1、演示环境:

192.168.1.145:CentOS 6.9 x86_64,Apache服务器

192.168.1.146:CentOS 7.4 x86_64,私建的CA服务器

备注:ApacheCA可以位于同一台服务器


2、192.168.1.145安装httpd服务,并启动:

# yum -y install httpd  -->  版本:httpd-2.2.15

# cd /etc/httpd/conf

# cp httpd.conf httpd.conf.bak

# vim httpd.conf  -->  ServerName localhost:80

# service httpd start

# ss -tnl | grep :80


3、创建虚拟主机页面存放目录及测试页:

# mkdir -pv /web/vhosts/htdocs

# cd /web/vhosts/htdocs

# vim index.html  -->  <h3>Index Page</h3>

# vim test.html  -->  <h3>Test Page</h3>


4、创建基于主机名的虚拟主机:

# vim /etc/httpd/conf/httpd.conf,末尾新增如下代码:

wKioL1njbxqx4ZEWAAB14lAK6R8906.jpg

# service httpd reload


5、以管理员权限运行notepad,修改本地Windows 10C:\Windows\System32\drivers\etc\hosts文件,末尾新增代码:192.168.1.145 web.vhosts.com,保存修改后访问测试页

wKiom1njcgbQczf8AAA8Qs7QNHI251.jpg

wKiom1njcgahXzWzAABIa7CiyJ0745.jpg

wKioL1njb1DwEzcrAAAsla8Kmg0931.jpg


6、192.168.1.146创建私有CA

(1)安装相关软件包:# yum -y install openssl openssh-clients

备注:OpenSSL的配置文件是/etc/pki/tls/openssl.cnf,此处无需修改,使用默认配置即可

(2)创建保存证书信息的数据库文件:# touch /etc/pki/CA/index.txt

(3)创建保存证书序列号的文件:# echo 01 > /etc/pki/CA/serial

(4)生成私钥cakey.pem# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

wKioL1njcjji3NdXAABKghT0ahc572.jpg

备注:genrsa子命令常用选项

  • genrsa:用于生成RSA密钥对的OpenSSL子命令

  • -out cakey.pem:私钥保存位置

  • 2048:密钥长度,也可以使用10244096

更多genrsa子命令选项可查看:# man genrsa

(5)生成CA证书cacert.pem

# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

wKioL1njcoCDXPHOAAE8r6iqNQY027.jpg

其中ca.keyso.com为证书颁发者

备注:req子命令常用选项

  • req:用于证书签署请求和证书生成的OpenSSL子命令

  • -new:生成新证书签署请求

  • -x509:专用于CA生成自签证书

  • -key cakey.pem:生成CA证书请求时用到的私钥

  • -days 7300:证书的有效期限为20

  • -out cacert.pem:证书的保存路径

更多req子命令选项可查看:# man req


7、192.168.1.145生成证书签署请求文件并发送至192.168.1.146

(1)安装相关软件包:# yum -y install openssh-clients

(2)创建用于存放密钥的目录:# mkdir -pv /etc/httpd/ssl

(3)生成私钥web-vhosts-com.key# (umask 077; openssl genrsa -out /etc/httpd/ssl/web-vhosts-com.key 2048)

wKioL1njctuTFjrMAABcyC-ouMs808.jpg(4)生成证书签署请求文件web-vhosts-com.csr

# openssl req -new -key /etc/httpd/ssl/web-vhosts-com.key -days 7300 -out /etc/httpd/ssl/web-vhosts-com.csr

wKioL1njcvqj0svHAAGBpWE7F6I332.jpg其中web.vhosts.com为证书颁发的对象

(5)将证书签署请求文件web-vhosts-com.csr发送至192.168.1.146

# scp /etc/httpd/ssl/web-vhosts-com.csr root@192.168.1.146:/etc/pki/CA/certs

8、192.168.1.146签署证书并发还给192.168.1.145

(1)签署证书:

# openssl ca -in /etc/pki/CA/certs/web-vhosts-com.csr -days 7300 -out /etc/pki/CA/certs/web-vhosts-com.crt

wKioL1njc3fj7FZxAAG31xwyAxw568.jpg备注:ca子命令常用选项

  • ca:用于签署证书请求的OpenSSL子命令

  • -in web-vhosts-com.csr:证书签署请求文件路径

  • -days 7300:证书的有效期限为20

  • -out web-vhosts-com.crt:证书的保存路径

更多ca子命令选项可查看:# man ca

wKioL1njc6Hw7EeHAAB1gURMx9o621.jpg(2)将证书web-vhosts-com.crt发还给192.168.1.145

# scp /etc/pki/CA/certs/web-vhosts-com.crt root@192.168.1.145:/etc/httpd/ssl

(3)192.168.1.145查看证书信息:

wKiom1njdq3COddKAABQHzTrc30329.jpg

# openssl x509 -in /etc/httpd/ssl/web-vhosts-com.crt -noout -text       //显示的信息多

# openssl x509 -in /etc/httpd/ssl/web-vhosts-com.crt -noout -subject

# openssl x509 -in /etc/httpd/ssl/web-vhosts-com.crt -noout -serial

wKioL1njdBjyypoyAAByhZLXsQI663.jpg

备注:

