Two virtual servers are used for this demonstration: one acts as the CA server, the other as the HTTP server.
1. Create the CA's self-signed certificate. First generate the CA private key:
(umask 077; openssl genrsa -out private/cakey.pem 2048)
Then create the self-signed certificate:
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
2. Edit the configuration file
The certificate defaults can be changed in the [ CA_default ] section of the /tls/openssl.cnf configuration file:
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ZheJiang
localityName = Locality Name (eg, city)
localityName_default = HangZhou
0.organizationName = Organization Name (eg, company)
0.organizationName_default = SinaTay
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Tech
3. Complete the CA directory
For cacert.pem to act as a CA, the following are also needed:
mkdir certs crl newcerts
touch index.txt
echo 00 > serial
The CA directory then looks like this:
|-- cacert.pem
|-- certs
|-- crl
|-- index.txt
|-- newcerts
|-- private
| `-- cakey.pem
`-- serial
4. On the HTTP server, generate the private key and the certificate signing request
On the other server:
Generate the private key
(umask 077; openssl genrsa 1024 > http.key)
Generate the certificate signing request
[root@dengqp ssl]# openssl req -new -key http.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZheJiang
Locality Name (eg, city) [Default City]:HangZhou
Organization Name (eg, company) [Default Company Ltd]:SinaTay
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.dengqp.com
Email Address []:dengqp.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
5. Send the request to the CA server for signing
[root@dengqp ssl]# ansible mytest -m copy -a 'src=httpd.csr dest=/tmp'
mytest | SUCCESS => {
    "changed": true,
    "checksum": "82e312d69e70696ecabf1e2dd458ab9727a72afe",
    "dest": "/tmp/httpd.csr",
    "gid": 0,
    "group": "root",
    "md5sum": "101836ba742a1b6a022f00a93f38b269",
    "mode": "0644",
    "owner": "root",
    "size": 761,
    "src": "/root/.ansible/tmp/ansible-tmp-1461446666.48-188486814423862/source",
    "state": "file",
    "uid": 0
}
6. Sign the certificate on the CA
openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
The following error appears:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (ZheJiang) and the request (ZheJiang)
Although the two values look identical, the 'match' policy compares the encoded DN entries, and the CA certificate and the request typically carry the value with different ASN.1 string types, so the comparison fails. Relax the policy in /etc/pki/tls/openssl.cnf:
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
Sign again:
[root@dengqingpu tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  2 05:27:34 2016 GMT
            Not After : Apr 30 05:27:34 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ZheJiang
            organizationName          = SinaTay
            organizationalUnitName    = Tech
            commonName                = www.dengqp.com
            emailAddress              = dengqp@com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C9:43:FA:BC:78:6A:CE:51:57:11:F3:0D:5A:07:3D:2B:96:23:3A:DE
            X509v3 Authority Key Identifier:
                keyid:66:7B:F3:AA:19:06:BA:D9:A5:73:8D:D0:8E:A9:32:BD:A4:82:B6:30
Certificate is to be certified until Apr 30 05:27:34 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7. Copy the signed certificate back to the web server and update the SSL configuration
scp 192.168.0.180:/tmp/httpd.crt .
Edit /etc/httpd/conf.d/ssl.conf; the relevant directives after editing are shown below (the remaining default directives in the file are unchanged):
<VirtualHost 192.168.0.181:443>
ServerName www.dengqp.com:443
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
After the changes, restart the httpd service:
service httpd restart
Check that the SSL port is listening:
[root@dengqp ssl]# netstat -tnap | grep httpd
tcp 0 0 :::80 :::* LISTEN 20631/httpd
tcp 0 0 :::443 :::* LISTEN 20631/httpd
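The whole procedure above (CA key and self-signed certificate from steps 1 and 3, the server key and CSR from step 4, signing with the relaxed policy_match from step 6) is collected below as an added example; it is not the post's own script. It builds everything in a temporary directory with its own minimal openssl.cnf, so nothing under /etc/pki is touched, and it assumes only that the openssl command-line tool is installed. The directory names, the Demo Root CA name and the DN values are constructed for the demo. It also adds the checks a practitioner runs before copying files to the web server: the certificate chains to the CA, it is not itself a CA, and it matches the private key that ssl.conf will point at.

```shell
#!/bin/sh
# Added example, not part of the original post. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)          # constructed scratch location for this demo
CA="$WORK/CA"
CNF="$WORK/openssl.cnf"

# Minimal config mirroring the [ CA_default ] and [ policy_match ] sections
# the post edits; stateOrProvinceName/organizationName are 'optional', so
# signing does not fail the way it did before the post relaxed the policy.
write_config() {
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
certs = \$dir/certs
crl_dir = \$dir/crl
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Steps 1 and 3: directory layout, CA key generated under umask 077 (so the
# file is mode 0600), then the self-signed CA certificate. The serial file
# starts at 01 here; the post uses 00.
build_ca() {
  mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"
  touch "$CA/index.txt"
  echo 01 > "$CA/serial"
  (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
    -days 365 -config "$CNF" \
    -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=SinaTay/OU=Tech/CN=Demo Root CA"
}

# Step 4: server key and CSR. The post uses 1024-bit RSA; 2048 is used here
# because current browsers reject 1024-bit keys.
make_csr() {
  (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" -config "$CNF" \
    -subj "/C=CN/ST=ZheJiang/L=HangZhou/O=SinaTay/OU=Tech/CN=www.dengqp.com"
}

# Step 6: sign the CSR; -batch answers the two y/n prompts shown in the post.
sign_csr() {
  openssl ca -batch -config "$CNF" -in "$WORK/httpd.csr" \
    -out "$WORK/httpd.crt" -days 3650 -notext 2>/dev/null
}

# Pre-deployment checks: the issued certificate chains to the CA, is not a
# CA itself, and its public key equals the one derived from the private key
# (the post generates http.key but configures httpd.key; comparing the keys
# is how such a mix-up is caught before httpd is restarted).
verify_issued() {
  openssl verify -CAfile "$CA/cacert.pem" "$WORK/httpd.crt" >/dev/null
  openssl x509 -in "$WORK/httpd.crt" -noout -text | grep -q 'CA:FALSE'
  cert_pub=$(openssl x509 -in "$WORK/httpd.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/httpd.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Runs the whole chain; returns non-zero if any step or check fails.
run_demo() {
  write_config && build_ca && make_csr && sign_csr && verify_issued
}
```

Run it with `sh` followed by `run_demo`; on success `$WORK/httpd.crt` and `$WORK/httpd.key` are the pair to copy to /etc/httpd/ssl/, and `$CA/cacert.pem` is the file to install in the browser in step 8.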
8. Visit https://www.dengqp.com
The site can now be reached, but the certificate is not trusted: the CA's self-signed certificate must be installed on the machine where the browser runs.
Download cacert.pem with sz, rename it to cacert.crt, and double-click it to install.
Reopen the browser and visit the site again; the connection to the web server is now encrypted.