Environment: CentOS 6.5
Two hosts: one acts as the CA (it issues the certificates), the other is the Apache server.
Step one: Install SSL support for Apache
yum install -y mod_ssl
Afterwards, httpd -M lists the SSL module:
 ssl_module (shared)
Step two: Generate a self-signed CA certificate on the CA machine
Generate the CA private key
[email protected] CA]# cd /etc/pki/CA
[email protected] CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
...................................................................+++
e is 65537 (0x10001)
That's it for the private key; the umask 077 keeps cakey.pem readable by root only.
Generate the self-signed CA certificate
[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:ca.8.com
Email Address []:a
The command is run a second time with the intended Common Name and e-mail address; this run overwrites cacert.pem.
[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:ca.920.com
Email Address []:[email protected]
The self-signed CA certificate is now generated.
Step three: Create the certificate database on the CA
[email protected] CA]# touch index.txt        # certificate database (openssl ca refuses to run without it)
[email protected] CA]# echo 01 > serial      # serial number of the next certificate to be issued
Step four: Generate the server key pair on the Apache machine
[email protected] ~]# mkdir /etc/httpd/ssl
[email protected] ~]# (umask 077; openssl genrsa > httpd.key)
Generating RSA private key, 1024 bit long modulus
....++++++
.......++++++
e is 65537 (0x10001)
With no size argument, openssl genrsa on CentOS 6 defaults to 1024 bits; for a server key that is too short today, so pass 2048 explicitly as was done for the CA key.
Generate a certificate signing request for the CA to sign
Note: the Country, State and Organization fields entered here must be identical to the ones given for the CA above, because the default signing policy in openssl.cnf (policy_match) requires them to match; only the Common Name, which is the server's hostname, differs.
[email protected] ssl]# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:^C
[email protected] ssl]# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:qq.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
This http.csr is then copied to the CA server (here into /tmp) to be signed.
Step five: Sign the request on the CA
[email protected] CA]# openssl ca -in /tmp/http.csr -out /tmp/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 10:03:52 GMT
            Not After : Feb 10 10:03:52 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GD
            organizationName          = hu
            organizationalUnitName    = hu
            commonName                = qq.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                a5:7e:50:2a:8c:4d:b5:e3:db:72:d7:f8:ce:e2:20:b0:f9:fd:18:0d
            X509v3 Authority Key Identifier:
                keyid:45:71:85:fa:99:ee:f1:0e:0f:ec:ab:6d:8c:f7:1f:a2:32:df:31:6a
Certificate is to be certified until Feb 10 10:03:52 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signing succeeded.
[email protected] CA]# cat /etc/pki/CA/index.txt
V	250210100352Z		01	unknown	/C=CN/ST=GD/O=hu/OU=hu/CN=qq.com/emailAddress=[email protected]
The database now records the issued certificate: status V (valid), expiry 2025-02-10 10:03:52 UTC, serial 01, and the subject DN.
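The five steps above as one non-interactive script, added here as an example and not taken from the blog. It builds the CA in a scratch directory with its own minimal openssl.cnf instead of /etc/pki/CA (so it runs as any user), answers the DN prompts with -subj, and ends with the check the walkthrough stops short of: openssl verify confirming that the server certificate really chains to the CA, plus a check that umask 077 left the keys owner-readable only. The hostnames ca.example.com and www.example.com, the OU value and the scratch paths are constructed for the example; the C/ST/O values are the page's, and they are shared between CA and server because policy_match requires it.

```shell
#!/bin/sh
# Added example (not the blog's own commands): the page's five steps as one
# script in a scratch directory. Hostnames, OU and paths are assumptions.
set -eu

CA_C=CN; CA_ST=GD; CA_O=hu     # policy_match requires these to be identical in CA and server DN

write_ca_config() {            # $1 = CA directory; writes a minimal config used by both req and ca
    cat > "$1/ca.cnf" <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/cacert.pem
private_key      = $dir/private/cakey.pem
default_md       = sha256
default_days     = 3650
policy           = policy_match
x509_extensions  = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
EOF
}

build_private_ca() {           # $1 = scratch directory; creates the CA and a CA-signed server cert
    dir=$1
    mkdir -p "$dir/private" "$dir/newcerts" "$dir/server"
    touch "$dir/index.txt"                          # step three: certificate database
    echo 01 > "$dir/serial"                         # step three: serial of the next certificate
    write_ca_config "$dir"
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)   # step two: CA key
    openssl req -new -x509 -config "$dir/ca.cnf" -key "$dir/private/cakey.pem" \
        -subj "/C=$CA_C/ST=$CA_ST/O=$CA_O/CN=ca.example.com" -days 3650 \
        -out "$dir/cacert.pem"                      # step two: self-signed CA certificate
    (umask 077; openssl genrsa -out "$dir/server/httpd.key" 2048 2>/dev/null)    # step four: server key
    openssl req -new -config "$dir/ca.cnf" -key "$dir/server/httpd.key" \
        -subj "/C=$CA_C/ST=$CA_ST/O=$CA_O/OU=web/CN=www.example.com" \
        -out "$dir/server/httpd.csr"                # step four: CSR with matching C/ST/O
    (cd "$dir" && openssl ca -batch -notext -config ca.cnf -days 3650 \
        -in server/httpd.csr -out server/httpd.crt >/dev/null 2>&1)   # step five: sign
}

verify_chain() {               # $1 = scratch directory; succeeds only if httpd.crt chains to cacert.pem
    openssl verify -CAfile "$1/cacert.pem" "$1/server/httpd.crt" >/dev/null 2>&1
}

key_is_private() {             # $1 = key file; succeeds if umask 077 left it readable by the owner only
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

cert_cn() {                    # $1 = certificate; prints its Common Name (OpenSSL 1.x and 3.x subject formats)
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

index_status() {               # $1 = scratch directory; prints the status flag of the first index.txt entry
    awk 'NR == 1 { print $1 }' "$1/index.txt"
}

main() {
    work=$(mktemp -d)
    build_private_ca "$work"
    verify_chain "$work" && echo "httpd.crt verifies against cacert.pem"
    key_is_private "$work/server/httpd.key" && echo "httpd.key is mode 0600"
    echo "issued to CN=$(cert_cn "$work/server/httpd.crt"), index status $(index_status "$work")"
    rm -rf "$work"
}

main "$@"
```

The resulting server/httpd.key and server/httpd.crt are the files Apache's SSLCertificateKeyFile and SSLCertificateFile directives point at, and cacert.pem is what a client must trust for the connection to verify. The script deliberately departs from the walkthrough in two places: both keys are 2048 bits (the page's server key falls back to the 1024-bit default), and default_md is set to sha256 explicitly instead of relying on whatever the system openssl.cnf chooses.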
This article is from the "Flying Love Story" blog; please keep this source when reproducing it: http://niubdada.blog.51cto.com/3511133/1750637
Apache HTTPS Server Configuration note