环境:centos6.5

两台主机,一个是CA签证 一个是apache服务器


第一步:apache上安装ssl支持

    yum install -y mod_ssl


    然后httpd -M就能看到ssl模块了

    ssl_module (shared)


第二步:在CA机器上生成自签证书


先生成私钥

 [root@slave CA]# cd /etc/pki/CA

 [root@slave CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus

..........................................................+++

...................................................................+++

e is 65537 (0x10001)

这样就是成功了 


生成自签证书

[root@slave CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:GD

Locality Name (eg, city) [Default City]:gz

Organization Name (eg, company) [Default Company Ltd]:hu

Organizational Unit Name (eg, section) []:hu

Common Name (eg, your name or your server's hostname) []:ca.8.com

Email Address []:a

[root@slave CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:gd

Locality Name (eg, city) [Default City]:gz

Organization Name (eg, company) [Default Company Ltd]:hu

Organizational Unit Name (eg, section) []:hu

Common Name (eg, your name or your server's hostname) []:ca.920.com

Email Address []:[email protected]

到这里,自签证书就生成完毕了


第三步:新建证书数据库

    

[root@slave CA]# touch index.txt        #证书数据库

[root@slave CA]# echo 01 serial         #序列号  


第四步:在apache机器上生成一堆密钥


[root@nginx ~]# mkdir /etc/httpd/ssl

[root@nginx ~]# (umask 077;openssl genrsa 1024 > httpd.key)

Generating RSA private key, 1024 bit long modulus

....++++++

.......++++++

e is 65537 (0x10001)


生成CA证书请求

注意,这里一定要跟CA上面输入的一直,hostname例外


[root@nginx ssl]# openssl req -new -key httpd.key -out http.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:GD

Locality Name (eg, city) [Default City]:^C

[root@nginx ssl]# openssl req -new -key httpd.key -out http.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:gd

Locality Name (eg, city) [Default City]:gz

Organization Name (eg, company) [Default Company Ltd]:hu

Organizational Unit Name (eg, section) []:hu

Common Name (eg, your name or your server's hostname) []:qq.com

Email Address []:[email protected]


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


然后将此http.csr拷贝到CA服务器上签名


第五步:在CA上签名


[root@slave CA]# openssl ca -in /tmp/http.csr -out /tmp/http.rt -days 3650

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Feb 13 10:03:52 2015 GMT

            Not After : Feb 10 10:03:52 2025 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = gd

            organizationName          = hu

            organizationalUnitName    = hu

            commonName                = qq.com

            emailAddress              = [email protected]

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                A5:7E:50:2A:8C:4D:B5:E3:DB:72:D7:F8:CE:E2:20:B0:F9:FD:18:0D

            X509v3 Authority Key Identifier: 

                keyid:45:71:85:FA:99:EE:F1:0E:0F:EC:AB:6D:8C:F7:1F:A2:32:DF:31:6A


Certificate is to be certified until Feb 10 10:03:52 2025 GMT (3650 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated



签名成功


[root@slave CA]# cat /etc/pki/CA/index.txt

V       250210100352Z           01      unknown /C=CN/ST=gd/O=hu/OU=hu/CN=qq.com/[email protected]

可以看到数据库更新了