- 1.0 CA端操作:
1.1,安装openssl
root@wsc-d-caigary:~# apt-get install openssl
1.2,配置openssl修改CA根目录为/etc/ca
vim /etc/ssl/openssl.cnf
dir=/etc/ca
1.3,复制配置模板
root@wsc-d-caigary:/etc/ca# cp -rf /etc/ssl/* /etc/ca
1.4,创建初始文件
root@wsc-d-caigary:/etc/ca# touch index.txt
root@wsc-d-caigary:/etc/ca# echo 01 > serial
root@wsc-d-caigary:/etc/ca# mkdir ./newcerts
root@wsc-d-caigary:/etc/ca#
1.5,生成根密匙
root@wsc-d-caigary:/etc/ca# openssl genrsa -out ./private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.............+++
................................................+++
e is 65537 (0x010001)
root@wsc-d-caigary:/etc/ca#
1.6,生成根证书(PS:除了common name输入你的域名xxx.com或者其他,其他的随意)
root@wsc-d-caigary:/etc/ca# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:ningbo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdzz
Organizational Unit Name (eg, section) []:mdzz
Common Name (e.g. server FQDN or YOUR name) []:mdzz.com
Email Address []:mdzz@mdzz
- 2.0 http 服务端
2.1,创建ssl目录
root@wsc-d-saopaulo:~# mkdir /etc/apache2/ssl
root@wsc-d-saopaulo:~# cd /etc/apache2/ssl/
root@wsc-d-saopaulo:/etc/apache2/ssl#
2.2,生成ssl密钥
root@wsc-d-saopaulo:/etc/apache2/ssl# openssl genrsa -out apache.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.......+++
e is 65537 (0x010001)
root@wsc-d-saopaulo:/etc/apache2/ssl#
2.3,生成证书签署请求(PS:注意common name和上次的一致)
root@wsc-d-saopaulo:/etc/apache2/ssl# openssl req -new -key apache.key -out apache.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:ningbo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdzz
Organizational Unit Name (eg, section) []:mdzz
Common Name (e.g. server FQDN or YOUR name) []:mdzz.com
Email Address []:mdzz@mdzz
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:mdzz
root@wsc-d-saopaulo:/etc/apache2/ssl#
2.4,CA签署证书请求
2.4.1,把证书请求文件发送到CA服务器上
用scp命令,具体你是从CA拷贝还是从Apache服务器上传都一样
证书签署
root@wsc-d-caigary:/etc/ca# openssl x509 -req -in apache.csr -CA /etc/ca/cacert.pem -CAkey /etc/ca/private/cakey.pem -CAcreateserial -out apache.crt
Signature ok
subject=C = CN, ST = zhejiang, L = ningbo, O = mdzz, OU = mdzz, CN = mdzz.com, emailAddress = mdzz@mdzz
Getting CA Private Key
root@wsc-d-caigary:/etc/ca#
2.4.2,将生成的crt证书文件发回Apache服务器使用
同样还是scp命令
2.5,配置Apache以使用https
- 启用ssl模块
- a2enmod ssl
- a2ensite default-ssl(如果没有这个浏览器会报ssl too lang 错误)
root@wsc-d-saopaulo:/etc/apache2/ssl# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
root@wsc-d-saopaulo:/etc/apache2/ssl# a2ensite default-ssl
root@wsc-d-saopaulo:/etc/apache2/ssl# systemctl restart apache2
- 配置default-ssl.conf
root@wsc-d-saopaulo:/etc/apache2/ssl# cd /etc/apache2/sites-available/
root@wsc-d-saopaulo:/etc/apache2/sites-available# ls
000-default.conf default-ssl.conf
root@wsc-d-saopaulo:/etc/apache2/sites-available# vim default-ssl.conf
- 修改内容如下
<IfModule mod_ssl.c>
<VirtualHost _defalut_:443>
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt ***** 需要修改部分
SSLCertificateKeyFile /etc/apache2/ssl/apache.key ***** 需要修改部分
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
2.6,启用配置
root@wsc-d-saopaulo:/etc/apache2/sites-available# a2ensite default-ssl.conf
Enabling site default-ssl.
To activate the new configuration, you need to run:
systemctl reload apache2
root@wsc-d-saopaulo:/etc/apache2/sites-available#
重启Apache服务
/etc/init.d/apache2 restart
网友评论