
Configuring SSL on Apache for HTTPS access

Environment for this walkthrough: the CA and Apache run on the same host.

First, turn this machine into the CA server:

[root@localhost ~]# yum -y install openssl openssl-devel

[root@localhost ~]# vi /etc/pki/tls/openssl.cnf

[ CA_default ]
dir = ../../CA

Change to:

[ CA_default ]
dir = /etc/pki/CA

To avoid repeating the same entries later, you can also pre-set some of the values under [ req_distinguished_name ]; customize those as you like, the details are not covered here.

:wq

[root@localhost ~]# cd /etc/pki/CA

[root@localhost CA]# mkdir certs newcerts crl

[root@localhost CA]# touch index.txt

[root@localhost CA]# echo 00 > serial

[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)  ## generate the CA's private key

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3657  ## generate the self-signed CA certificate

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [HaiDian]:
Organization Name (eg, company) [TEXT]:
Organizational Unit Name (eg, section) [DEV]:
Common Name (eg, your name or your server's hostname) []:ca.text.com
Email Address []:[email protected]

Because openssl.cnf already defines some of these fields, just press Enter through them until Common Name (eg, your name or your server's hostname) []: (this is the CA's name; choose any value).

The final Email Address can also be anything.

Once all prompts are answered, the CA side is done; continue below.

Compiling and installing Apache with dynamic (shared) modules:

[root@localhost CA]# tar -xf httpd-2.2.9.tar -C /usr/local/src/

[root@localhost CA]# cd /usr/local/src/httpd-2.2.9/

[root@localhost httpd-2.2.9]# ./configure --prefix=/usr/local/apache2 --sysconfdir=/etc/httpd --with-z=/usr/local/zlib/ --with-included-apr --enable-so --enable-mods-shared=most

[root@localhost httpd-2.2.9]# make; make install

Configuring SSL in Apache:

[root@localhost CA]# rpm -qa | grep mod_ssl

[root@localhost CA]# yum -y install mod_ssl  ## if mod_ssl is missing, install it with yum

[root@localhost CA]# rpm -ql mod_ssl  ## find where mod_ssl put its configuration file

[root@localhost CA]# cd /etc/httpd

[root@localhost httpd]# mkdir ssl

[root@localhost httpd]# cd ssl

[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 2048)  ## generate the server's private key

[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr  ## generate the certificate signing request

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [HaiDian]:
Organization Name (eg, company) [TEXT]:
Organizational Unit Name (eg, section) [DEV]:

## The five fields above must match the CA's settings exactly; in this exercise everything is on one host, so just press Enter for each.

Common Name (eg, your name or your server's hostname) []:text.bj.com  ## must be the address clients will use to connect, not the CA name set above

Email Address []:[email protected]  ## any value

[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 3657  ## CA signing command: answer y twice and press Enter (since everything is on one machine you can sign directly; with separate machines, copy the httpd CSR file to the CA server, sign it there, and copy the certificate back)
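The CA, key, CSR and signing steps above, replayed end to end as an added example (this is not the post's own command sequence): it writes a minimal openssl.cnf into a scratch directory instead of editing /etc/pki/tls/openssl.cnf, uses -subj and -batch in place of the interactive prompts, and finishes with openssl verify so the chain is checked before the certificate goes into Apache. The working directory is constructed here; the DN values and the ca.text.com / text.bj.com names are the ones used on the page.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive replay of the
# CA -> key -> CSR -> signed server certificate flow. WORKDIR is constructed.
set -e

# build_ca_and_server_cert WORKDIR SERVER_CN
# WORKDIR/CA mirrors the /etc/pki/CA layout; WORKDIR/ssl holds the server files.
build_ca_and_server_cert() {
    work="$1"; cn="$2"; ca="$work/CA"; ssl="$work/ssl"
    mkdir -p "$ca/certs" "$ca/newcerts" "$ca/crl" "$ca/private" "$ssl"
    : > "$ca/index.txt"; echo 00 > "$ca/serial"
    # policy_match enforces the rule that C/ST/L/O/OU must equal the CA's.
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 3657
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
emailAddress = optional
EOF
    subj="/C=CN/ST=BJ/L=HaiDian/O=TEXT/OU=DEV"
    # CA key (mode 600 via umask) and self-signed CA certificate
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -days 3657 -subj "$subj/CN=ca.text.com"
    # Server key and CSR; CN must be the hostname clients will connect to
    (umask 077; openssl genrsa -out "$ssl/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$ssl/httpd.key" -out "$ssl/httpd.csr" -subj "$subj/CN=$cn"
    # -batch answers the two interactive "y" prompts of the openssl ca step
    openssl ca -batch -notext -config "$ca/openssl.cnf" -in "$ssl/httpd.csr" \
        -out "$ssl/httpd.crt" 2>/dev/null
    # Check the chain the way a client that trusts cacert.pem would
    openssl verify -CAfile "$ca/cacert.pem" "$ssl/httpd.crt"
}
```

Run it as build_ca_and_server_cert /tmp/sslwork text.bj.com; the last line prints httpd.crt: OK when the issued certificate chains to cacert.pem, and the resulting httpd.key and httpd.crt are what SSLCertificateKeyFile and SSLCertificateFile point to.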

[root@localhost ssl]# vi /etc/httpd/conf.d/ssl.conf

Leave the default port 443 unchanged.

Check that the following two lines exist; add them if they do not:

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

<VirtualHost _default_:443>

Change to:

<VirtualHost 192.168.1.99:443>  ## IP address of the web server or of the web virtual host

Add the following two lines:

ServerName text.bj.com  ## the address defined above
DocumentRoot "/var/www/html"  ## site directory; if you use a virtual host, this must match the location defined for that virtual host in the Apache configuration

SSLEngine on  ## make sure this is enabled
SSLCertificateFile /etc/httpd/ssl/httpd.crt  ## location of the certificate
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key  ## location of the private key

:wq

[root@localhost ssl]# echo text.bj.com > /var/www/html/index.html

[root@localhost ssl]# /etc/init.d/httpd start

[root@localhost ssl]# netstat -tnlp  ## check that port 443 is listening

Browse to https://text.bj.com

The browser warns that the site's security certificate is not trusted.

Fix:

Copy /etc/pki/CA/cacert.pem to the client and install it (on a Windows PC rename the extension to .crt and double-click to install).
