
Using httpd and openssl on CentOS to serve a website over HTTPS

The concrete steps are as follows.

Configure the CA server
=======================

1. Configure the CA (172.16.1.2): generate the CA's own public and private keys, then have the CA self-sign its certificate (generated with a script).

    rootCA # vim /etc/pki/tls/f
    dir = /etc/CA                 # Where everything is kept (line 45)
    basicConstraints=CA:TRUE      # the self-signed certificate can be used (line 178)

    rootCA # vim /etc/pki/tls/misc/CA
    CATOP=/etc/CA                 # line 42

    rootCA # /etc/pki/tls/misc/CA -newca
    CA certificate filename (or enter to create)
    Making CA certificate .
    Generating a 1024 bit RSA private key
    .+.+
    writing new private key to ././CA/private/./cakey.pem    # private key
    Enter PEM pass phrase:123456                             # protects the CA private key
    Verifying - Enter PEM pass phrase:123456
    -
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ., the field will be left blank.
    -
    Country Name (2 letter code) GB:CN                       # identity information
    State or Province Name (full name) Berkshire:BEIJING
    Locality Name (eg, city) Newbury:HD
    Organization Name (eg, company) My Company Ltd:UPLOOKING
    Organizational Unit Name (eg, section) :IT
    Common Name (eg, your name or your servers hostname) :CA
    Email Address :CA

    Please enter the following extra attributes
    to be sent with your certificate request
    A challenge password :
    An optional company name :
    Using configuration from /etc/pki/tls/f
    Enter pass phrase for ././CA/private/./cakey.pem:123456  # self-sign using the private key
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 0 (0x0)
            Validity
                Not Before: Mar 5 01:40:50 2012 GMT
                Not After : Mar 5 01:40:50 2015 GMT
            Subject:
                countryName = CN
                stateOrProvinceName = BEIJING
                organizationName = UPLOOKING
                organizationalUnitName = IT
                commonName = CA
                emailAddress = CA
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:TRUE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
                X509v3 Authority Key Identifier:
                    keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
    Certificate is to be certified until Mar 5 01:40:50 2015 GMT (1095 days)
    Write out database with 1 new entries
    Data Base Updated

    rootCA # ls /etc/CA/private/cakey.pem    # CA private key
    rootCA # ls /etc/CA/cacert.pem           # CA certificate
    rootCA # ls /etc/CA/careq.pem            # CA certificate request

Configure the web server
========================

The web server generates its own private key:

    rootwww # openssl genrsa -des3 -out /etc/httpd/conf.d/server.key    # protect the private key with des3
    Generating RSA private key, 512 bit long modulus
    .+.+
    e is 65537 (0x10001)
    Enter pass phrase for /etc/httpd/conf.d/server.key:123456
    Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:123456

Generate the certificate request (using the identity information and the public key):

    rootwww # openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
    Enter pass phrase for /etc/httpd/conf.d/server.key:123456
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ., the field will be left blank.
    -
    Country Name (2 letter code) GB:CN                       # this information must match the CA's!
    State or Province Name (full name) Berkshire:BEIJING
    Locality Name (eg, city) Newbury:HD
    Organization Name (eg, company) My Company Ltd:UPLOOKING
    Organizational Unit Name (eg, section) :IT
    -
    Common Name (eg, your name or your servers hostname) :
    Email Address :

    Please enter the following extra attributes
    to be sent with your certificate request
    A challenge password :
    An optional company name :

Send the certificate request to the CA:

    rootwww # scp /tmp/server.csr CA:/tmp/

The CA server digitally signs the certificate request
=====================================================

    rootCA # openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt

The files named in the command:

    /etc/CA/private/cakey.pem    (the CA's private key)
    /tmp/server.csr              (the HTTP server's certificate request file)
    /etc/CA/cacert.pem           (the CA's certificate)
    /tmp/server.crt              (the name of the HTTP server certificate to be generated)

Output of the command:

    Using configuration from /etc/pki/tls/f
    Enter pass phrase for /etc/CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Mar 5 02:20:56 2012 GMT
                Not After : Mar 5 02:20:56 2013 GMT
            Subject:
                countryName = CN
                stateOrProvinceName = BEIJING
                organizationName = UPLOOKING
                organizationalUnitName = IT
                commonName =
                emailAddress =
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:TRUE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
                X509v3 Authority Key Identifier:
                    keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
    Certificate is to be certified until Mar 5 02:20:56 2013 GMT (365 days)
    Sign the certificate? y/n:y
    1 out of 1 certificate requests certified, commit? y/ny
    Write out database with 1 new entries
    Data Base Updated

Issue the signed certificate to the web server:

    rootCA # scp /tmp/server.crt :/etc/httpd/conf.d/

Configure the web server to support SSL for HTTPS
=================================================

    rootwww # yum install httpd mod_ssl
    rootwww # vim /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /etc/httpd/conf.d/server.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/server.key

    rootwww # netstat -tunpl | grep 443
    tcp 0 0 :443 :* LISTEN 2000/httpd

The client downloads the CA certificate, imports it into the browser, then visits the www server
================================================================================================

The client needs to download the CA certificate and import it into the browser. When the client then accesses the web server over HTTPS, the browser verifies whether the web server's certificate was issued by the CA.

Open Firefox: Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Import
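The signing output above shows the web server's certificate issued with CA:TRUE and built on a 512 bit key. The check below is an added example, not part of the original document, that flags both conditions before a certificate is referenced from ssl.conf. MIN_BITS, the finding labels and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original document. MIN_BITS, the finding labels
# and all function names are assumptions chosen for this illustration.
MIN_BITS=2048

# Reads `openssl x509 -noout -text` output on stdin and prints one finding
# per line. Exit status is 0 when nothing is flagged, 1 otherwise.
audit_cert_text() {
    awk -v min="$MIN_BITS" '
        # Modern builds print "Public-Key: (N bit)", old ones "RSA Public Key: (N bit)".
        /Public[- ]Key: \([0-9]+ bit\)/ {
            bits = $0; sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
            seen_key = 1
            if (bits + 0 < min) { print "WEAK_KEY " bits; bad = 1 }
        }
        # The constraint value normally sits on the line after the extension name.
        /X509v3 Basic Constraints/ { in_bc = 1 }
        in_bc && /CA:TRUE/ { print "LEAF_IS_CA"; bad = 1; in_bc = 0; next }
        in_bc && !/X509v3 Basic Constraints/ { in_bc = 0 }
        END {
            if (!seen_key) { print "NO_KEY_INFO"; bad = 1 }
            exit bad + 0
        }
    '
}

# $1 = server certificate, $2 = CA certificate (both PEM files).
audit_cert_file() {
    # Match on the printed result rather than relying on the exit status alone.
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$' ||
        { echo "CHAIN_FAIL"; return 1; }
    openssl x509 -in "$1" -noout -text | audit_cert_text
}

# Constructed sample: an excerpt shaped like `openssl x509 -noout -text`
# output for a certificate like the one signed above (512 bit key, CA:TRUE).
sample_cert_text() {
    cat <<'EOF'
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
EOF
}

sample_cert_text | audit_cert_text || true
```

On the web server, `audit_cert_file /etc/httpd/conf.d/server.crt cacert.pem` runs the same checks against the real files, given a local copy of the CA certificate.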
