httpd服务器配置ssl

1. 手动安装ssl模块

#默认没有安装ssl的模块，需要手动安装
[root@lotus ~]# yum install -y mod_ssl
#ssl生成的文件
[root@lotus ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

2. 单独使用一台服务器来做CA服务器

#进入/etc/pki/CA目录
[root@lotus CA]# pwd
/etc/pki/CA
#生成私钥(2048位),括号中的命令将会新开一个子shell顺序执行，所以括号中的变量不能够被脚本余下的部分使用。
[root@lotus CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......................................+++
..................................+++
e is 65537 (0x10001)

[root@lotus CA]# ll private
total 4
-rw------- 1 root root 1675 Apr  9 15:43 cakey.pem
#修改证书的一些默认填写信息
[root@lotus CA]# vim ../tls/openssl.cnf
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
#国家
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
#省份
stateOrProvinceName_default     = HeNan
#城市，地区
localityName                    = Locality Name (eg, city)
localityName_default            = ZhengZhou
#组织
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = tye

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd
#部门
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Tech

3. 在CA服务器上生成自签证书

[root@lotus CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HeNan]:
Locality Name (eg, city) [ZhengZhou]:
Organization Name (eg, company) [tye]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.tye.com
Email Address []:admin@tye.com

4. 查看openssl.cnf配置，如有不同需根据生成的证书名称，私钥名称进行修改

[ CA_default ]
#证书的目录配置
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
#吊销证书目录
crl_dir         = $dir/crl              # Where the issued crl are kept
#证书信息存储位置
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
#新签证书存放目录
new_certs_dir   = $dir/newcerts         # default place for new certs.
#自签证书存放位置
certificate     = $dir/cacert.pem       # The CA certificate
#证书序列号
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
#私钥存放位置
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

5. 创建证书所需目录
   
6. 切换至web服务器，生成私钥

[root@lotus ~]# cd /etc/httpd
[root@lotus httpd]# mkdir ssl
[root@lotus httpd]# cd ssl
[root@lotus ssl]# (umask 077;openssl genrsa 1024 >httpd.key)
Generating RSA private key, 1024 bit long modulus
........++++++
..................................................++++++
e is 65537 (0x10001)
[root@lotus ssl]# ll
total 4
-rw------- 1 root root 887 Apr  9 16:03 httpd.key

7. 生成证书签署的请求文件

[root@lotus ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan  
Locality Name (eg, city) [Default City]:ZhengZhou
Organization Name (eg, company) [Default Company Ltd]:tye
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.tye.com      
Email Address []:tye@tye.com         

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

8. 将需要签署的证书文件发送到证书服务器

[root@lotus ssl]# scp httpd.csr 192.168.88.136:/tmp
The authenticity of host '192.168.88.136 (192.168.88.136)' can't be established.
RSA key fingerprint is 2f:b6:90:d7:24:13:57:f3:ed:19:2a:9a:33:b3:19:c8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.88.136' (RSA) to the list of known hosts.
root@192.168.88.136's password: 
httpd.csr     

9. 在CA服务器上对web服务器的证书进行签署

[root@lotus CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr  9 08:14:58 2021 GMT
            Not After : Apr  7 08:14:58 2031 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HeNan
            organizationName          = tye
            organizationalUnitName    = Tech
            commonName                = www.tye.com
            emailAddress              = tye@tye.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                0E:51:AB:08:65:AF:40:5F:BF:60:E4:F8:14:E4:9D:78:B8:63:C1:FA
            X509v3 Authority Key Identifier: 
                keyid:43:64:DD:E6:66:46:C9:E3:C8:D1:90:C4:F5:01:FA:4D:EF:D0:E4:63

Certificate is to be certified until Apr  7 08:14:58 2031 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#查看证书签署存放的文件和序列号
[root@lotus CA]# cat index.txt
V	310407081458Z		01	unknown	/C=CN/ST=HeNan/O=tye/OU=Tech/CN=www.tye.com/emailAddress=tye@tye.com
[root@lotus CA]# cat serial
02
#删除/tmp下的证书文件
[root@lotus CA]# rm -rf /tmp/*.c*

10. 从CA服务器上复制签署的证书到当前Web服务器上

[root@lotus ssl]# scp 192.168.88.136:/tmp/httpd.crt ./
root@192.168.88.136's password: 
httpd.crt                                                                                     100% 3808     3.7KB/s   00:00    
[root@lotus ssl]# ll
total 12
-rw-r--r-- 1 root root 3808 Apr  9 16:17 httpd.crt
-rw-r--r-- 1 root root  684 Apr  9 16:11 httpd.csr
-rw------- 1 root root  887 Apr  9 16:03 httpd.key

11. 修改web服务器上的ssl.conf配置文件

[root@lotus ~]# vim /etc/httpd/conf.d/ssl.conf 
#以下是ssl.conf中修改的信息
<VirtualHost 192.168.88.135:443>
ServerName www.tye.com
DocumentRoot "/www/lotus.tye"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

12. 修改完成后，重新启动web服务器
13. 通过window电脑访问，访问前记得修改本地hosts配置文件，由于发放证书的CA服务器不是window认证的证书，所以会报错
    
14. 传输CA服务器上的认证证书到本地window电脑一份
    
15. 修改cacert.pem文件名为cacert.crt,双击安装证书
    
    

16. 成功使用https访问网站