Assumed setup:
CA host: 192.168.191.160
Web server host: 192.168.191.150; the httpd configuration carries over from the previous post
The CA generates a self-signed certificate, signs the web server's certificate and sends it over, and the web server is configured through /etc/httpd/conf.d/ssl.conf
1. Generate the self-signed CA certificate on the CA host
cd /etc/pki/CA
(umask 077; openssl genrsa -out private/cakey.pem 2048)   # generate the CA private key (umask 077 keeps it readable by root only)
Edit /etc/pki/tls/openssl.cnf: set the working directory (dir) and the default field values used when signing, following the excerpt below.
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

...

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Guangdong

localityName                    = Locality Name (eg, city)
localityName_default            = Guangzhou

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = cqy

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = tech
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655   # generate the self-signed CA certificate
mkdir certs crl newcerts   # create the directories referenced in openssl.cnf
touch index.txt            # create the (empty) certificate database
echo 01 > serial           # initialise the serial number counter
2. Generate a certificate signing request on the web server
cd /etc/httpd/
mkdir ssl
cd ssl
(umask 077; openssl genrsa 1024 > httpd.key)      # generate the server private key
openssl req -new -key httpd.key -out httpd.csr    # generate the certificate signing request
scp httpd.csr 192.168.191.160:/tmp                # send the CSR to the CA host
3. Sign the web server's certificate on the CA host
openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650   # sign the CSR with the CA key
scp /tmp/httpd.crt 192.168.191.150:/etc/httpd/ssl/            # send the signed certificate back to the web server
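Steps 1 to 3 above, as an added example that is not part of the original post: a POSIX shell script that runs the CA setup, the server CSR and the signing non-interactively in a scratch directory, then performs the checks worth running before copying httpd.crt to the web server (the certificate verifies against the CA, it matches the private key, it carries the server address as a subjectAltName, and both key files are mode 0600). It assumes only the openssl command-line tool. The DN values, the CA name "cqy-root-ca", the minimal openssl.cnf and its v3_ca / v3_server extension sections are constructed for this example and come neither from the post nor from OpenSSL's stock configuration; 192.168.191.150 is the post's web server address.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 1-3 (CA key and
# self-signed CA certificate, server key and CSR, signing with openssl ca)
# run non-interactively in a scratch directory so the result can be checked.
# Assumes only the openssl CLI. DN values, the CA name "cqy-root-ca" and the
# v3_ca / v3_server extension sections are constructed for this example;
# 192.168.191.150 is the post's web server address.
set -e

# Minimal openssl.cnf with the post's [ CA_default ] layout, rooted at $1.
# "\$dir" is written literally so that openssl, not the shell, expands it.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_anything
x509_extensions = v3_server
[ policy_anything ]
organizationName = optional
commonName = supplied
[ req ]
default_md = sha256
prompt = no
distinguished_name = req_dn
[ req_dn ]
commonName = unused
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
subjectAltName = IP:192.168.191.150
EOF
}

# Step 1: CA private key (umask 077 gives it mode 0600), self-signed CA
# certificate, and the index/serial files that openssl ca bookkeeps with.
build_ca() {
    mkdir -p "$1/private" "$1/newcerts"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048)
    openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -key "$1/private/cakey.pem" -days 3655 -subj "/O=cqy/CN=cqy-root-ca" \
        -out "$1/cacert.pem"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
}

# Step 2: server key and CSR. 2048 bits rather than the post's 1024: 1024-bit
# RSA is below current minimums and modern browsers reject such certificates.
make_server_csr() {
    mkdir -p "$1/ssl"
    (umask 077; openssl genrsa -out "$1/ssl/httpd.key" 2048)
    openssl req -new -config "$1/openssl.cnf" -key "$1/ssl/httpd.key" \
        -subj "/O=cqy/CN=192.168.191.150" -out "$1/ssl/httpd.csr"
}

# Step 3: sign the CSR. -batch replaces the interactive y/n prompts and
# -notext keeps the human-readable dump out of the file Apache will load.
sign_server_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" -days 3650 \
        -in "$1/ssl/httpd.csr" -out "$1/ssl/httpd.crt"
}

run_ca_flow() {
    write_ca_config "$1"; build_ca "$1"; make_server_csr "$1"; sign_server_csr "$1"
}

# Checks worth running before copying httpd.crt to the web server.
ca_cert_is_ca()     { openssl x509 -noout -text -in "$1/cacert.pem" | grep -q 'CA:TRUE'; }
cert_chains_to_ca() { openssl verify -CAfile "$1/cacert.pem" "$1/ssl/httpd.crt" >/dev/null; }
cert_has_san()      { openssl x509 -noout -text -in "$1/ssl/httpd.crt" | grep -q 'IP Address:192.168.191.150'; }
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in "$1/ssl/httpd.crt")" = \
      "$(openssl pkey -pubout -in "$1/ssl/httpd.key")" ]
}
keys_are_private() {   # both private keys must be mode 0600
    for f in "$1/private/cakey.pem" "$1/ssl/httpd.key"; do
        [ -n "$(find "$f" -perm 600)" ] || return 1
    done
}

# Stand-alone run: build everything in a scratch directory and report.
WORK=$(mktemp -d)
run_ca_flow "$WORK"
if ca_cert_is_ca "$WORK" && cert_chains_to_ca "$WORK" && cert_has_san "$WORK" \
   && key_matches_cert "$WORK" && keys_are_private "$WORK"; then
    echo "OK: $WORK/ssl/httpd.crt verifies against $WORK/cacert.pem"
else
    echo "FAILED: inspect $WORK" >&2; exit 1
fi
```

Run it with sh; it prints the scratch path, and the check functions work unchanged against the real /etc/pki/CA and /etc/httpd/ssl paths. The subjectAltName check matters because current browsers ignore the CN and only match the server address against the subjectAltName, so a certificate issued exactly as in steps 2 and 3 (no SAN) verifies with openssl but is still rejected in a browser. Once httpd is restarted (step 5), the end-to-end equivalent of these checks from a client is `openssl s_client -connect 192.168.191.150:443 -CAfile cacert.pem`, which should report "Verify return code: 0 (ok)".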
4. Configure /etc/httpd/conf.d/ssl.conf on the web server
Edit /etc/httpd/conf.d/ssl.conf and add or change the following (httpd does not allow comments on the same line as a directive, so the explanations are on their own lines):
# bind the TLS virtual host to the web server's IP on port 443
<VirtualHost 192.168.191.150:443>
    # server name; must match the one in httpd.conf
    ServerName
    # document root; must match the one in httpd.conf
    DocumentRoot "/www/cqy150"
    ...
    # path to the signed certificate
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    # path to the private key file
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    ...
</VirtualHost>
5. Restart httpd
[root@localhost conf.d]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@localhost conf.d]# netstat -tunl | grep 443
tcp        0      0 :::443                      :::*                        LISTEN