Ubuntu + Apache2 + OpenSSL: Setting Up an HTTPS Website

Set up an HTTPS website with OpenSSL: create your own CA, generate a certificate for the site, and sign that certificate with the CA. Repost link

1. Installing the tools

Install Apache2 and OpenSSL. The openssl package provides the command-line tool used throughout this guide; libssl1.1 is only the shared library and libssl-dev only the headers, so neither is enough on its own. On Ubuntu 22.04 and later the library package is libssl3.

sudo apt-get install apache2
sudo apt-get install openssl libssl1.1
sudo apt-get install libssl-dev

2. Environment configuration

1. Listen on port 443 (the HTTPS port)

sudo gedit /etc/apache2/ports.conf

Add Listen 443 after Listen 80. On a stock Ubuntu install ports.conf already contains Listen 443 inside an <IfModule ssl_module> block, which takes effect as soon as the ssl module is enabled; check for it before adding another, because two Listen directives for the same port make Apache fail to start with "Address already in use".

2. Add ServerName localhost to apache2.conf and default-ssl.conf

sudo gedit /etc/apache2/apache2.conf
sudo gedit /etc/apache2/sites-available/default-ssl.conf

3. Enable the ssl module

sudo a2enmod ssl

4. Enable the ssl site

sudo a2ensite default-ssl

3. Generating the certificates

1. Create the directories that will hold the certificates

cd && mkdir -p myCA/signedcerts && mkdir myCA/private && cd myCA
echo '01' > serial  && touch index.txt

serial is the next serial number openssl ca will issue and index.txt is its database of issued certificates; both must exist before the first signing. private/ will hold the CA's private key, so restrict it to your own user (chmod 700 private).

2. Write caconfig.cnf

nano ~/myCA/caconfig.cnf

No sudo is needed here: the directory is in your home, and a file created through sudo would be owned by root.
# My sample caconfig.cnf file.
#
# Default configuration to use when one is not provided on the command line.
#
[ ca ]
default_ca      = local_ca
#
#
# Default location of directories and files needed to generate certificates.
#
[ local_ca ]
dir             = /home/<username>/myCA
certificate     = $dir/cacert.pem
database        = $dir/index.txt
new_certs_dir   = $dir/signedcerts
private_key     = $dir/private/cakey.pem
serial          = $dir/serial
#       
#
# Default expiration and encryption policies for certificates.
#
default_crl_days        = 365
default_days            = 1825
default_md              = sha256
#       
policy          = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Copy extensions specified in the certificate request
#
copy_extensions = copy
#       
#
# Default policy to use when generating server certificates.  The following
# fields must be defined in the server certificate.
#
[ local_ca_policy ]
commonName              = supplied
stateOrProvinceName     = supplied
countryName             = supplied
emailAddress            = supplied
organizationName        = supplied
organizationalUnitName  = supplied
#       
#
# x509 extensions to use when generating server certificates.
#
[ local_ca_extensions ]
basicConstraints        = CA:false
#       
#
# The default root certificate generation policy.
#
[ req ]
default_bits    = 2048
default_keyfile = /home/<username>/myCA/private/cakey.pem
default_md      = sha256
#       
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions
#
#
# Root Certificate Authority distinguished name.  Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName              = MyOwn Root Certificate Authority
stateOrProvinceName     = NC
countryName             = US
emailAddress            = root@tradeshowhell.com
organizationName        = Trade Show Hell
organizationalUnitName  = IT Department
#       
[ root_ca_extensions ]
basicConstraints        = CA:true
# Restrict the root key to signing certificates and CRLs (recommended addition).
keyUsage                = keyCertSign, cRLSign

Replace <username> in the [ local_ca ] and [ req ] sections of caconfig.cnf with your own login name; the paths must be absolute, because OpenSSL does not expand ~ inside a config file. Change [ root_ca_distinguished_name ] to describe your own CA.

3. Generate the CA certificate

export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl req -x509 -sha256 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
openssl x509 -in cacert.pem -out cacert.crt

The private key goes to private/cakey.pem (default_keyfile in [ req ]) and you are prompted for a passphrase that encrypts it; every later openssl ca signing step asks for this passphrase. The second command rewrites the same PEM certificate under a .crt name, which is the extension browser import dialogs expect.

4. Write exampleserver.cnf

gedit ~/myCA/exampleserver.cnf
#
# exampleserver.cnf
#

[ req ]
prompt                  = no
distinguished_name      = server_distinguished_name
req_extensions          = v3_req

[ server_distinguished_name ]
commonName              = localhost
stateOrProvinceName     = Suzhou
countryName             = CN
emailAddress            = root@tradeshowhell.com
organizationName        = Server
organizationalUnitName  = Server Organization

[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage                = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectAltName          = @alt_names

[ alt_names ]
DNS.0                   = localhost
IP.0                    = 127.0.0.1

The name typed into the browser must appear in subjectAltName: browsers match the host against the SAN list and no longer fall back to commonName, so ServerName, commonName and [ alt_names ] are all set to localhost. An IP address belongs in an IP.n entry, not a DNS.n entry (a line such as DNS.1 = 127.0.1.1 is ignored by browsers); with IP.0 = 127.0.0.1 the site is also valid when opened as https://127.0.0.1/.

5. Generate the server certificate

export OPENSSL_CONF=~/myCA/exampleserver.cnf
openssl req -sha256 -newkey rsa:2048 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
openssl rsa < tempkey.pem > server_key.pem
export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl ca -in tempreq.pem -out server_crt.pem
rm -f tempkey.pem && rm -f tempreq.pem

The first command asks for a passphrase for the temporary key; openssl rsa then writes an unencrypted copy as server_key.pem so that Apache can start without prompting. Keep that file readable only by its owner (chmod 600 server_key.pem). openssl ca asks for the CA passphrase, displays the request, and on confirmation writes the signed certificate to server_crt.pem, stores a copy as signedcerts/01.pem and records it in index.txt. Because caconfig.cnf sets copy_extensions = copy, the subjectAltName from the request is carried into the certificate; confirm it with openssl x509 -in server_crt.pem -noout -text.

6. Generate a client certificate (optional)

unset OPENSSL_CONF
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "Certificate for Whatever"

Unset OPENSSL_CONF first: it still points at caconfig.cnf from the previous step, whose [ req ] section has prompt = no and CA:true, so without unsetting it this command would silently produce a second certificate carrying the root CA's name and CA flag. The result is a self-signed certificate (the CA created above does not sign it), packed together with its key into a PKCS#12 file for browser import. Nothing in the Apache configuration below asks the browser for a client certificate (there is no SSLVerifyClient), so the test page is reachable without this step; it only matters once client authentication is enabled, and then the certificate has to be issued by a CA that Apache trusts through SSLCACertificateFile.

7. Import the generated mycert.pfx and cacert.crt into the browser
Import cacert.crt under Authorities (certificate authorities).
Import mycert.pfx under Your certificates.
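The two procedures above, server certificate (step 5) and client certificate (step 6), as one runnable script. This is an added example, not the article's own commands: it rebuilds the article's CA layout in a scratch directory, issues a server certificate for localhost and a client certificate signed by the same CA (unlike the article's self-signed mycert.pem), packs the client identity into a PKCS#12 file, and then runs the checks worth doing before pointing Apache at the files. The CA subject "Example Lab Root CA", the client name "alice" and the PKCS#12 password "changeit" are assumptions, and the keys are left unencrypted (-nodes) so the script runs unattended; in real use protect them with a passphrase or file permissions.

```shell
#!/bin/sh
# Added example (not from the original article). Rebuilds the article's CA
# layout in a scratch directory, signs a server and a client certificate with
# it, builds a PKCS#12 for the client and verifies the results.
# Assumed names: CA subject "Example Lab Root CA", client "alice",
# PKCS#12 password "changeit"; keys are unencrypted (-nodes) to run unattended.
set -eu

# Write a caconfig.cnf with the same sections as the article's into $1.
# $1 must be an absolute path: OpenSSL does not expand ~ in config files.
write_ca_config() {
    cat > "$1/caconfig.cnf" <<EOF
[ ca ]
default_ca         = local_ca
[ local_ca ]
dir                = $1
certificate        = \$dir/cacert.pem
database           = \$dir/index.txt
new_certs_dir      = \$dir/signedcerts
private_key        = \$dir/private/cakey.pem
serial             = \$dir/serial
default_days       = 1825
default_md         = sha256
policy             = local_ca_policy
x509_extensions    = local_ca_extensions
copy_extensions    = copy
[ local_ca_policy ]
commonName         = supplied
[ local_ca_extensions ]
basicConstraints   = CA:false
[ req ]
prompt             = no
distinguished_name = root_ca_dn
x509_extensions    = root_ca_ext
[ root_ca_dn ]
commonName         = Example Lab Root CA
[ root_ca_ext ]
basicConstraints   = critical, CA:true
keyUsage           = critical, keyCertSign, cRLSign
EOF
}

# issue_cert DIR NAME EKU SAN: new key and CSR for NAME, then a CA-signed cert.
# EKU and SAN ride in the CSR and reach the certificate via copy_extensions.
issue_cert() {
    dir="$1"; name="$2"; eku="$3"; san="$4"
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n[ dn ]\ncommonName = %s\n[ ext ]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\nsubjectAltName = %s\n' \
        "$name" "$eku" "$san" > "$dir/$name.cnf"
    openssl req -new -config "$dir/$name.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    chmod 600 "$dir/$name.key"
    openssl ca -batch -notext -config "$dir/caconfig.cnf" \
        -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null || return 1
}

# build_and_verify DIR: create CA, server cert, client cert and PKCS#12 under
# DIR. Returns 0 only if every check passes; other codes say which step failed.
build_and_verify() {
    dir="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    mkdir -p "$dir/signedcerts" "$dir/private" && chmod 700 "$dir/private"
    echo '01' > "$dir/serial"; : > "$dir/index.txt"
    write_ca_config "$dir"
    # Self-signed root; the [req] x509_extensions mark it CA:true.
    openssl req -x509 -config "$dir/caconfig.cnf" -newkey rsa:2048 -nodes -days 1825 \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 3
    issue_cert "$dir" localhost serverAuth "DNS:localhost, IP:127.0.0.1" || return 4
    issue_cert "$dir" alice clientAuth "email:alice@example.com" || return 5
    openssl pkcs12 -export -in "$dir/alice.crt" -inkey "$dir/alice.key" -name alice \
        -passout pass:changeit -out "$dir/alice.pfx" 2>/dev/null || return 6

    # Check 1: both leaves chain to the CA; the server one also matches the host
    # name, which is what a browser tests (against the SAN, not the CN).
    openssl verify -CAfile "$dir/cacert.pem" -verify_hostname localhost \
        "$dir/localhost.crt" >/dev/null 2>&1 || return 10
    openssl verify -CAfile "$dir/cacert.pem" -purpose sslclient \
        "$dir/alice.crt" >/dev/null 2>&1 || return 11
    # Check 2: the SAN written into the CSR survived signing.
    openssl x509 -in "$dir/localhost.crt" -noout -text | grep -q 'DNS:localhost' || return 12
    # Check 3: key and certificate belong together (a classic Apache start failure).
    cert_pub=$(openssl x509 -in "$dir/localhost.crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$dir/localhost.key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 13
    # Check 4: the PKCS#12 opens with its password and holds the client cert.
    openssl pkcs12 -in "$dir/alice.pfx" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE' || return 14
    return 0
}
```

Run it as `workdir=$(mktemp -d); build_and_verify "$workdir" && echo OK`. Afterwards $workdir/localhost.crt and $workdir/localhost.key are the files to reference from SSLCertificateFile and SSLCertificateKeyFile, and $workdir/alice.pfx is what a browser imports under "Your certificates". The -batch and -nodes flags exist only to avoid prompts; the article's interactive commands with passphrases produce the same certificates.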

4. Configuring the certificate

sudo gedit /etc/apache2/sites-available/default-ssl.conf

Inside the <VirtualHost _default_:443> block add ServerName and change SSLCertificateFile and SSLCertificateKeyFile (twj is the author's login name; use the path to your own myCA). Apache reads these files as root at startup, so a home directory works, though /etc/ssl/certs and /etc/ssl/private are the conventional locations.

ServerName localhost
SSLCertificateFile /home/twj/myCA/server_crt.pem
SSLCertificateKeyFile /home/twj/myCA/server_key.pem
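The complete virtual host as it would look after the edit, given here as an added example rather than the article's own file. It keeps the article's /home/twj/myCA paths, disables the obsolete protocol versions, and shows (commented out) the two directives that would actually make Apache demand the client certificate from step 6; the log paths are the Ubuntu defaults.

```apache
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName localhost
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    SSLEngine on
    # Server certificate signed by the private CA and its unencrypted key.
    SSLCertificateFile    /home/twj/myCA/server_crt.pem
    SSLCertificateKeyFile /home/twj/myCA/server_key.pem

    # Refuse SSLv3 and TLS 1.0/1.1; only TLS 1.2 and 1.3 remain.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    # Optional client authentication. Enabling this makes Apache require a
    # certificate issued by the CA named here, so a self-signed mycert.pem
    # would be rejected; the client certificate must be CA-signed.
    #SSLCACertificateFile /home/twj/myCA/cacert.pem
    #SSLVerifyClient require
    #SSLVerifyDepth 1

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>
```

Before restarting, `sudo apachectl configtest` reports a typo in the file or an unreadable key. After the restart, `openssl s_client -connect localhost:443 -servername localhost -CAfile ~/myCA/cacert.pem` should end with "Verify return code: 0 (ok)"; any other code means the browser will show a warning too.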

5. Visiting the test page

1. Add a test.html in /var/www/html

<html>
    <head>
        <title>This is a test!</title>
    </head>

    <body>
        <h1>This is a test!</h1>
        <p>Hello world!</p>
    </body>
</html>

2. Restart the apache2 service

Run sudo apachectl configtest first; it reports configuration errors without taking the server down.

 sudo systemctl restart apache2

3. Open https://localhost/test.html
The page loads over HTTPS.
