美文网首页
debian自建CA

debian自建CA

作者: 单曲_循环 | 来源:发表于2018-02-06 22:02 被阅读0次
    • 1.0 CA端操作:

    1.1,安装openssl

    root@wsc-d-caigary:~# apt-get install openssl

    1.2,配置openssl修改CA根目录为/etc/ca

    vim /etc/ssl/openssl.cnf
dir=/etc/ca

    1.3,复制配置模板

    root@wsc-d-caigary:/etc/ca# cp -rf /etc/ssl/* /etc/ca

    1.4,创建初始文件

    root@wsc-d-caigary:/etc/ca# touch index.txt
root@wsc-d-caigary:/etc/ca# echo 01 > serial
root@wsc-d-caigary:/etc/ca# mkdir ./newcerts
root@wsc-d-caigary:/etc/ca#

    1.5,生成根密匙

    root@wsc-d-caigary:/etc/ca# openssl genrsa -out ./private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.............+++
................................................+++
e is 65537 (0x010001)
root@wsc-d-caigary:/etc/ca#

    1.6,生成根证书(PS:除了common name输入你的域名xxx.com或者其他,其他的随意)

    root@wsc-d-caigary:/etc/ca# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:ningbo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdzz
Organizational Unit Name (eg, section) []:mdzz
Common Name (e.g. server FQDN or YOUR name) []:mdzz.com
Email Address []:mdzz@mdzz
    • 2.0 http 服务端

    2.1,创建ssl目录

    root@wsc-d-saopaulo:~# mkdir /etc/apache2/ssl
root@wsc-d-saopaulo:~# cd /etc/apache2/ssl/
root@wsc-d-saopaulo:/etc/apache2/ssl#

    2.2,生成ssl密钥

    root@wsc-d-saopaulo:/etc/apache2/ssl# openssl genrsa -out apache.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.......+++
e is 65537 (0x010001)
root@wsc-d-saopaulo:/etc/apache2/ssl#

    2.3,生成证书签署请求(PS:注意common name和上次的一致)

    root@wsc-d-saopaulo:/etc/apache2/ssl# openssl req -new -key apache.key -out apache.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:ningbo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdzz
Organizational Unit Name (eg, section) []:mdzz
Common Name (e.g. server FQDN or YOUR name) []:mdzz.com
Email Address []:mdzz@mdzz

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:mdzz
root@wsc-d-saopaulo:/etc/apache2/ssl#

    2.4,CA签署证书请求
    2.4.1,把证书请求文件发送到CA服务器上

    用scp命令,具体你是从CA拷贝还是从Apache服务器上传都一样

    证书签署

    root@wsc-d-caigary:/etc/ca# openssl x509 -req -in apache.csr -CA /etc/ca/cacert.pem -CAkey /etc/ca/private/cakey.pem -CAcreateserial -out apache.crt
Signature ok
subject=C = CN, ST = zhejiang, L = ningbo, O = mdzz, OU = mdzz, CN = mdzz.com, emailAddress = mdzz@mdzz
Getting CA Private Key
root@wsc-d-caigary:/etc/ca#

    2.4.2,将生成的crt证书文件发回Apache服务器使用

    同样还是scp命令

    2.5,配置Apache以使用https

    • 启用ssl模块
    • a2enmod ssl
    • a2ensite default-ssl(如果没有这个浏览器会报ssl too lang 错误)
    root@wsc-d-saopaulo:/etc/apache2/ssl# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
root@wsc-d-saopaulo:/etc/apache2/ssl# a2ensite default-ssl
root@wsc-d-saopaulo:/etc/apache2/ssl# systemctl restart apache2
    • 配置default-ssl.conf
    root@wsc-d-saopaulo:/etc/apache2/ssl# cd /etc/apache2/sites-available/
root@wsc-d-saopaulo:/etc/apache2/sites-available# ls
000-default.conf  default-ssl.conf
root@wsc-d-saopaulo:/etc/apache2/sites-available# vim default-ssl.conf
    • 修改内容如下
    <IfModule mod_ssl.c>
   <VirtualHost   _defalut_:443>
       DocumentRoot /var/www/html
       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
       SSLEngine on
       SSLCertificateFile /etc/apache2/ssl/apache.crt                     ***** 需要修改部分
       SSLCertificateKeyFile /etc/apache2/ssl/apache.key             ***** 需要修改部分
       <FilesMatch "\.(cgi|shtml|phtml|php)$">
                       SSLOptions +StdEnvVars
       </FilesMatch>
       <Directory /usr/lib/cgi-bin>
                       SSLOptions +StdEnvVars
       </Directory>
       BrowserMatch "MSIE [2-6]" \
                       nokeepalive ssl-unclean-shutdown \
                       downgrade-1.0 force-response-1.0
       BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
   </VirtualHost>
</IfModule>

    2.6,启用配置

    root@wsc-d-saopaulo:/etc/apache2/sites-available# a2ensite default-ssl.conf
Enabling site default-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@wsc-d-saopaulo:/etc/apache2/sites-available#

    重启Apache服务
    /etc/init.d/apache2 restart

    相关文章

      网友评论

          本文标题:debian自建CA

          本文链接:https://www.haomeiwen.com/subject/sadnzxtx.html

          延伸阅读

          深度阅读

          • 您也可以注册成为美文阅读网的作者,发表您的原创作品、分享您的心情!

          栏目导航

          热点阅读

          关于我们|服务条款|联系我们|debian自建CA|投稿指南|网站地图|RSS订阅|排版工具|手机版

          提供经典美文摘抄,优美散文欣赏,现代诗歌精选,短篇小说,心情随笔,表白情书范文,故事会在线阅读欣赏

          Copyright © 2014-2023 Haomeiwen.com All Rights Reserved. 好美文阅读网 版权所有

          备案信息:桂公网安备 45052102000051号 · 桂ICP备13007215号-3

          本站所收录作品、热点评论等信息部分来源互联网,目的只是为了系统归纳学习和传递资讯

          所有作品版权归原创作者所有,与本站立场无关,如不慎侵犯了你的权益,请联系我们告知,我们将做删除处理!