Environment: CentOS 6.8. Setting up the CA requires OpenSSL to be installed on the server.
IP plan: CA 172.17.9.150, Apache 172.17.9.151

Create the directory that holds the CA private key: mkdir -p /etc/pki/CA/private

Generate the private key, with permissions restricted to its owner (the umask 077 makes the file 0600):
( umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048 )

Create the self-signed CA certificate:
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 1000

req: generate a certificate signing request;
-x509: output a self-signed certificate instead of a request;
-days n: validity period of the certificate in days;
-new: new request;
-key /path/to/keyfile: private key file to use;
-out /path/to/somefile: output file.

cacert.pem is the public certificate that clients must import as a trusted root in order to accept certificates issued by this CA; cakey.pem never leaves the CA host.

Initialise the CA's working files:
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo 01 > /etc/pki/CA/serial

index.txt: the CA database; openssl ca records the serial number and subject of every certificate it issues here;
serial: the serial number of the next certificate; set it only once, before the first certificate is issued (openssl ca increments it after each signing).
-------------------------------------------- Steps on the node (Apache) server --------------------------------------------

Change into the Apache installation directory /usr/local/apache24/
Create a directory for the key and certificate: mkdir ssl

Create the server key:
( umask 077 ; openssl genrsa -out /usr/local/apache24/ssl/httpd.key 2048 )

Generate the certificate signing request (the Common Name you enter at the prompt must be the site's host name, www.testca.com in the virtual host configured below):
openssl req -new -key /usr/local/apache24/ssl/httpd.key -out /usr/local/apache24/ssl/httpd.csr

Send the request to the CA server for signing (the csr directory must already exist on the CA host; create it with mkdir if it does not):
scp httpd.csr 172.17.9.150:/etc/pki/CA/csr/

On the CA, sign the request:
openssl ca -in /etc/pki/CA/csr/httpd.csr -out /etc/pki/CA/httpd.crt -days 1000

Note that with the default policy in /etc/pki/tls/openssl.cnf (policy_match), signing fails unless the request's Country, State and Organization fields match those of the CA certificate, so answer those prompts identically on both hosts. openssl ca also keeps a copy of each issued certificate under /etc/pki/CA/newcerts.

Send the signed certificate back to the requester (the user name in the original command was lost in extraction; use the account you log in with on the Apache host):
scp httpd.crt <user>@172.17.9.151:/usr/local/apache24/ssl
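The CA initialisation and the signing steps above, rehearsed end to end as an added example (this is not code from the original post): the script builds the same layout as /etc/pki/CA inside a scratch directory, so it runs without root and without depending on the system openssl.cnf, and it answers the prompts with -subj and -batch. The config it writes uses policy_anything rather than the CentOS default policy_match, which is the point where signing usually fails when the CSR's C/ST/O fields differ from the CA's. Every path, subject and file name is constructed for the example; only the openssl command line tool is assumed.

```shell
#!/bin/sh
# Added example, not code from the original post: rehearse the full flow
# (CA setup, node CSR, CA signing) in a scratch directory that mirrors the
# /etc/pki/CA layout. Assumes the openssl command line tool is installed;
# every path, subject and file name below is constructed for the example.
set -e

# Minimal openssl config for the CA. "openssl ca" needs index.txt, serial
# and new_certs_dir (newcerts) to exist; the post creates the first two.
# policy_anything replaces the CentOS default policy_match, which refuses a
# CSR whose C/ST/O fields differ from the CA's.
write_config() {
    ca=$1
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 1000
policy = policy_anything
x509_extensions = v3_server
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# CA side: key created under umask 077 (so it is 0600), self-signed CA
# certificate, then the index/serial files, as in the post.
ca_init() {
    ca=$1
    mkdir -p "$ca/private" "$ca/newcerts" "$ca/csr"
    write_config "$ca"
    ( umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null )
    openssl req -new -x509 -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -days 1000 -config "$ca/openssl.cnf" -extensions v3_ca -subj "/CN=Lab CA"
    touch "$ca/index.txt"
    echo 01 > "$ca/serial"
}

# Node side: server key and CSR; the CN must equal the vhost ServerName.
node_csr() {
    dir=$1; cn=$2; cnf=$3
    mkdir -p "$dir"
    ( umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/httpd.key" -out "$dir/httpd.csr" \
        -config "$cnf" -subj "/CN=$cn"
}

# CA side: sign the CSR. -batch answers the "Sign the certificate?" prompts;
# openssl ca then bumps serial and appends a line to index.txt.
ca_sign() {
    ca=$1; csr=$2; out=$3
    openssl ca -batch -config "$ca/openssl.cnf" -in "$csr" -out "$out" \
        -days 1000 >/dev/null 2>&1
}

# True when the certificate's issuer CN is the given name.
issued_by() {
    openssl x509 -in "$1" -noout -issuer | grep -q "CN *= *$2\$"
}

# Number of certificates recorded in the CA database.
issued_count() {
    wc -l < "$1/index.txt" | tr -d ' '
}

# Serial the CA will use next (incremented by openssl ca after each signing).
next_serial() {
    cat "$1/serial"
}

demo() {
    t=$(mktemp -d)
    ca_init "$t/ca"
    node_csr "$t/node" www.testca.com "$t/ca/openssl.cnf"
    ca_sign "$t/ca" "$t/node/httpd.csr" "$t/node/httpd.crt"
    openssl x509 -in "$t/node/httpd.crt" -noout -subject -issuer -dates
    echo "next serial: $(next_serial "$t/ca"), issued: $(issued_count "$t/ca")"
    rm -rf "$t"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as sh ca_lab.sh demo to see the issued certificate's subject, issuer and validity, the serial file advanced to 02 and one entry in index.txt. The v3_server extension section is what turns the signed file into a usable server certificate (CA:FALSE, serverAuth); the post's default-config run produces a valid but extension-free certificate.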
----------------------------
Configure Apache for HTTPS:

In httpd.conf, enable the mod_socache_shmcb.so and mod_ssl.so modules by uncommenting their LoadModule lines (this setup uses Apache 2.4).
Set ServerName; otherwise httpd prints a warning at startup. It does not affect operation, but it is annoying to see.
Uncomment these two lines:
Include conf/extra/httpd-vhosts.conf
Include conf/extra/httpd-ssl.conf

Edit httpd-ssl.conf so it points at the node's key and signed certificate:
SSLCertificateKeyFile "/usr/local/apache24/ssl/httpd.key"
SSLCertificateFile "/usr/local/apache24/ssl/httpd.crt"

Configure the virtual host:
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /usr/local/apache24/ssl/httpd.crt
SSLCertificateKeyFile /usr/local/apache24/ssl/httpd.key
# placeholder: the contact address was lost in extraction
ServerAdmin webmaster@www.testca.com
DocumentRoot /data/www/web3/subject/n1/n3/
ServerName www.testca.com
<Directory "/data/www/web3/subject/n1/n3/">
Options -Indexes +FollowSymLinks
AllowOverride none
Require all granted
</Directory>
ErrorLog "logs/dummy-host.example.com-error_log"
CustomLog "logs/dummy-host.example.com-access_log" common
</VirtualHost>
Restart the httpd service.

In practice, most sites also need plain-HTTP requests on port 80 redirected to 443, which requires a second virtual host (mod_rewrite must be loaded in httpd.conf for RewriteEngine to work). The pattern is ^/?(.*)$ rather than ^(.*)$: inside a virtual host the matched path starts with a slash, so capturing it produces a double slash after the host name.
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^/?(.*)$ https://www.testca.com/$1 [R=301,L]
</VirtualHost>
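Before restarting httpd, the checks a practitioner would run on the node against the files the steps above put in place, as an added example that is not part of the original post: it confirms the key and certificate belong together, that the certificate verifies against the CA certificate (this assumes cacert.pem has been copied from the CA host to the node, which the post does not do), that the CN or a SAN entry matches the vhost ServerName, that the certificate is not about to expire, and that the key is still 0600. Only the openssl command line tool is assumed; all paths and the host name are passed in by the caller.

```shell
#!/bin/sh
# Added example, not code from the original post: a pre-restart check for
# the Apache node. It catches the usual reasons httpd refuses to start, or
# clients fail to verify, after key, CSR and certificate were copied around.
# Assumes the openssl command line tool; paths and host name are arguments.
set -e

# The key and certificate must carry the same public key. Comparing the PEM
# SubjectPublicKeyInfo works for RSA and EC keys alike.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# The certificate must verify against the CA certificate (cacert.pem) that
# the clients will import as their trust anchor.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Refuse a certificate that expires within the given number of days.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# The vhost ServerName must appear as the subject CN or as a DNS SAN entry;
# browsers reject the connection otherwise even when the chain is fine.
# (Dots in the name act as regex wildcards, which is acceptable here.)
cert_matches_servername() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -Eq "CN ?= ?$2(,|/|$)|DNS:$2(,|$)"
}

# The private key must be readable only by its owner, which is what the
# post's "umask 077" achieves at creation time.
key_is_private() {
    [ -n "$(find "$1" -perm 0600 -print 2>/dev/null)" ]
}

# Run every check, print one line per result, and return non-zero if any
# failed, so the function can gate the httpd restart in a deploy script.
preflight() {
    key=$1; crt=$2; ca=$3; name=$4; rc=0
    report() {
        if "$@" >/dev/null 2>&1; then echo "ok    $1"; else echo "FAIL  $1"; rc=1; fi
    }
    report key_matches_cert "$key" "$crt"
    report cert_chains_to_ca "$crt" "$ca"
    report cert_not_expiring "$crt" 30
    report cert_matches_servername "$crt" "$name"
    report key_is_private "$key"
    return $rc
}

# Usage: sh preflight.sh check /usr/local/apache24/ssl/httpd.key \
#          /usr/local/apache24/ssl/httpd.crt /path/to/cacert.pem www.testca.com \
#        && apachectl restart
case "${1:-}" in check) shift; preflight "$@" ;; esac
```

A failing key_matches_cert is the classic symptom of signing a CSR from one key and then regenerating httpd.key; a failing cert_matches_servername means the CN typed at the openssl req prompt does not equal the ServerName in the vhost.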