首页 > 代码库 > [Linux] centos 6.5 httpd 自建CA 认证 实现 https 服务
[Linux] centos 6.5 httpd 自建CA 认证 实现 https 服务
httpd 自建CA 认证 实现 https 服务
需要的软件: httpd mod_ssl openssl
本文将CA证书服务器和 httpd服务器放到一台物理机器上实现的, 可以作为学习的参考.
本文测试主机IP192.168.1.100/24
[root@jinyongri CA]# httpd -v #httpd版本Server version: Apache/2.2.15 (Unix)Server built: Jul 23 2014 14:15:00[root@jinyongri CA]# uname -r #内核版本2.6.32-431.el6.i686[root@jinyongri CA]# uname -a #发型版本Linux jinyongri.com 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux ###################################开始干活##############################################[root@jinyongri ~]# cd /etc/pki/CA/ #切换到证书目录之下[root@jinyongri CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) #生成自建CA用私钥 Generating RSA private key, 2048 bit long modulus......+++.....+++e is 65537 (0x10001) [root@jinyongri CA]# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem #提交自签证书申请You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.‘, the field will be left blank.-----Country Name (2 letter code) [XX]:CN #国家State or Province Name (full name) []:ShangHai #省份Locality Name (eg, city) [Default City]:ShangHai #城市Organization Name (eg, company) [Default Company Ltd]:jinyongri Ltd #公司名Organizational Unit Name (eg, section) []:SA #部门名称Common Name (eg, your name or your server‘s hostname) []:ca.jinyongri.com #主机名Email Address []:admin@jinyongri.com #管理员邮箱 [root@jinyongri CA]# mkdir /etc/httpd/conf/ssl -p #建立存放httpd服务器私钥和证书的目录[root@jinyongri CA]# (umask 077; openssl genrsa 1024 > /etc/httpd/conf/ssl/httpd.key) #创建httpd私钥 Generating RSA private key, 1024 bit long modulus........++++++............++++++e is 65537 (0x10001) [root@jinyongri CA]# cd /etc/httpd/conf/ssl/ #切换到存放httpd私钥目录下[root@jinyongri ssl]# openssl req -new -key ./httpd.key -out ./httpd.csr #提交httpd证书申请 You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter ‘.‘, the field will be left blank.-----Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:ShangHaiLocality Name (eg, city) [Default City]:ShangHaiOrganization Name (eg, company) [Default Company Ltd]:jinyongri LtdOrganizational Unit Name (eg, section) []:SACommon Name (eg, your name or your server‘s hostname) []:www.jinyongri.comEmail Address []: Please enter the following ‘extra‘ attributesto be sent with your certificate requestA challenge password []:An optional company name []:jinyongri Ltd [root@jinyongri ssl]# touch /etc/pki/CA/{index.txt,crlnumber}[root@jinyongri ssl]# echo 01 > /etc/pki/CA/serial[root@jinyongri ssl]# openssl ca -in httpd.csr -out httpd.crt -days 3655 #生成httpd证书Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Sep 29 12:16:18 2014 GMT Not After : Oct 1 12:16:18 2024 GMT Subject: countryName = CN stateOrProvinceName = ShangHai organizationName = jinyongri Ltd organizationalUnitName = SA commonName = www.jinyongri.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: BB:A2:68:13:FB:EA:BB:A8:52:D9:6A:AB:02:43:94:40:28:74:72:2A X509v3 Authority Key Identifier: keyid:5A:68:9C:F6:D1:5D:51:36:A5:95:3C:28:B1:7F:76:F9:9E:69:48:56 Certificate is to be certified until Oct 1 12:16:18 2024 GMT (3655 days)Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated [root@jinyongri ssl]# yum install -y mod_ssl #安装httpd的mod_ssl模块[root@jinyongri ssl]# rpm -ql mod_ssl #看一下都生成了哪些文件/etc/httpd/conf.d/ssl.conf/usr/lib/httpd/modules/mod_ssl.so/var/cache/mod_ssl/var/cache/mod_ssl/scache.dir/var/cache/mod_ssl/scache.pag/var/cache/mod_ssl/scache.sem [root@jinyongri ssl]# vim /etc/httpd/conf.d/ssl.conf##配置实用ssl的虚拟主机# ServerName# DocumentRoot#配置证书和私钥# SSLCertificatFile 证书文件# SSLCertificatKeyFile 密钥文件<VirtualHost _default_:443>DocumentRoot "/var/www/html" #网页根目录ServerName [root@jinyongri ssl]# httpd -t #检测配置文件语法错误Syntax OK[root@jinyongri ssl]# service httpd restart #重启httpd服务Stopping httpd: [ OK ]Starting httpd: [ OK ][root@jinyongri CA]# cp /etc/pki/CA/cacert.pem /etc/pki/CA/cacert.crt#复制一个CA服务器认证证书, 以便于windows来安装
使用window7客户端来检测
修改C:\Windows\System32\drivers\etc\hosts 添加如下内容, 自己的web服务器ip和测试用域名
# Copyright (c) 1993-2009 Microsoft Corp.## This is a sample HOSTS file used by Microsoft TCP/IP for Windows.## This file contains the mappings of IP addresses to host names. Each# entry should be kept on an individual line. The IP address should# be placed in the first column followed by the corresponding host name.# The IP address and the host name should be separated by at least one# space.## Additionally, comments (such as these) may be inserted on individual# lines or following the machine name denoted by a ‘#‘ symbol.## For example:## 102.54.94.97 rhino.acme.com # source server# 38.25.63.10 x.acme.com # x client host # localhost name resolution is handled within DNS itself.#127.0.0.1 localhost#::1 localhost192.168.1.100www.jinyongri.com #添加这一行,要根据自己的ip和域名来配置
注意: 这个域名要和注册CA证书的域名一致, 否则会出错,
如果无法修改请配置当前用户对该文件的写入权限.
把刚才复制好的/etc/pki/CA/cacert.crt CA服务器证书下载windows客户端上
[Linux] centos 6.5 httpd 自建CA 认证 实现 https 服务
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。