  • 使用私钥web-vhosts-com.key和证书web-vhosts-com.crt生成微软专用证书web-vhosts-com.crt.pfx

# cd /etc/httpd/ssl

# openssl pkcs12 -export -out web-vhosts-com.pfx -inkey web-vhosts-com.key -clcerts -in web-vhosts-com.crt

wKiom1njdwGy1TkiAACZIhMiW3M288.jpg

  • 使用微软专用证书web-vhosts-com.pfx生成私钥web-vhosts-com.key和证书web-vhosts-com.crt

# openssl pkcs12 -in web-vhosts-com.pfx -nodes -out web-vhosts-com.pem

wKiom1njdzriVZvIAABFDUtCOW8385.jpg

# openssl rsa -in web-vhosts-com.pem -out web-vhosts-com.key

wKioL1njdJKyf9YxAAAnJTfa450526.jpg

# openssl x509 -in web-vhosts-com.pem -out web-vhosts-com.crt


9、192.168.1.145配置Apache支持SSL

(1)安装SSL模块:# yum -y install mod_ssl

备注:yum方式安装的Apache默认没有装载SSL模块,即没有/etc/httpd/conf.d/ssl.conf配置文件,也没有/usr/lib64/httpd/modules/mod_ssl.so模块文件

wKioL1njdOjS0jJXAAAcGz2DJXY213.jpg

(2)配置HTTPS虚拟主机并访问测试页:

# vim /etc/httpd/conf/httpd.conf,末尾新增如下代码:

wKiom1njd7vA-HjOAACqEErtnqI112.jpg

备注:上述内容也可在配置文件/etc/httpd/conf.d/ssl.conf中直接修改

# httpd -t

# service httpd reload

# ss -tnl | grep :443

wKioL1njdUXRrBzQAAGcOLeTBfc111.jpg


wKiom1njd_uBUP77AAIlkFh78WI634.jpg


wKiom1njd_zRXCBQAABREPyuv4E310.jpg

wKioL1njdUbyTkaTAABafKr1lXk369.jpg

wKioL1njdUbQiPPuAABSWBce0UQ404.jpg

(3)将所有HTTP请求(80端口)重定向到HTTPS443端口),并访问测试页:

# vim /etc/httpd/conf/httpd.conf,在<VirtualHost*:80></VirtualHost>标签中新增如下代码:

wKioL1njdfPz5-plAADBmqWPzaw323.jpg

# httpd -t

# service httpd reload

直接访问web.vhosts.com,会自动跳转至https://web.vhosts.com

wKioL1njdhfT85OhAABREPyuv4E933.jpg

直接访问web.vhosts.com/test.html,会自动跳转至https://web.vhosts.com/test.html

wKiom1njeNnxjbyCAABafKr1lXk077.jpg

/etc/httpd/conf/httpd.conf最终末尾一共新增了如下代码:

wKiom1njePey5FHAAAFZdCIh_k8089.jpg


10、360安全浏览器中安装证书:

(1)360安全浏览器中访问效果:

wKiom1njeSWgCbvfAABORoSDSjM231.jpg

(2)192.168.1.146中的证书/etc/pki/CA/cacert.pem保存至本地Windows10桌面,并重命名为cacert.crt

(3)360安全浏览器中安装证书:设置 --> 安全设置 --> 管理HTTPS/SSL证书

wKiom1njeVbTIMamAAED2eBqA9M204.jpg


wKioL1njdqCw16WgAADr3MwgU7I722.jpg


wKiom1njeVawfz-eAAD8HdEADI0046.jpg


wKioL1njdqGR1ZalAADwo1dTZqo055.jpg


wKiom1njeVeyMxUtAADS0YshhD0461.jpg


wKioL1njdqGjOKeTAAEoP7yX4qk494.jpg


wKiom1njeVeCzgG4AAAikraqrj8132.jpg


wKioL1njdqLCQnM8AAJ60eCHDX0418.jpg

(4)重新打开360安全浏览器,再次访问测试页:

wKiom1njee7heVsuAABHCaZuZVg808.jpg

wKioL1njdzjSm0-zAABSe_VfFN0464.jpg

已没有“证书风险”的提示

(5)查看证书信息:

wKioL1njd6KjSyTmAADXIUwNBOE760.jpg


wKiom1njelnwMtOcAAEAkGEoCas075.jpg

备注:如果是生产环境中需要使用证书,建议从正规的证书颁发机构处申请。