在做实验的时候难免有时候会用到ssl证书,在局域网环境下完全没有必要去买一个ssl证书,所以这里我们自建一个CA服务器,对局域网内需要证书的服务器,提供证书颁发的服务。

直接上操作:
准备一台服务器作为CA服务器:

[root@localhost CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
---
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:u9time       ##公司名,客户端申请要与此保持一致
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:ca.u9time.com       ##自签证书的完整域名
Email Address []:

[root@lvs CA]# touch index.txt        ##作为一台CA证书为别人颁发证书时会在此文件进行记录索引文档,文件名与位置由配置文件决定
[root@lvs CA]# echo "01" > serial   ##作为一台CA证书为别人颁发证书时会在此文件进行记录序号,文件名与位置由配置文件决定

客户端主机(apache或nginx)生成证书申请CSR文件

[root@localhost ssl]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365   ##输入相关信息,用于生成csr文件
---
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:u9time     ##公司信息要与CA一致
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.u9time.com     ##这里填写申请证书的完整域名,可以是其他域名比如www.ddong.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:www.u9time.com
An optional company name []:

[root@localhost ssl]# scp -p httpd.csr [email protected]:/root/                   ##将证书请求文件发送给CA服务器签署生成证书

CA服务器签署证书:

[root@localhost ~]# openssl ca -in httpd.csr -out httpd.crt -days 365
y
y
[root@localhost ~]# scp -p httpd.crt [email protected]:/etc/httpd/ssl/

apache2.4服务器配置:

[root@localhost ~]# yum install httpd mod_ssl -y
[root@localhost ~]# chmod 600 /etc/httpd/ssl/
[root@localhost ~]# vim /etc/httpd/conf.d/u9time_ssl.conf

    # This first-listed virtual host is also the default for *:80
    ServerName www.u9time.com
    ServerAlias www1.u9time.com www2.u9time.com
    DocumentRoot "/var/www/html/u9time"



    # This first-listed virtual host is also the default for *:80

    ServerName www.u9time.com
    ServerAlias www1.u9time.com www2.u9time.com
    DocumentRoot "/var/www/html/u9time"

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

    SSLCertificateFile "/etc/httpd/ssl/u9time.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/u9time.key"

nginx服务器的配置:

前提是nginx安装时已经编译了ssl模块
[root@localhost conf.d]# cat u9time.conf 
server {

    listen 80;
    server_name www.u9time.com;
    root /var/www/html/u9;

    location / {
    }

}

server {

    listen 443;
    server_name www.u9time.com;
    root /var/www/html/u9;

    ssl on;
    ssl_certificate /etc/httpd/ssl/u9time.crt;  #证书文件
    ssl_certificate_key /etc/httpd/ssl/u9time.key;   #KEY文件

    ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
    location / {
    }

}