HTTPS: building a self-signed CA and issuing a certificate to the web server


**Commands run on the CA host**
[[email protected] ~]# cd /etc/pki/CA
[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01 > serial
Generate the CA private key (the subshell with umask 077 makes the key file readable by root only)
[[email protected] CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.....................................................................+++
e is 65537 (0x10001)
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN     
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com      **issuer name (becomes the Issuer of every certificate this CA signs)**
Email Address []:[email protected]
[[email protected] CA]# tree .
.
├── cacert.pem
├── certs
├── crl
├── httpd.csr
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 5 files
[[email protected] CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 27 19:08:15 2018 GMT
            Not After : Dec 28 19:08:15 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu.com
            organizationalUnitName    = Opt
            commonName                = *.magedu.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                17:2B:8B:4F:9D:7A:0C:6B:33:05:1B:8A:49:94:A5:B2:41:72:47:1C
            X509v3 Authority Key Identifier: 
                keyid:EA:25:41:70:B4:61:A0:15:29:97:C6:60:4B:E9:B4:C1:8A:FA:3D:B7

Certificate is to be certified until Dec 28 19:08:15 2019 GMT (700 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] CA]# scp c
cacert.pem  certs/      crl/        
[[email protected] CA]# scp certs/httpd.crt 192.168.64.103:/etc/httpd/conf.d/ssl
The authenticity of host '192.168.64.103 (192.168.64.103)' can't be established.
RSA key fingerprint is SHA256:9m0dbsLLKTd4m4JYuBNwUB9D6Zk8jLIO5ySUs9nhCRc.
RSA key fingerprint is MD5:1a:f2:be:d3:9e:6e:df:83:a8:a4:1f:a8:c0:33:cd:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.64.103' (RSA) to the list of known hosts.
[email protected]'s password: 
httpd.crt                                                       100% 3870     6.4MB/s   00:00    
[[email protected] CA]# tree .
.
├── cacert.pem
├── certs
│   └── httpd.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[[email protected] CA]# scp cacert.pem 192.168.64.103:/etc/httpd/conf.d/ssl
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
cacert.pem                                 100% 1424     3.2MB/s   00:00 

**Commands run on the web server host**

[[email protected] CA]# mkdir /etc/httpd/conf.d/ssl
[[email protected] CA]# cd /etc/httpd/conf.d/ssl
[[email protected] ssl]# (umask 077;openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
...........++++++
....++++++
e is 65537 (0x10001)
Note: no key size was given, so this OpenSSL release fell back to its 1024-bit default, which is below current minimums and is rejected by modern clients; pass 2048 explicitly, as was done for the CA key.

[[email protected] ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:*.magedu.com      **the web server's name, i.e. the subject the certificate is issued to**
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[[email protected] ssl]# scp httpd.csr 192.168.64.104:/etc/pki/CA
[email protected]'s password: 
httpd.csr                                                       100%  696     0.7KB/s   00:00

[[email protected] ssl]# tree .
.
├── cacert.pem
├── httpd.crt
├── httpd.csr
└── httpd.key

0 directories, 4 files

vim /etc/httpd/conf.d/ssl.conf 

ServerName www.magedu.com:443

#   Server Certificate:
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt

#   Server Private Key:
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem

Notes on this fragment: SSLCertificateFile is mandatory (mod_ssl refuses to start without it) and must point at the httpd.crt copied over from the CA host; the excerpt originally listed only the key. SSLCertificateChainFile can stay commented out, because httpd.crt is signed directly by the root CA and there is no intermediate to send. SSLCACertificateFile is consulted only when the server verifies client certificates; it does not make browsers trust the server. For clients to accept the site, cacert.pem has to be imported into each client's trust store, and even then most current clients (Chrome since version 58, for example) ignore the CN and require a subjectAltName, which this CSR did not include. Check the result with httpd -t before restarting httpd.
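The whole procedure above (CA setup, server key and CSR, signing with openssl ca, and the check a client performs with cacert.pem) as one non-interactive script. This is an added example, not the commands from the original post: it runs on a single machine, with the directory passed as the first argument standing in for both /etc/pki/CA on the CA host and /etc/httpd/conf.d/ssl on the web server. The DN values are the ones typed in the transcript; the function names, the private openssl.cnf and the hostnames are assumptions. It deliberately fixes three things a practitioner would change today: a 2048-bit server key, SHA-256 signatures, and a subjectAltName on the server certificate.

```shell
#!/bin/sh
# Added example (not the post's own commands): CA -> CSR -> signed server
# certificate, run end to end without prompts. $1 stands in for /etc/pki/CA
# and /etc/httpd/conf.d/ssl; DN values are copied from the transcript.
set -eu

# make_ca_and_issue DIR FQDN: build a CA under DIR (same layout as
# /etc/pki/CA) and issue a server certificate for FQDN and *.<its domain>.
make_ca_and_issue() {
    ca="$1"
    host="$2"
    domain="${host#*.}"

    mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts"
    chmod 700 "$ca/private"
    : > "$ca/index.txt"        # the `touch index.txt` step
    echo 01 > "$ca/serial"     # the `echo 01 > serial` step

    # Private config so nothing depends on /etc/pki/tls/openssl.cnf.
    # The heredoc is unquoted: $ca/$host/$domain expand to absolute values.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca

[ demo_ca ]
new_certs_dir   = $ca/newcerts
database        = $ca/index.txt
serial          = $ca/serial
certificate     = $ca/cacert.pem
private_key     = $ca/private/cakey.pem
default_md      = sha256
default_days    = 700
policy          = policy_match

# Same policy the stock CentOS config applies: C, ST and O in the CSR must
# equal the CA's (hence identical answers on both hosts), and DN fields not
# listed here are dropped, which is why the Locality typed into the CSR
# never shows up in the issued httpd.crt.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name      = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash

[ server_cert ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid
subjectAltName          = DNS:$host, DNS:*.$domain
EOF

    # CA host: private key and self-signed CA certificate (10 years).
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$ca/openssl.cnf" \
        -extensions v3_ca -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -subj "/C=CN/ST=beijing/L=beijing/O=magedu.com/OU=Opt/CN=ca.$domain"

    # Web server host: 2048-bit key (the post's bare genrsa gave 1024) and
    # the CSR that is scp'd to the CA in the post.
    (umask 077; openssl genrsa -out "$ca/certs/httpd.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$ca/openssl.cnf" -key "$ca/certs/httpd.key" \
        -out "$ca/httpd.csr" \
        -subj "/C=CN/ST=beijing/L=bj/O=magedu.com/OU=Opt/CN=*.$domain"

    # CA host again: sign. -batch answers the two y/n prompts; -notext keeps
    # the human-readable dump out of the PEM file handed to httpd.
    openssl ca -batch -config "$ca/openssl.cnf" -extensions server_cert \
        -in "$ca/httpd.csr" -out "$ca/certs/httpd.crt" -notext 2>/dev/null
}

# verify_server_cert DIR NAME: what a client with cacert.pem in its trust
# store does: chain validation plus hostname match against the SAN.
# Exit status 0 means the certificate is acceptable for NAME.
verify_server_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/certs/httpd.crt" >/dev/null 2>&1
}

# Stand-alone usage: sh issue_cert.sh /tmp/demo-ca www.magedu.com
if [ $# -eq 2 ]; then
    make_ca_and_issue "$1" "$2"
    verify_server_cert "$1" "$2" && echo "$2: httpd.crt verifies against cacert.pem"
fi
```

The files it leaves in certs/ (httpd.key, httpd.crt) and cacert.pem are exactly what the ssl.conf fragment above references. Because the SAN carries both the host and the wildcard, verification succeeds for www.magedu.com and for any other single-label host under magedu.com, and fails for any other name, which is the check browsers perform and the CN-only certificate from the transcript cannot pass.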
