Linux下ssl+http 实现 HTTPS 访问服务器设置

yum install httpd php
1.配置CA服务器
vim /etc/pki/tls/openssl.cnf
修改第45行,更改存放证书目录
dir   = ../../CA
dir   = /etc/CA
修改第178行,让服务器支持自签名
#basicConstraints=CA:FALSE
自签名的证书可以使用
basicConstraints=CA:TRUE
cd /etc/pki/CA
配置生成CA证书脚本 42行
vim /etc/pki/tls/misc/CA
CATOP=../../CA
CATOP=/etc/CA

运行脚本生成CA证书
/etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) 回车

Making CA certificate ...
Generating a 1024 bit RSA private key
.++++++
....................................................................................++++++
writing new private key to '/etc/CA/private/./cakey.pem'
Enter PEM pass phrase: 输入保护密码 111111
Verifying - Enter PEM pass phrase: 确认密码 111111
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:school
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:server11.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/./cakey.pem:111111
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number: 0 (0x0)
       Validity
           Not Before: Jul 17 01:20:16 2013 GMT
           Not After : Jul 16 01:20:16 2016 GMT
       Subject:
           countryName               = CN
           stateOrProvinceName       = BEIJING
           organizationName          = school
           organizationalUnitName    = it
           commonName                = server11.com
           emailAddress              = [email protected]
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:TRUE
           Netscape Comment:
               OpenSSL Generated Certificate
           X509v3 Subject Key Identifier:
               37:A5:4E:79:72:DF:51:1A:EF:9D:43:D1:9C:2E:24:92:70:D3:FF:64
           X509v3 Authority Key Identifier:
               keyid:37:A5:4E:79:72:DF:51:1A:EF:9D:43:D1:9C:2E:24:92:70:D3:FF:64

Certificate is to be certified until Jul 16 01:20:16 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

配置web服务器 生成web自己的私钥
openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
........++++++++++++
......++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key: 111111
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 111111
(使用身份标识+公钥)生成证书请求
openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:111111
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:school
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:server11.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

将证书请求发送给CA

CA服务器对证书请求进行数字签名
openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt
/etc/CA/private/cakey.pem ca私钥
/tmp/server.csr 证书请求
/etc/CA/cacert.pem ca证书
/tmp/server.crt 数字证书名字
/etc/httpd/conf.d web私钥

报错:
failed to update database
TXT_DB error number 2
解决:
cd /etc/CA 修改yes为no
vim index.txt.attr
unique_subject = yes
unique_subject = no

将签名后的数字证书颁发给web服务器
cp /tmp/server.crt /etc/httpd/conf.d/

配置web支持ssl实现https
yum install mod_ssl
vim /etc/httpd/conf.d/ssl.conf
修改112行 数字证书签名
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateFile /etc/httpd/conf.d/server.crt
修改119行 web私钥
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLCertificateKeyFile /etc/httpd/conf.d/server.key

启动 httpd 服务
service httpd restart
输入密码
验证安全可信度
把/etc/CA/private/cakey.pem 文件复制到ftp
下在后把此文件导入到浏览器
火狐 编辑 配置 高级 查看证书 导入 找到ca证书 选三个勾 ok

你可能感兴趣的:(linux,http,服务器,ssl,https,证书,private,create)