首页 > 代码库 > [Linux] centos 6.5 httpd 自建CA 认证 实现 https 服务

[Linux] centos 6.5 httpd 自建CA 认证 实现 https 服务

httpd 自建CA 认证 实现 https 服务

 

需要的软件: httpd mod_ssl openssl

本文将CA证书服务器和 httpd服务器放到一台物理机器上实现的, 可以作为学习的参考.

本文测试主机IP192.168.1.100/24

 

[root@jinyongri CA]# httpd -v #httpd版本Server version: Apache/2.2.15 (Unix)Server built:   Jul 23 2014 14:15:00[root@jinyongri CA]# uname -r #内核版本2.6.32-431.el6.i686[root@jinyongri CA]# uname -a #发型版本Linux jinyongri.com 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux              ###################################开始干活##############################################[root@jinyongri ~]# cd /etc/pki/CA/ #切换到证书目录之下[root@jinyongri CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) #生成自建CA用私钥  Generating RSA private key, 2048 bit long modulus......+++.....+++e is 65537 (0x10001)  [root@jinyongri CA]# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem #提交自签证书申请You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.‘, the field will be left blank.-----Country Name (2 letter code) [XX]:CN #国家State or Province Name (full name) []:ShangHai #省份Locality Name (eg, city) [Default City]:ShangHai #城市Organization Name (eg, company) [Default Company Ltd]:jinyongri Ltd #公司名Organizational Unit Name (eg, section) []:SA #部门名称Common Name (eg, your name or your server‘s hostname) []:ca.jinyongri.com #主机名Email Address []:admin@jinyongri.com #管理员邮箱    [root@jinyongri CA]# mkdir /etc/httpd/conf/ssl -p #建立存放httpd服务器私钥和证书的目录[root@jinyongri CA]# (umask 077; openssl genrsa 1024 > /etc/httpd/conf/ssl/httpd.key) #创建httpd私钥  Generating RSA private key, 1024 bit long modulus........++++++............++++++e is 65537 (0x10001)  [root@jinyongri CA]# cd /etc/httpd/conf/ssl/ #切换到存放httpd私钥目录下[root@jinyongri ssl]# openssl req -new -key ./httpd.key -out ./httpd.csr #提交httpd证书申请  You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.‘, the field will be left blank.-----Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ShangHaiLocality Name (eg, city) [Default City]:ShangHaiOrganization Name (eg, company) [Default Company Ltd]:jinyongri LtdOrganizational Unit Name (eg, section) []:SACommon Name (eg, your name or your server‘s hostname) []:www.jinyongri.comEmail Address []:  Please enter the following ‘extra‘ attributesto be sent with your certificate requestA challenge password []:An optional company name []:jinyongri Ltd  [root@jinyongri ssl]# touch /etc/pki/CA/{index.txt,crlnumber}[root@jinyongri ssl]# echo 01 > /etc/pki/CA/serial[root@jinyongri ssl]# openssl ca -in httpd.csr -out httpd.crt -days 3655 #生成httpd证书Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details:        Serial Number: 1 (0x1)        Validity            Not Before: Sep 29 12:16:18 2014 GMT            Not After : Oct  1 12:16:18 2024 GMT        Subject:            countryName               = CN            stateOrProvinceName       = ShangHai            organizationName          = jinyongri Ltd            organizationalUnitName    = SA            commonName                = www.jinyongri.com        X509v3 extensions:            X509v3 Basic Constraints:                 CA:FALSE            Netscape Comment:                 OpenSSL Generated Certificate            X509v3 Subject Key Identifier:                 BB:A2:68:13:FB:EA:BB:A8:52:D9:6A:AB:02:43:94:40:28:74:72:2A            X509v3 Authority Key Identifier:                 keyid:5A:68:9C:F6:D1:5D:51:36:A5:95:3C:28:B1:7F:76:F9:9E:69:48:56  Certificate is to be certified until Oct  1 12:16:18 2024 GMT (3655 days)Sign the certificate? [y/n]:y    1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated  [root@jinyongri ssl]# yum install -y mod_ssl #安装httpd的mod_ssl模块[root@jinyongri ssl]# rpm -ql mod_ssl #看一下都生成了哪些文件/etc/httpd/conf.d/ssl.conf/usr/lib/httpd/modules/mod_ssl.so/var/cache/mod_ssl/var/cache/mod_ssl/scache.dir/var/cache/mod_ssl/scache.pag/var/cache/mod_ssl/scache.sem  [root@jinyongri ssl]# vim /etc/httpd/conf.d/ssl.conf##配置实用ssl的虚拟主机#   ServerName#   DocumentRoot#配置证书和私钥#    SSLCertificatFile 证书文件#    SSLCertificatKeyFile 密钥文件<VirtualHost _default_:443>DocumentRoot "/var/www/html"  #网页根目录ServerName   [root@jinyongri ssl]# httpd -t #检测配置文件语法错误Syntax OK[root@jinyongri ssl]# service httpd restart #重启httpd服务Stopping httpd:                                            [  OK  ]Starting httpd:                                            [  OK  ][root@jinyongri CA]# cp /etc/pki/CA/cacert.pem /etc/pki/CA/cacert.crt#复制一个CA服务器认证证书, 以便于windows来安装

  

 使用window7客户端来检测

修改C:\Windows\System32\drivers\etc\hosts 添加如下内容, 自己的web服务器ip和测试用域名

 # Copyright (c) 1993-2009 Microsoft Corp.## This is a sample HOSTS file used by Microsoft TCP/IP for Windows.## This file contains the mappings of IP addresses to host names. Each# entry should be kept on an individual line. The IP address should# be placed in the first column followed by the corresponding host name.# The IP address and the host name should be separated by at least one# space.## Additionally, comments (such as these) may be inserted on individual# lines or following the machine name denoted by a ‘#‘ symbol.## For example:##      102.54.94.97     rhino.acme.com          # source server#       38.25.63.10     x.acme.com              # x client host # localhost name resolution is handled within DNS itself.#127.0.0.1       localhost#::1             localhost192.168.1.100www.jinyongri.com #添加这一行,要根据自己的ip和域名来配置

  

注意: 这个域名要和注册CA证书的域名一致, 否则会出错, 

如果无法修改请配置当前用户对该文件的写入权限.

 

把刚才复制好的/etc/pki/CA/cacert.crt CA服务器证书下载windows客户端上

 

 

[Linux] centos 6.5 httpd 自建CA 认证 实现 https 服务