apache配置https加密传输

环境:两台linux虚拟机和一台windows本机,一台充当要使用https传输的web服务器apache2.4.4,另一台CA服务器,window测试https配置。

1.CA服务器生成私有CA

    1.1生成私钥,进入/etc/pki/CA

  

[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)      //CA私钥必须存放到private目录下名称为cakey.pem
Generating RSA private key, 1024 bit long modulus
..................................................++++++
........++++++
e is 65537 (0x10001)

  1.2制作私有CA

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem  -out cacert.pem -days 3655   
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                 //填写国家  随意填写,但是一定要记住 
State or Province Name (full name) []:Hangzhou                       //省份  同上
Locality Name (eg, city) [Default City]:Hangzhou                     //城市  同上
Organization Name (eg, company) [Default Company Ltd]:Taobao          //公司 同上 
Organizational Unit Name (eg, section) []:Test                        //组织 
Common Name (eg, your name or your server's hostname) []:Test.com     //域名这里填写自己公司的域名
Email Address []:admin@test.com                                        //管理员邮件
[root@localhost CA]# 

  看本地有没有 certs , newcerts,  crl 目录 和index.txt ,serial文件,如果没有 创建并给serial一个初始值

[root@localhost CA]# ls
ca.key  certs  crl  newcerts  private
[root@localhost CA]# touch serial index.txt
[root@localhost CA]# ls
ca.key  certs  crl  index.txt  newcerts  private  serial
[root@localhost CA]# echo "001">serial                
[root@localhost CA]# 

 

   

 2.web服务器生成CA请求

  2.1比如为httpd服务配置https

  在/etc/httpd/下面创建一个ssl目录,创建私钥,和CA请求,这个目录随意选择

  2.2生成私钥,同上

 

[root@localhost ssl]# (umask 077; openssl genrsa  -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.......................++++++
..............................++++++
e is 65537 (0x10001)
[root@localhost ssl]# ls
httpd.key
[root@localhost ssl]# 

2.2生成CA请求

[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                         //前面这些信息一定要和私有CA一样,因为是内部私有的,所以要保持一直不然无法签署
State or Province Name (full name) []:Hangzhou
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:Taobao
Organizational Unit Name (eg, section) []:Test
Common Name (eg, your name or your server's hostname) []:www.a.org            //这里的域名为你配置https的名字
Email Address []:admin@a.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# 

3.将请求httpd.csr发送到CA服务器,请求签署,这里复制过去

[root@localhost ssl]# scp -P 5211 httpd.csr 192.168.136.131:/tmp/
root@192.168.136.131's password:
httpd.csr                                                                          100%  688     0.7KB/s   00:00    
[root@localhost ssl]#

4.CA签署请求

 4.1 这里碰到一问题

[root@localhost CA]# openssl  ca -in /tmp/httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature      //意思说配置文件中policy,没有CN这个选项
Signature ok
CN:invalid type in 'policy' configuration

4.2 查看配置文件

  

# For the CA policy          //这里就是配置CA请求和CA哪些选项是必须(match)匹配,一样的,哪些是(optional)可选自己填写的,哪些是(supplied)
[ policy_match ]            //这个是错误的,是以前想改默认配置改错了,红色的是正确的配置,把CN,Henan,WEB等修改为红色选项,就可以签署了。
countryName             = CN     match
stateOrProvinceName     = Henan      match
organizationName        = WEB        match
organizationalUnitName  = WEB      optional
commonName              = test       supplied
emailAddress            = test@.com   optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

4.3 CA签署

[root@localhost CA]# openssl  ca -in /tmp/httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 19 05:17:43 2015 GMT
            Not After : Jul 18 05:17:43 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Hangzhou
            organizationName          = Taobao
            organizationalUnitName    = Test
            commonName                = www.a.org
            emailAddress               = admin@a.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C7:06:AC:D8:C2:49:DA:F6:DD:1A:03:75:4F:94:26:FD:53:E7:18:5F
            X509v3 Authority Key Identifier:
                keyid:F2:A3:E1:30:32:E5:24:38:6F:4D:FF:3F:97:B1:E7:84:4A:41:97:36

Certificate is to be certified until Jul 18 05:17:43 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# ls
cacert.pem  certs  crl  httpd.crt  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[root@localhost CA]#

5.然后CA将httpd.crt发送给web服务器

[root@localhost CA]# scp httpd.crt 192.168.136.135:/etc/httpd/ssl
root@192.168.136.135's password: 
httpd.crt                                                                          100% 3128     3.1KB/s   00:00    
[root@localhost CA]# 

6如果没有mode_ssl模块需要安装模块先,修改web服务器/etc/httpd/conf.d/httpd.conf配置文件

 

 6.1

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so     //前面#去掉,如果不载入在这个模块会报错SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
LoadModule ssl_module modules/mod_ssl.so //取代哦#去掉载入模块

6.2配置/etc/httpd/extra/httpd-ssl.conf

SSLCertificateFile "/etc/httpd/ssl/httpd.crt"        //修改证书文件位置     
SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key    //修改密钥存放位置

<VirtualHost 192.168.136.135:443> //修改VitualHost和httpd-vhost.cong中的配置一样即可

#   General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/www.a.org"
ServerName www.a.org:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on //这个表示开启ssl


7.重启服务,测试www.a.org,因为私有CA不公开使用,只在内部使用,所以不受信任互联网。可以自己导入CA的证书,让私有CA为可信任的证书颁发者。

 

将CA服务器上的cacert.pem下载到本地,更改为cacer.crt,安装,导入添加信任。

 

 
 
posted @ 2015-07-19 14:21  看天空  阅读(1145)  评论(0编辑  收藏