Linux HTTP server: setting up SSL + HTTP on Linux so the server can be reached over HTTPS

yum install httpd php

1. Configure the CA server

vim /etc/pki/tls/openssl.cnf

Edit line 45 to change the directory the CA keeps its files in, from

dir   = ../../CA

to

dir   = /etc/CA

Edit line 178, the basicConstraints extension, so that the generated CA certificate is marked as a certificate authority (this is what allows it to sign other certificates; it is not about "self-signing" as such):

#basicConstraints=CA:FALSE

becomes

basicConstraints=CA:TRUE

Caveat: line 178 is in the [ usr_cert ] section, the extension set that openssl ca applies by default (x509_extensions = usr_cert) to every certificate it issues. The certificate details printed further down (Netscape Comment, CA:TRUE) show that this version's CA script really does build the CA certificate from that section, so the edit is needed for -newca, but it equally applies to the web server certificate signed later on this page, which would then itself be able to issue certificates trusted by every browser that imports this CA. Change the line back to CA:FALSE as soon as the CA certificate exists and before signing any server request.

cd /etc/pki/CA

Point the script that generates the CA certificate at the same directory (line 42):

vim /etc/pki/tls/misc/CA

CATOP=../../CA

CATOP=/etc/CA

Run the script to generate the CA certificate. The transcript below comes from an old OpenSSL release (note the 1024-bit default key, too small by current standards); current releases default to 2048 bits and may word the prompts slightly differently.

/etc/pki/tls/misc/CA -newca

CA certificate filename (or enter to create)   (press Enter)

Making CA certificate ...

Generating a 1024 bit RSA private key

.++++++

....................................................................................++++++

writing new private key to '/etc/CA/private/./cakey.pem'

Enter PEM pass phrase:   (passphrase protecting the CA private key; 111111 in this walkthrough, far too weak for the key the whole trust chain depends on)

Verifying - Enter PEM pass phrase:   (confirm the passphrase, 111111)

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:BEIJING

Locality Name (eg, city) [Newbury]:HD

Organization Name (eg, company) [My Company Ltd]:school

Organizational Unit Name (eg, section) []:it

Common Name (eg, your name or your server's hostname) []:server11.com

Email Address []:chengfeng56@126.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/CA/private/./cakey.pem:111111

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 0 (0x0)

Validity

Not Before: Jul 17 01:20:16 2013 GMT

Not After : Jul 16 01:20:16 2016 GMT

Subject:

countryName               = CN

stateOrProvinceName       = BEIJING

organizationName          = school

organizationalUnitName    = it

commonName                = server11.com

emailAddress              = chengfeng56@126.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:TRUE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

37:A5:4E:79:72:DF:51:1A:EF:9D:43:D1:9C:2E:24:92:70:D3:FF:64

X509v3 Authority Key Identifier:

keyid:37:A5:4E:79:72:DF:51:1A:EF:9D:43:D1:9C:2E:24:92:70:D3:FF:64

Certificate is to be certified until Jul 16 01:20:16 2016 GMT (1095 days)

Write out database with 1 new entries

Data Base Updated

Configure the web server: generate the web server's own private key

openssl genrsa -des3 -out /etc/httpd/conf.d/server.key 2048

Always give the key length explicitly. Run without it, as in the transcript below, this OpenSSL version defaulted to 512 bits, a size that can be factored with commodity cloud resources and must not be used. Restrict the key file to root (chmod 600); -des3 encrypts it under a passphrase, which httpd will ask for every time it starts.

Generating RSA private key, 512 bit long modulus

........++++++++++++

......++++++++++++

e is 65537 (0x10001)

Enter pass phrase for /etc/httpd/conf.d/server.key: 111111

Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 111111

Generate a certificate signing request (the server's identity plus its public key). The Common Name must be the hostname clients will type into the browser:

openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr

Enter pass phrase for /etc/httpd/conf.d/server.key:111111

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:BEIJING

Locality Name (eg, city) [Newbury]:HD

Organization Name (eg, company) [My Company Ltd]:school

Organizational Unit Name (eg, section) []:it

Common Name (eg, your name or your server's hostname) []:server11.com

Email Address []:chengfeng56@126.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Send the certificate request to the CA

The CA signs the certificate request:

openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt

/etc/CA/private/cakey.pem   CA private key
/tmp/server.csr             certificate request
/etc/CA/cacert.pem          CA certificate
/tmp/server.crt             the signed certificate to be produced
/etc/httpd/conf.d           directory holding the web server's private key

Error:

failed to update database

TXT_DB error number 2

Cause and fix:

-newca entered the CA's own certificate into the database (index.txt: "Write out database with 1 new entries" above) with the subject C=CN, ST=BEIJING, L=HD, O=school, OU=it, CN=server11.com, and the server request uses exactly the same subject. With the default unique_subject = yes, openssl ca refuses to issue a second valid certificate for an identical subject. The cleaner fix is to give the CA its own Common Name (a CA name rather than the web server's hostname) so the two subjects differ. The quick fix used here relaxes the uniqueness check instead:

cd /etc/CA   (change yes to no)

vim index.txt.attr

unique_subject = yes

unique_subject = no

Hand the signed certificate to the web server

cp /tmp/server.crt /etc/httpd/conf.d/
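The whole procedure above (CA creation, server key and request, signing with openssl ca, and the unique_subject collision behind the TXT_DB error) as one non-interactive shell script. This is an added example, not code from the original post: it works in a temporary directory rather than /etc/CA and /etc/httpd/conf.d, gives the CA a Common Name distinct from the server's, keeps the CA key unencrypted so the run is unattended, and uses a per-request extension file so the server certificate comes out CA:FALSE with a subjectAltName. The function and directory names are this example's own; the only assumption is that openssl (1.0.2 or later, for -verify_hostname) is on PATH.

```shell
#!/bin/sh
# Added example (not code from the original post): the CA-plus-web-server
# procedure run non-interactively under a scratch directory. Assumes only
# that `openssl` is on PATH; function and directory names are our own.
set -eu

# Minimal openssl.cnf for `openssl ca`. CA extensions live in [ v3_ca ]; leaf
# extensions are supplied per request, so nothing is ever flipped to CA:TRUE.
write_cnf() {   # $1 = CA directory
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
unique_subject  = yes
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

setup_ca() {    # $1 = CA directory
    mkdir -p "$1/private" "$1/newcerts"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    write_cnf "$1"
    # Equivalent of the post's `CA -newca`: CA key plus self-signed CA cert.
    # -nodes leaves the key unencrypted for an unattended run; a real CA key
    # gets a strong passphrase (the post uses one) and offline storage.
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/openssl.cnf" -extensions v3_ca \
        -subj "/C=CN/ST=BEIJING/O=school/OU=it/CN=school root CA" \
        -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    chmod 600 "$1/private/cakey.pem"
}

issue_server_cert() {   # $1 = CA dir, $2 = web dir, $3 = server hostname
    mkdir -p "$2"
    openssl genrsa -out "$2/server.key" 2048 2>/dev/null   # size given explicitly
    chmod 600 "$2/server.key"
    openssl req -new -sha256 -key "$2/server.key" -config "$1/openssl.cnf" \
        -subj "/C=CN/ST=BEIJING/L=HD/O=school/OU=it/CN=$3" -out "$2/server.csr"
    # Leaf extensions: CA:FALSE (what the post's line 178 should say for a
    # server cert), server usage, and a subjectAltName, which browsers match
    # against the hostname instead of the CN.
    cat > "$2/server.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$3
EOF
    openssl ca -batch -notext -config "$1/openssl.cnf" -extfile "$2/server.ext" \
        -in "$2/server.csr" -out "$2/server.crt" 2>/dev/null
}

# Prints OK when server.crt chains to the CA, is not itself a CA, and is valid
# for the given hostname; otherwise prints the check that failed.
check_server_cert() {   # $1 = CA dir, $2 = web dir, $3 = hostname
    openssl verify -CAfile "$1/cacert.pem" "$2/server.crt" >/dev/null 2>&1 \
        || { echo CHAIN_FAIL; return 0; }
    openssl x509 -in "$2/server.crt" -noout -text | grep -q 'CA:FALSE' \
        || { echo LEAF_IS_CA; return 0; }
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" \
        "$2/server.crt" >/dev/null 2>&1 || { echo HOSTNAME_MISMATCH; return 0; }
    echo OK
}

# The post's "TXT_DB error number 2": with unique_subject = yes the CA refuses
# a second certificate for a subject that already has a valid entry in index.txt.
sign_again() {  # $1 = CA dir, $2 = web dir
    if openssl ca -batch -notext -config "$1/openssl.cnf" -extfile "$2/server.ext" \
           -in "$2/server.csr" -out "$2/server2.crt" 2>/dev/null
    then echo ISSUED; else echo REFUSED; fi
}

WORK=$(mktemp -d)
setup_ca "$WORK/CA"
issue_server_cert "$WORK/CA" "$WORK/httpd" server11.com
check_server_cert "$WORK/CA" "$WORK/httpd" server11.com   # OK
sign_again "$WORK/CA" "$WORK/httpd"                        # REFUSED
```

Run it with sh; it prints OK and then REFUSED. The second signing fails exactly as the TXT_DB error on this page does, because index.txt already holds a valid entry for that subject; the index.txt.attr edit above makes it succeed, but revoking the old certificate (openssl ca -revoke) or changing the subject is the cleaner route. Against the live server, openssl s_client -connect server11.com:443 -CAfile /etc/CA/cacert.pem should end with "Verify return code: 0 (ok)".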

Configure the web server with SSL so it serves HTTPS

yum install mod_ssl

vim /etc/httpd/conf.d/ssl.conf

Line 112, the signed certificate (old value, then new value):

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateFile /etc/httpd/conf.d/server.crt

Line 119, the web server's private key (old value, then new value):

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLCertificateKeyFile /etc/httpd/conf.d/server.key

Start the httpd service

service httpd restart

Enter the key passphrase (111111) when prompted. Because server.key was encrypted with -des3, httpd asks for it on every start, so the service will not come back unattended after a reboot; either store the key unencrypted with permissions 600 or supply the passphrase through SSLPassPhraseDialog.

Verify that the browser trusts the site

Copy the CA certificate /etc/CA/cacert.pem to the FTP server. Do not copy /etc/CA/private/cakey.pem: that is the CA's private key, and anyone who obtains it can issue certificates for any name that every browser which imported this CA will accept.

After downloading it, import the file into the browser:

Firefox: Edit > Preferences > Advanced > View Certificates > Import, select the CA certificate, tick the three trust checkboxes (only "Trust this CA to identify websites" is needed for HTTPS), OK.
