Using httpd + openssl on CentOS to serve a website over HTTPS

The specific steps are described below.

Configure the CA server
=======================

1. Configure the CA
   Generate the CA's own public/private key pair
   The CA self-signs its own certificate (generated with a script)

    rootCA # vim /etc/pki/tls/f
    dir= /etc/CA                  # Where everything is kept (line 45)
    basicConstraints=CA:TRUE      # self-signed certificates can be used (line 178)

    rootCA # vim /etc/pki/tls/misc/CA
    CATOP=/etc/CA                 # line 42

    rootCA #/etc/pki/tls/misc/CA -newca
    CA certificate filename (or enter to create)
    Making CA certificate .
    Generating a 1024 bit RSA private key
    .+.+
    writing new private key to ././CA/private/./cakey.pem      # private key
    Enter PEM pass phrase:123456                               # protects the CA private key
    Verifying - Enter PEM pass phrase:123456
    -
    You are about to be asked to enter information that will be
    incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ., the field will be left blank.
    -
    Country Name (2 letter code) GB:CN                         # identity information
    State or Province Name (full name) Berkshire:BEIJING
    Locality Name (eg, city) Newbury:HD
    Organization Name (eg, company) My Company Ltd:UPLOOKING
    Organizational Unit Name (eg, section) :IT
    Common Name (eg, your name or your servers hostname):CA
    Email Address :CA
    Please enter the following extra attributes
    to be sent with your certificate request
    A challenge password :
    An optional company name :
    Using configuration from /etc/pki/tls/f
    Enter pass phrase for ././CA/private/./cakey.pem:123456    # self-sign using the private key
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 0 (0x0)
    Validity
    Not Before: Mar 5 01:40:50 2012 GMT
    Not After : Mar 5 01:40:50 2015 GMT
    Subject:
    countryName = CN
    stateOrProvinceName = BEIJING
    organizationName = UPLOOKING
    organizationalUnitName = IT
    commonName = CA
    emailAddress = CA
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:TRUE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
    X509v3 Authority Key Identifier:
    keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
    Certificate is to be certified until Mar 5 01:40:50 2015 GMT (1095 days)
    Write out database with 1 new entries
    Data Base Updated

    rootCA # ls /etc/CA/private/cakey.pem      # CA private key
    rootCA # ls /etc/CA/cacert.pem             # CA certificate
    rootCA # ls /etc/CA/careq.pem              # CA certificate request

Configure the web server
========================

The web server generates its own private key

    rootwww # openssl genrsa -des3 -out /etc/httpd/conf.d/server.key      # protect the private key with des3
    Generating RSA private key, 512 bit long modulus
    .+.+
    e is 65537 (0x10001)
    Enter pass phrase for /etc/httpd/conf.d/server.key:123456
    Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:123456

Generate the certificate request (from the identity information and the public key)

    rootwww # openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
    Enter pass phrase for /etc/httpd/conf.d/server.key:123456
    You are about to be asked to enter information that will be incorporated into your certificate
    request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ., the field will be left blank.
    -
    Country Name (2 letter code) GB:CN                         # this information must match the CA's!
    State or Province Name (full name) Berkshire:BEIJING
    Locality Name (eg, city) Newbury:HD
    Organization Name (eg, company) My Company Ltd:UPLOOKING
    Organizational Unit Name (eg, section) :IT
    -
    Common Name (eg, your name or your servers hostname):
    Email Address :
    Please enter the following extra attributes to be sent with your certificate request
    A challenge password :
    An optional company name :

Send the certificate request to the CA

    rootwww # scp /tmp/server.csr CA:/tmp/

The CA server digitally signs the certificate request
=====================================================

    rootCA # openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt

/etc/CA/private/cakey.pem (this is the CA's private key)
/tmp/server.csr (the httpserver's certificate request file)
/etc/CA/cacert.pem (the CA's certificate)
/tmp/server.crt (the name of the generated httpserver certificate)

    Using configuration from /etc/pki/tls/f
    Enter pass phrase for /etc/CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 1 (0x1)
    Validity
    Not Before: Mar 5 02:20:56 2012 GMT
    Not After : Mar 5 02:20:56 2013 GMT
    Subject:
    countryName = CN
    stateOrProvinceName = BEIJING
    organizationName = UPLOOKING
    organizationalUnitName = IT
    commonName = 
    emailAddress = 
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:TRUE
    Netscape Comment:
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
    X509v3 Authority Key Identifier:
    keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
    Certificate is to be certified until Mar 5 02:20:56 2013 GMT (365 days)
    Sign the certificate? y/n:y
    1 out of 1 certificate requests certified, commit? y/ny
    Write out database with 1 new entries
    Data Base Updated

Issue the signed digital certificate to the web server

    rootCA # scp /tmp/server.crt:/etc/httpd/conf.d/

Configure the web server to support SSL and serve HTTPS
=======================================================

    rootwww # yum install httpd mod_ssl
    rootwww # vim /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /etc/httpd/conf.d/server.crt
    SSLCertificateKeyFi
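The transcript above generates a 1024-bit CA key and a 512-bit server key, and the certificate issued to the web server carries Basic Constraints CA:TRUE. The following added example (not part of the original tutorial) audits the text form of a certificate for those two settings; the names `audit_cert_text`, `sample_server_cert_text` and `MIN_RSA_BITS`, and the 2048-bit threshold, are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original tutorial. Usage:
#   openssl x509 -in /etc/httpd/conf.d/server.crt -noout -text | audit_cert_text leaf
#   openssl x509 -in /etc/CA/cacert.pem -noout -text | audit_cert_text ca

MIN_RSA_BITS=2048   # assumption: smallest RSA modulus this audit accepts

# Reads certificate text on stdin, prints one line per finding, and exits
# with the number of findings (0 = nothing flagged). Runs in a subshell.
audit_cert_text() (
    role=$1
    text=$(cat)
    findings=0

    # Older OpenSSL prints "RSA Public Key: (512 bit)", newer "Public-Key: (512 bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if printf '%s\n' "$text" | grep -q 'rsaEncryption' &&
        [ -n "$bits" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK_KEY: ${bits}-bit RSA key, below ${MIN_RSA_BITS}"
        findings=$((findings + 1))
    fi

    # A server certificate marked CA:TRUE can itself sign certificates that
    # chain to the CA, so only the CA certificate should carry it.
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then is_ca=yes; else is_ca=no; fi
    if [ "$role" = leaf ] && [ "$is_ca" = yes ]; then
        echo "LEAF_IS_CA: server certificate has Basic Constraints CA:TRUE"
        findings=$((findings + 1))
    elif [ "$role" = ca ] && [ "$is_ca" = no ]; then
        echo "CA_NOT_CA: CA certificate lacks Basic Constraints CA:TRUE"
        findings=$((findings + 1))
    fi
    exit "$findings"
)

# Constructed sample modelled on the server certificate in the transcript
# (512-bit RSA key, CA:TRUE); it is not real openssl output.
sample_server_cert_text() {
    cat <<'EOF'
        Serial Number: 1 (0x1)
            Public Key Algorithm: rsaEncryption
                Public-Key: (512 bit)
            X509v3 Basic Constraints:
                CA:TRUE
EOF
}
```

Running `sample_server_cert_text | audit_cert_text leaf` reports both findings for the constructed sample; a server certificate issued with CA:FALSE and a 2048-bit or larger key produces no output.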