0.organizationName_default = CONTOSO
#准备文件
cd /etc/pki/CA
touch index.txt
echo 00 > index.txt
#生成私钥:
[root@node1 CA](umask 077;openssl genrsa -out private/ca.key -des3 2048)
#CA生成CA自签名证书
[root@node1 CA]openssl req -new -x509 -days 7300 -key private/ca.key >ca.crt
Enter pass phrase for private/ca.key: #输入密码
Country Name (2 letter code) [CN]: #回车
State or Province Name (full name) [SHANXI]:#回车
Locality Name (eg, city) [XIAN]:#回车
Organization Name (eg, company) [CONTOSO]:#回车
Organizational Unit Name (eg, section) []:IT #写入部门名称
Common Name (eg, your name or your servers hostname) []:node1.contoso.com #服务器名称,一定能解析。
Email Address []:ca@aiops.net.cn #可写可不写
==============以下在web服务器node2上配置============
[root@node2]yum install -y httpd mod_ssl
[root@node2]echo "this is test web" > /var/www/html/index.html
[root@node2]openssl genrsa -out /etc/httpd/httpd.key /生成web私钥
[root@node2]openssl req -new -key /etc/httpd/httpd.key -out /tmp/httpd.csr /生成web证书申请的请求文件
Country Name (2 letter code) [XX]:CN #与CA一致
State or Province Name (full name) []:SHANXI #与CA一致
Locality Name (eg, city) [Default City]:XIAN #与CA一致
Organization Name (eg, company) [Default Company Ltd]:CONTOSO #与CA一致
Organizational Unit Name (eg, section) []:web #自己填写
Common Name (eg, your name or your servers hostname) []:www.contoso.com #与主机名称一致
Email Address []:web@123.com
Please enter the following extra attributes
to be sent with your certificate request
A challenge password []: #回车
An optional company name []:#回车
[root@node2] scp /tmp/httpd.csr node1:/tmp /发送请求文件到CA服务器
============以下在CA服务器上操作==============
[root@node1 CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt /CA服务器给web服务器颁发证书(注意操作目录在/etc/pki/CA)
[root@node1 CA]# scp /tmp/httpd.crt node2:/etc/httpd/ 拷贝证书文件到web服务器
===========以下在web服务器上操作===========
[root@node2] yum install -y mod_ssl /为apache安装支持文件
[root@node2 conf.d]# vim www.conf
DocumentRoot /var/www/html
ServerName www.contoso.com
ServerAlias www.contoso.com
RewriteEngine On
RewriteRule ^(.*)$ https://www.contoso.com$1 [R=301,L]
</VirtualHost>
<VirtualHost 192.168.10.42:443>
DocumentRoot /var/www/html
ServerName www.contoso.com
ServerAlias www.contoso.com
SSLEngine on
SSLCertificateFile /etc/httpd/httpd.crt
SSLCertificateKeyFile /etc/httpd/httpd.key
</VirtualHost>
=========客户端验证========
scp node1:/etc/pki/CA/ca.crt . /从CA服务器拷贝证书到本地任意位置
cat ca.srt >> /etc/pki/tls/certs/ca-bundle.crt
curl http://www.contoso.com
===========配置nginx============
yum install Nginx
[root@node2 nginx]# cat nginx.conf
vim nginx.conf /修改以下参数
listen 80;
server_name www.aiops.net.cn aiops.net.cn;
#root /usr/share/nginx/html;
return 301 https://www.aiops.net.cn/$request_uri;
listen 443 ssl;
server_name www.aiops.net.cn;
root /usr/share/nginx/html; 开启
ssl on; 开启ssl
ssl_certificate "/etc/nginx/cert/nginx.crt";
ssl_certificate_key "/etc/nginx/cert/nginx.key";
# ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_protocols SSLv2 SSLv3 TLSv1;
客户端测试通apache一样
以上是关于CentOS7下配置证书,搭建web服务器的主要内容,如果未能解决你的问题,请参考以下文章