How To Create a Self-Signed SSL Certificate for Apache on CentOS 8

Introduction

TLS, or “transport layer security” — and its predecessor SSL — are protocols used to wrap normal traffic in a protected, encrypted wrapper. Using this technology, servers can safely send information to their clients without their messages being intercepted or read by an outside party.

In this guide, we will show you how to create and use a self-signed SSL certificate with the Apache web server on a CentOS 8 machine.

Note: A self-signed certificate will encrypt communication between your server and its clients. However, because it is not signed by any of the trusted certificate authorities included with web browsers and operating systems, users cannot use the certificate to automatically validate the identity of your server. As a result, your users will see a security error when visiting your site. Encryption without identity validation is also weaker than it looks: an attacker who can intercept the connection can present a self-signed certificate of their own, and the client has no way to tell the two apart unless it has been told in advance which certificate to expect.

Because of this limitation, self-signed certificates are not appropriate for a production environment serving the public. They are typically used for testing, or for securing non-critical services used by a single user or a small group of users that can establish trust in the certificate's validity through alternate communication channels, for example by comparing the certificate's fingerprint with a value obtained directly from the server's administrator, or by importing the certificate itself into the client's trust store.

For a more production-ready certificate solution, check out Let’s Encrypt, a free certificate authority. You can learn how to download and configure a Let’s Encrypt certificate in our How To Secure Apache with Let’s Encrypt on CentOS 8 tutorial.

Prerequisites

Before starting this tutorial, you’ll need the following:

  • Access to a CentOS 8 server with a non-root, sudo-enabled user. Our Initial Server Setup with CentOS 8 guide can show you how to create this account.

  • You will also need to have Apache installed. You can install Apache using dnf:

    • sudo dnf install httpd

      须藤dnf安装httpd

    Enable Apache and start it using systemctl:

    • sudo systemctl enable httpd
    • sudo systemctl start httpd

    And finally, if you have a firewalld firewall set up, open up the http and https ports:

    • sudo firewall-cmd --permanent --add-service=http
    • sudo firewall-cmd --permanent --add-service=https
    • sudo firewall-cmd --reload

After these steps are complete, be sure you are logged in as your non-root user and continue with the tutorial.

Step 1 — Installing mod_ssl

We first need to install mod_ssl, an Apache module that provides support for SSL encryption.

Install mod_ssl with the dnf command:

  • sudo dnf install mod_ssl

    须藤dnf安装mod_ssl

Because of a packaging bug, we need to restart Apache once to properly generate the default SSL certificate and key, otherwise we’ll get an error reading '/etc/pki/tls/certs/localhost.crt' does not exist or is empty.

  • sudo systemctl restart httpd

The mod_ssl module is now enabled and ready for use.

Step 2 — Creating the SSL Certificate

Now that Apache is ready to use encryption, we can move on to generating a new SSL certificate. The certificate stores some basic information about your site together with the site's public key, and is accompanied by a private key file that must never leave the server: during the TLS handshake Apache uses the private key to prove that it is the legitimate owner of the certificate, so anyone who obtains the key file can impersonate the site.

We can create the SSL key and certificate files with the openssl command:

  • sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/apache-selfsigned.key -out /etc/pki/tls/certs/apache-selfsigned.crt

After you enter the command, you will be taken to a prompt where you can enter information about your website. Before we go over that, let’s take a look at what is happening in the command we are issuing:

  • openssl: This is the command line tool for creating and managing OpenSSL certificates, keys, and other files.

  • req -x509: req is the OpenSSL subcommand for creating and processing certificate signing requests (CSRs). Adding -x509 tells it to skip the CSR and output a self-signed X.509 certificate directly. X.509 is the public key infrastructure standard that SSL and TLS rely on for key and certificate management.

  • -nodes: This tells OpenSSL not to encrypt the private key with a passphrase (the certificate itself is public and is never encrypted). We need Apache to be able to read the key file, without user intervention, when the server starts up. A passphrase would prevent this from happening, since we would have to enter it after every restart. The trade-off is that file permissions are then the only thing protecting the key, so it must be readable by root alone. OpenSSL 3.0 renamed this option to -noenc and kept -nodes as a deprecated alias; CentOS 8 ships OpenSSL 1.1.1, where -nodes is the current name.

  • -days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here. Browsers and operating systems now reject publicly trusted certificates with a validity period longer than 398 days; that rule is not enforced against self-signed certificates, but keeping to a one-year lifetime is still good practice, because the command generates a fresh key at each renewal and so limits the damage from a key that is later compromised.

  • -newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.

  • -keyout: This line tells OpenSSL where to place the generated private key file that we are creating.

  • -out: This tells OpenSSL where to place the certificate that we are creating.

Fill out the prompts appropriately. The most important line is the one that requests the Common Name. You need to enter either the hostname you'll use to access the server by, or the public IP of the server. It's important that this field matches whatever you'll put into your browser's address bar to access the site, as a mismatch will cause more security errors. Be aware that the Common Name alone is no longer enough for some clients: Chrome (since version 58) and current Apple platforms ignore it and match the hostname only against the Subject Alternative Name (SAN) extension, which the command above does not set, so they report a name mismatch even when the Common Name is correct. OpenSSL 1.1.1, the version on CentOS 8, can add the extension with the -addext option (a SAN of DNS:your_domain, or IP:your_ip for an address); that value must again match what you type into the address bar.

The full list of prompts will look something like this:

Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Example
Locality Name (eg, city) [Default City]:Example 
Organization Name (eg, company) [Default Company Ltd]:Example Inc
Organizational Unit Name (eg, section) []:Example Dept
Common Name (eg, your name or your server's hostname) []:your_domain_or_ip
Email Address []:webmaster@example.com

Both of the files you created will be placed in the appropriate subdirectories of the /etc/pki/tls directory. This is a standard directory provided by CentOS for this purpose. Because the private key is stored unencrypted, confirm that it is owned by root and readable by no one else (mode 0600); the certificate, by contrast, is public and can remain world-readable.
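
The whole of this step as an added example, not code from the original tutorial: a POSIX shell script that creates the key and certificate non-interactively, sets the SAN that browsers check (a DNS name or an IP address, matching the two choices for the Common Name above), locks down the key file, and then verifies that the certificate names the host, that the key and certificate belong together, that the certificate is self-signed, and that its lifetime is what was asked for. The hostname www.example.internal, the organization name and the temporary paths are assumptions; on the server you would pass the /etc/pki/tls paths from the openssl command above.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Hostname, organization and
# paths are assumptions. Works with any OpenSSL 1.0.x/1.1.x/3.x because the
# extensions come from a config file rather than the 1.1.1-only -addext.

# gen_selfsigned HOSTNAME KEYFILE CERTFILE [DAYS]
# HOSTNAME may be a DNS name or an IPv4 address; it is written into both the
# Common Name and the subjectAltName, the field browsers actually compare.
gen_selfsigned() {
    host=$1; key=$2; crt=$3; days=${4:-365}
    case $host in
        *[!0-9.]*) san="DNS:$host" ;;   # anything that is not only digits and dots
        *)         san="IP:$host"  ;;
    esac
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
C  = US
O  = Example Inc
CN = $host

[v3_server]
subjectAltName   = $san
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes leaves the key unencrypted, so the umask and the chmod below are
    # the only protection it has: owner-readable only, never group or world.
    (umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -config "$cfg" -keyout "$key" -out "$crt")
    rc=$?
    rm -f "$cfg"
    [ "$rc" -eq 0 ] || return 1
    chmod 600 "$key" && chmod 644 "$crt"
}

# cert_matches_host CERTFILE HOSTNAME: true if HOSTNAME (DNS name or IP)
# appears in the SAN list of the certificate.
cert_matches_host() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots are literal, not regex
    openssl x509 -in "$1" -noout -text \
        | grep -oE '(DNS|IP Address):[^, ]+' \
        | grep -qxE "(DNS|IP Address):$esc"
}

# key_matches_cert KEYFILE CERTFILE: the public key inside the certificate
# must be the public half of the key file, otherwise Apache refuses to start
# (or you have deployed a certificate that belongs to some other key).
key_matches_cert() {
    pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    pub_from_crt=$(openssl x509 -in "$2" -noout -pubkey)       || return 1
    [ "$pub_from_key" = "$pub_from_crt" ]
}

# cert_is_self_signed CERTFILE: issuer and subject carry the same name.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer/subject/')
    [ "$subj" = "$iss" ]
}

# cert_not_expiring_within CERTFILE DAYS: succeeds if the certificate is
# still valid DAYS days from now (openssl's -checkend takes seconds).
cert_not_expiring_within() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_permissions_ok KEYFILE: mode 0600 (uses GNU stat).
key_permissions_ok() {
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "600" ]
}

# Usage (as root on the server), e.g.:
#   sh make-selfsigned.sh www.example.internal \
#       /etc/pki/tls/private/apache-selfsigned.key \
#       /etc/pki/tls/certs/apache-selfsigned.crt
if [ "$#" -ge 3 ]; then
    gen_selfsigned "$1" "$2" "$3" "$4" \
        && cert_matches_host "$3" "$1" \
        && key_matches_cert "$2" "$3" \
        && cert_is_self_signed "$3" \
        && key_permissions_ok "$2" \
        && echo "OK: self-signed certificate for $1 written to $3 (key: $2)"
fi
```

Run it once with the real paths, then feed the printed certificate and key paths to the VirtualHost in the next step; the checks are the same ones Apache performs implicitly at startup, but running them here gives a clear message instead of a failed reload.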

Next we will update our Apache configuration to use the new certificate and key.

Step 3 — Configuring Apache to Use SSL

Now that we have our self-signed certificate and key available, we need to update our Apache configuration to use them. On CentOS, you can place new Apache configuration files (they must end in .conf) into /etc/httpd/conf.d and they will be loaded the next time the Apache process is reloaded or restarted.

For this tutorial we will create a new minimal configuration file. If you already have an Apache <VirtualHost> set up and just need to add SSL to it, you will likely need to copy over the configuration lines that start with SSL, and switch the VirtualHost port from 80 to 443. We will take care of port 80 in the next step.

Open a new file in the /etc/httpd/conf.d directory:

  • sudo vi /etc/httpd/conf.d/your_domain_or_ip.conf

Paste in the following minimal VirtualHost configuration:

/etc/httpd/conf.d/your_domain_or_ip.conf
<VirtualHost *:443>
    ServerName your_domain_or_ip
    DocumentRoot /var/www/ssl-test
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/pki/tls/private/apache-selfsigned.key
</VirtualHost>

Be sure to update the ServerName line to however you intend to address your server. This can be a hostname, full domain name, or an IP address. Make sure whatever you choose matches the Common Name you chose when making the certificate.

The remaining lines specify a DocumentRoot directory to serve files from, and the SSL options needed to point Apache to our newly-created certificate and key. Protocol versions and cipher suites are deliberately not set here: on CentOS 8 they come from /etc/httpd/conf.d/ssl.conf, which mod_ssl installed in Step 1 and which defers to the system-wide crypto policy (SSLCipherSuite PROFILE=SYSTEM), so a hand-written cipher list in this file would only override a policy that is already maintained for you.

Now let’s create our DocumentRoot and put an HTML file in it just for testing purposes:

  • sudo mkdir /var/www/ssl-test

    须藤mkdir / var / www / ssl-test

Open a new index.html file with your text editor:

  • sudo vi /var/www/ssl-test/index.html

    须藤vi /var/www/ssl-test/index.html

Paste the following into the blank file:

/var/www/ssl-test/index.html
<h1>it worked!</h1>

This is not a full HTML file, of course, but browsers are lenient and it will be enough to verify our configuration.

Save and close the file, then check your Apache configuration for syntax errors by typing:

  • sudo apachectl configtest

    须藤apachectl configtest

You may see some warnings, but as long as the output ends with Syntax OK, you are safe to continue. If this is not part of your output, check the syntax of your files and try again.

When all is well, reload Apache to pick up the configuration changes:

  • sudo systemctl reload httpd

    须藤systemctl重新加载httpd

Now load your site in a browser, being sure to use https:// at the beginning.

You should see an error. This is normal for a self-signed certificate! The browser is warning you that it can't verify the identity of the server, because our certificate is not signed by any of the browser's known certificate authorities. For testing purposes and personal use this can be fine. You should be able to click through to advanced or more information and choose to proceed. Bear in mind that clicking through is exactly the habit an attacker relies on when interposing a certificate of their own, so for anything beyond a throwaway test, compare the fingerprint the browser displays with the one computed on the server, or import the certificate into the client's trust store so that the warning disappears for the genuine certificate only.

After you do so, your browser will load the it worked! message.

Note: if your browser doesn’t connect at all to the server, make sure your connection isn’t being blocked by a firewall. If you are using firewalld, the following commands will open ports 80 and 443:

  • sudo firewall-cmd --permanent --add-service=http
  • sudo firewall-cmd --permanent --add-service=https
  • sudo firewall-cmd --reload

Next we will add another VirtualHost section to our configuration to serve plain HTTP requests and redirect them to HTTPS.

Step 4 — Redirecting HTTP to HTTPS

Currently, our configuration will only respond to HTTPS requests on port 443. It is good practice to also respond on port 80, even if you want to force all traffic to be encrypted. Let’s set up a VirtualHost to respond to these unencrypted requests and redirect them to HTTPS.

Open the same Apache configuration file we started in previous steps:

  • sudo vi /etc/httpd/conf.d/your_domain_or_ip.conf

At the bottom, create another VirtualHost block to match requests on port 80. Use the ServerName directive to again match your domain name or IP address. Then, use Redirect to match any requests and send them to the SSL VirtualHost. Make sure to include the trailing slash. Redirect issues a temporary (302) redirect by default, which is convenient while you are still testing; once the HTTPS site is confirmed working you can change it to Redirect permanent for a 301, which browsers cache. Do not add a Strict-Transport-Security header to a host that uses a self-signed certificate: once HSTS is in effect, browsers no longer offer a way to click through the certificate warning at all.

/etc/httpd/conf.d/your_domain_or_ip.conf
<VirtualHost *:80>
    ServerName your_domain_or_ip
    Redirect / https://your_domain_or_ip/
</VirtualHost>

Save and close this file when you are finished, then test your configuration syntax again, and reload Apache:

  • sudo apachectl configtest
  • sudo systemctl reload httpd

You can test the new redirect functionality by visiting your site with plain http:// in front of the address. You should be redirected to https:// automatically.

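Checking the finished deployment from a client, as an added example that is not part of the original tutorial: instead of clicking through the browser warning, this script compares the fingerprint of the certificate the server actually presents with a fingerprint computed on the server from /etc/pki/tls/certs/apache-selfsigned.crt and passed along out of band (the alternate-channel trust the introduction describes), fetches the test page while trusting only that one certificate, and confirms the port 80 redirect from Step 4. The hostname www.example.internal, the file names and the fingerprint formats it accepts are assumptions; the network functions need the Apache host to be reachable, so only the local fingerprint helpers run without a server.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Verifies a self-signed
# Apache host against a fingerprint obtained out of band (for instance by
# running cert_fingerprint on the server and reading it off the console).
# Hostnames and file names are assumptions.

# cert_fingerprint CERTFILE: SHA-256 fingerprint of a PEM certificate as
# colon-separated upper-case hex, with openssl's "Fingerprint=" prefix removed.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# normalize_fp FP: fingerprints get pasted with or without colons and in
# either case; compare them in one canonical form.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'
}

# fingerprints_equal FP1 FP2: true only for two non-empty, equal fingerprints.
fingerprints_equal() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# served_fingerprint HOST PORT: fingerprint of the leaf certificate the
# server presents. -servername sends SNI, so the name-based VirtualHost
# from Step 3 is selected rather than the packaged localhost certificate.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# verify_endpoint HOST PORT EXPECTED_FP: exit 0 only when the served
# certificate matches the out-of-band value. Anything else is either a
# misconfiguration (wrong file, wrong VirtualHost) or a TLS endpoint that
# is not yours sitting between the client and the server.
verify_endpoint() {
    served=$(served_fingerprint "$1" "$2")
    if [ -z "$served" ]; then
        echo "no certificate received from $1:$2" >&2
        return 2
    fi
    if fingerprints_equal "$served" "$3"; then
        echo "OK: $1:$2 presents $served"
    else
        echo "MISMATCH: $1:$2 presents $served, expected $3" >&2
        return 1
    fi
}

# fetch_pinned HOST CERTFILE: fetch the test page while trusting only this
# certificate. --cacert works for a self-signed certificate and curl still
# checks that the name in the certificate matches HOST, so the --insecure
# (-k) flag is not needed and should not be used.
fetch_pinned() {
    curl --silent --show-error --cacert "$2" "https://$1/"
}

# redirect_target HOST: where a plain-HTTP request is sent (Step 4).
# Prints the Location target; expect "https://HOST/".
redirect_target() {
    curl --silent --output /dev/null --write-out '%{redirect_url}' "http://$1/"
}

# Usage: sh verify-tls.sh HOST PORT EXPECTED_FP [CERTFILE], e.g.
#   sh verify-tls.sh www.example.internal 443 "$(cat fingerprint.txt)" apache-selfsigned.crt
if [ "$#" -ge 3 ]; then
    verify_endpoint "$1" "$2" "$3" || exit $?
    if [ "$(redirect_target "$1")" = "https://$1/" ]; then
        echo "OK: http://$1/ redirects to https://$1/"
    else
        echo "WARNING: http://$1/ does not redirect to https://$1/" >&2
    fi
    if [ -n "$4" ]; then
        fetch_pinned "$1" "$4"
    fi
fi
```

The fingerprint is the SHA-256 digest of the certificate's DER encoding, so the value printed by cert_fingerprint on the server is what any browser shows in its certificate viewer; pasting that value into the script is the out-of-band step, and a mismatch should be treated as a reason to stop rather than a warning to click past.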

Conclusion

You have now configured Apache to serve encrypted requests using a self-signed SSL certificate, and to redirect unencrypted HTTP requests to HTTPS.

If you are planning on using SSL for a public website, you should look into purchasing a domain name and using a widely supported certificate authority such as Let’s Encrypt.

For more information on using Let’s Encrypt with Apache, please read our How To Secure Apache with Let’s Encrypt on CentOS 8 tutorial.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-apache-on-centos-8
