HTTPS configuration

This demonstration uses two virtual servers: one acts as the CA server and the other as the HTTP server.

1.  Create the CA's self-signed certificate; first generate the CA private key
Generate the CA private key with the following command (run from the CA directory, /etc/pki/CA):
(umask 077; openssl genrsa -out private/cakey.pem 2048)
Create the self-signed certificate:
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365


2.  Edit the configuration file

The certificate defaults can be changed in the /tls/openssl.cnf configuration file; the relevant sections are shown below.
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.

new_certs_dir   = $dir/newcerts         # default place for new certs.


certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extentions to add to the cert

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2


stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = ZheJiang


localityName                    = Locality Name (eg, city)
localityName_default            = HangZhou


0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = SinaTay


organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Tech

3.  Add the remaining CA files
For cacert.pem to act as a CA, the following are also needed (in the CA directory):
mkdir certs crl newcerts
touch index.txt
echo 00 > serial
(Keep the space before ">": in bash, "00>serial" is parsed as a file-descriptor redirect and leaves serial empty.)


CA directory layout:
|-- cacert.pem
|-- certs
|-- crl
|-- index.txt
|-- newcerts
|-- private
|   `-- cakey.pem
`-- serial

4.  On the HTTP server, generate the private key and a certificate signing request
On the other server:
Generate the private key (1024-bit RSA is shown as in the original; 2048 bits, as used for the CA key above, is the current minimum):
(umask 077; openssl genrsa 1024 > http.key)

Generate the certificate signing request:
[root@dengqp ssl]# openssl req -new -key http.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZheJiang
Locality Name (eg, city) [Default City]:HangZhou
Organization Name (eg, company) [Default Company Ltd]:SinaTay
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:www.dengqp.com
Email Address []:dengqp.com 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5.  Send the request to the CA server for signing
[root@dengqp ssl]# ansible mytest -m copy -a 'src=httpd.csr dest=/tmp'
mytest | SUCCESS => {
    "changed": true, 
    "checksum": "82e312d69e70696ecabf1e2dd458ab9727a72afe", 
    "dest": "/tmp/httpd.csr", 
    "gid": 0, 
    "group": "root", 
    "md5sum": "101836ba742a1b6a022f00a93f38b269", 
    "mode": "0644", 
    "owner": "root", 
    "size": 761, 
    "src": "/root/.ansible/tmp/ansible-tmp-1461446666.48-188486814423862/source", 
    "state": "file", 
    "uid": 0
}

6.  Sign the certificate on the CA
openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
This produces the following error:
Check that the request matches the signature
Signature ok
The stateOrProvinceName field needed to be the same in the
CA certificate (ZheJiang) and the request (ZheJiang)

Edit /etc/pki/tls/openssl.cnf as follows:
[ policy_match ]
countryName             = match
stateOrProvinceName     = optional
organizationName        = optional
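The two values in the error print identically, so the mismatch is in something the printout does not show; the likely cause (an assumption, not stated in the post) is that the CA certificate and the request encoded stateOrProvinceName with different ASN.1 string types, and `openssl ca` compares type and bytes, not just the text. The following Python model of the policy_match check is an added example, not code from the post: `encode_name`, `decode_name`, `policy_errors` and the sample DNs are all constructed here.

```python
# Added example (not from the post): the policy_match check `openssl ca` applied above, assuming
# the failure was a string-TYPE mismatch (ASN1_STRING_cmp compares the ASN.1 tag, not just bytes).
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C
TAG_NAMES = {PRINTABLE_STRING: "PrintableString", UTF8_STRING: "UTF8String"}
OID_C, OID_ST, OID_O = b"\x55\x04\x06", b"\x55\x04\x08", b"\x55\x04\x0a"  # 2.5.4.6/.8/.10
OID_NAMES = {OID_C: "countryName", OID_ST: "stateOrProvinceName", OID_O: "organizationName"}
POLICY_MATCH = {OID_C: "match", OID_ST: "match", OID_O: "match"}        # stock openssl.cnf
POLICY_FIXED = {OID_C: "match", OID_ST: "optional", OID_O: "optional"}  # the post's edit

def _tlv(tag, body):  # encode one DER TLV (short or long definite length)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _read_tlv(buf, pos):  # decode the TLV at buf[pos] -> (tag, body, next position)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: ln & 0x7F further bytes hold the length
        ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
    return tag, buf[pos:pos + ln], pos + ln

def encode_name(attrs):  # [(oid, string_tag, text)] -> DER X.501 Name, one AVA per RDN
    rdns = b"".join(_tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(tag, text.encode())))
                    for oid, tag, text in attrs)
    return _tlv(0x30, rdns)

def decode_name(der):  # DER X.501 Name -> [(oid, string_tag, text)], keeping each string tag
    _, body, _ = _read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)      # SET OF AttributeTypeAndValue
        _, ava, _ = _read_tlv(rdn, 0)           # SEQUENCE { type OID, value }
        _, oid, p = _read_tlv(ava, 0)
        tag, val, _ = _read_tlv(ava, p)
        out.append((oid, tag, val.decode()))
    return out

def _show(v):  # render (tag, text) or None the way the two sides are actually compared
    return "absent" if v is None else f"{TAG_NAMES.get(v[0], hex(v[0]))} {v[1]!r}"
def policy_errors(ca_der, req_der, policy):  # apply an openssl.cnf policy section like `openssl ca`
    ca = {oid: (tag, text) for oid, tag, text in decode_name(ca_der)}
    return [f"The {OID_NAMES[oid]} field needed to be the same in the CA certificate "
            f"({_show(ca.get(oid))}) and the request ({_show((tag, text))})"
            for oid, tag, text in decode_name(req_der)
            if policy.get(oid, "optional") == "match" and ca.get(oid) != (tag, text)]

# Constructed sample DNs with the post's values: ST carries the same text in two encodings.
CA_NAME = encode_name([(OID_C, PRINTABLE_STRING, "CN"), (OID_ST, PRINTABLE_STRING, "ZheJiang"), (OID_O, PRINTABLE_STRING, "SinaTay")])
REQ_NAME = encode_name([(OID_C, PRINTABLE_STRING, "CN"), (OID_ST, UTF8_STRING, "ZheJiang"), (OID_O, PRINTABLE_STRING, "SinaTay")])
```

Relaxing the policy to optional, as the post does, simply skips the check; if `openssl asn1parse` on the two files shows different string types, regenerating the request with the same [req] string_mask setting the CA side used keeps the match rule intact instead.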

Sign again:
[root@dengqingpu tmp]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  2 05:27:34 2016 GMT
            Not After : Apr 30 05:27:34 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ZheJiang
            organizationName          = SinaTay
            organizationalUnitName    = Tech
            commonName                = www.dengqp.com
            emailAddress              = dengqp@com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                C9:43:FA:BC:78:6A:CE:51:57:11:F3:0D:5A:07:3D:2B:96:23:3A:DE
            X509v3 Authority Key Identifier: 
                keyid:66:7B:F3:AA:19:06:BA:D9:A5:73:8D:D0:8E:A9:32:BD:A4:82:B6:30


Certificate is to be certified until Apr 30 05:27:34 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7.  Send the signed certificate back to the web server and edit the SSL configuration
scp 192.168.0.180:/tmp/httpd.crt .

Edit /etc/httpd/conf.d/ssl.conf so that it points at the certificate and key (the key was generated as http.key in step 4; the configuration below expects it under /etc/httpd/ssl/httpd.key). The relevant lines after editing:
<VirtualHost 192.168.0.181:443>
ServerName www.dengqp.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

After editing, restart the httpd service:
service httpd restart
Check that the SSL listening port is open:
[root@dengqp ssl]# netstat -tnap | grep httpd
tcp        0      0 :::80                       :::*                        LISTEN      20631/httpd         
tcp        0      0 :::443                      :::*                        LISTEN      20631/httpd 

8.  Visit https://www.dengqp.com
The site can be reached at this point, but the certificate is not trusted: the CA's self-signed certificate has to be installed on the machine where the browser runs.

Download cacert.pem with sz, rename it to cacert.crt, and double-click it to install. Installing it makes the browser trust every certificate this CA signs, which is why cakey.pem must stay private on the CA server.

Open the browser again and visit the site; the connection to the web server is now trusted and encrypted.

