配制一个SSL站点
1、自建CA签证服务器IP:192.168.1.5 电脑名称:jacktest (Linux5.4-32b)
2、http服务器IP:192.168.1.3 电脑名称:test (Linux5.4-32b)
3、测试服务器IP: 192.168.1.19 电脑名称:test2 (winXP)
4、站点名称与证书站点名称一定要一致,否则有警告;
5、一个IP地址只能建立一个SSL虚拟主机;
一、安装SSL环境
[[email protected] conf.d]# yum install mod_ssl
Installed:
mod_ssl.i386 1:2.2.3-31.el5
Dependency Installed:
distcache.i386 0:1.4.5-14.1
[[email protected] conf.d]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf #ssl配制文件
/usr/lib/httpd/modules/mod_ssl.so #ssl模块
/var/cache/mod_ssl #ssl缓存目录
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
二、设置CA服务器
[[email protected] ~]# cd /etc/pki/CA #CA服务器192.168.1.5
[[email protected] CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
......+++
........................................................................................+++
e is 65537 (0x10001)
[[email protected] CA]# ll private/
total 4
-rw------- 1 root root 1679 Dec 28 08:56 cakey.pem
[[email protected] CA]# vi ../tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept签发的证书位置
crl_dir = $dir/crl # Where the issued crl are kept吊销的证书位置
database = $dir/index.txt # database index file颁发过的证书索引文件
#unique_subject = no # Set to ‘no‘ to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate指明CA的自签证书
serial = $dir/serial # The current serial number 指明当前证书序列号,第一次要指定
...
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Jiansu
localityName = Locality Name (eg, city)
localityName_default = Suzhou
0.organizationName = Organization Name (eg, company)
0.organizationName_default = jacktest
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
organizationalUnitName_default = Tech
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated #生成自签证书
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiansu]:
Locality Name (eg, city) [Suzhou]:
Organization Name (eg, company) [jacktest]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:ca.jacktest.com
Email Address []:[email protected]
-----BEGIN CERTIFICATE-----
MIIEmDCCA4CgAwIBAgIJANeTZklDKv8MMA0GCSqGSIb3DQEBBQUAMIGOMQswCQYD
...
-----END CERTIFICATE-----
[[email protected] CA]# mkdir certs crl newcerts
[[email protected] CA]# touch index.txt
[[email protected] CA]# echo 01 > serial
[[email protected] CA]# ls
certs crl index.txt newcerts private serial
三、设置服务器申请证书
[[email protected] ssl]# (umask 077; openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
.....................................................++++++
....................................++++++
e is 65537 (0x10001)
[[email protected] ssl]# ll
total 8
-rw------- 1 root root 887 Dec 28 09:40 httpd.key
[[email protected] ssl]# openssl req -new -key httpd.key -out http.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Jiangsu]:
Locality Name (eg, city) [Kunshan]:
Organization Name (eg, company) [Fox]:jacktest #此项要与服务方一致,否则签证不成功
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server‘s hostname) []:hello.jacktest.com
Email Address []:[email protected]
#hello.jacktest.com站点名称与证书站点名称一定要一致,否则有警告
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] ssl]# ll
total 12
-rw-r--r-- 1 root root 704 Dec 28 09:45 http.csr
-rw------- 1 root root 887 Dec 28 09:40 httpd.key
[[email protected] ssl]# scp http.csr 192.168.1.5:/tmp
http.csr 100% 704 0.7KB/s 00:00
[[email protected] ssl]#
四、CA服务器收到后签署申请的证书
[[email protected] CA]# ll /tmp/http.csr
-rw-r--r-- 1 root root 708 Dec 28 10:05 /tmp/http.csr
[[email protected] CA]# openssl ca -in /tmp/http.csr -out /tmp/http.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 28 02:08:24 2016 GMT
Not After : Dec 26 02:08:24 2026 GMT
Subject:
countryName = CN
stateOrProvinceName = Jiansu
organizationName = jacktest
organizationalUnitName = Tech
commonName = hello.jacktest.com
emailAddress = hello[email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
83:4B:E1:D1:C5:0D:A0:F0:44:54:1B:D7:D3:12:C1:05:E6:61:9D:F8
X509v3 Authority Key Identifier:
keyid:38:24:D5:41:1D:98:0D:69:90:0C:95:41:69:72:67:BB:62:4D:4B:A2
Certificate is to be certified until Dec 26 02:08:24 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] CA]# cd /etc/pki/CA/
[[email protected] CA]# ls
cacert.pem certs crl index.txt index.txt.attr index.txt.old newcerts private serial serial.old
[[email protected] CA]# cat index.txt
V 261226020824Z 01 unknown /C=CN/ST=Jiansu/O=jacktest/OU=Tech/CN=hello.jacktest.com/[email protected]
[[email protected] CA]# cat serial #下一个签证序号
02
[[email protected] tmp]# scp http.crt 192.168.1.3:/etc/httpd/ssl/
[email protected]‘s password:
http.crt 100% 3885 3.8KB/s 00:00
[[email protected] tmp]# rm -f http.*
[[email protected] ssl]# ll #服务器192.168.1.3
total 16
-rw-r--r-- 1 root root 708 Dec 28 09:59 http.csr
-rw-r--r-- 1 root root 3885 Dec 28 10:25 http.crt
-rw------- 1 root root 887 Dec 28 09:57 httpd.key
五、CA服务器收到后签署申请的证书
[[email protected] conf.d]# vi ssl.conf
<VirtualHost 192.168.1.3:443>
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
ServerName www.jacktest.com:443
DocumentRoot "/www/jacktest.com"
# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 #除V2以外
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you‘ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
[[email protected] conf.d]# ll /etc/httpd/ssl/http.crt
-rw-r--r-- 1 root root 3885 Dec 28 11:31 /etc/httpd/ssl/http.crt
[[email protected] conf.d]# httpd -t
Syntax OK
[[email protected] conf.d]# service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]
[[email protected] conf.d]# netstat -tnlp |grep :443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 14998/httpd
[[email protected] conf.d]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
---END---