Apache HTTPS server configuration notes


Environment: CentOS 6.5

Two hosts: one acts as the CA that signs certificates, the other is the Apache server.


Step 1: install SSL support on the Apache host

    yum install -y mod_ssl

    Afterwards httpd -M lists the ssl module:

    ssl_module (shared)

    The package also installs /etc/httpd/conf.d/ssl.conf, which is where the certificate and key produced in the following steps are referenced (SSLCertificateFile and SSLCertificateKeyFile).


Step 2: generate the self-signed CA certificate on the CA host

First generate the CA private key

# cd /etc/pki/CA
# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
...................................................................+++
e is 65537 (0x10001)

That output means the key was written to private/cakey.pem. The umask 077 in the subshell makes the file readable by root only, which is what a CA key needs.


Generate the self-signed CA certificate

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:ca.920.com
Email Address []:[email protected]

-x509 makes req write a self-signed certificate instead of a request, and every run overwrites cacert.pem, so the values entered in the last run are the ones the CA uses (the session above is the second run; an earlier run with CN ca.8.com was discarded). Write down the Country, State and Organization values exactly as typed, including case: the default signing policy later requires the server's request to repeat them.

At this point the self-signed CA certificate, cacert.pem, is ready.


Step 3: create the certificate database

# touch index.txt        # certificate database, starts empty
# echo 01 > serial       # serial number of the next certificate; the ">" is required (a plain "echo 01 serial" only prints to the terminal, and openssl ca then fails for lack of a serial file)


Step 4: generate a key pair on the Apache host

# mkdir /etc/httpd/ssl
# cd /etc/httpd/ssl
# (umask 077; openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
....++++++
.......++++++
e is 65537 (0x10001)

The cd matters: the key has to sit in /etc/httpd/ssl, where the next command expects it. Also, 1024-bit RSA has been below the accepted minimum (2048 bits) for years; use 2048 or more outside a throwaway lab.

Generate the certificate signing request for the CA

Note: the Country, State and Organization fields must be exactly what was entered on the CA, including case (the default policy_match section of openssl.cnf compares them byte for byte, so gd and GD are different values). The Common Name is the exception: here it must be the hostname clients will connect to, not the CA's.


# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:qq.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Leave the challenge password empty; nothing in this flow uses it. Then copy http.csr to the CA server for signing. Only the request travels; the private key httpd.key stays on the Apache host.


Step 5: sign on the CA

# openssl ca -in /tmp/http.csr -out /tmp/http.rt -days 3650

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 13 10:03:52 2015 GMT
            Not After : Feb 10 10:03:52 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = gd
            organizationName          = hu
            organizationalUnitName    = hu
            commonName                = qq.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                A5:7E:50:2A:8C:4D:B5:E3:DB:72:D7:F8:CE:E2:20:B0:F9:FD:18:0D
            X509v3 Authority Key Identifier: 
                keyid:45:71:85:FA:99:EE:F1:0E:0F:EC:AB:6D:8C:F7:1F:A2:32:DF:31:6A

Certificate is to be certified until Feb 10 10:03:52 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated



Signed successfully. Two things are worth noticing in the output. The Subject has no localityName: the stock policy_match section only lists C, ST, O, OU, CN and emailAddress, and openssl ca silently drops every other field of the request. And the certificate is valid for 3650 days, the same lifetime as the CA certificate created a few minutes earlier, so it expires slightly after its issuer and cannot be validated for that final stretch; give server certificates a shorter lifetime than the CA.

# cat /etc/pki/CA/index.txt
V       250210100352Z           01      unknown /C=CN/ST=gd/O=hu/OU=hu/CN=qq.com/[email protected]

The database now holds one entry: V (valid), the expiry date, serial number 01, and the subject DN. Revoking the certificate with openssl ca -revoke turns the V into an R.
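The whole procedure above, replayed end to end as an added example (this is not code from the original notes): it builds the CA, issues a server certificate with openssl ca, and then runs two checks the notes stop short of, chain-plus-hostname verification and a request whose ST field differs from the CA's, which the signing policy must refuse. Assumptions: OpenSSL 1.1.1 or newer (for req -addext and verify -verify_hostname), a scratch directory in place of /etc/pki/CA, a 2048-bit server key, and a subjectAltName in the request; the DN values and hostnames are the ones the notes used, and the ca.cnf written below is a cut-down openssl.cnf with the stock policy_match rules plus an optional localityName.

```sh
#!/bin/sh
# Added example, not from the original notes: Steps 2 to 5 replayed
# non-interactively in a scratch directory, followed by the checks a
# practitioner would add.  Assumes OpenSSL >= 1.1.1.
set -eu

CADIR="${CADIR:-$(mktemp -d)}"        # stand-in for /etc/pki/CA on the CA host
CA_DN="/C=CN/ST=gd/L=gz/O=hu/OU=hu"    # what the notes typed at the prompts

# Minimal openssl.cnf: same policy_match rules as the stock file.
write_ca_config() {
cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $CADIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert
copy_extensions = copy

# "match" is compared byte for byte: ST=gd and ST=GD are different values.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
EOF
}

# Steps 2 and 3: CA key, self-signed CA cert, empty database, serial file.
build_ca() {
  mkdir -p "$CADIR/private" "$CADIR/newcerts"
  write_ca_config
  (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$CADIR/ca.cnf" -key "$CADIR/private/cakey.pem" \
      -subj "$CA_DN/CN=ca.920.com" -days 3650 -out "$CADIR/cacert.pem"
  : > "$CADIR/index.txt"
  echo 01 > "$CADIR/serial"            # note the redirect
}

# Step 4: server key and CSR.  $1 = hostname (CN and SAN), $2 = ST value,
# $3 = file basename.  2048-bit key instead of the notes' 1024.
make_csr() {
  (umask 077; openssl genrsa -out "$CADIR/$3.key" 2048 2>/dev/null)
  openssl req -new -config "$CADIR/ca.cnf" -key "$CADIR/$3.key" \
      -subj "/C=CN/ST=$2/L=gz/O=hu/OU=hu/CN=$1" \
      -addext "subjectAltName=DNS:$1" -out "$CADIR/$3.csr"
}

# Step 5: sign with "openssl ca"; -batch replaces the two y/n prompts.
# Leaf lifetime (365 days) shorter than the CA's so it never outlives its issuer.
sign_csr() {
  openssl ca -config "$CADIR/ca.cnf" -batch -notext -days 365 \
      -in "$CADIR/$1.csr" -out "$CADIR/$1.crt" >/dev/null 2>&1
}

# What a client does: build the chain to cacert.pem and match $2 against the SAN.
verify_cert() {
  openssl verify -CAfile "$CADIR/cacert.pem" -verify_hostname "$2" \
      "$CADIR/$1.crt" >/dev/null 2>&1
}

# Status and serial of a CN from index.txt, e.g. "V 01" (compare the notes' cat).
db_entry() {
  awk -v cn="CN=$1" 'index($0, cn) { print $1, $3 }' "$CADIR/index.txt"
}

main() {
  build_ca
  make_csr qq.com gd www              # ST=gd, same as the CA: accepted
  sign_csr www
  verify_cert www qq.com
  echo "qq.com: chain and hostname OK; index.txt entry: $(db_entry qq.com)"

  make_csr bad.example gz other       # ST=gz, CA has gd: policy_match refuses it
  if sign_csr other; then
    echo "unexpected: a request with a mismatched ST was signed"; return 1
  fi
  echo "bad.example: refused by policy_match, as the notes warn"
  rm -rf "$CADIR"
}

main
```

Run it with sh on any host that has OpenSSL; it prints the index.txt entry for qq.com (V 01, matching the shape of the line shown above) and confirms that the request with ST=gz is refused with "field is different between CA certificate and the request". The hostname check is done against the subjectAltName, which is what browsers and TLS libraries actually use; a certificate with only a Common Name, as in the notes, passes the chain check but fails name validation in modern clients.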



This post comes from the blog "飞一般的爱情故事"; please keep the source link: http://niubdada.blog.51cto.com/3511133/1750637
