Certificate request and signing steps:
1. Generate the certificate request
2. The RA verifies the requester
3. The CA signs the certificate
4. Retrieve the certificate
Creating a private CA
openssl's configuration file is /etc/pki/tls/openssl.cnf; look at the [CA_default] section first and check that dir = /etc/pki/CA
(1) Create the files the CA needs (the directory is /etc/pki/CA)
cd /etc/pki/CA
touch index.txt
echo 01 > serial
Also create any directory from [CA_default] that does not exist yet, e.g. new_certs_dir = $dir/newcerts
(2) The CA's self-signed certificate
cd /etc/pki/CA
(umask 077; openssl genrsa -out private/cakey.pem 2048)   # generate the CA private key
openssl req -new -x509 -key private/cakey.pem -days 7300 -out cacert.pem
-new: generate a new certificate request
-x509: self-sign it (omit -x509 when you only want a request, not a self-signed certificate)
-days: validity period
-key: the private key file to use
Note: the Common Name must match the CA host's DNS name: ca.magedu.com
Organization Name (eg, company) [Default Company Ltd] must be the same on the CA and on every request it later signs (the default policy_match in openssl.cnf requires Country, State and Organization Name to match)
(3) Issuing certificates
(a) The host that needs the certificate generates a certificate request
(b) The request file is transferred to the CA
(c) The CA signs the certificate and sends it back to the requester
3.1 Create the certificate request on the http server
cd /etc/httpd/
mkdir ssl
cd ssl
(umask 077; openssl genrsa -out httpd.key 2048)
openssl req -new -key httpd.key -days 365 -out httpd.csr
(-days has no effect on a plain request; the validity is set when the CA signs it)
Note: fill in the same Country, State and Organization as the CA; Common Name: www.magedu.com (the Common Name should be the hostname clients will connect to, which for the virtual host configured below is web1.magedu.com)
Organization Name (eg, company) [Default Company Ltd] must be the same
3.2 Send the request to the CA
scp httpd.csr root@192.168.1.130:/tmp/
3.3 On the CA (run from /etc/pki/CA)
openssl ca -in /tmp/httpd.csr -out certs/web1.magedu.com.crt -days 365
3.4 Send the generated certificate back to the http server
scp certs/web1.magedu.com.crt root@192.168.1.131:/etc/httpd/ssl/
(4) On the httpd host, configure httpd to use SSL with the issued certificate
yum -y install mod_ssl
Configuration file: /etc/httpd/conf.d/ssl.conf
httpd -M | grep ssl   # confirms ssl_module is loaded
cd /etc/httpd/conf.d/
cp ssl.conf{,.bak}
vim ssl.conf
<VirtualHost *:443>
# certificate (public key); httpd does not accept trailing comments on a directive line, so comments go on their own lines
SSLCertificateFile /etc/httpd/ssl/web1.magedu.com.crt
# private key
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
DocumentRoot "/vhosts/web1/htdocs"
ServerName web1.magedu.com
</VirtualHost>
httpd -t
service httpd restart
(5) Test from another machine
openssl s_client -connect 192.168.1.131:443 -CAfile /etc/pki/CA/cacert.pem
(the handshake output should contain "Verify return code: 0 (ok)"; then type a request followed by an empty line:)
GET / HTTP/1.1
Host: web1.magedu.com
On Windows, copy /etc/pki/CA/cacert.pem to the local machine and rename it cacert.crt (Windows recognizes the .crt extension, so it can be imported as a trusted root)
On the CA: cakey.pem --> cacert.pem
On the httpd host: httpd.key --> httpd.csr
On the CA: httpd.csr --> web1.magedu.com.crt
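The whole flow of steps (1) to (3) plus the -CAfile check from step (5), as an added example that is not part of the original page: it builds a throwaway CA in a scratch directory instead of /etc/pki/CA, using a minimal openssl.cnf that carries the same [CA_default] keys and the policy_match section that forces Country/State/Organization to match. The subject values C=CN, ST=Beijing and O=MageEdu are constructed; the hostnames are the page's own.

```shell
# Added example, not from the original page. Assumes openssl is installed;
# $1 is a scratch directory that stands in for /etc/pki/CA.
set -e
build_ca_and_issue() {
    ca_dir=$1
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts" "$ca_dir/certs"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"       # issued-certificate database (starts empty)
    echo 01 > "$ca_dir/serial"    # next serial number
    # Minimal config: the same [CA_default] keys the page tells you to check,
    # plus policy_match, which is why C/ST/O must equal the CA's own subject.
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca_dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # (2) CA private key and self-signed CA certificate (constructed subject)
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$ca_dir/private/cakey.pem" -days 7300 \
        -config "$ca_dir/openssl.cnf" -extensions v3_ca \
        -subj "/C=CN/ST=Beijing/O=MageEdu/CN=ca.magedu.com" -out "$ca_dir/cacert.pem"
    # (3) server key and request; CN is the name clients will connect to
    (umask 077; openssl genrsa -out "$ca_dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$ca_dir/httpd.key" -config "$ca_dir/openssl.cnf" \
        -subj "/C=CN/ST=Beijing/O=MageEdu/CN=web1.magedu.com" -out "$ca_dir/httpd.csr"
    openssl ca -batch -config "$ca_dir/openssl.cnf" -days 365 \
        -in "$ca_dir/httpd.csr" -out "$ca_dir/certs/web1.magedu.com.crt" 2>/dev/null
    # The check the page does with s_client -CAfile, done offline: chain to the CA
    openssl verify -CAfile "$ca_dir/cacert.pem" "$ca_dir/certs/web1.magedu.com.crt"
}
```

Run it as `build_ca_and_issue "$(mktemp -d)"`; the last line prints `... web1.magedu.com.crt: OK`, and a request whose C/ST/O differ from the CA's is refused by `openssl ca` under policy_match.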