本文主要内容为：通过 OpenSSL 自建 CA，用它自签名根证书并颁发 SSL 证书，实现 HTTPS(SSL) 服务。
实现效果预览
1、安装apache2
1.1、安装
apt install apache2
1.2、停止运行
执行命令:
/etc/init.d/apache2 stop
效果:
root@YY:/# /etc/init.d/apache2 stop
[ ok ] Stopping Apache httpd web server: apache2.
2、自建CA
2.1、创建文件夹
执行下面的命令创建相关文件夹:
mkdir -p /etc/apache2/ownSSL/{CA,Server}
cd /etc/apache2/ownSSL/
执行效果:
root@YY:~# mkdir -p /etc/apache2/ownSSL/{CA,Server}
root@YY:~# cd /etc/apache2/ownSSL/
root@YY:/etc/apache2/ownSSL# ls
CA Server
root@YY:/etc/apache2/ownSSL#
文件夹作用:
| 文件夹 | 作用 |
| --- | --- |
| /etc/apache2/ownSSL/CA | 存放 CA 私钥、CA 证书请求、CA 根证书（CA 私钥可签发任意 Server 证书，应严格限制访问权限，例如 `chmod 600`） |
| /etc/apache2/ownSSL/Server | 存放 Server 私钥、Server 证书请求、Server 证书 |
2.2、生成 CA 私钥
执行下面的命令
cd /etc/apache2/ownSSL
openssl genrsa -out CA/CA_private.key 2048
执行效果:
2.3、生成 CA 证书请求
执行下面的命令:
openssl req -new -key CA/CA_private.key -out CA/CA_request.csr
在这个过程中，程序会提示你输入该根证书的相关信息，请自行更改。注意：CA 证书的 Distinguished Name（尤其是 Common Name）不要与后面 Server 证书的完全相同，否则部分客户端/校验程序可能把 Server 证书误判为自签名证书：
我的生成过程:
root@YY:/etc/apache2/ownSSL# openssl req -new -key CA/CA_private.key -out CA/CA_request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangXi
Locality Name (eg, city) []:NanNing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:spzx
Organizational Unit Name (eg, section) []:spzx
Common Name (e.g. server FQDN or YOUR name) []:spzx
Email Address []:admin@spzx.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:spzx
An optional company name []:spzx
root@YY:/etc/apache2/ownSSL#
2.4、生成 CA 根证书
执行下面的命令:
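# `-extensions v3_ca` is only honoured together with `-extfile`; without it
# `openssl x509` adds no extensions at all, so the root certificate would carry
# no basicConstraints CA:TRUE and some clients may refuse to treat it as a CA.
# `openssl x509` also defaults to a 30-day validity, hence the explicit `-days`.
# The extension section is written to a small file next to the CA key.
cat > CA/v3_ca.cnf <<'EOF'
[ v3_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl x509 -req -in CA/CA_request.csr \
  -days 3650 \
  -extfile CA/v3_ca.cnf -extensions v3_ca \
  -signkey CA/CA_private.key \
  -out CA/CA_root.crt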
执行过程:
root@YY:/etc/apache2/ownSSL# openssl x509 -req -in CA/CA_request.csr \
> -extensions v3_ca \
> -signkey CA/CA_private.key \
> -out CA/CA_root.crt
Signature ok
subject=C = CN, ST = GuangXi, L = NanNing, O = spzx, OU = spzx, CN = spzx, emailAddress = admin@spzx.com
Getting Private key
root@YY:/etc/apache2/ownSSL#
3、自建 Server 端证书
3.1、生成 Server 私钥
执行:
openssl genrsa -out Server/Server_private.key 2048
执行结果:
root@YY:/etc/apache2/ownSSL# openssl genrsa -out Server/Server_private.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
.....................+++++
e is 65537 (0x010001)
root@YY:/etc/apache2/ownSSL#
3.2、 生成 Server 证书请求
openssl req -new -key Server/Server_private.key -out Server/Server_request.csr
执行过程
root@YY:/etc/apache2/ownSSL# openssl req -new -key Server/Server_private.key -out Server/Server_request.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangXi
Locality Name (eg, city) []:NanNing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:spzx
Organizational Unit Name (eg, section) []:spzx
Common Name (e.g. server FQDN or YOUR name) []:spzx
Email Address []:admin@spzx.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:spzx
An optional company name []:spzx
root@YY:/etc/apache2/ownSSL#
3.3、生成 Server 证书
新建文件
touch /etc/apache2/ownSSL/openssl.cnf
然后写入内容(请根据自己的实际信息更改)
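[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
# NOTE: in this guide the file is only read by
# `openssl x509 -extfile ... -extensions v3_req`, and `openssl req` is run
# without `-config`, so neither step consults the [req] sections; the values
# below are kept as the author wrote them.
countryName = CN
countryName_default = CN
stateOrProvinceName = GuangXi
stateOrProvinceName_default = NanNing
localityName = NanNing
localityName_default = NanNing
organizationalUnitName = spzx
organizationalUnitName_default = Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# Some TLS clients require an EKU of serverAuth on server certificates.
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
# IP.1 must be the address the server listens on and that clients connect to;
# an IP in the URL is matched against iPAddress entries, not dNSName.
IP.1 = 3.3.3.2
# DNS.1 is the server's host name. An IP literal here does not satisfy
# host-name verification; replace the placeholder, or drop this line if
# clients only ever use the IP address.
DNS.1 = <server-hostname>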
需要将 Server 监听的地址写入证书的 subjectAltName 中：如果访问时使用的地址与证书中的地址不一致，证书校验将不会通过。
实现效果:
root@YY:/etc/apache2/ownSSL# cat /etc/apache2/ownSSL/openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = CN
countryName_default = CN
stateOrProvinceName = GuangXi
stateOrProvinceName_default = NanNing
localityName = NanNing
localityName_default = NanNing
organizationalUnitName = spzx
organizationalUnitName_default = Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 3.3.3.2
DNS.1 = 3.3.3.2
root@YY:/etc/apache2/ownSSL#
执行命令生成 Server 证书
# Sign the server CSR with the CA key for one year; the certificate extensions
# (SAN etc.) are taken from the v3_req section of openssl.cnf.
ssl_dir=/etc/apache2/ownSSL
openssl x509 -req -days 365 \
  -in "$ssl_dir/Server/Server_request.csr" \
  -CA "$ssl_dir/CA/CA_root.crt" \
  -CAkey "$ssl_dir/CA/CA_private.key" \
  -CAcreateserial \
  -extfile "$ssl_dir/openssl.cnf" -extensions v3_req \
  -out "$ssl_dir/Server/Server_root.crt"
实现效果:
root@YY:~# openssl x509 -days 365 -req \
> -in /etc/apache2/ownSSL/Server/Server_request.csr \
> -extensions v3_req -CAkey /etc/apache2/ownSSL/CA/CA_private.key \
> -CA /etc/apache2/ownSSL/CA/CA_root.crt \
> -CAcreateserial -out /etc/apache2/ownSSL/Server/Server_root.crt \
> -extfile /etc/apache2/ownSSL/openssl.cnf
Signature ok
subject=C = CN, ST = GuangXi, L = NanNing, O = spzx, OU = spzx, CN = spzx, emailAddress = admin@spzx.com
Getting CA Private Key
root@YY:~#
4、Apache2 SSL 证书加载
4.1、停止服务运行(重要)
/etc/init.d/apache2 stop
执行过程
root@YY:~# /etc/init.d/apache2 stop
[ ok ] Stopping Apache httpd web server: apache2.
root@YY:~# /etc/init.d/apache2 status
[FAIL] apache2 is not running ... failed!
root@YY:~#
4.2、启用SSL模块
a2enmod ssl
效果:
root@YY:~# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
root@YY:~#
然后根据提示信息重启服务,然后继续停止服务(别问,问就是机密)
/etc/init.d/apache2 restart
/etc/init.d/apache2 stop
效果:
root@YY:~# /etc/init.d/apache2 restart
[....] Restarting Apache httpd web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
. ok
root@YY:~# /etc/init.d/apache2 stop
[....] Stopping Apache httpd web server: apache2
. ok
root@YY:~#
4.3、加载 SSL 配置文件 default-ssl.conf
执行:
a2ensite default-ssl
效果:
root@YY:~# a2ensite default-ssl
Enabling site default-ssl.
To activate the new configuration, you need to run:
service apache2 reload
root@YY:~#
然后提示重新加载配置,执行下面的命令
/etc/init.d/apache2 reload
/etc/init.d/apache2 restart
效果
root@YY:~# /etc/init.d/apache2 reload
[FAIL] Reloading Apache httpd web server: apache2 failed!
[warn] Apache2 is not running ... (warning).
root@YY:~# /etc/init.d/apache2 restart
[....] Restarting Apache httpd web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
. ok
root@YY:~#
5、Apache2 SSL 证书配置
5.1、添加监听端口
在 `Listen 80` 的基础上添加 443 端口。注意：默认的 ports.conf 已在 `<IfModule ssl_module>` 中包含 `Listen 443`（见下方输出）；另外 `Listen` 指令的第二个参数是协议名而不是第二个端口，写成 `Listen 80 443` 本身并不会监听 443，保留默认的 `<IfModule ssl_module>` 块即可。
vim /etc/apache2/ports.conf
效果:
root@YY:~# cat /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80 443
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
root@YY:~#
5.2、修改 SSL 配置文件 default-ssl.conf
找到 ServerAdmin（第三行），然后在下一行按下面的格式添加服务器域名/IP，也就是前面 alt_names 中设置的 IP.1 / DNS.1 的值（必须与证书中的值一致）：
ServerName <服务器域名/IP>
实现效果:
ServerAdmin webmaster@localhost
ServerName 3.3.3.3
DocumentRoot /var/www/html
然后保存退出
6、验证
6.1、重启服务
/etc/init.d/apache2 restart
效果:
root@YY:~# /etc/init.d/apache2 restart
[....] Restarting Apache httpd web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
. ok
root@YY:~#
6.2、访问
然后就可以啦