#CA生成一对密钥
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# ls
certs crl newcerts private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
............................+++
e is 65537 (0x10001)
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4f3NOf/sGr3QEWGShWNP
4xoJPNYpsoBhUuRSPGRmuSYiJCtxplDVTNzUCLssKCCdl2sM3ijBa+Pelju3w8a5
iq9LgAVYKNsOjCdyN5PsAroQRAmdHANPlRfnJj/u3tNRKDlEP7pEuI1nKzZyykkU
ION1ni7o+d4D41nO9UkheK6ds6YbyCvRoIl+yqv6WtpV6UUgRMOIlXv9kYjMIBj4
Qa6SYNm6kMm+R8aLI8hzzdrRte2bFfvPmKYC3nMrPekS0HW7G0alYlyZIb/X9DUs
UB9tG2v++UA7ZqW1tZkiP50peNumcWSP/MNIftKP1z0z/3IPvJHLeMDHOJk2xJrJ
ywIDAQAB
-----END PUBLIC KEY-----
#CA生成自签署证书(下面的命令未指定 -days,openssl req -x509 默认签发的证书有效期只有 30 天,需要更长有效期时应显式加上 -days)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:runtime.example.com
Organizational Unit Name (eg, section) []:runtime.example.com
Common Name (eg, your name or your server's hostname) []:runtime.example.com
Email Address []:1@2.com
[root@localhost CA]# openssl x509 -text -in cacert.pem
内容省略....
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@localhost CA]# cat serial
01
#服务端生成密钥
[root@whb ~]# cd /etc/httpd24 && mkdir ssl && cd ssl
[root@whb ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
........................................................................+++
.....................................................................................+++
e is 65537 (0x10001)
[root@whb ssl]#
#服务端生成证书签署请求(CSR 本身不含有效期,这里的 -days 参数不起作用;证书有效期由后面 CA 签署时的 -days 决定)
[root@whb ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:runtime.example.com
Organizational Unit Name (eg, section) []:runtime.example.com
Common Name (eg, your name or your server's hostname) []:runtime.example.com
Email Address []:1@2.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#服务端把证书签署请求文件发送给CA(只传 httpd.csr,私钥 httpd.key 留在服务端,不要外传)
服务端:
[root@whb ssl]# scp httpd.csr root@192.168.86.137:/root
root@192.168.86.137's password:
httpd.csr 100% 1082 26.4KB/s 00:00
[root@whb ssl]#
客户端:
[root@localhost CA]# cd
[root@localhost ~]# ls
1 3.sh apr-1.6.5.tar.gz cai.sh httpd-2.4.38.tar.bz2 program.sh
1.sh anaconda-ks.cfg apr-util-1.6.1 db-backup.sh httpd.csr shu.sh
2.sh apr-1.6.5 apr-util-1.6.1.tar.bz2 httpd-2.4.38 mkuser.sh whb
[root@localhost ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
[root@localhost ~]# ls
1 3.sh apr-1.6.5.tar.gz cai.sh httpd-2.4.38.tar.bz2 mkuser.sh whb
1.sh anaconda-ks.cfg apr-util-1.6.1 db-backup.sh httpd.crt program.sh
2.sh apr-1.6.5 apr-util-1.6.1.tar.bz2 httpd-2.4.38 httpd.csr shu.sh
#签署服务端提交上来的证书
[root@localhost ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
[root@localhost ~]# ls
1 3.sh apr-1.6.5.tar.gz cai.sh httpd-2.4.38.tar.bz2 mkuser.sh whb
1.sh anaconda-ks.cfg apr-util-1.6.1 db-backup.sh httpd.crt program.sh
2.sh apr-1.6.5 apr-util-1.6.1.tar.bz2 httpd-2.4.38 httpd.csr shu.sh
#把签署好的证书httpd.crt发给服务端
客户端:
[root@localhost ~]# scp httpd.crt root@192.168.86.138:/root/
httpd.crt 100% 4718 193.2KB/s 00:00
[root@localhost ~]#
服务端:
[root@whb ~]# ls
1 2 3 anaconda-ks.cfg httpd-2.4.38 httpd-2.4.38.tar.bz2 httpd.crt httpd.csr lol upload
[root@whb ~]# mv httpd.crt /etc/httpd24/ssl/
[root@whb ~]# cd /etc/httpd24/ssl
[root@whb ssl]# ls
httpd.crt httpd.csr httpd.key
[root@whb ssl]#
#ssl配置(httpd.crt 由自建 CA 签发,客户端需要先信任 cacert.pem 才能通过证书校验):
[root@100 ~]# vim /etc/httpd24/extra/httpd-ssl.conf
/DocumentRoot //搜索
修改为以下内容:
DocumentRoot "/usr/local/apache/htdocs/runtime"
ServerName runtime.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/runtime.example.com-error_log"
TransferLog "/usr/local/apache/logs/runtime.example.com-access_log"
紧接着将
SSLCertificateFile "/etc/httpd24/server.crt" 改为 SSLCertificateFile "/etc/httpd24/ssl/httpd.crt"
SSLCertificateKeyFile "/etc/httpd24/server.key" 改为 SSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key"
#检查是否有语法错误(下面直接执行了 restart;如需先单独做语法检查,可先执行 apachectl -t 再重启)
[root@whb ~]# cd /etc/httpd24
[root@100 httpd24]# apachectl restart
来源:51CTO
作者:wx5e782fbb12ee3
链接:https://blog.51cto.com/14763231/2483864