Build your own CA and issue a certificate for a self-built httpd


Earlier related posts:
https://blog.csdn.net/u012271055/article/details/84672691 # covers the directory layout of a yum-installed httpd
https://blog.csdn.net/u012271055/article/details/84675204 # covers building an httpd 2.4 rpm package for use on CentOS 6.x
https://blog.csdn.net/u012271055/article/details/84491365 # covers compiling httpd from source and writing a SysV init script and a systemd unit file
https://blog.csdn.net/u012271055/article/details/84576344 # covers building your own CA and issuing certificates

I. Lab environment

1. The httpd host used in this lab

[root@localhost ~]# cat /etc/redhat-release 
CentOS release 6.5 (Final)
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.32-431.el6.x86_64 #1 SMP Fri Nov 22 03:15:09 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# ifconfig | sed -rn 's/^[[:space:]]+inet addr:(.*)[[:space:]]+Bcast.*$/\1/p'
192.168.56.96 
# httpd version (the httpd 2.4 rpm package I built earlier, used on CentOS 6.x)
[root@localhost ~]# httpd -v
Server version: Apache/2.4.37 (Unix)
Server built:   Dec  1 2018 18:17:27

PS: to follow this section you need some basic HTTP knowledge and familiarity with httpd configuration syntax. Here I only give a simple demonstration of building a CA and then configuring httpd to use its certificate.

2. The CA host

[root@localhost ~]# cat /etc/redhat-release 
CentOS release 6.10 (Final)
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.32-754.el6.x86_64 #1 SMP Tue Jun 19 21:26:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]# ifconfig | sed -rn 's/^[[:space:]]+inet addr:(.*)[[:space:]]+Bcast.*$/\1/p'
192.168.56.98 

II. Brief notes on httpd's SSL configuration

Reference (official documentation index):
Chinese: http://httpd.apache.org/docs/current/ssl/
English: http://httpd.apache.org/docs/current/en/ssl/

Notes:
The Apache HTTP Server module mod_ssl provides an interface to OpenSSL; it uses the Secure Sockets Layer and Transport Layer Security protocols to provide strong encryption.

(1) Basic configuration example:

LoadModule ssl_module modules/mod_ssl.so

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

Listen directive syntax:
	Listen [IP-address:]portnumber [protocol]
a> Omitting the IP address means 0.0.0.0;
b> The Listen directive may appear more than once;
c> A change to the listening socket only takes effect after the service process is restarted;
d> To require SSL on that socket, set protocol to https;
e> If the trailing protocol argument is omitted, the default is http on the standard port 80 and https on the standard port 443.
To run https on a non-standard port, the protocol must be given explicitly, for example:
Listen 192.170.2.1:8443 https

<VirtualHost *:443>
</VirtualHost>
These two lines form a pair; I won't go into this block in detail here. *:443 means listen on port 443 on every interface.

ServerName directive syntax:
	ServerName [scheme://]domain-name|ip-address[:port]

SSLCertificateFile specifies the certificate used for a given domain name;
SSLCertificateKeyFile specifies the private key that matches that certificate.

(2) Contents of the bundled default httpd-ssl.conf

[root@localhost extra]# grep -Ev '^#|^$' /etc/httpd/conf/extra/httpd-ssl.conf 
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on 
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName www.example.com:443
ServerAdmin [email protected]
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"
SSLEngine on
SSLCertificateFile "/etc/httpd/conf/server.crt"
SSLCertificateKeyFile "/etc/httpd/conf/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>     

(3) By default both the ssl module and the ssl site are commented out

[root@localhost extra]# grep -E 'mod_ssl.so|httpd-ssl' /etc/httpd/conf/httpd.conf 
#LoadModule ssl_module lib64/httpd/modules/mod_ssl.so
#Include /etc/httpd/conf/extra/httpd-ssl.conf

III. Build the CA and issue the certificate

No separate private-key generation step: the key is created in the same command as the self-signed certificate or the certificate signing request.
The following steps are run on the CA host:
(1) Generate the self-signed CA certificate (this also generates the private key it needs)

[root@localhost ~]# (umask 077;openssl req -x509 -newkey rsa:4096 -nodes -keyout /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655)
Generating a 4096 bit RSA private key
...............................................++
...............................................................++
writing new private key to '/etc/pki/CA/private/cakey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FuJian
Locality Name (eg, city) [Default City]:FuZhou
Organization Name (eg, company) [Default Company Ltd]:yanhui
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.yanhui.com
Email Address []:[email protected]
[root@localhost ~]# ls -l /etc/pki/CA/private/cakey.pem
-rw-------. 1 root root 3272 Dec  1 19:59 /etc/pki/CA/private/cakey.pem
[root@localhost ~]# ls -l /etc/pki/CA/cacert.pem 
-rw-------. 1 root root 2106 Dec  1 19:59 /etc/pki/CA/cacert.pem
[root@localhost ~]# file /etc/pki/CA/cacert.pem
/etc/pki/CA/cacert.pem: ASCII text
[root@localhost ~]# file /etc/pki/CA/private/cakey.pem
/etc/pki/CA/private/cakey.pem: ASCII text

Explanation of the options used:
    -x509 produces a self-signed certificate instead of a certificate request
    -newkey rsa:4096 creates a new certificate request together with a new 4096-bit RSA private key
    -nodes leaves the generated private key unencrypted (no passphrase)
    -keyout sets the path and name of the private key; it must match the CA private key path in the default configuration file
    -out sets the path and name of the new CA certificate; it must match the CA certificate path in the default configuration file
    -days sets the validity of the CA's self-signed certificate, here 3655 days

(2) Create the directories and files the CA needs

[root@localhost ~]# mkdir -p /etc/pki/CA/{certs,crl,newcerts}
[root@localhost ~]# touch /etc/pki/CA/{serial,index.txt}
[root@localhost ~]# echo 01 > /etc/pki/CA/serial 
[root@localhost ~]# 

The following steps are run on the web host:
(1) Generate the certificate signing request (this also generates the private key)

[root@localhost tmp]# (umask 077;openssl req -newkey rsa:2048 -nodes -keyout /var/tmp/httpd.key -out /var/tmp/httpd.csr -days 365)
Generating a 2048 bit RSA private key
..+++
.............+++
writing new private key to '/var/tmp/httpd.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:FuJian
Locality Name (eg, city) [Default City]:FuZhou
Organization Name (eg, company) [Default Company Ltd]:yanhui
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.yanhui.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost tmp]# 

(2) Transfer the CSR file to the CA host with a tool such as ftp, scp or rsync

[root@localhost tmp]# scp -P22 -p /var/tmp/httpd.csr [email protected]:/var/tmp/
The authenticity of host '192.168.56.98 (192.168.56.98)' can't be established.
RSA key fingerprint is f7:2d:c2:e7:a5:0c:7b:4e:da:91:f8:65:9a:d4:5f:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.98' (RSA) to the list of known hosts.
[email protected]'s password: 
httpd.csr                                                                                                                        100% 1054     1.0KB/s   00:00    
[root@localhost tmp]# 

The following steps are run on the CA host:
(1) Sign the certificate request on the CA host, then make the certificate available for the web host to download or push it to the web host

[root@localhost tmp]# openssl ca -in /var/tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec  1 12:18:24 2018 GMT
            Not After : Dec  1 12:18:24 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = FuJian
            organizationName          = yanhui
            organizationalUnitName    = ops
            commonName                = www.yanhui.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                B2:C8:5F:A0:34:F9:76:E6:57:0D:1C:1E:A3:1B:61:AF:27:7D:6A:E6
            X509v3 Authority Key Identifier: 
                keyid:97:FB:AE:F0:F5:B4:97:4D:BD:A0:00:E7:48:DB:3C:1C:1D:71:7D:68

Certificate is to be certified until Dec  1 12:18:24 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

(2) Transfer the signed certificate to the web server

[root@localhost tmp]# scp -P22 -p /etc/pki/CA/certs/httpd.crt [email protected]:/var/tmp/
The authenticity of host '192.168.56.96 (192.168.56.96)' can't be established.
RSA key fingerprint is 33:7f:49:19:73:6e:7a:f4:f1:36:23:e3:92:0e:8a:16.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.96' (RSA) to the list of known hosts.
[email protected]'s password: 
httpd.crt                                                                                                                        100% 5862     5.7KB/s   00:00    
[root@localhost tmp]# 
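The CA-host and web-host steps above, as an added example that is not part of the original post: one shell script that runs the CA setup, the CSR, the signing and a verification pass non-interactively in a scratch directory, so it can be tried without touching /etc/pki/CA. The minimal openssl.cnf it writes, the scratch-path argument and the DNS subjectAltName in the CSR are my assumptions, not from the post; the SAN is what modern browsers match, the CN alone is not enough.

```shell
#!/bin/sh
# Added example, not the post's commands: CA -> CSR -> sign -> verify, non-interactive, in a scratch dir (the DNS SAN is an addition).
set -eu
build_ca_and_sign() {
    work="$1"; ca="$work/CA"                     # scratch copy of the /etc/pki/CA layout
    mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts"
    touch "$ca/index.txt"; echo 01 > "$ca/serial"
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
copy_extensions = copy
x509_extensions = v3_srv
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_srv ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ san ]
subjectAltName = DNS:www.yanhui.com
EOF
    # CA host: self-signed CA certificate; umask 077 keeps cakey.pem owner-only, as in the post
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -days 3655 -config "$work/ca.cnf" -extensions v3_ca \
        -subj "/C=CN/O=yanhui/CN=ca.yanhui.com" -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null)
    # web host: private key plus CSR; the CSR carries the DNS SAN that browsers match (CN alone is not enough)
    (umask 077; openssl req -newkey rsa:2048 -nodes -config "$work/ca.cnf" -reqexts san \
        -subj "/C=CN/O=yanhui/CN=www.yanhui.com" -keyout "$work/httpd.key" -out "$work/httpd.csr" 2>/dev/null)
    # CA host: sign the request; -batch answers the two y/n prompts shown in the post
    openssl ca -batch -config "$work/ca.cnf" -days 365 -notext -in "$work/httpd.csr" -out "$ca/certs/httpd.crt"
    # before the certificate is copied to the web host: it must chain to the CA and carry the SAN
    openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/httpd.crt" >/dev/null
    openssl x509 -in "$ca/certs/httpd.crt" -noout -text | grep -q "DNS:www.yanhui.com"
}
if [ $# -ge 1 ]; then build_ca_and_sign "$1"; fi    # usage: sh ca_flow.sh /path/to/scratch/dir
```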

IV. Configure it on the httpd site and test access over https

(1) Enable the ssl module and uncomment the Include of httpd-ssl.conf

[root@localhost tmp]# ls -l /etc/httpd/modules/mod_ssl.so 
-rwxr-xr-x 1 root root 227928 Dec  1 18:19 /etc/httpd/modules/mod_ssl.so
[root@localhost tmp]# ls -ld /etc/httpd
drwxr-xr-x 4 root root 4096 Dec  1 18:48 /etc/httpd
[root@localhost tmp]# ls -l /etc/httpd
total 8
drwxr-xr-x 4 root root 4096 Dec  1 20:27 conf
drwxr-xr-x 2 root root 4096 Dec  1 18:18 conf.d
lrwxrwxrwx 1 root root   19 Dec  1 18:48 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root   29 Dec  1 18:48 modules -> ../../usr/lib64/httpd/modules
lrwxrwxrwx 1 root root   13 Dec  1 18:48 run -> ../../var/run
[root@localhost tmp]# ls -l /usr/lib64/httpd/modules/mod_ssl.so 
-rwxr-xr-x 1 root root 227928 Dec  1 18:19 /usr/lib64/httpd/modules/mod_ssl.so

[root@localhost tmp]# grep -E 'mod_ssl|httpd-ssl' /etc/httpd/conf/httpd.conf 
LoadModule ssl_module lib64/httpd/modules/mod_ssl.so
Include /etc/httpd/conf/extra/httpd-ssl.conf
#       but a statically compiled-in mod_ssl.

(2) Create the directory for the certificate and private key

[root@localhost tmp]# mkdir -pv /etc/httpd/ssl_key
mkdir: created directory `/etc/httpd/ssl_key'
[root@localhost tmp]# ls -l /etc/httpd/ssl_key/
total 0
[root@localhost tmp]# cp -a /var/tmp/httpd.* /etc/httpd/ssl_key/
[root@localhost tmp]# ls -l
total 20
-rw-r--r--  1 root root 5862 Dec  1 20:18 httpd.crt
-rw-------  1 root root 1054 Dec  1 20:12 httpd.csr
-rw-------  1 root root 1704 Dec  1 20:12 httpd.key
drwx------. 2 root root 4096 Dec  1 18:40 yum-root-K6gOZI
PS: make sure the user that the httpd processes run as can access the certificate; for the private key, read permission is enough (it must not be executable, and only the owner should have any permission).

(3) Write the ssl configuration

# create the document root for our ssl site, then write a default test index page
[root@localhost html]# cd /var/www/
[root@localhost www]# ls
cgi-bin  error  html  icons  manual
[root@localhost www]# mkdir ssl_atop
[root@localhost www]# cat ssl_atop/index.html 
<html><body><h1>SSL test Successfully!</h1></body></html>

# keep a copy of the default template file, then empty it and fill in our own configuration
[root@localhost www]# cp /etc/httpd/conf/extra/httpd-ssl.conf{,.bak}
[root@localhost www]# >/etc/httpd/conf/extra/httpd-ssl.conf

[root@localhost www]# cat /etc/httpd/conf/extra/httpd-ssl.conf
Listen 443 https

<VirtualHost *:443>
DocumentRoot "/var/www/ssl_atop"
SSLEngine on
ServerName www.yanhui.com
SSLCertificateFile "/etc/httpd/ssl_key/httpd.crt"
SSLCertificateKeyFile "/etc/httpd/ssl_key/httpd.key"
#SSLCACertificateFile "/etc/httpd/ssl_key/"
<Directory "/var/www/ssl_atop">
    Require all granted
</Directory>
</VirtualHost>

# because the domain name is simulated, we add a domain-to-IP mapping to /etc/hosts
[root@localhost www]# echo "192.168.56.96 www.yanhui.com" >>/etc/hosts
[root@localhost www]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.56.96 www.yanhui.com

# check the httpd configuration syntax, then start the service
[root@localhost www]# service httpd configtest
Syntax OK
[root@localhost www]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@localhost www]# ss -nltu
Netid State      Recv-Q Send-Q                                               Local Address:Port                                                 Peer Address:Port 
tcp   LISTEN     0      128                                                             :::80                                                             :::*     
tcp   LISTEN     0      128                                                             :::22                                                             :::*     
tcp   LISTEN     0      128                                                              *:22                                                              *:*     
tcp   LISTEN     0      100                                                            ::1:25                                                             :::*     
tcp   LISTEN     0      100                                                      127.0.0.1:25                                                              *:*     
tcp   LISTEN     0      128                                                             :::443                                                            :::*   
[root@localhost www]# ps aux|grep httpd
root       1779  0.0  0.3 107676  3660 ?        Ss   20:49   0:00 /usr/sbin/httpd
daemon     1781  0.0  0.4 452068  4892 ?        Sl   20:49   0:00 /usr/sbin/httpd
daemon     1782  0.0  0.4 452068  4896 ?        Sl   20:49   0:00 /usr/sbin/httpd
daemon     1783  0.0  0.4 452068  4896 ?        Sl   20:49   0:00 /usr/sbin/httpd
root       1867  0.0  0.0 103260   876 pts/1    S+   20:49   0:00 grep httpd
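A pre-restart check for the web host, as an added example that is not from the post: before `service httpd restart` it confirms the permission note in step (2), that httpd.crt really belongs to httpd.key, that the certificate chains to the CA's cacert.pem the browser will trust, and that it is valid for the ServerName. The function name and argument order are my own; `-checkhost` needs OpenSSL 1.0.2 or newer, so it won't run on the CentOS 6 OpenSSL shown above.

```shell
#!/bin/sh
# Added example, not from the post: checks on the files copied into /etc/httpd/ssl_key,
# run before restarting httpd. Assumes OpenSSL 1.0.2+ (for -checkhost).
set -eu
# check_ssl_files CERT KEY CACERT SERVERNAME -> returns 0 only if every check passes
check_ssl_files() {
    cert="$1"; key="$2"; cacert="$3"; name="$4"
    # 1) the private key must be readable by its owner only: no group/other bits, no exec bit
    case "$(ls -l "$key" | cut -c2-10)" in
        rw-------) ;;
        *) echo "bad mode on $key: $(ls -l "$key" | cut -c1-10)"; return 1 ;;
    esac
    # 2) the certificate must belong to this key: the public key inside both must be identical
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "$cert does not match $key"; return 1; }
    # 3) the certificate must chain to the CA certificate the browser is going to trust
    openssl verify -CAfile "$cacert" "$cert" >/dev/null || return 1
    # 4) the name must match ServerName (SAN first, CN as fallback) or the browser still warns
    openssl x509 -in "$cert" -noout -checkhost "$name" | grep -q "does match" \
        || { echo "$cert is not valid for $name"; return 1; }
}
# usage: sh check_ssl.sh /etc/httpd/ssl_key/httpd.crt /etc/httpd/ssl_key/httpd.key cacert.pem www.yanhui.com
if [ $# -eq 4 ]; then check_ssl_files "$@"; fi
```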

(4) Copy the CA certificate to a Windows machine and install it into the trusted CA store
If Windows doesn't recognise the .pem extension, rename it to .crt.

Choose "Install Certificate" on the General tab:

# The dialog above is a security warning asking whether to install a CA certificate whose origin cannot be verified; since this CA is our own, just confirm.


Once the import succeeds, that's it.

Then add a domain-to-IP mapping line to the Windows hosts file:
Path: C:\Windows\System32\drivers\etc

Then test with Internet Explorer. Chrome and Firefox have built-in security modules with stricter checks, and a self-built CA apparently doesn't pass, so use the bundled IE to test access:



Reposted from blog.csdn.net/u012271055/article/details/84677454