[CentOS]apache+mod_ssl中证书生成方法

uuogwxyiqs

　　


----------------------------------------------------借助工具 ssl.ca-0.1.tar.gz
参考网站：http://blog.shaosong.com/archives/96
　　
　　yum -y install mod_ssl      /*在线安装mod_ssl
　　
对证书不熟悉的人，有一个工具可以使用：ssl.ca-0.1
#wget http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
#tar zxvf ssl.ca-0.1.tar.gz
#cd ssl.ca-0.1
# ./new-root-ca.sh (生成根证书)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
………………………++++++
….++++++
e is 65537 (0×10001)
Enter pass phrase for ca.key: (输入一个密码)1234567
Verifying – Enter pass phrase for ca.key: (再输入一次密码)1234567
……
Self-sign the root CA… (签署根证书)
Enter pass phrase for ca.key: (输入刚刚设置的密码)1234567
……..
…….. (下面开始签署)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:JiangSu
Locality Name (eg, city) [Sitiawan]:NanJing
Organization Name (eg, company) [My Directory Sdn Bhd]:Wiscom System Co.,Ltd
Organizational Unit Name (eg, section) [Certification Services Division]:ACSTAR
Common Name (eg, MD Root CA) []:WISCOM CA
Email Address []:acmail@wiscom.com.cn

这样就生成了ca.key和ca.crt两个文件，下面还要为我们的服务器生成一个证书：




# ./new-server-cert.sh server (这个证书的名字是server)
……
……
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:JiangSu
Locality Name (eg, city) [Sitiawan]:NanJing
Organization Name (eg, company) [My Directory Sdn Bhd]:Wiscom System Co.,Ltd
Organizational Unit Name (eg, section) [Secure Web Server]:ACSTAR
Common Name (eg, www.domain.com) []:acmail.wiscom.com.cn------------------------------该证书仅对 acmail.wiscom.com.cn 有效。换成192.168.1.104
Email Address []:acmail@wiscom.com.cn
这样就生成了server.csr和server.key这两个文件。



还需要签署一下才能使用的：
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (输入上面设置的根证书密码)
Check that the request matches the signature
Signature ok
The Subject’s Distinguished Name is as follows
countryName :P RINTABLE:’CN’
stateOrProvinceName :P RINTABLE:’JiangSu’
localityName :P RINTABLE:’NanJing’
organizationName :P RINTABLE:’Wiscom System Co.,Ltd’
organizationalUnitName:PRINTABLE:’ACSTAR’
commonName :P RINTABLE:’acmail.wiscom.com.cn’
emailAddress :IA5STRING:’acmail@wiscom.com.cn’
Certificate is to be certified until Jul 16 12:55:34 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
(如果这里出现错误，最好重新来过，删除ssl.ca-0.1这个目录，从解压缩处重新开始。)





下面要按照ssl.conf里面的设置，将证书放在适当的位置。
cd /etc/httpd/
mkdir ssl.key
mv server.key /etc/httpd/ssl.key/
mv server.crt /etc/httpd/ssl.key/
　　
最后，修改配置文件：
vim /etc/httpd/conf.d/ssl.conf

修改里面server.crt和server.key的对应路径
SSLCertificateFile /etc/httpd/ssl.key/server.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key

然后根据自己的站点修改DocumentRoot和ServerName，然后重启apache就可以了。