基于openssl的https服务的配置

iyut

openssl实现私有CA，并配置基于openssl的https服务的配置，原理如下图

在CA服务器上实现私有CA步骤如下；

1、生成一对密钥

2.生成自签证书

基本的配置如下代码;

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

[iyunv@CA CA]# pwd /etc/pki/CA [iyunv@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) [iyunv@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [NEIMENGGU]: Locality Name (eg, city) [Huhhot]: Organization Name (eg, company) [EDU]: Organizational Unit Name (eg, section) [Tech]: Common Name (eg, your name or your server's hostname) []:ca.edu.cn Email Address []:caadmin@edu.cn [iyunv@CA CA]# touch index.txt [iyunv@CA CA]# touch serial [iyunv@CA CA]# echo 01 > serial [iyunv@CA CA]# ls cacert.pem  certs  crl  index.txt  newcerts  private  serial

webserver服务器上的证书生成步骤；

1 2 3 4 5 6 7 8 9 10 11 12 13

[iyunv@www ~]# cd /etc/httpd/ [iyunv@www httpd]# mkdir ssl [iyunv@www httpd]# cd ssl/ [iyunv@www ssl]# pwd /etc/httpd/ssl [iyunv@www ssl]# (umask 077; openssl genrsa -out httpd.key 1024) Generating RSA private key, 1024 bit long modulus ..........................++++++ .......++++++ e is 65537 (0x10001) [iyunv@www ssl]# ll total 4 -rw-------. 1 root root 887 Aug  6 23:46 httpd.key

webserver生成证书签署请求；

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19

[iyunv@www ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:NEIMENGGU Locality Name (eg, city) [Default City]:Huhhot Organization Name (eg, company) [Default Company Ltd]:EDU Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server's hostname) []:www.edu.cn Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

将申请证书发送打CA服务器上，让CA服务器来完成证书的签署

1 2 3 4 5 6

[iyunv@CA CA]# scp root@192.168.0.107:/etc/httpd/ssl/httpd.csr ./certs/ root@192.168.0.107's password: httpd.csr                                 100%  647     0.6KB/s   00:00    [iyunv@CA CA]# ll ./certs/ total 4 -rw-r--r-- 1 root root 647 Aug  5 21:39 httpd.csr

CA服务器来完成证书的签署

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33

[iyunv@CA CA]# openssl ca -in ./certs/httpd.csr -out ./certs/httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details:         Serial Number: 1 (0x1)         Validity             Not Before: Aug  5 13:45:06 2016 GMT             Not After : Aug  5 13:45:06 2017 GMT         Subject:             countryName               = CN             stateOrProvinceName       = NEIMENGGU             organizationName          = EDU             organizationalUnitName    = Tech             commonName                = www.edu.cn         X509v3 extensions:             X509v3 Basic Constraints:                 CA:FALSE             Netscape Comment:                 OpenSSL Generated Certificate             X509v3 Subject Key Identifier:                 12:2C:ED:3F:F1:FA:54:FB:71:03:79:03:81:77:2D:A6:33:EF:8E:8F             X509v3 Authority Key Identifier:                 keyid:1B:1E:92:D1:DD:79:A6:68:19:91:5F:08:04:FF:7C:25:73:E4:BC:82 Certificate is to be certified until Aug  5 13:45:06 2017 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [iyunv@CA CA]# ll ./certs/ total 4 -rw-r--r-- 1 root root   0 Aug  5 21:43 httpd.crt -rw-r--r-- 1 root root 647 Aug  5 21:39 httpd.csr

将证书文件发送给请求端；

1 2 3

[iyunv@CA CA]# scp ./certs/httpd.crt root@192.168.0.107:/etc/httpd/ssl/ root@192.168.0.107's password: httpd.crt                                 100% 3754     3.7KB/s   00:00

在webserver服务器上安装支持ssl的模块；

1	# yum install -y mod_ssl

配置ssl.conf配置文件，修改如下行；

1 2 3

[iyunv@www ssl]# vim /etc/httpd/conf.d/ssl.conf 107 SSLCertificateFile /etc/httpd/ssl/httpd.crt 114 SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

启动apache服务

1	[iyunv@www ssl]# service httpd start

在windows客户端通过如下方式安装信任CA证书颁发机构；
将CA服务器上的cakey.pem文件下载到windows客户端上，修改文件名后缀为crt（cakey.crt），双击此文件，安装信任该证书颁发机构，具体步骤；
安装证书-->下一步-->选择将证书放入下列存储-->浏览-->选择受信任的根证书颁发机构-->完成；
通过web页面访问，效果如下；