Apache HTTPS Server Configuration Notes

Published: 2025/3/19

Environment: CentOS 6.5

Two hosts: one acts as the CA that signs certificates, the other is the Apache server.


Step 1: Install SSL support on the Apache server

    yum install -y mod_ssl

Afterwards, httpd -M lists the SSL module:

    ssl_module (shared)


Step 2: Generate a self-signed certificate on the CA machine

First generate the private key:

[root@slave CA]# cd /etc/pki/CA
[root@slave CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
...................................................................+++
e is 65537 (0x10001)

This output means the key was generated successfully.


Generate the self-signed certificate:

[root@slave CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:ca.8.com
Email Address []:a
[root@slave CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:ca.920.com
Email Address []:admin@920.com

At this point the self-signed certificate has been generated.


Step 3: Create the certificate database

[root@slave CA]# touch index.txt        # certificate database
[root@slave CA]# echo 01 > serial       # serial number


Step 4: Generate a key pair on the Apache machine

[root@nginx ~]# mkdir /etc/httpd/ssl
[root@nginx ~]# cd /etc/httpd/ssl
[root@nginx ssl]# (umask 077;openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
....++++++
.......++++++
e is 65537 (0x10001)


Generate the certificate signing request (CSR) to send to the CA

Note: the values entered here must be identical to those entered on the CA, except for the hostname.

[root@nginx ssl]# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:^C
[root@nginx ssl]# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:gd
Locality Name (eg, city) [Default City]:gz
Organization Name (eg, company) [Default Company Ltd]:hu
Organizational Unit Name (eg, section) []:hu
Common Name (eg, your name or your server's hostname) []:qq.com
Email Address []:admin@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Then copy this http.csr to the CA server to be signed.


Step 5: Sign the request on the CA

[root@slave CA]# openssl ca -in /tmp/http.csr -out /tmp/http.rt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 13 10:03:52 2015 GMT
            Not After : Feb 10 10:03:52 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = gd
            organizationName          = hu
            organizationalUnitName    = hu
            commonName                = qq.com
            emailAddress              = admin@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A5:7E:50:2A:8C:4D:B5:E3:DB:72:D7:F8:CE:E2:20:B0:F9:FD:18:0D
            X509v3 Authority Key Identifier:
                keyid:45:71:85:FA:99:EE:F1:0E:0F:EC:AB:6D:8C:F7:1F:A2:32:DF:31:6A

Certificate is to be certified until Feb 10 10:03:52 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The certificate was signed successfully.


[root@slave CA]# cat /etc/pki/CA/index.txt
V       250210100352Z           01      unknown /C=CN/ST=gd/O=hu/OU=hu/CN=qq.com/emailAddress=admin@qq.com

As you can see, the database has been updated.



Reposted from: https://blog.51cto.com/niubdada/1750637
