Set up an HTTPS website with OpenSSL: create your own CA, generate a certificate for the site, and sign that certificate with the CA.
1. Tool installation
Install Apache2 and OpenSSL. The openssl package provides the command-line tool used throughout this tutorial (a libssl package only provides the shared library); libssl-dev is only needed if you compile software against OpenSSL and can be skipped here.
sudo apt-get install apache2
sudo apt-get install openssl
sudo apt-get install libssl-dev
2. Environment configuration
1. Listen on port 443 (the HTTPS port)
sudo gedit /etc/apache2/ports.conf
Make sure the file contains Listen 443 in addition to Listen 80. On Ubuntu the stock ports.conf already has Listen 443 inside an <IfModule ssl_module> block, so only add it if it is missing: two Listen directives for the same address and port make Apache fail to start with an "Address already in use" error.
2. Add ServerName localhost to apache2.conf and default-ssl.conf
sudo gedit /etc/apache2/apache2.conf
sudo gedit /etc/apache2/sites-available/default-ssl.conf
3. Enable the ssl module
sudo a2enmod ssl
4. Enable the ssl site
sudo a2ensite default-ssl
3. Generating the certificates
1. Create the directories for the CA
cd && mkdir -p myCA/signedcerts && mkdir myCA/private && cd myCA
echo '01' > serial && touch index.txt
signedcerts/ will hold a copy of every certificate the CA issues, serial is the next serial number, and index.txt is the CA's database of issued certificates. The CA's private key will live in myCA/private; make that directory readable by your user only, since anyone who can read the key can issue certificates that your browser will trust.
2. Write caconfig.cnf
nano ~/myCA/caconfig.cnf
(The file lives in your own home directory, so sudo is not needed; editing with sudo leaves a root-owned file behind.)
# My sample caconfig.cnf file.
#
# Default configuration to use when one is not provided on the command line.
#
[ ca ]
default_ca = local_ca
#
#
# Default location of directories and files needed to generate certificates.
#
[ local_ca ]
dir = /home/<username>/myCA
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/signedcerts
private_key = $dir/private/cakey.pem
serial = $dir/serial
#
#
# Default expiration and encryption policies for certificates.
#
default_crl_days = 365
default_days = 1825
default_md = sha256
#
policy = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Copy extensions specified in the certificate request
#
copy_extensions = copy
#
#
# Default policy to use when generating server certificates. The following
# fields must be defined in the server certificate.
#
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
#
#
# x509 extensions to use when generating server certificates.
#
[ local_ca_extensions ]
basicConstraints = CA:false
#
#
# The default root certificate generation policy.
#
[ req ]
default_bits = 2048
default_keyfile = /home/<username>/myCA/private/cakey.pem
default_md = sha256
#
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
#
#
# Root Certificate Authority distinguished name. Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName = MyOwn Root Certificate Authority
stateOrProvinceName = NC
countryName = US
emailAddress = root@tradeshowhell.com
organizationName = Trade Show Hell
organizationalUnitName = IT Department
#
[ root_ca_extensions ]
basicConstraints = CA:true
In caconfig.cnf, replace <username> in the [ local_ca ] and [ req ] sections with your own user name, and change [ root_ca_distinguished_name ] to describe your CA. Two settings are worth understanding: copy_extensions = copy makes the CA copy every extension present in a request (including subjectAltName) into the issued certificate, which is convenient for a private CA but means you should read each request before signing it; and basicConstraints = CA:false in [ local_ca_extensions ] takes precedence over anything in the request (OpenSSL only copies request extensions that the CA configuration does not already set), so a request cannot obtain a CA certificate from this CA.
3. Generate the CA certificate
export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl req -x509 -sha256 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825
openssl x509 -in cacert.pem -out cacert.crt
Because default_keyfile is set in caconfig.cnf, the new CA key is written to ~/myCA/private/cakey.pem; you are prompted for a passphrase that encrypts it, and you will need that passphrase every time you sign a certificate with openssl ca. The distinguished name is taken from the configuration file (prompt = no), so nothing else is asked. The second command only rewrites the same PEM certificate under a .crt name, which is what browsers expect when importing a CA.
4. Write exampleserver.cnf
gedit ~/myCA/exampleserver.cnf
#
# exampleserver.cnf
#
[ req ]
prompt = no
distinguished_name = server_distinguished_name
req_extensions = v3_req
[ server_distinguished_name ]
commonName = localhost
stateOrProvinceName = Suzhou
countryName = CN
emailAddress = root@tradeshowhell.com
organizationName = Server
organizationalUnitName = Server Organization
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = localhost
IP.1 = 127.0.1.1
Browsers match the host name in the URL against subjectAltName (modern browsers ignore commonName for this), so ServerName, commonName and the DNS entry in [ alt_names ] must all be localhost. An IP address has to be given as an IP entry, not a DNS entry: a DNS.n = 127.0.1.1 line produces a DNS name that never matches anything. IP.1 = 127.0.1.1 makes the certificate valid when the site is opened by that address; add IP.2 = 127.0.0.1 if https://127.0.0.1/ should work as well. Every field marked supplied in [ local_ca_policy ] (including emailAddress and organizationalUnitName) must be present in [ server_distinguished_name ], otherwise openssl ca refuses the request.
5. Generate the server certificate
export OPENSSL_CONF=~/myCA/exampleserver.cnf
openssl req -sha256 -newkey rsa:2048 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
openssl rsa < tempkey.pem > server_key.pem
export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl ca -in tempreq.pem -out server_crt.pem
rm -f tempkey.pem && rm -f tempreq.pem
The first openssl req command creates a new passphrase-protected key and a certificate signing request (-new is implied by -newkey). openssl rsa writes a copy of the key without the passphrase so that Apache can start unattended; server_key.pem is the server's secret, so keep it readable only by your user. openssl ca then signs the request with the CA key (you are asked for the CA passphrase and to confirm the signing), records the new certificate in index.txt and signedcerts/, and writes it to server_crt.pem. Because caconfig.cnf has copy_extensions = copy, the subjectAltName and keyUsage from the request end up in the certificate; check the subject and extensions that openssl ca prints before you confirm.
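The whole of section 3, steps 1 to 5, as one script. This is an added example written for this page, not the page's own commands: it uses -config instead of OPENSSL_CONF, generates unencrypted keys (-nodes) so it runs unattended, writes the IP address as an IP subjectAltName entry, and ends with the checks worth running before the certificate goes into Apache: that the issued certificate chains to the CA, carries the expected subjectAltName, is not a CA certificate despite copy_extensions = copy, and matches the private key. The directory layout, the shorter distinguished names (organizationName and commonName only) and the "Example Lab" names are the script's own assumptions; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not the page's own commands): steps 1-5 of section 3 as one
# script, plus the checks worth running before Apache uses the result.
# Needs the openssl command-line tool. Usage: sh mkcerts.sh /path/to/myCA [host]
set -eu

make_ca() {
    dir=$1
    mkdir -p "$dir/signedcerts" "$dir/private"
    chmod 700 "$dir/private"            # only the owner may read the CA key
    echo 01 > "$dir/serial"
    : > "$dir/index.txt"
    # Same layout as caconfig.cnf above; $dir is expanded by the shell.
    cat > "$dir/caconfig.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/signedcerts
default_md      = sha256
default_days    = 825
policy          = local_ca_policy
x509_extensions = local_ca_extensions
copy_extensions = copy
[ local_ca_policy ]
organizationName = supplied
commonName       = supplied
[ local_ca_extensions ]
# Fixed by the CA: a request asking for CA:TRUE cannot override this.
basicConstraints = critical, CA:FALSE
[ req ]
prompt             = no
distinguished_name = root_ca_dn
x509_extensions    = root_ca_extensions
[ root_ca_dn ]
organizationName = Example Lab
commonName       = Example Lab Root CA
[ root_ca_extensions ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -nodes: unencrypted CA key so the script runs unattended (the page's
    # commands prompt for a passphrase instead, which is the safer choice).
    openssl req -config "$dir/caconfig.cnf" -x509 -sha256 -newkey rsa:2048 -nodes \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" -days 1825
}

issue_server_cert() {
    dir=$1 host=$2
    cat > "$dir/$host.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = server_dn
req_extensions     = v3_req
[ server_dn ]
organizationName = Example Lab
commonName       = $host
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host, IP:127.0.0.1
EOF
    openssl req -config "$dir/$host.cnf" -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$dir/server_key.pem" -out "$dir/server_req.pem"
    # copy_extensions = copy means the CA signs whatever SAN the request
    # carries, so show it before signing.
    echo "request SAN: $(openssl req -in "$dir/server_req.pem" -noout -text | print_san)"
    openssl ca -config "$dir/caconfig.cnf" -batch -notext \
        -in "$dir/server_req.pem" -out "$dir/server_crt.pem"
    rm -f "$dir/server_req.pem" "$dir/$host.cnf"
}

# Print the subjectAltName value from `openssl x509/req -text` output on stdin.
print_san()        { sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'; }
cert_san()         { openssl x509 -in "$1" -noout -text | print_san; }
cert_is_ca()       { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
verify_chain()     { openssl verify -CAfile "$1/cacert.pem" "$1/server_crt.pem"; }
key_matches_cert() {     # the classic "does this key belong to this cert" check
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

main() {
    dir=$1 host=${2:-localhost}
    make_ca "$dir"
    issue_server_cert "$dir" "$host"
    verify_chain "$dir"
    echo "issued SAN: $(cert_san "$dir/server_crt.pem")"
    ! cert_is_ca "$dir/server_crt.pem" || { echo "server cert is a CA"; exit 1; }
    key_matches_cert "$dir/server_key.pem" "$dir/server_crt.pem" || { echo "key/cert mismatch"; exit 1; }
    echo "use SSLCertificateFile $dir/server_crt.pem and SSLCertificateKeyFile $dir/server_key.pem"
}

if [ $# -ge 1 ]; then main "$@"; fi
```

The two last checks are the ones that matter when Apache refuses to start later: key_matches_cert compares the RSA modulus of the key and the certificate, and cert_is_ca confirms that the CA's basicConstraints = CA:FALSE really did win over the request. Dropping -nodes from the two openssl req calls gives the same passphrase behaviour as the page's commands.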
6. Generate a client certificate (optional)
unset OPENSSL_CONF
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout mycert.pem -out mycert.pem
openssl pkcs12 -export -out mycert.pfx -in mycert.pem -name "Certificate for Whatever"
OPENSSL_CONF still points at caconfig.cnf after the previous step; unset it first, otherwise the [ req ] section of caconfig.cnf (prompt = no, the CA's distinguished name and the CA:true extension) is applied to this certificate. With the system default configuration openssl req asks for the distinguished name interactively. Giving the same file name to -keyout and -out is intentional: openssl req appends the certificate after the key in that case, so mycert.pem holds both, and openssl pkcs12 reads the key and the certificate from that one file when building the .pfx bundle (you are asked for an export password). Note that this certificate is self-signed rather than issued by the CA above, and the Apache configuration in the following steps never asks the browser for a client certificate (there is no SSLVerifyClient directive), so this step is not needed to open the test page. For real client authentication the client certificate would have to be issued by a CA that the server is configured to trust.
7. Import mycert.pfx and cacert.crt into the browser
Import cacert.crt under the certificate authorities and trust it for identifying websites.
Import mycert.pfx under your own certificates.
4. Configure the certificate
sudo gedit /etc/apache2/sites-available/default-ssl.conf
Inside the <VirtualHost _default_:443> block, add ServerName and point SSLCertificateFile and SSLCertificateKeyFile at the files generated above (twj is the author's user name; use the path of your own myCA directory):
ServerName localhost
SSLCertificateFile /home/twj/myCA/server_crt.pem
SSLCertificateKeyFile /home/twj/myCA/server_key.pem
Apache reads the certificate and key as root while starting, so for a local test they can stay in your home directory as long as server_key.pem is not readable by other users. On a real server move the key to /etc/ssl/private and the certificate to /etc/ssl/certs, the locations the stock default-ssl.conf already uses for the snakeoil certificate.
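The full SSL virtual host for this setup, as an added example written for this page (it is not the stock Ubuntu default-ssl.conf, although it keeps that file's <IfModule mod_ssl.c> and _default_:443 structure). It assumes the certificate paths from step 4 and the user name twj from the page; the protocol and cipher settings are an addition the tutorial does not cover, since Apache's default SSLProtocol (all -SSLv3) does not by itself exclude TLS 1.0 and 1.1.

```apacheconf
# /etc/apache2/sites-available/default-ssl.conf (added example for this page,
# not the stock file; paths assume the myCA directory of user twj from step 4)
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName localhost
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    SSLEngine on
    # Certificate issued by the private CA in section 3, and its unencrypted key
    SSLCertificateFile    /home/twj/myCA/server_crt.pem
    SSLCertificateKeyFile /home/twj/myCA/server_key.pem

    # The tutorial leaves these at Apache's defaults (SSLProtocol all -SSLv3),
    # which do not exclude TLS 1.0/1.1 by themselves.
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    SSLSessionTickets   off

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
</IfModule>
```

Run sudo apache2ctl configtest after editing; the SSL directives only parse once a2enmod ssl from section 2 has been run, and a mismatched certificate and key is reported there rather than at restart.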
5. Open the test page
1. Create test.html in /var/www/html
<html>
<head>
</head>
<body>
<h1>This is a test!</h1>
<p>Hello world!</p>
</body>
</html>
2. Restart the apache2 service
sudo systemctl restart apache2
If the restart fails, run apache2ctl configtest and read /var/log/apache2/error.log: a certificate that does not match its key, an unreadable key file, or a duplicate Listen 443 all show up there.
3. Open https://localhost/test.html
The page loads over HTTPS without a warning: the browser trusts the imported CA, and the certificate's subjectAltName matches localhost.