CA：生成自簽名證書 [root@CA~]#cd/etc/pki/CA/ [root@CACA]#(umask077;opensslgenrsa-outprivate/cakey.pem2048) GeneratingRSAprivatekey,2048bitlongmodulus ....................................+++ .....+++ eis65537(0x10001) [root@CACA]#ls certscrlnewcertsprivate [root@CACA]#ls-lprivate/cakey.pem -rw-------.1rootroot1679Aug816:19private/cakey.pem 2、修改默認選項，可以不修改，經常使用的話就修改一下 [root@CACA]#vim../tls/openssl.cnf [req_distinguished_name] countryName=CountryName(2lettercode) countryName_default=CN#修改的 countryName_min=2 countryName_max=2 stateOrProvinceName=StateorProvinceName(fullname) stateOrProvinceName_default=shanxi#修改的 localityName=LocalityName(eg,city) localityName_default=xi\'an#修改的 0.organizationName=OrganizationName(eg,company) 0.organizationName_default=kcw9527#修改的 #wecandothisbutitisnotneedednormally:-) #1.organizationName=SecondOrganizationName(eg,company) #1.organizationName_default=WorldWideWebPtyLtd organizationalUnitName=OrganizationalUnitName(eg,section) #organizationalUnitName_default= organizationalUnitName_default=Tech#修改的 先給自己生成一個自簽證書 [root@CACA]#opensslreq-new-x509-keyprivate/cakey.pem-outcacert.pem-days3656 Youareabouttobeaskedtoenterinformationthatwillbeincorporated intoyourcertificaterequest.

WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN. Therearequiteafewfieldsbutyoucanleavesomeblank Forsomefieldstherewillbeadefaultvalue, Ifyouenter\'.\',thefieldwillbeleftblank. ----- CountryName(2lettercode)[CN]:#這一塊就是剛才在配置文件修改的默認值 StateorProvinceName(fullname)[shanxi]:# LocalityName(eg,city)[xian]:# OrganizationName(eg,company)[kcw9527]:# OrganizationalUnitName(eg,section)[Tech]:# CommonName(eg,yournameoryourserver\'shostname)[]:ca.test.com#這里很重要哦這里是發給那個服務器的證書名字要和你的server名一樣哦！不一致會有警告！這里測試發給自己的所以是ca.test.com EmailAddress[]:admin@admin.com# 要想成為一個私有的ca服務器還要修改幾個默認選項 [CA_default] dir=/etc/pki/CA#Whereeverythingiskept certs=$dir/certs#Wheretheissuedcertsarekept crl_dir=$dir/crl#Wheretheissuedcrlarekept database=$dir/index.txt#databaseindexfile. #unique_subject=no#Setto\'no\'toallowcreationof #severalctificateswithsamesubject. new_certs_dir=$dir/newcerts#defaultplacefornewcerts. certificate=$dir/cacert.pem#TheCAcertificate#避免修改所以一開始創建就這個名字 serial=$dir/serial#Thecurrentserialnumber crlnumber=$dir/crlnumber#thecurrentcrlnumber crl=$dir/crl.pem#ThecurrentCRL private_key=$dir/private/cakey.pem#Theprivatekey#這就是剛才為毛放私鑰到這個目錄下的原因 RANDFILE=$dir/private/.rand#privaterandomnumberfile 創建目錄和文件 [root@CACA]#ls cacert.pemcertscrlnewcertsprivate [root@CACA]#touchindex.txt [root@CACA]#echo01>serial 這個時候CA已經創建好了 Httpdserver端創建一對密鑰把公鑰發個CA [root@kcw~]#cd/etc/httpd/ [root@kcwhttpd]#mkdirssl#創建一個專門的ssl目錄 [root@kcwhttpd]#cdssl/ [root@kcwssl]#(umask077;opensslgenrsa2048>httpd.key) GeneratingRSAprivatekey,2048bitlongmodulus ..............+++ .............................................................................+++ eis65537(0x10001) 再下來生成證書簽署請求 [root@kcwssl]#opensslreq-new-keyhttpd.key-outhttpd.csr Youareabouttobeaskedtoenterinformationthatwillbeincorporated intoyourcertificaterequest. WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN. Therearequiteafewfieldsbutyoucanleavesomeblank Forsomefieldstherewillbeadefaultvalue, Ifyouenter\'.\',thefieldwillbeleftblank. ----- CountryName(2lettercode)[XX]:CN#注意一定要和你CA服務器信息一致因為是私有 StateorProvinceName(fullname)[]:shanxi# LocalityName(eg,city)[DefaultCity]:xi\'an# OrganizationName(eg,company)[DefaultCompanyLtd]:kcw9527# OrganizationalUnitName(eg,section)[]:Tech# CommonName(eg,yournameoryourserver\'shostname)[]:www.test.com#注意這個是你給那個虛擬主機頒發的在多個虛擬主機上只能有一個 EmailAddress[]:admin@admin.com Pleaseenterthefollowing\'extra\'attributes tobesentwithyourcertificaterequest Achallengepassword[]: Anoptionalcompanyname[]: [root@kcwssl]#ls httpd.csrhttpd.key 復制簽署請求證書到CA服務器 [root@kcwssl]#scphttpd.csrroot@10.52.115.106:/tmp#記著在/etc/hosts做解析不然很慢 root@10.52.115.106\'spassword: httpd.csr100%10451.0KB/s00:00 回到CA服務器簽署 [root@CA~]#opensslca-in/tmp/httpd.csr-out/tmp/httpd.crt-days3560 Usingconfigurationfrom/etc/pki/tls/openssl.cnf Checkthattherequestmatchesthesignature Signatureok CertificateDetails: SerialNumber:1(0x1) Validity NotBefore:Aug821:15:472014GMT NotAfter:May721:15:472024GMT Subject: countryName=CN stateOrProvinceName=shanxi organizationName=kcw9527 organizationalUnitName=Tech commonName=www.test.com emailAddress=admin@admin.com X509v3extensions: X509v3BasicConstraints: CA:FALSE NetscapeComment: OpenSSLGeneratedCertificate X509v3SubjectKeyIdentifier: DE:4A:B8:24:99:4D:E4:4B:E6:F0:37:D8:D9:70:88:0F:1E:C9:CD:EA X509v3AuthorityKeyIdentifier: keyid:EE:D9:8A:92:FF:FC:54:59:2E:33:3A:84:99:3B:B2:53:6F:44:33:4F CertificateistobecertifieduntilMay721:15:472024GMT(3560days) Signthecertificate?[y/n]:y# 1outof1certificaterequestscertified,commit?[y/n]y# Writeoutdatabasewith1newentries DataBaseUpdated [root@CA~]#cd/etc/pki/CA/ [root@CACA]#ls cacert.pemcertscrlindex.txtindex.txt.attrindex.txt.oldnewcertsprivateserialserial.old [root@CACA]#catindex.txt V240507211547Z01unknown/C=CN/ST=shanxi/O=kcw9527/OU=Tech/CN=www.test.com/emailAddress=admin@admin.com [root@CACA]#catserial 02 OK證書做好了發給請求者即可 回到httpdserver把生成的復制回來 [root@kcwssl]#scp10.52.115.106:/tmp/httpd.crt./ root@10.52.115.106\'spassword: httpd.crt100%45894.5KB/s00:00 開始配置ssl.conf配置文件 [root@kcwssl]#cd/etc/httpd/conf.d/ [root@kcwconf.d]#ls READMEssl.confwelcome.conf [root@kcwconf.d]#cpssl.confssl.conf.bak#修改之前先備份 修改ssl.conf如下 ServerNamewww.test.com DocumentRoot"/var/www/html" SSLCertificateFile/etc/httpd/ssl/httpd.crt#證書 SSLCertificateKeyFile/etc/httpd/ssl/httpd.key#私鑰文件 OK檢查語法保存退出 [root@kcwconf]#httpd-t SyntaxOK [root@kcwconf]#/etc/init.d/httpdrestart Stoppinghttpd:[FAILED] Startinghttpd:[OK] [root@kcwconf]#netstat-antlp|grephttpd tcp00:::80:::*LISTEN2782/httpd tcp00:::443:::*LISTEN2782/httpd 測試 www.test.com

用https來試試

這樣服務器發來得證書沒問題。但是客戶端沒有信任ca所以復制CA服務器證書到客戶端

客戶端裝載證書

改個名叫cacert.crt

然后安裝證書

測試

可以看見哦了