CentOS 6.5: building your own CA to serve HTTPS with httpd



Serving HTTPS with httpd and a certificate from your own CA


Required software: httpd, mod_ssl, openssl


[root@jinyongri CA]# httpd -v                      # httpd version
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 23 2014 14:15:00
[root@jinyongri CA]# uname -r                      # kernel version
2.6.32-431.el6.i686
[root@jinyongri CA]# uname -a                      # full kernel/build string
Linux jinyongri.com 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux

################################### Getting to work ##############################################

[root@jinyongri ~]# cd /etc/pki/CA/                # change to the CA directory
[root@jinyongri CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)   # generate the private key of our own CA
Generating RSA private key, 2048 bit long modulus
......+++
.....+++
e is 65537 (0x10001)
[root@jinyongri CA]# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem   # create the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                        # country
State or Province Name (full name) []:ShangHai                              # province
Locality Name (eg, city) [Default City]:ShangHai                            # city
Organization Name (eg, company) [Default Company Ltd]:jinyongri Ltd         # company name
Organizational Unit Name (eg, section) []:SA                                # department
Common Name (eg, your name or your server's hostname) []:ca.jinyongri.com   # host name
Email Address []:[email protected]                                          # administrator's e-mail address
[root@jinyongri CA]# mkdir /etc/httpd/conf/ssl -p                           # directory for the httpd server's key and certificate
[root@jinyongri CA]# (umask 077; openssl genrsa 1024 > /etc/httpd/conf/ssl/httpd.key)   # generate the httpd private key
Generating RSA private key, 1024 bit long modulus
........++++++
............++++++
e is 65537 (0x10001)
[root@jinyongri CA]# cd /etc/httpd/conf/ssl/                                # change to the httpd key directory
[root@jinyongri ssl]# openssl req -new -key ./httpd.key -out ./httpd.csr    # create the certificate request for httpd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:jinyongri Ltd
Organizational Unit Name (eg, section) []:SA
Common Name (eg, your name or your server's hostname) []:www.jinyongri.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:jinyongri Ltd
[root@jinyongri ssl]# touch /etc/pki/CA/{index.txt,crlnumber}
[root@jinyongri ssl]# echo 01 > /etc/pki/CA/serial
[root@jinyongri ssl]# openssl ca -in httpd.csr -out httpd.crt -days 3655    # issue the httpd certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 29 12:16:18 2014 GMT
            Not After : Oct  1 12:16:18 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ShangHai
            organizationName          = jinyongri Ltd
            organizationalUnitName    = SA
            commonName                = www.jinyongri.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BB:A2:68:13:FB:EA:BB:A8:52:D9:6A:AB:02:43:94:40:28:74:72:2A
            X509v3 Authority Key Identifier:
                keyid:5A:68:9C:F6:D1:5D:51:36:A5:95:3C:28:B1:7F:76:F9:9E:69:48:56

Certificate is to be certified until Oct  1 12:16:18 2024 GMT (3655 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@jinyongri ssl]# yum install -y mod_ssl       # install httpd's mod_ssl module
[root@jinyongri ssl]# rpm -ql mod_ssl              # see which files it installed
/etc/httpd/conf.d/ssl.conf
/usr/lib/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
[root@jinyongri ssl]# vim /etc/httpd/conf.d/ssl.conf
## configure the virtual host that uses SSL
#   ServerName
#   DocumentRoot
## configure the certificate and the private key
#    SSLCertificateFile      certificate file
#    SSLCertificateKeyFile   key file
<VirtualHost _default_:443>
# web root
DocumentRoot "/var/www/html"
ServerName
[root@jinyongri ssl]# httpd -t                     # check the configuration for syntax errors
Syntax OK
[root@jinyongri ssl]# service httpd restart        # restart httpd
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@jinyongri CA]# cp /etc/pki/CA/cacert.pem /etc/pki/CA/cacert.crt   # copy the CA certificate under a .crt name so that Windows can install it

Testing from a Windows 7 client

Edit C:\Windows\System32\drivers\etc\hosts and add the line shown at the end, using your own web server IP and the test domain name:

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#127.0.0.1       localhost
#::1             localhost
192.168.1.100    www.jinyongri.com   # add this line, with your own IP address and domain name


Note: this domain name must be the same as the one the CA certificate was issued for, otherwise the connection will fail.
If you cannot save the file, grant the current user write permission on it.


Copy the CA certificate /etc/pki/CA/cacert.crt that was created above to the Windows client and install it there.
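As an added example (not code from the original post), the CA and server-certificate steps above re-run non-interactively in a scratch directory, followed by three checks that catch the usual mistakes: the server certificate must chain to the CA file the client imports, httpd.key must belong to httpd.crt, and the hostname from the hosts-file entry must appear in the certificate (the mismatch the note above warns about). It assumes openssl on PATH and uses the placeholder names www.example.test and ca.example.test; it signs with openssl x509 -req rather than openssl ca, and adds a subjectAltName, which current browsers require in addition to the CN.

```shell
#!/bin/sh
# Added example, not from the original post: the CA and server-certificate
# steps re-run non-interactively, then the checks a reviewer would make.
# Assumed: openssl on PATH; www.example.test / ca.example.test are placeholders.
set -eu

# Same sequence as the post (CA key, self-signed CA cert, server key, CSR,
# signed cert), but -subj answers the prompts and "openssl x509 -req" signs
# instead of "openssl ca", so no /etc/pki/CA index/serial files are needed.
build_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    (umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/cakey.pem" -days 3655 \
        -subj "/C=CN/ST=ShangHai/O=Example Ltd/OU=SA/CN=ca.example.test" \
        -out "$dir/cacert.pem"
    # 2048-bit instead of the post's 1024: browsers reject 1024-bit RSA today
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/httpd.key" \
        -subj "/C=CN/ST=ShangHai/O=Example Ltd/OU=SA/CN=$host" -out "$dir/httpd.csr"
    # CA:FALSE as in the post's output, plus a SAN: modern browsers ignore
    # the CN and only accept a hostname listed in subjectAltName.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" >"$dir/ext.cnf"
    openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 3655 \
        -extfile "$dir/ext.cnf" -out "$dir/httpd.crt" 2>/dev/null
}

# Check 1: httpd.crt chains to the CA certificate the client will import.
chain_ok() { openssl verify -CAfile "$1/cacert.pem" "$1/httpd.crt" >/dev/null 2>&1; }

# Check 2: httpd.key is the key for httpd.crt; a mismatch makes httpd refuse
# to start ("X509_check_private_key ... key values mismatch").
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1/httpd.crt")
    k=$(openssl rsa -noout -modulus -in "$1/httpd.key" 2>/dev/null)
    [ "$c" = "$k" ]
}

# Check 3: the name typed in the browser (the hosts-file entry) is in the
# certificate; this is the mismatch the post's note warns about.
cert_has_name() { openssl x509 -noout -text -in "$1/httpd.crt" | grep -qw "DNS:$2"; }

main() {
    d=$(mktemp -d)
    build_pki "$d" www.example.test
    chain_ok "$d" && key_matches_cert "$d" && cert_has_name "$d" www.example.test \
        && echo "CA chain, key/cert pair and hostname all check out: $d"
}
main "$@"
```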




This article comes from the blog "帝國金菜園子"; please keep this attribution: http://diguojin.blog.51cto.com/5034509/1559549

