標籤:style blog http io os 使用 ar for 檔案
httpd 自建CA 認證 實現 https 服務
需要的軟體: httpd mod_ssl openssl
本文將Certificates Service器和 httpd伺服器放到一台物理機器上實現的, 可以作為學習的參考.
本文測試主機IP192.168.1.100/24
[[email protected] CA]# httpd -v #httpd版本Server version: Apache/2.2.15 (Unix)Server built: Jul 23 2014 14:15:00[[email protected] CA]# uname -r #核心版本2.6.32-431.el6.i686[[email protected] CA]# uname -a #髮型版本Linux jinyongri.com 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux ###################################開始幹活##############################################[[email protected] ~]# cd /etc/pki/CA/ #切換到認證目錄之下[[email protected] CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) #產生自建CA用私密金鑰 Generating RSA private key, 2048 bit long modulus......+++.....+++e is 65537 (0x10001) [[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem #提交自簽認證申請You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.‘, the field will be left blank.-----Country Name (2 letter code) [XX]:CN #國家State or Province Name (full name) []:ShangHai #省份Locality Name (eg, city) [Default City]:ShangHai #城市Organization Name (eg, company) [Default Company Ltd]:jinyongri Ltd #公司名Organizational Unit Name (eg, section) []:SA #部門名稱Common Name (eg, your name or your server‘s hostname) []:ca.jinyongri.com #主機名稱Email Address []:[email protected] #管理員郵箱 [[email protected] CA]# mkdir /etc/httpd/conf/ssl -p #建立存放httpd伺服器私密金鑰和認證的目錄[[email protected] CA]# (umask 077; openssl genrsa 1024 > /etc/httpd/conf/ssl/httpd.key) #建立httpd私密金鑰 Generating RSA private key, 1024 bit long modulus........++++++............++++++e is 65537 (0x10001) [[email protected] CA]# cd /etc/httpd/conf/ssl/ #切換到存放httpd私密金鑰目錄下[[email protected] ssl]# openssl req -new -key ./httpd.key -out ./httpd.csr #提交httpd認證申請 You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.‘, the field will be left blank.-----Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ShangHaiLocality Name (eg, city) [Default City]:ShangHaiOrganization Name (eg, company) [Default Company Ltd]:jinyongri LtdOrganizational Unit Name (eg, section) []:SACommon Name (eg, your name or your server‘s hostname) []:www.jinyongri.comEmail Address []: Please enter the following ‘extra‘ attributesto be sent with your certificate requestA challenge password []:An optional company name []:jinyongri Ltd [[email protected] ssl]# touch /etc/pki/CA/{index.txt,crlnumber}[[email protected] ssl]# echo 01 > /etc/pki/CA/serial[[email protected] ssl]# openssl ca -in httpd.csr -out httpd.crt -days 3655 #產生httpd認證Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Sep 29 12:16:18 2014 GMT Not After : Oct 1 12:16:18 2024 GMT Subject: countryName = CN stateOrProvinceName = ShangHai organizationName = jinyongri Ltd organizationalUnitName = SA commonName = www.jinyongri.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: BB:A2:68:13:FB:EA:BB:A8:52:D9:6A:AB:02:43:94:40:28:74:72:2A X509v3 Authority Key Identifier: keyid:5A:68:9C:F6:D1:5D:51:36:A5:95:3C:28:B1:7F:76:F9:9E:69:48:56 Certificate is to be certified until Oct 1 12:16:18 2024 GMT (3655 days)Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated [[email protected] ssl]# yum install -y mod_ssl #安裝httpd的mod_ssl模組[[email protected] ssl]# rpm -ql mod_ssl #看一下都產生了哪些檔案/etc/httpd/conf.d/ssl.conf/usr/lib/httpd/modules/mod_ssl.so/var/cache/mod_ssl/var/cache/mod_ssl/scache.dir/var/cache/mod_ssl/scache.pag/var/cache/mod_ssl/scache.sem [[email protected] ssl]# vim /etc/httpd/conf.d/ssl.conf##配置實用ssl的虛擬機器主機# ServerName# DocumentRoot#配置認證和私密金鑰# SSLCertificatFile 認證檔案# SSLCertificatKeyFile 密鑰檔案<VirtualHost _default_:443>DocumentRoot "/var/www/html" #網頁根目錄ServerName [[email protected] ssl]# httpd -t #檢測設定檔語法錯誤Syntax OK[[email protected] ssl]# service httpd restart #重啟httpd服務Stopping httpd: [ OK ]Starting httpd: [ OK ][[email protected] CA]# cp /etc/pki/CA/cacert.pem /etc/pki/CA/cacert.crt#複製一個CA伺服器認證認證, 以便於windows來安裝
使用window7用戶端來檢測
修改C:\Windows\System32\drivers\etc\hosts 添加如下內容, 自己的web伺服器ip和測試用網域名稱
# Copyright (c) 1993-2009 Microsoft Corp.## This is a sample HOSTS file used by Microsoft TCP/IP for Windows.## This file contains the mappings of IP addresses to host names. Each# entry should be kept on an individual line. The IP address should# be placed in the first column followed by the corresponding host name.# The IP address and the host name should be separated by at least one# space.## Additionally, comments (such as these) may be inserted on individual# lines or following the machine name denoted by a ‘#‘ symbol.## For example:## 102.54.94.97 rhino.acme.com # source server# 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself.#127.0.0.1 localhost#::1 localhost192.168.1.100www.jinyongri.com #添加這一行,要根據自己的ip和網域名稱來配置
注意: 這個網域名稱要和註冊CA認證的網域名稱一致, 否則會出錯,
如果無法修改請配置目前使用者對該檔案的寫入許可權.
把剛才複製好的/etc/pki/CA/cacert.crt CA伺服器憑證下載windows用戶端上
[Linux] centos 6.5 httpd 自建CA 認證 實現 https 服務