Certificates and HTTPS

Steps for setting up an httpd certificate

(Based on a yum install; a source build differs only in details.)

1. Configure the virtual host and enable the SSL module
[root@8-4 conf.d]# pwd
/etc/httpd/conf.d
[root@8-4 conf.d]# mv /usr/share/doc/httpd/httpd-vhosts.conf . 
[root@8-4 conf.d]# cat httpd-vhosts.conf 
<VirtualHost *:80>
    DocumentRoot "/var/www/html/h/"
    ServerName web1.example.com
    ErrorLog "/var/log/web1.com-error_log"
    CustomLog "/var/log/web1.example.com-access_log" combined 
</VirtualHost>
[root@8-4 ~]# yum -y install mod_ssl   # install the mod_ssl module
# enabling the ssl module
[root@8-4 conf.modules.d]# pwd
/etc/httpd/conf.modules.d
[root@8-4 conf.modules.d]# ls
00-base.conf  00-lua.conf  00-optional.conf  00-ssl.conf   # this one
[root@8-4 conf.modules.d]# cat 00-ssl.conf 
LoadModule ssl_module modules/mod_ssl.so
2. Create the CA key material and issue the certificate
# create the CA directory under /etc/pki
[root@8-4 ~]# mkdir /etc/pki/CA 
[root@8-4 ~]# cd /etc/pki/CA/
# then create the private directory to hold the key generated in the next step
[root@8-4 CA]# mkdir private
# generate the CA's private key (the subshell umask 077 makes the file readable only by root)
[root@8-4 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)               
Generating RSA private key, 2048 bit long modulus (2 primes)
.+++++
..........+++++
e is 65537 (0x010001)
# view the public key derived from it (optional)
[root@8-4 CA]# openssl rsa -in private/cakey.pem -pubout  
# X.509: create the self-signed CA certificate cacert.pem, valid for 365 days
[root@8-4 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN     # country
State or Province Name (full name) []:HB  # province
Locality Name (eg, city) [Default City]:WH   # city
Organization Name (eg, company) [Default Company Ltd]:999  # company
Organizational Unit Name (eg, section) []:999*   # department
Common Name (eg, your name or your server's hostname) []:web1.example.com   # server hostname
Email Address []:999@qq.com             # e-mail

# view the information in the generated certificate
[root@8-4 CA]# openssl x509 -text -in cacert.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            32:1e:ac:80:35:d0:05:59:8b:83:70:df:ed:7c:49:d0:f0:f3:31:d3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = HB, L = WH, O = 999, OU = 999*, CN = web1.example.com, emailAddress = 999@qq.com
        Validity
            Not Before: Jul 19 10:46:29 2021 GMT
            Not After : Jul 19 10:46:29 2022 GMT
        Subject: C = CN, ST = HB, L = WH, O = 999, OU = 999*, CN = web1.example.com, emailAddress = 999@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                
# create three directories and one file, and write 01 into serial (first serial number the CA will issue)
[root@8-4 CA]# mkdir certs crl newcerts
[root@8-4 CA]# touch index.txt && echo "01" > serial

# generate an httpd.key file in /opt
[root@8-4 ~]# cd /opt/
[root@8-4 opt]# umask 077;openssl genrsa -out httpd.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
....................................................................................................................................................+++++
e is 65537 (0x010001)
[root@8-4 opt]# ls
httpd.key

# use httpd.key to generate an httpd.csr (certificate signing request)
[root@8-4 opt]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:999
Organizational Unit Name (eg, section) []:999*
Common Name (eg, your name or your server's hostname) []:web1.example.com
Email Address []:999@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    # press Enter
An optional company name []:    # press Enter (leave blank)
[root@8-4 opt]# ll  
总用量 8                     # these files must be non-empty here, otherwise signing fails
-rw-------. 1 root root 1029 719 18:56 httpd.csr
-rw-------. 1 root root 1675 719 18:52 httpd.key

# sign the certificate (this produces a .crt file)
[root@8-4 opt]# openssl ca -in httpd.csr -out httpd.crt -days 365
Certificate is to be certified until Jul 19 11:06:03 2022 GMT (365 days)
Sign the certificate? [y/n]:y    # sign
1 out of 1 certificate requests certified, commit? [y/n]  # commit
[root@8-4 opt]# ls
httpd.crt  httpd.csr  httpd.key

# delete the earlier csr file so its information is not leaked
[root@8-4 opt]# rm -rf httpd.csr 
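
The CA setup and server-certificate signing from the steps above, as an added example that is not part of the original post: it builds the same file layout (private/cakey.pem, serial, index.txt, newcerts) in a temporary directory instead of /etc/pki/CA, drives openssl non-interactively with a constructed minimal config that adds a subjectAltName for web1.example.com, and then runs the checks worth doing before pointing ssl.conf at httpd.crt and httpd.key. The "Lab Root CA" name, the CA_DIR and SERVER_NAME variables and the function names are assumptions; it needs openssl 1.1.1 or newer on PATH.

```shell
# Added example, not the post's own commands; assumes openssl >= 1.1.1; mimics /etc/pki/CA in a temp dir
set -eu
CA_DIR="${CA_DIR:-$(mktemp -d)}"                 # stand-in for /etc/pki/CA
SERVER_NAME="${SERVER_NAME:-web1.example.com}"
build_ca() {   # same pieces the post creates by hand: private/, serial, index.txt, newcerts
    mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $CA_DIR
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_cn
x509_extensions = server_ext
[ policy_cn ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_NAME
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/ca.cnf" -extensions ca_ext -days 365 \
        -key "$CA_DIR/private/cakey.pem" -subj "/CN=Lab Root CA" -out "$CA_DIR/cacert.pem"
}
issue_server_cert() {   # key -> CSR -> CA-signed cert, then the CSR is removed as in the post
    (umask 077; openssl genrsa -out "$CA_DIR/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/ca.cnf" -key "$CA_DIR/httpd.key" \
        -subj "/CN=$SERVER_NAME" -out "$CA_DIR/httpd.csr"
    openssl ca -batch -notext -days 365 -config "$CA_DIR/ca.cnf" -in "$CA_DIR/httpd.csr" -out "$CA_DIR/httpd.crt" 2>/dev/null
    rm -f "$CA_DIR/httpd.csr"
}
check_server_cert() {   # exit 0 only if the cert chains to the CA, names the host, and matches the key
    openssl verify -CAfile "$CA_DIR/cacert.pem" -verify_hostname "$SERVER_NAME" "$CA_DIR/httpd.crt" >/dev/null
    [ "$(openssl x509 -noout -modulus -in "$CA_DIR/httpd.crt")" = \
      "$(openssl rsa -noout -modulus -in "$CA_DIR/httpd.key")" ]
}
```

Run build_ca, issue_server_cert and check_server_cert in that order; the SAN matters because modern browsers ignore the Common Name when matching the hostname.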

3. Apply the generated certificate (httpd.key, httpd.crt) to the website (the most important step)

# configure the certificate locations in ssl.conf
[root@8-4 conf.d]# pwd
/etc/httpd/conf.d
[root@8-4 conf.d]# vim ssl.conf 
Listen 443 https
<VirtualHost _default_:443>
ServerName web1.example.com:443
DocumentRoot "/var/www/html/h/"
ErrorLog "/var/log/ssl_error_log"
TransferLog /var/log/ssl_access_log
#SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
#SSLSessionCacheTimeout  300                     # comment out these two lines

Create a new ssl directory under the httpd directory and move the key files into it (easier to find):
[root@8-4 httpd]# mkdir ssl
[root@8-4 ssl]# mv /opt/* .
[root@8-4 ssl]# ls
httpd.crt  httpd.key
# configure ssl.conf (this file lives in the conf.d directory)
[root@8-4 conf.d]# vim ssl.conf 
SSLCertificateFile /etc/httpd/ssl/httpd.crt      # both paths can be customised; just keep them easy to find
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

4. Restart the httpd service (binding the domain name is omitted; you all know how)

[root@8-4 conf.d]# vim ssl.conf 
[root@8-4 conf.d]# systemctl restart httpd.service 
[root@8-4 conf.d]# ss -antl
State          Recv-Q         Send-Q                 Local Address:Port                  Peer Address:Port         Process
LISTEN         0              128                          0.0.0.0:22                         0.0.0.0:*
LISTEN         0              128                             [::]:22                            [::]:*
LISTEN         0              128                                *:443                              *:*

5. Result: the site is reachable over https://web1.example.com with the self-signed certificate.
