This article covers building your own CA with OpenSSL, using it to create a self-signed root certificate and to issue an SSL certificate, and then serving HTTPS (SSL) with that certificate.
Preview of the result
1. Install apache2
1.1. Install
```bash
apt install apache2
```
1.2. Stop the service
Run:
```bash
/etc/init.d/apache2 stop
```
Output:
```
[ ok ] Stopping Apache httpd web server: apache2.
```
2. Build your own CA
2.1. Create the directories
Run the following commands to create the directories:
```bash
mkdir -p /etc/apache2/ownSSL/{CA,Server}
cd /etc/apache2/ownSSL/
```
Result (listing /etc/apache2/ownSSL):
```
CA Server
```
Purpose of each directory:

| Directory | Purpose |
|---|---|
| /etc/apache2/ownSSL/CA | CA private key, CA certificate request, CA root certificate |
| /etc/apache2/ownSSL/Server | Server private key, Server certificate request, Server certificate |
2.2. Generate the CA private key
Run the following commands:
```bash
cd /etc/apache2/ownSSL
openssl genrsa -out CA/CA_private.key 2048
```
2.3. Generate the CA certificate request
Run the following command:
```bash
openssl req -new -key CA/CA_private.key -out CA/CA_request.csr
```
The program prompts for the details that go into the root certificate; change the values to suit your own setup.
My session:
```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangXi
Locality Name (eg, city) []:NanNing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:spzx
Organizational Unit Name (eg, section) []:spzx
Common Name (e.g. server FQDN or YOUR name) []:spzx
Email Address []:admin@spzx.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:spzx
An optional company name []:spzx
```
2.4. Generate the CA root certificate
Run the following command:
```bash
openssl x509 -req -in CA/CA_request.csr \
  -extensions v3_ca \
  -signkey CA/CA_private.key \
  -out CA/CA_root.crt
```
Output:
```
Signature ok
subject=C = CN, ST = GuangXi, L = NanNing, O = spzx, OU = spzx, CN = spzx, emailAddress = admin@spzx.com
Getting Private key
```
3. Build the Server certificate
3.1. Generate the Server private key
Run:
```bash
openssl genrsa -out Server/Server_private.key 2048
```
Output:
```
Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
.....................+++++
e is 65537 (0x010001)
```
3.2. Generate the Server certificate request
```bash
openssl req -new -key Server/Server_private.key -out Server/Server_request.csr
```
Session:
```
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GuangXi
Locality Name (eg, city) []:NanNing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:spzx
Organizational Unit Name (eg, section) []:spzx
Common Name (e.g. server FQDN or YOUR name) []:spzx
Email Address []:admin@spzx.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:spzx
An optional company name []:spzx
```
3.3. Generate the Server certificate
Create a new file:
```bash
touch /etc/apache2/ownSSL/openssl.cnf
```
Then write the following content into it (change the values to match your own details):
```ini
# Only [v3_req] and [alt_names] are read when this file is passed to
# "openssl x509 -extfile ... -extensions v3_req" below; that command does not
# use the [req] sections.
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = CN
countryName_default = CN
stateOrProvinceName = GuangXi
stateOrProvinceName_default = NanNing
localityName = NanNing
localityName_default = NanNing
organizationalUnitName = spzx
organizationalUnitName_default = Domain Control Validated
commonName = Internet Widgits Ltd
commonName_max = 64
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
# Clients match an IP address against IP.* entries; DNS.* entries are for hostnames.
IP.1 = 3.3.3.2
DNS.1 = 3.3.3.2
```
The address the Server listens on must be written into the certificate: if the address used to reach the server differs from the one in the certificate, certificate validation fails.
Run the command that generates the Server certificate:
```bash
openssl x509 -days 365 -req \
  -in /etc/apache2/ownSSL/Server/Server_request.csr \
  -extensions v3_req -CAkey /etc/apache2/ownSSL/CA/CA_private.key \
  -CA /etc/apache2/ownSSL/CA/CA_root.crt \
  -CAcreateserial -out /etc/apache2/ownSSL/Server/Server_root.crt \
  -extfile /etc/apache2/ownSSL/openssl.cnf
```
Output:
```
Signature ok
subject=C = CN, ST = GuangXi, L = NanNing, O = spzx, OU = spzx, CN = spzx, emailAddress = admin@spzx.com
Getting CA Private Key
```
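Sections 2 and 3 as one non-interactive script, added here as an example (it is not the post's own code): it builds the CA and the server certificate under the same file names the post uses, then verifies the chain and prints the SAN. It goes slightly beyond the post by setting the CA's validity and CA extensions explicitly; `spzx` is the post's value, the scratch directory, IP and hostname are placeholders passed as arguments, and the server certificate is written as `Server.crt` rather than the post's `Server_root.crt`.

```bash
# Added example (not from the original post): sections 2 and 3 as one non-interactive run.
# Assumptions: $1 = scratch directory; $2/$3 = the IP and DNS name the server will be
# reached at (placeholders); "spzx" is the post's own value. Needs the openssl CLI.
set -eu
make_own_ca_and_server_cert() {
  dir="$1"; san_ip="$2"; san_dns="$3"
  mkdir -p "$dir/CA" "$dir/Server"
  # CA key + self-signed root in one step, with real CA extensions and a set lifetime
  # (the post's "x509 -req -extensions v3_ca" has no -extfile, so no extension is applied).
  cat > "$dir/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = CN
O = spzx
CN = spzx Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/ca.cnf" \
    -keyout "$dir/CA/CA_private.key" -out "$dir/CA/CA_root.crt" 2>/dev/null
  # Server key + CSR. The IP belongs under IP:, the hostname under DNS:.
  cat > "$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = CN
O = spzx
CN = $san_dns
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$san_ip, DNS:$san_dns
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/server.cnf" \
    -keyout "$dir/Server/Server_private.key" -out "$dir/Server/Server_request.csr" 2>/dev/null
  # Sign with the CA; -extfile/-extensions is what carries the SAN into the leaf.
  openssl x509 -req -days 365 -in "$dir/Server/Server_request.csr" \
    -CA "$dir/CA/CA_root.crt" -CAkey "$dir/CA/CA_private.key" -CAcreateserial \
    -extfile "$dir/server.cnf" -extensions v3_req -out "$dir/Server/Server.crt" 2>/dev/null
  # Checks: the leaf must chain to our root, and the SAN must hold the listen address.
  openssl verify -CAfile "$dir/CA/CA_root.crt" "$dir/Server/Server.crt" >/dev/null
  openssl x509 -in "$dir/Server/Server.crt" -noout -ext subjectAltName
}
```

Run it as `make_own_ca_and_server_cert /etc/apache2/ownSSL 3.3.3.2 your.host.name`; the printed SAN is what browsers compare against the address in the URL.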
4. Loading the SSL certificate into Apache2
4.1. Stop the service (important)
```bash
/etc/init.d/apache2 stop
```
Output (the command was run twice; the second run reports that apache2 is already stopped):
```
[ ok ] Stopping Apache httpd web server: apache2.
[FAIL] apache2 is not running ... failed!
```
4.2. Enable the SSL module
```bash
a2enmod ssl
```
Output:
```
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
service apache2 restart
```
Then restart the service as the message says, and then stop it again (don't ask; it's classified):
```bash
/etc/init.d/apache2 restart
/etc/init.d/apache2 stop
```
Output:
```
[....] Restarting Apache httpd web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
. ok
[....] Stopping Apache httpd web server: apache2
. ok
```
4.3. Enable the SSL site configuration default-ssl.conf
Run:
```bash
a2ensite default-ssl
```
Output:
```
Enabling site default-ssl.
To activate the new configuration, you need to run:
service apache2 reload
```
It asks for the configuration to be reloaded; run the following commands:
```bash
/etc/init.d/apache2 reload
/etc/init.d/apache2 restart
```
Output (the reload fails because apache2 is not running; the restart then brings it up):
```
[FAIL] Reloading Apache httpd web server: apache2 failed!
[warn] Apache2 is not running ... (warning).
[....] Restarting Apache httpd web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
. ok
```
5. Configuring the SSL certificate in Apache2
5.1. Add the listening port
Add port 443 to the existing `Listen 80` line:
```bash
vim /etc/apache2/ports.conf
```
Result:
```
Listen 80 443
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
```
5.2. Edit the SSL site configuration default-ssl.conf
Find the `ServerAdmin` line (the third line) and add a line below it in the following format. The server domain name or IP address is the value set for DNS.1 under [alt_names] earlier:
```
ServerName <server domain name or IP>
```
Result:
```
ServerAdmin webmaster@localhost
ServerName 3.3.3.3
DocumentRoot /var/www/html
```
Then save and exit.
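The vhost change as an added example rather than the post's own steps: the post sets only ServerName, but the vhost also has to be pointed at the section 3 certificate and key through SSLCertificateFile and SSLCertificateKeyFile, otherwise Apache keeps serving the Debian snakeoil certificate. The script assumes Debian's stock /etc/apache2/sites-available/default-ssl.conf layout (a constructed excerpt is embedded as demo input), reuses the post's ownSSL paths, and uses 3.3.3.2 because ServerName must equal an [alt_names] entry in the certificate.

```bash
# Added example (not from the original post): rewrite Debian's default-ssl.conf so the
# vhost serves the section 3 certificate and key and carries the right ServerName.
# Assumes the stock file, whose SSLCertificateFile/SSLCertificateKeyFile lines point
# at the snakeoil cert; the 3.3.3.2 address and the ownSSL paths are the post's own.
set -eu
set_own_cert_in_vhost() {
  # $1 = vhost file, $2 = ServerName (must equal an [alt_names] entry in the cert),
  # $3 = certificate path, $4 = key path. The rewritten config is written to stdout.
  awk -v name="$2" -v crt="$3" -v key="$4" '
    /^[ \t]*ServerAdmin[ \t]/ { print; print "\t\tServerName " name; next }
    /^[ \t]*ServerName[ \t]/ { next }   # drop any stale ServerName
    /^[ \t]*SSLCertificateFile[ \t]/ { print "\t\tSSLCertificateFile " crt; next }
    /^[ \t]*SSLCertificateKeyFile[ \t]/ { print "\t\tSSLCertificateKeyFile " key; next }
    { print }' "$1"
}
# Constructed sample of the relevant default-ssl.conf lines, so the demo runs offline.
sample_vhost() {
  cat <<'EOF'
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    </VirtualHost>
</IfModule>
EOF
}
# Run the rewrite over the sample and print the result; on a real host, review the
# output, then write it over /etc/apache2/sites-available/default-ssl.conf.
demo_vhost() {
  tmp=$(mktemp)
  sample_vhost > "$tmp"
  set_own_cert_in_vhost "$tmp" 3.3.3.2 \
    /etc/apache2/ownSSL/Server/Server_root.crt /etc/apache2/ownSSL/Server/Server_private.key
  rm -f "$tmp"
}
demo_vhost
```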
6. Verify
6.1. Restart the service
```bash
/etc/init.d/apache2 restart
```
Output:
```
[....] Restarting Apache httpd web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
. ok
```
6.2. Access the site
https://localhost/login.php
And that's it.