httpds证书步骤
(基于yum安装,源码安装大同小异)
1.配置虚拟主机和模块相应文件生成
[root@8-4 conf.d]# pwd
/etc/httpd/conf.d
[root@8-4 conf.d]# mv /usr/share/doc/httpd/httpd-vhosts.conf .
[root@8-4 conf.d]# cat httpd-vhosts.conf
<VirtualHost *:80>
DocumentRoot "/var/www/html/h/"
ServerName web1.example.com
ErrorLog "/var/log/web1.com-error_log"
CustomLog "/var/log/web1.example.com-access_log" combined
</VirtualHost>
[root@8-4 ~]# yum -y install mod_ssl #安装mod_ssl模块
#ssl模块的开启
[root@8-4 conf.modules.d]# pwd
/etc/httpd/conf.modules.d
[root@8-4 conf.modules.d]# ls
00-base.conf 00-lua.conf 00-optional.conf 00-ssl.conf(此处)
[root@8-4 conf.modules.d]# cat 00-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
2.配置密钥相关文件生成证书
#/etc/pki下创建该目录
[root@8-4 ~]# mkdir /etc/pki/CA
[root@8-4 ~]# cd /etc/pki/CA/
#再创建private目录,存放下一步生成的文件
[root@8-4 CA]# mkdir private
#生成一个公钥的文件
[root@8-4 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
..........+++++
e is 65537 (0x010001)
#查看密钥(可忽略)
[root@8-4 CA]# openssl rsa -in private/cakey.pem -pubout
#x509协议,生成cacert.pem文件,有365天效期
[root@8-4 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家
State or Province Name (full name) []:HB #省
Locality Name (eg, city) [Default City]:WH #城市
Organization Name (eg, company) [Default Company Ltd]:999 #公司
Organizational Unit Name (eg, section) []:999* #部门
Common Name (eg, your name or your server's hostname) []:web1.example.com #服务机主机名
Email Address []:999@qq.com #电子邮件
#查看生成的证书的信息
[root@8-4 CA]# openssl x509 -text -in cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
32:1e:ac:80:35:d0:05:59:8b:83:70:df:ed:7c:49:d0:f0:f3:31:d3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = HB, L = WH, O = 999, OU = 999*, CN = web1.example.com, emailAddress = 999@qq.com
Validity
Not Before: Jul 19 10:46:29 2021 GMT
Not After : Jul 19 10:46:29 2022 GMT
Subject: C = CN, ST = HB, L = WH, O = 999, OU = 999*, CN = web1.example.com, emailAddress = 999@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
#创建一个文件三个目录,输出01内容到serial内
[root@8-4 CA]# mkdir certs cr1 newcerts
[root@8-4 CA]# touch index.txt && echo "01" > serial
#到/opt内生成一个httpd.key文件
[root@8-4 ~]# cd /opt/
[root@8-4 opt]# umask 077;openssl genrsa -out httpd.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
....................................................................................................................................................+++++
e is 65537 (0x010001)
[root@8-4 opt]# ls
httpd.key
#用httpd.key再生成一个httpd.csr文件
[root@8-4 opt]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:999
Organizational Unit Name (eg, section) []:999*
Common Name (eg, your name or your server's hostname) []:web1.example.com
Email Address []:999@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #回车
An optional company name []:#回车 #要不要加密
[root@8-4 opt]# ll
总用量 8 #此处必须要有大小,否则失败
-rw-------. 1 root root 1029 7月 19 18:56 httpd.csr
-rw-------. 1 root root 1675 7月 19 18:52 httpd.key
#签署证书(再生一个crt的文件)
[root@8-4 opt]# openssl ca -in httpd.csr -out httpd.crt -days 365
Certificate is to be certified until Jul 19 11:06:03 2022 GMT (365 days)
Sign the certificate? [y/n]:y #签名
1 out of 1 certificate requests certified, commit? [y/n] #提交
[root@8-4 opt]# ls
httpd.crt httpd.csr httpd.key
#删掉之前的csr文件以免信息泄露
[root@8-4 opt]# rm -rf httpd.csr
3.生成的证书(httpd.key httpd.crt)应用到网站上(最重要一步)
#ssl.conf内配置证书的位置
[root@8-4 conf.d]# pwd
/etc/httpd/conf.d
[root@8-4 conf.d]# vim ssl.conf
Listen 443 https
<VirtualHost _default_:443>
ServerName web1.example.com:443
DocumentRoot "/var/www/html/h/"
ErrorLog "/var/log/ssl_error_log
TransferLog /var/log/ssl_access_log
#SSLSessionCache shmcb:/run/httpd/sslcache(512000)
#SSLSessionCacheTimeout 300 #俩行添加注释
在httpd目录下新创建一个ssl目录,密钥文件放到这个下面(方便查找)
[root@8-4 httpd]# mkdir ssl
[root@8-4 ssl]# mv /opt/* .
[root@8-4 ssl]# ls
httpd.crt httpd.key
#配置ssl.conf文件(该文件在conf.d辅助文件内)
[root@8-4 conf.d]# vim ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt #俩路径可以自定义方便查找就行
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
4.重启httpd服务 (域名绑定略,铁子萌都知道)
[root@8-4 conf.d]# vim ssl.conf
[root@8-4 conf.d]# systemctl restart httpd.service
[root@8-4 conf.d]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
5.效果:
1万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
