Apache HTTPS Server Configuration note


Environment: CentOS 6.5

Two hosts: one acts as the CA that signs the server certificate, the other is the Apache server.


First step: Install SSL support on Apache

# yum install -y mod_ssl

After that, httpd -M lists the SSL module:

ssl_module (shared)


Step two: Generate a self-signed certificate on the CA machine

Generate the CA private key (the umask keeps the key file readable by root only):

# cd /etc/pki/CA
# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
...................................................................+++
e is 65537 (0x10001)

The CA private key is now in place.


Generate the self-signed CA certificate (valid for 3650 days):

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:ca.8.com
Email Address []:a

The command was then run a second time with the intended Common Name and e-mail address, overwriting cacert.pem:

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:ca.920.com
Email Address []:[email protected]

At this point the self-signed CA certificate has been generated.


Step three: Create a new certificate database

The openssl ca command expects an index file and a serial-number file in the CA directory; the first certificate issued below gets serial number 1:

# touch index.txt      # certificate database
# echo 01 > serial     # serial number


Fourth step: Generate a key pair on the Apache machine

# mkdir /etc/httpd/ssl
# (umask 077; openssl genrsa > httpd.key)
Generating RSA private key, 1024 bit long modulus
....++++++
.......++++++
e is 65537 (0x10001)


Generate a certificate signing request for the CA

Note that the fields entered here must match those given for the CA above, with the exception of the hostname (Common Name); the CA's default signing policy requires Country, State and Organization to be identical to its own certificate.


# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:^C

The first attempt was interrupted with Ctrl-C and the command was run again:

# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:qq.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The resulting http.csr is then copied to the CA server (to /tmp in the next step) for signing; only the request travels, the private key httpd.key stays on the Apache host.


Fifth step: Sign the request on the CA

# openssl ca -in /tmp/http.csr -out /tmp/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 10:03:52 GMT
            Not After : Feb 10 10:03:52 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = hu
            organizationalUnitName    = hu
            commonName                = qq.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A5:7E:50:2A:8C:4D:B5:E3:DB:72:D7:F8:CE:E2:20:B0:F9:FD:18:0D
            X509v3 Authority Key Identifier:
                keyid:45:71:85:FA:99:EE:F1:0E:0F:EC:AB:6D:8C:F7:1F:A2:32:DF:31:6A

Certificate is to be certified until Feb 10 10:03:52 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The signing succeeded. Note that the Locality field (gz) entered in the request does not appear in the issued certificate: the default signing policy only carries over the fields it lists, and localityName is not among them.

# cat /etc/pki/CA/index.txt
V	250210100352Z		01	unknown	/C=CN/ST=GD/O=hu/OU=hu/CN=qq.com/emailAddress=[email protected]

The database now records the issued certificate: status V (valid), expiry 2025-02-10 10:03:52Z, serial 01, and the subject DN. /tmp/http.crt is then copied back to the Apache host alongside httpd.key.
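The procedure above, as an added example that is not part of the original post: it runs the CA set-up, CSR and signing steps non-interactively in a scratch directory with a minimal openssl.cnf, then performs two checks the post stops short of, that the issued certificate verifies against the CA and that openssl ca refuses a request whose C/ST/O differ from the CA's (the policy_match rule behind the "must match, except the hostname" note). The hostnames ca.920.com and qq.com come from the post; the scratch directory, the config contents and the 2048-bit server key (the post's bare genrsa produced a 1024-bit key, which is too small for current use) are assumptions.

```shell
# Added example, not from the original post. Assumes openssl is in PATH and
# that a scratch directory is passed in; the minimal openssl.cnf written here
# stands in for CentOS's /etc/pki/tls/openssl.cnf (CA_default + policy_match).
set -eu

setup_ca() {                       # $1 = CA working directory
  mkdir -p "$1/private" "$1/newcerts"
  touch "$1/index.txt"             # certificate database (step three)
  echo 01 > "$1/serial"            # first serial number -> "Serial Number: 1"
  cat > "$1/openssl.cnf" <<EOF     # where 'openssl ca' is told to find them
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
    -subj "/C=CN/ST=GD/O=hu/CN=ca.920.com" -days 3650 -out "$1/cacert.pem"
}

# Steps four and five; returns non-zero when the CA refuses the request.
issue_cert() {                     # $1 = CA dir, $2 = subject, $3 = file prefix
  (umask 077; openssl genrsa -out "$3.key" 2048 2>/dev/null)
  openssl req -new -config "$1/openssl.cnf" -key "$3.key" -subj "$2" -out "$3.csr"
  openssl ca -batch -config "$1/openssl.cnf" -days 3650 -in "$3.csr" \
    -out "$3.crt" >/dev/null 2>&1
}

verify_cert() {                    # $1 = CA dir, $2 = cert; does it chain to the CA?
  openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}
```

Usage: `d=$(mktemp -d); setup_ca "$d"; issue_cert "$d" "/C=CN/ST=GD/O=hu/CN=qq.com" "$d/httpd" && verify_cert "$d" "$d/httpd.crt"`; a second call with C=US is refused by the policy and leaves index.txt unchanged.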



This article is from the "Flying Love Story" blog; please keep this source when reproducing it: http://niubdada.blog.51cto.com/3511133/1750637
