httpd服务器配置ssl
- 手动安装ssl模块
#默认没有安装ssl的模块,需要手动安装
[root@lotus ~]# yum install -y mod_ssl
#ssl生成的文件
[root@lotus ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
- 单独使用一台服务器来做CA服务器
#进入/etc/pki/CA目录
[root@lotus CA]# pwd
/etc/pki/CA
#生成私钥(2048位)。括号中的命令会在新开的子shell中顺序执行,因此括号内的 umask 077 只对生成私钥这一步生效(得到 -rw------- 的权限),不会改变当前shell的umask;同理,括号中设置的变量也不能被脚本余下的部分使用。
[root@lotus CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......................................+++
..................................+++
e is 65537 (0x10001)
[root@lotus CA]# ll private
total 4
-rw------- 1 root root 1675 Apr 9 15:43 cakey.pem
#修改证书的一些默认填写信息
[root@lotus CA]# vim ../tls/openssl.cnf
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
#国家
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
#省份
stateOrProvinceName_default = HeNan
#城市,地区
localityName = Locality Name (eg, city)
localityName_default = ZhengZhou
#组织
0.organizationName = Organization Name (eg, company)
0.organizationName_default = tye
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
#部门
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Tech
- 在CA服务器上生成自签证书
[root@lotus CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HeNan]:
Locality Name (eg, city) [ZhengZhou]:
Organization Name (eg, company) [tye]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.tye.com
Email Address []:admin@tye.com
- 查看 openssl.cnf 中的 [ CA_default ] 配置,如果其中的证书名、私钥名或目录与上面生成的 cacert.pem、private/cakey.pem 不一致,需要相应修改
[ CA_default ]
#证书的目录配置
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
#吊销证书目录
crl_dir = $dir/crl # Where the issued crl are kept
#证书信息存储位置
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
#新签证书存放目录
new_certs_dir = $dir/newcerts # default place for new certs.
#自签证书存放位置
certificate = $dir/cacert.pem # The CA certificate
#证书序列号
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
#私钥存放位置
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
- 创建证书所需目录和文件:按上面 [ CA_default ] 中的配置,执行 openssl ca 签署之前需要保证 certs、crl、newcerts 目录以及 index.txt、serial 文件已经存在(本例签出的第一张证书序列号为 01,签署后 serial 变为 02)
- 切换至web服务器,生成私钥(本例为1024位;1024位RSA已不再被推荐,实际部署应与上面CA私钥一样使用2048位及以上)
[root@lotus ~]# cd /etc/httpd
[root@lotus httpd]# mkdir ssl
[root@lotus httpd]# cd ssl
[root@lotus ssl]# (umask 077;openssl genrsa 1024 >httpd.key)
Generating RSA private key, 1024 bit long modulus
........++++++
..................................................++++++
e is 65537 (0x10001)
[root@lotus ssl]# ll
total 4
-rw------- 1 root root 887 Apr 9 16:03 httpd.key
- 生成证书签署的请求文件
[root@lotus ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:ZhengZhou
Organization Name (eg, company) [Default Company Ltd]:tye
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.tye.com
Email Address []:tye@tye.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- 将需要签署的证书请求文件(httpd.csr)发送到CA服务器
[root@lotus ssl]# scp httpd.csr 192.168.88.136:/tmp
The authenticity of host '192.168.88.136 (192.168.88.136)' can't be established.
RSA key fingerprint is 2f:b6:90:d7:24:13:57:f3:ed:19:2a:9a:33:b3:19:c8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.88.136' (RSA) to the list of known hosts.
root@192.168.88.136's password:
httpd.csr
- 在CA服务器上对web服务器的证书进行签署。注意这里签发的有效期是3650天,而上面生成的CA自签证书只有365天,web证书有效期超过了CA证书,CA证书到期后该web证书也将无法通过验证,两者的有效期应当匹配
[root@lotus CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 9 08:14:58 2021 GMT
Not After : Apr 7 08:14:58 2031 GMT
Subject:
countryName = CN
stateOrProvinceName = HeNan
organizationName = tye
organizationalUnitName = Tech
commonName = www.tye.com
emailAddress = tye@tye.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
0E:51:AB:08:65:AF:40:5F:BF:60:E4:F8:14:E4:9D:78:B8:63:C1:FA
X509v3 Authority Key Identifier:
keyid:43:64:DD:E6:66:46:C9:E3:C8:D1:90:C4:F5:01:FA:4D:EF:D0:E4:63
Certificate is to be certified until Apr 7 08:14:58 2031 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#查看证书签署存放的文件和序列号
[root@lotus CA]# cat index.txt
V 310407081458Z 01 unknown /C=CN/ST=HeNan/O=tye/OU=Tech/CN=www.tye.com/emailAddress=tye@tye.com
[root@lotus CA]# cat serial
02
#删除/tmp下的证书请求和证书文件(注意:/tmp/*.c* 也会匹配刚签出的 httpd.crt,所以此步应在下面把 httpd.crt 复制回web服务器之后再执行)
[root@lotus CA]# rm -rf /tmp/*.c*
- 从CA服务器上复制签署的证书到当前Web服务器上
[root@lotus ssl]# scp 192.168.88.136:/tmp/httpd.crt ./
root@192.168.88.136's password:
httpd.crt 100% 3808 3.7KB/s 00:00
[root@lotus ssl]# ll
total 12
-rw-r--r-- 1 root root 3808 Apr 9 16:17 httpd.crt
-rw-r--r-- 1 root root 684 Apr 9 16:11 httpd.csr
-rw------- 1 root root 887 Apr 9 16:03 httpd.key
- 修改web服务器上的ssl.conf配置文件
[root@lotus ~]# vim /etc/httpd/conf.d/ssl.conf
#以下是ssl.conf中修改的信息(注意:SSLProtocol all -SSLv2 仍然允许 SSLv3,SSLCipherSuite 中也保留了 3DES;这里按教程原样配置,生产环境应至少再加上 -SSLv3 并去掉弱加密套件)
<VirtualHost 192.168.88.135:443>
ServerName www.tye.com
DocumentRoot "/www/lotus.tye"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
- 修改完成后,重新启动web服务器
- 通过Windows电脑访问,访问前记得修改本地hosts配置文件,把 www.tye.com 指向web服务器的地址;由于签发证书的CA不是Windows信任的根证书颁发机构,浏览器会报证书错误
- 将CA服务器上的CA证书(cacert.pem)传输一份到本地Windows电脑
- 将 cacert.pem 文件改名为 cacert.crt,双击安装证书(需导入到“受信任的根证书颁发机构”,浏览器才会信任由该CA签发的 www.tye.com 证书)
- 成功使用https访问网站