Building an HTTPS server with OpenSSL

    1. Set up the web environment

    I install httpd here by compiling it from source. For details, see my other post: http://www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_linux_18_httpd.html

    1. Prepare the certificates

    For details, see my other article: http://www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_linux_011_ca.html

    1.1 Create the required directories and files

    [root@localhost CA]# mkdir csr crl newcerts
    [root@localhost CA]# touch index.txt serial
    [root@localhost CA]# echo 01 >serial

    1.2 Change the default settings

    [root@localhost CA]# vim /etc/pki/tls/openssl.cnf 
    # Edit the following lines to set the default country, province, city, organization name and department name
    countryName_default             = CN
    stateOrProvinceName_default     = HeNan
    localityName_default    = ZhengZhou
    organizationName_default        = ZKYT
    organizationalUnitName_default  = Tech  

    1.3 Generate the self-signed CA certificate

    [root@localhost CA]# (umask 077;openssl  genrsa -out private/cakey.pem 2048)
    Generating RSA private key, 2048 bit long modulus
    ........................................................................................................................................+++
    ...+++
    e is 65537 (0x10001)
    [root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [HeNan]:
    Locality Name (eg, city) [ZhengZhou]:
    Organization Name (eg, company) [ZKYT]:
    Organizational Unit Name (eg, section) [Tech]:
    Common Name (eg, your name or your server's hostname) []:ca.linuxpanda.com
    Email Address []:

    1.4 Create a certificate request

    Here we create a certificate request for the web server.

    [root@localhost CA]# cd /etc/httpd
    [root@localhost httpd]# ls
    extra  httpd.conf  magic  mime.types  original
    [root@localhost httpd]# mkdir ssl
    [root@localhost httpd]# cd ssl
    [root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
    Generating RSA private key, 2048 bit long modulus
    ..............+++
    ..............................................................+++
    e is 65537 (0x10001)
    [root@localhost ssl]# openssl req -new -key httpd.key -out 192.168.168.20.httpd.csr -days 365
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [CN]:
    State or Province Name (full name) [HeNan]:
    Locality Name (eg, city) [ZhengZhou]:
    Organization Name (eg, company) [ZKYT]:
    Organizational Unit Name (eg, section) [Tech]:
    Common Name (eg, your name or your server's hostname) []:www.linuxpanda.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    1.5 Copy the certificate request to the CA server

    [root@localhost ssl]# scp 192.168.168.20.httpd.csr  root@192.168.40.152:/tmp
    The authenticity of host '192.168.40.152 (192.168.40.152)' can't be established.
    RSA key fingerprint is 84:8d:9e:44:bf:41:15:6a:6d:2f:cd:04:76:c9:fd:55.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.40.152' (RSA) to the list of known hosts.
    192.168.168.20.httpd.csr                                                                                           100% 1009     1.0KB/s   00:00    

    1.6 The CA server signs the certificate

    [root@localhost CA]# openssl ca -in /tmp/192.168.168.20.httpd.csr -out 192.168.168.20.crt 
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Dec 31 15:16:46 2015 GMT
                Not After : Dec 30 15:16:46 2016 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = HeNan
                organizationName          = ZKYT
                organizationalUnitName    = Tech
                commonName                = www.linuxpanda.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    78:43:F1:F9:96:66:8C:47:B6:E1:EB:AF:D4:86:AC:D9:80:71:EB:86
                X509v3 Authority Key Identifier: 
                    keyid:F4:20:54:DD:76:3D:21:EC:10:17:C5:BA:7C:53:C2:2F:11:A8:30:17
    
    Certificate is to be certified until Dec 30 15:16:46 2016 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    1.7 Send the certificate back to the web server

    [root@localhost CA]# scp 192.168.168.20.crt root@192.168.168.20:/tmp
    The authenticity of host '192.168.168.20 (192.168.168.20)' can't be established.
    RSA key fingerprint is 84:8d:9e:44:bf:41:15:6a:6d:2f:cd:04:76:c9:fd:55.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.168.20' (RSA) to the list of known hosts.
    root@192.168.168.20's password: 
    192.168.168.20.crt                                                                                                 100% 4462     4.4KB/s   00:00    
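    The following script is an added example and is not part of the original post. It reproduces the CA-key, CSR and signing flow of steps 1.3 to 1.7 non-interactively in a scratch directory, then runs the checks an operator wants before handing the files to httpd: that the certificate verifies against the CA, that the private key actually belongs to the certificate, that the hostname is present as a subjectAltName (browsers match on SAN, not on the Common Name alone, so the post's CN-only certificate would still be rejected by current browsers), and that the key file is mode 0600. It uses `openssl x509 -req -CA` in place of `openssl ca` so that no index.txt/serial database is needed, and writes its own small `ca.cnf` so the system openssl.cnf is not modified. The working directory, file names and both hostnames are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduces the CA -> CSR ->
# signed certificate flow of steps 1.3 to 1.7 non-interactively in a scratch
# directory and then checks the result. "openssl x509 -req -CA" stands in for
# "openssl ca" so no index.txt/serial database is needed, and a private
# openssl config (ca.cnf) is written so the system openssl.cnf is not touched.
# Directory, file names and the two hostnames are assumptions.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_CN="ca.linuxpanda.com"        # CA name used in the post
SERVER_CN="www.linuxpanda.com"   # web server name used in the post
DN_PREFIX="/C=CN/ST=HeNan/L=ZhengZhou/O=ZKYT/OU=Tech"   # defaults from step 1.2

build_pki() {
    cd "$WORKDIR"
    # Minimal req config: marks the self-signed cert as a CA explicitly so that
    # "openssl verify" accepts it as a trust anchor regardless of system defaults.
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1.3: CA key (mode 0600 thanks to the umask) and self-signed CA certificate
    (umask 077; openssl genrsa -out cakey.pem 2048 2>/dev/null)
    openssl req -new -x509 -config ca.cnf -key cakey.pem -out cacert.pem \
        -days 3650 -subj "$DN_PREFIX/CN=$CA_CN" 2>/dev/null

    # 1.4: web server key and certificate request (-days is meaningless on a CSR,
    # so it is left out; the lifetime is set when the CA signs)
    (umask 077; openssl genrsa -out httpd.key 2048 2>/dev/null)
    openssl req -new -config ca.cnf -key httpd.key -out httpd.csr \
        -subj "$DN_PREFIX/CN=$SERVER_CN" 2>/dev/null

    # 1.6: sign the request. Browsers match the hostname against subjectAltName,
    # not CN, so the extension is added here (the post's certificate lacks it).
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$SERVER_CN" > server.ext
    openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -out httpd.crt -days 365 -extfile server.ext 2>/dev/null
}

# Chain check: is httpd.crt really signed by the CA in cacert.pem?
verify_chain() {
    openssl verify -CAfile "$WORKDIR/cacert.pem" "$WORKDIR/httpd.crt" >/dev/null 2>&1
}

# Key/cert match: the public key in the certificate must equal the one derived
# from the private key; a mismatch is why httpd refuses to start after a deploy.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORKDIR/httpd.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORKDIR/httpd.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# SAN check: the name the browser connects to must appear as a DNS SAN.
san_contains() {
    openssl x509 -in "$WORKDIR/httpd.crt" -noout -text | grep -qF "DNS:$1"
}

# Private keys must not be group- or world-readable (GNU stat, BSD stat fallback).
key_is_private() {
    mode=$(stat -c %a "$WORKDIR/$1" 2>/dev/null || stat -f %Lp "$WORKDIR/$1")
    [ "$mode" = "600" ]
}

# Usage: sh pki-check.sh demo
if [ "${1:-}" = "demo" ]; then
    build_pki
    verify_chain && key_matches_cert && san_contains "$SERVER_CN" \
        && key_is_private httpd.key && echo "PKI OK in $WORKDIR"
fi
```

    The same four checks can be pointed at the real `/etc/httpd/ssl/httpd.key`, the signed certificate from step 1.7 and the CA's `cacert.pem` by setting `WORKDIR` and skipping `build_pki`; the key/cert comparison in particular catches the common mistake of copying the wrong `.crt` next to a freshly generated key.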

    2. Configure the web server for HTTPS

    2.1 Edit the configuration to enable virtual hosts

    [root@localhost extra]# vim /etc/httpd/extra/httpd-vhosts.conf 
    # Add the following lines
    <VirtualHost 192.168.168.152:80>
        DocumentRoot "/var/www/www.linuxpanda.com"
        ServerName www.linuxpanda.com
    </VirtualHost>
    <Directory /var/www/www.linuxpanda.com>
        Require all granted
    </Directory>

    2.2 Edit the configuration to enable HTTPS

    [root@localhost extra]# vim /etc/httpd/extra/httpd-ssl.conf 
    # Change <VirtualHost _default_:443> to the following
    <VirtualHost 192.168.168.152:443>
    DocumentRoot "/var/www/www.linuxpanda.com"
    ServerName www.linuxpanda.com:443
    ErrorLog "/var/www/www.linuxpanda.com/error_log"
    TransferLog "/var/www/www.linuxpanda.com/access_log"
    # Change the location of httpd's private key and certificate files
    SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
    SSLCertificateFile "/etc/httpd/ssl/httpd.crt"

    2.3 Edit httpd.conf

    [root@localhost extra]# vim /etc/httpd/httpd.conf 
    # Enable the following lines
    Include /etc/httpd24/extra/httpd-vhosts.conf 
    Include /etc/httpd24/extra/httpd-ssl.conf
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
    # Comment out this line
    #DocumentRoot "/usr/local/apache/htdocs"

    2.4 Test the web service

    [root@localhost extra]# apachectl restart
    # On our test machine (a Windows host), add this line to the hosts file
    192.168.168.152 www.linuxpanda.com
    Entering http://192.168.168.152 in the browser shows the www.linuxpanda.com site.
    Entering https://192.168.168.152 in the browser produces a warning: the certificate is not trusted. We need to copy cacert.pem from the CA server to the test machine,
    rename it cacert.crt, double-click it to install it, and choose the Trusted Root Certification Authorities store. Refresh the page and it now loads normally.
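    As an added example (not configuration from the original post), here is the virtual host of section 2 written out as one block, with the plain-HTTP host redirecting to HTTPS, the SSL directives made explicit and the log files moved out of the document root (anything under DocumentRoot can be fetched by a client, and access logs reveal client addresses and request paths). The IP address, hostname and certificate paths follow the post; the log directory and the protocol and cipher settings are assumptions that use standard mod_ssl directives. The signed certificate from step 1.7 lands in /tmp on the web server and has to be moved to the SSLCertificateFile path before httpd is restarted.

```apache
# Added example, not from the original post. Combined virtual host for
# www.linuxpanda.com; log directory and TLS settings are assumptions.
Listen 443

<VirtualHost 192.168.168.152:80>
    ServerName www.linuxpanda.com
    # Send plain-HTTP visitors to the TLS site instead of serving the content twice
    Redirect permanent / https://www.linuxpanda.com/
</VirtualHost>

<VirtualHost 192.168.168.152:443>
    ServerName www.linuxpanda.com:443
    DocumentRoot "/var/www/www.linuxpanda.com"
    # Logs kept outside DocumentRoot so they cannot be downloaded over HTTP(S)
    ErrorLog "/var/log/httpd/www.linuxpanda.com-error_log"
    TransferLog "/var/log/httpd/www.linuxpanda.com-access_log"

    SSLEngine on
    # Private key from step 1.4 (mode 0600) and the certificate signed in step 1.6,
    # copied here from /tmp after step 1.7
    SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
    SSLCertificateFile "/etc/httpd/ssl/httpd.crt"

    # Only TLS 1.2 and newer; SSLv3, TLS 1.0 and TLS 1.1 are disabled
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder on
</VirtualHost>

<Directory /var/www/www.linuxpanda.com>
    Require all granted
</Directory>
```

    Run `apachectl configtest` after editing and before `apachectl restart`; a certificate/key mismatch or a wrong path is reported there rather than taking the running server down.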
    Original article: https://www.cnblogs.com/zhaojiedi1992/p/zhaojiedi_linux_019_https.html