debian自建CA

• 1.0 CA端操作：

1.1，安装openssl

root@wsc-d-caigary:~# apt-get install openssl

1.2，配置openssl修改CA根目录为/etc/ca

vim /etc/ssl/openssl.cnf
dir=/etc/ca

1.3，复制配置模板

root@wsc-d-caigary:/etc/ca# cp -rf /etc/ssl/* /etc/ca

1.4，创建初始文件

root@wsc-d-caigary:/etc/ca# touch index.txt
root@wsc-d-caigary:/etc/ca# echo 01 > serial
root@wsc-d-caigary:/etc/ca# mkdir ./newcerts
root@wsc-d-caigary:/etc/ca# 

1.5，生成根密匙

root@wsc-d-caigary:/etc/ca# openssl genrsa -out ./private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
.............+++
................................................+++
e is 65537 (0x010001)
root@wsc-d-caigary:/etc/ca# 

1.6，生成根证书(PS:除了common name输入你的域名xxx.com或者其他，其他的随意)

root@wsc-d-caigary:/etc/ca# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:ningbo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdzz
Organizational Unit Name (eg, section) []:mdzz
Common Name (e.g. server FQDN or YOUR name) []:mdzz.com
Email Address []:mdzz@mdzz

• 2.0 http 服务端

2.1，创建ssl目录

root@wsc-d-saopaulo:~# mkdir /etc/apache2/ssl
root@wsc-d-saopaulo:~# cd /etc/apache2/ssl/
root@wsc-d-saopaulo:/etc/apache2/ssl# 

2.2，生成ssl密钥

root@wsc-d-saopaulo:/etc/apache2/ssl# openssl genrsa -out apache.key 2048
Generating RSA private key, 2048 bit long modulus
...+++
.......+++
e is 65537 (0x010001)
root@wsc-d-saopaulo:/etc/apache2/ssl#

2.3，生成证书签署请求(PS：注意common name和上次的一致)

root@wsc-d-saopaulo:/etc/apache2/ssl# openssl req -new -key apache.key -out apache.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:ningbo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mdzz
Organizational Unit Name (eg, section) []:mdzz
Common Name (e.g. server FQDN or YOUR name) []:mdzz.com
Email Address []:mdzz@mdzz

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1234
An optional company name []:mdzz
root@wsc-d-saopaulo:/etc/apache2/ssl# 

2.4，CA签署证书请求
2.4.1，把证书请求文件发送到CA服务器上

用scp命令，具体你是从CA拷贝还是从Apache服务器上传都一样

证书签署

root@wsc-d-caigary:/etc/ca# openssl x509 -req -in apache.csr -CA /etc/ca/cacert.pem -CAkey /etc/ca/private/cakey.pem -CAcreateserial -out apache.crt
Signature ok
subject=C = CN, ST = zhejiang, L = ningbo, O = mdzz, OU = mdzz, CN = mdzz.com, emailAddress = mdzz@mdzz
Getting CA Private Key
root@wsc-d-caigary:/etc/ca# 

2.4.2，将生成的crt证书文件发回Apache服务器使用

同样还是scp命令

2.5，配置Apache以使用https

• 启用ssl模块
• a2enmod ssl
• a2ensite default-ssl(如果没有这个浏览器会报ssl too lang 错误)

root@wsc-d-saopaulo:/etc/apache2/ssl# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Module socache_shmcb already enabled
Module ssl already enabled
root@wsc-d-saopaulo:/etc/apache2/ssl# a2ensite default-ssl
root@wsc-d-saopaulo:/etc/apache2/ssl# systemctl restart apache2

• 配置default-ssl.conf

root@wsc-d-saopaulo:/etc/apache2/ssl# cd /etc/apache2/sites-available/
root@wsc-d-saopaulo:/etc/apache2/sites-available# ls
000-default.conf  default-ssl.conf
root@wsc-d-saopaulo:/etc/apache2/sites-available# vim default-ssl.conf 

• 修改内容如下

   
       DocumentRoot /var/www/html
       ErrorLog ${APACHE_LOG_DIR}/error.log
       CustomLog ${APACHE_LOG_DIR}/access.log combined
       SSLEngine on
       SSLCertificateFile /etc/apache2/ssl/apache.crt                     ***** 需要修改部分
       SSLCertificateKeyFile /etc/apache2/ssl/apache.key             ***** 需要修改部分
       
                       SSLOptions +StdEnvVars
       
       
                       SSLOptions +StdEnvVars
       
       BrowserMatch "MSIE [2-6]" \
                       nokeepalive ssl-unclean-shutdown \
                       downgrade-1.0 force-response-1.0
       BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
   

2.6，启用配置

root@wsc-d-saopaulo:/etc/apache2/sites-available# a2ensite default-ssl.conf
Enabling site default-ssl.
To activate the new configuration, you need to run:
  systemctl reload apache2
root@wsc-d-saopaulo:/etc/apache2/sites-available# 

重启Apache服务
/etc/init.d/apache2 restart