美文网首页
debian自建CA

debian自建CA

作者: 单曲_循环 | 来源:发表于2018-02-06 22:02 被阅读0次
    • 1.0 CA端操作:

    1.1,安装openssl

    root@wsc-d-caigary:~# apt-get install openssl
    

    1.2,配置openssl修改CA根目录为/etc/ca

    vim /etc/ssl/openssl.cnf
    dir=/etc/ca
    

    1.3,复制配置模板

    root@wsc-d-caigary:/etc/ca# cp -rf /etc/ssl/* /etc/ca
    

    1.4,创建初始文件

    root@wsc-d-caigary:/etc/ca# touch index.txt
    root@wsc-d-caigary:/etc/ca# echo 01 > serial
    root@wsc-d-caigary:/etc/ca# mkdir ./newcerts
    root@wsc-d-caigary:/etc/ca# 
    

    1.5,生成根密匙

    root@wsc-d-caigary:/etc/ca# openssl genrsa -out ./private/cakey.pem 2048
    Generating RSA private key, 2048 bit long modulus
    .............+++
    ................................................+++
    e is 65537 (0x010001)
    root@wsc-d-caigary:/etc/ca# 
    
    

    1.6,生成根证书(PS:除了common name输入你的域名xxx.com或者其他,其他的随意)

    root@wsc-d-caigary:/etc/ca# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:zhejiang
    Locality Name (eg, city) []:ningbo
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdzz
    Organizational Unit Name (eg, section) []:mdzz
    Common Name (e.g. server FQDN or YOUR name) []:mdzz.com
    Email Address []:mdzz@mdzz
    
    
    • 2.0 http 服务端

    2.1,创建ssl目录

    root@wsc-d-saopaulo:~# mkdir /etc/apache2/ssl
    root@wsc-d-saopaulo:~# cd /etc/apache2/ssl/
    root@wsc-d-saopaulo:/etc/apache2/ssl# 
    
    

    2.2,生成ssl密钥

    root@wsc-d-saopaulo:/etc/apache2/ssl# openssl genrsa -out apache.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...+++
    .......+++
    e is 65537 (0x010001)
    root@wsc-d-saopaulo:/etc/apache2/ssl#
    

    2.3,生成证书签署请求(PS:注意common name和上次的一致)

    root@wsc-d-saopaulo:/etc/apache2/ssl# openssl req -new -key apache.key -out apache.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:zhejiang
    Locality Name (eg, city) []:ningbo
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdzz
    Organizational Unit Name (eg, section) []:mdzz
    Common Name (e.g. server FQDN or YOUR name) []:mdzz.com
    Email Address []:mdzz@mdzz
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:1234
    An optional company name []:mdzz
    root@wsc-d-saopaulo:/etc/apache2/ssl# 
    
    

    2.4,CA签署证书请求
    2.4.1,把证书请求文件发送到CA服务器上

    用scp命令,具体你是从CA拷贝还是从Apache服务器上传都一样
    

    证书签署

    root@wsc-d-caigary:/etc/ca# openssl x509 -req -in apache.csr -CA /etc/ca/cacert.pem -CAkey /etc/ca/private/cakey.pem -CAcreateserial -out apache.crt
    Signature ok
    subject=C = CN, ST = zhejiang, L = ningbo, O = mdzz, OU = mdzz, CN = mdzz.com, emailAddress = mdzz@mdzz
    Getting CA Private Key
    root@wsc-d-caigary:/etc/ca# 
    
    

    2.4.2,将生成的crt证书文件发回Apache服务器使用

    同样还是scp命令
    

    2.5,配置Apache以使用https

    • 启用ssl模块
    • a2enmod ssl
    • a2ensite default-ssl(如果没有这个浏览器会报ssl too lang 错误)
    root@wsc-d-saopaulo:/etc/apache2/ssl# a2enmod ssl
    Considering dependency setenvif for ssl:
    Module setenvif already enabled
    Considering dependency mime for ssl:
    Module mime already enabled
    Considering dependency socache_shmcb for ssl:
    Module socache_shmcb already enabled
    Module ssl already enabled
    root@wsc-d-saopaulo:/etc/apache2/ssl# a2ensite default-ssl
    root@wsc-d-saopaulo:/etc/apache2/ssl# systemctl restart apache2
    
    
    • 配置default-ssl.conf
    root@wsc-d-saopaulo:/etc/apache2/ssl# cd /etc/apache2/sites-available/
    root@wsc-d-saopaulo:/etc/apache2/sites-available# ls
    000-default.conf  default-ssl.conf
    root@wsc-d-saopaulo:/etc/apache2/sites-available# vim default-ssl.conf 
    
    
    • 修改内容如下
    <IfModule mod_ssl.c>
       <VirtualHost   _defalut_:443>
           DocumentRoot /var/www/html
           ErrorLog ${APACHE_LOG_DIR}/error.log
           CustomLog ${APACHE_LOG_DIR}/access.log combined
           SSLEngine on
           SSLCertificateFile /etc/apache2/ssl/apache.crt                     ***** 需要修改部分
           SSLCertificateKeyFile /etc/apache2/ssl/apache.key             ***** 需要修改部分
           <FilesMatch "\.(cgi|shtml|phtml|php)$">
                           SSLOptions +StdEnvVars
           </FilesMatch>
           <Directory /usr/lib/cgi-bin>
                           SSLOptions +StdEnvVars
           </Directory>
           BrowserMatch "MSIE [2-6]" \
                           nokeepalive ssl-unclean-shutdown \
                           downgrade-1.0 force-response-1.0
           BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
       </VirtualHost>
    </IfModule>
    

    2.6,启用配置

    root@wsc-d-saopaulo:/etc/apache2/sites-available# a2ensite default-ssl.conf
    Enabling site default-ssl.
    To activate the new configuration, you need to run:
      systemctl reload apache2
    root@wsc-d-saopaulo:/etc/apache2/sites-available# 
    

    重启Apache服务
    /etc/init.d/apache2 restart

    相关文章

      网友评论

          本文标题:debian自建CA

          本文链接:https://www.haomeiwen.com/subject/sadnzxtx.html