Testing a self-signed certificate in the Apache httpd and nginx configuration files

Consider this a small write-up: I went round in circles on this for several days, so I have organized it for anyone who is just starting out and still confused.

Requesting a certificate:

What the file extensions mean:

  • Certificate: crt (a certificate issued by the CA), pem (the CA server's own self-signed certificate)
  • Private key: key
  • Certificate signing request: csr

I. CA server (192.168.1.110):

1. Generate the CA private key with the following command (the umask keeps the key readable by root only).

[root@MiWiFi-R3-srv pki]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.................................................................................................................................................................................................++
..........................++
e is 65537 (0x10001)

2. Generate the CA's self-signed certificate

[root@MiWiFi-R3-srv pki]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:tengzhou
Organization Name (eg, company) [Default Company Ltd]:mageedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:

3. Create the directories and files the CA needs

[root@MiWiFi-R3-srv pki]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
mkdir: 已创建目录 "/etc/pki/CA/certs"
mkdir: 已创建目录 "/etc/pki/CA/crl"
mkdir: 已创建目录 "/etc/pki/CA/newcerts"
[root@MiWiFi-R3-srv pki]# touch /etc/pki/CA/{serial,index.txt}
[root@MiWiFi-R3-srv pki]# echo 01 > /etc/pki/CA/serial

II. Client (191.168.1.175) requests a certificate

1. Create the directory

[root@localhost ~]# mkdir -pv /etc/httpd/ssl
mkdir: 已创建目录 "/etc/httpd"
mkdir: 已创建目录 "/etc/httpd/ssl"
[root@localhost ~]# cd /etc/httpd/ssl

2. Generate a private key on the host that will use the certificate

[root@localhost ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
............................................+++
.........................................................................+++
e is 65537 (0x10001)

3. Generate the certificate signing request

[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:tengzhou
Organization Name (eg, company) [Default Company Ltd]:mageedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:a

Send the request to the CA server at 192.168.1.110 over a trusted channel

[root@localhost ssl]# scp httpd.csr root@192.168.1.110:/tmp/
root@192.168.1.110's password: 
httpd.csr                                                                                       100% 1066     1.0KB/s   00:00  

III. CA server (192.168.1.110) issues the certificate

[root@MiWiFi-R3-srv pki]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 29 14:59:43 2018 GMT
            Not After : Apr 29 14:59:43 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shandong
            organizationName          = mageedu
            organizationalUnitName    = ops
            commonName                = www.magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                52:45:76:06:A8:43:FC:2B:E4:71:D1:F1:F0:EF:C7:A3:AB:76:66:29
            X509v3 Authority Key Identifier: 
                keyid:39:B3:4B:48:C3:28:1A:4B:D0:6E:A1:4F:5E:1A:47:AD:CE:85:CC:00

Certificate is to be certified until Apr 29 14:59:43 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Inspect the issued certificate:
[root@MiWiFi-R3-srv pki]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=shandong/O=mageedu/OU=ops/CN=www.magedu.com
Inspect the CA's certificate index (index.txt records status, expiry, serial and subject of every certificate it has signed):
[root@MiWiFi-R3-srv CA]# cat /etc/pki/CA/index.txt
V	190429145943Z		01	unknown	/C=CN/ST=shandong/O=mageedu/OU=ops/CN=www.magedu.com

Send the issued certificate back to the requesting host
[root@localhost certs]# scp httpd.crt root@192.168.1.175:/etc/httpd/ssl/
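Before copying httpd.crt to the web server it is worth confirming that the issued certificate really chains to cacert.pem and belongs to httpd.key. The script below is an added example, not part of the original post; it assumes an openssl binary on PATH and defaults to the file paths used in this walkthrough. It also warns when the certificate carries no subjectAltName, which is the case for the CN-only certificate issued above and which current browsers refuse.

```shell
#!/bin/sh
# Added example: sanity checks on a certificate issued by the private CA
# set up above. Paths default to the ones used in this walkthrough and can
# be overridden through the environment.
CA_CERT=${CA_CERT:-/etc/pki/CA/cacert.pem}
SRV_CERT=${SRV_CERT:-/etc/httpd/ssl/httpd.crt}
SRV_KEY=${SRV_KEY:-/etc/httpd/ssl/httpd.key}

# 1. Does the server certificate chain to our CA? The "OK" line is checked
#    explicitly because older openssl releases exit 0 even on failure.
cert_chains_to_ca() {   # $1 = CA cert, $2 = server cert
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# 2. Do certificate and private key carry the same public key? Comparing
#    the DER-encoded public keys works for RSA and EC keys alike.
cert_matches_key() {    # $1 = server cert, $2 = private key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')
    k=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 3. Is there a subjectAltName? Browsers no longer accept a certificate
#    that names the host only in the CN, as the one issued above does.
cert_has_san() {        # $1 = server cert
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'Subject Alternative Name'
}

# Run all three: chain and key problems are fatal, a missing SAN is a warning.
check_issued_cert() {   # $1 = CA cert, $2 = server cert, $3 = private key
    rc=0
    if cert_chains_to_ca "$1" "$2"; then echo "ok:   $2 chains to $1"
    else echo "FAIL: $2 does not chain to $1"; rc=1; fi
    if cert_matches_key "$2" "$3"; then echo "ok:   $2 matches $3"
    else echo "FAIL: $2 does not match $3"; rc=1; fi
    if cert_has_san "$2"; then echo "ok:   subjectAltName present"
    else echo "warn: no subjectAltName; browsers will reject this certificate"; fi
    return $rc
}

# Run against the real files when they exist (skipped otherwise).
if [ -r "$CA_CERT" ] && [ -r "$SRV_CERT" ] && [ -r "$SRV_KEY" ]; then
    check_issued_cert "$CA_CERT" "$SRV_CERT" "$SRV_KEY"
fi
```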

Configuring the certificate in Apache

Test server: 192.168.1.175

Preparation:

[root@localhost ssl]# yum -y install mod_ssl

1. Edit the configuration file and add the paths to the private key and the issued certificate

[root@localhost ssl]# vim /etc/httpd/conf.d/ssl.conf

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# Changed: point at the certificate issued by our CA
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# Changed: point at the host's private key
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

2. Restart the Apache service

[root@localhost ssl]# systemctl restart httpd.service

3. Open https://<web server IP> in a browser and view the certificate



Stop the httpd service from the command line before moving on to the nginx test, since both want port 443.

Configuring the certificate in Nginx

Test server: 192.168.1.175

Prepare the official yum repository

To set up the yum repository on RHEL / CentOS, create a file named /etc/yum.repos.d/nginx.repo with the following content:

[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/OS/OSRELEASE/$basearch/
gpgcheck=0
enabled=1

Replace "OS" with "rhel" or "centos" depending on the distribution in use, and "OSRELEASE" with "6" or "7" for the 6.x and 7.x releases respectively. Note that gpgcheck=0 turns off package signature verification; for anything beyond a throwaway test, set gpgcheck=1 and point gpgkey at the nginx project's published signing key (https://nginx.org/keys/nginx_signing.key).

1. Install nginx

[root@localhost conf.d]# yum -y install nginx

2. Create a test configuration file

[root@localhost conf.d]# vim /etc/nginx/conf.d/magedu.conf


server {
        listen 443 ssl;                                 # new: listen for TLS on 443
        server_name magedu.com;                         # server name (the certificate's CN is www.magedu.com,
                                                        # so a client that checks names must use that name)
        root /usr/share/nginx/html;                     # keep the default site root
        index index.php index.html;
        ssl_certificate /etc/httpd/ssl/httpd.crt;       # the issued certificate
        ssl_certificate_key /etc/httpd/ssl/httpd.key;   # the host's private key

        # OCSP stapling needs an OCSP responder URL in the certificate; a
        # certificate from this private CA has none, so nginx logs that
        # ssl_stapling is ignored. Harmless for a test, but it does nothing.
        ssl_stapling on;
        ssl_stapling_verify on;
}

3. Reload the configuration

[root@localhost conf.d]# systemctl restart nginx

4. Test



This article was a reader submission and does not represent the position of Linux运维部落; if you repost it, please credit the source: http://www.178linux.com/99544
