Two Debian servers are needed: one acts as the CA and the other as the Apache server.
CA IP: 192.168.200.129
Apache IP: 192.168.200.131
CA configuration:
Install openssl
root@CA-SERVER:~# apt install -y openssl
Back up and edit the SSL configuration file
root@CA-SERVER:~# cd /etc/ssl/
root@CA-SERVER:/etc/ssl# cp openssl.cnf openssl.cnf_bak
root@CA-SERVER:/etc/ssl# vim openssl.cnf
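Change this entry to the directory where the certificates are stored; the modified version is shown below
Create the corresponding directory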
root@CA-SERVER:/etc/ssl# cd /
root@CA-SERVER:/# mkdir CA
Copy the template files into the newly created directory
root@CA-SERVER:/# cd CA
root@CA-SERVER:/CA# cp -rf /etc/ssl/* ./
Generate the root key
root@CA-SERVER:/CA# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............+++++
.....................+++++
e is 65537 (0x010001)
Generate the root certificate
root@CA-SERVER:/CA# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Inc
Organizational Unit Name (eg, section) []:www.skills.com
Common Name (e.g. server FQDN or YOUR name) []:Skill Global Root CA
Email Address []:
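The two steps above (root key, then root certificate) as an added, non-interactive example that is not part of the original walkthrough: it builds a throwaway CA with the same DN in a temporary directory, then checks that the key matches the certificate, that the certificate is marked as a CA, and that the key file is owner-only. The ca.cnf file, the function names and -days 3650 are assumptions; -days is set explicitly because openssl req -x509 issues a 30-day certificate when it is omitted.

```shell
#!/bin/sh
# Added example: throwaway root CA in a temp dir, then verification checks.
# Directory layout mirrors the page; ca.cnf and -days 3650 are assumptions.

make_ca() {  # $1 = working directory
    d=$1
    mkdir -p "$d/private" && chmod 700 "$d/private" || return 1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = CN
O = Inc
OU = www.skills.com
CN = Skill Global Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # umask 077: the key file is created owner-only, never world-readable
    ( umask 077 && openssl genrsa -out "$d/private/cakey.pem" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -config "$d/ca.cnf" -key "$d/private/cakey.pem" \
        -days 3650 -out "$d/cacert.pem"
}

key_matches_cert() {  # public key derived from the key equals the one in the cert
    k=$(openssl pkey -in "$1/private/cakey.pem" -pubout) || return 1
    c=$(openssl x509 -in "$1/cacert.pem" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

is_ca_cert() {  # basicConstraints must mark the certificate as a CA
    openssl x509 -in "$1/cacert.pem" -noout -text | grep -q 'CA:TRUE'
}

key_mode() {  # permission string of the private key, e.g. -rw-------
    ls -l "$1/private/cakey.pem" | cut -c1-10
}

valid_for_days() {  # $2 = days; succeeds if the cert outlives that span
    openssl x509 -in "$1/cacert.pem" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

work=$(mktemp -d)
make_ca "$work" && key_matches_cert "$work" && is_ca_cert "$work" \
    && valid_for_days "$work" 31 && echo "CA ok, key mode $(key_mode "$work")"
rm -rf "$work"
```

The same three check functions can be pointed at /CA on the CA server after the interactive commands above have been run.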
Apache configuration:
Install Apache2
root@debian:~# apt install -y apache2
Create the website root directory
root@debian:/# mkdir -p /data/htdocs/sdskills