Using a self-signed certificate so that users can access the site over HTTPS

Generate the CA private key

[root@lampw pki]# (umask 077; openssl genrsa -out /etc/pki/ca-trust/cakey.pem 8192)
Generating RSA private key, 8192 bit long modulus
...................................................................................................................++
....................................................................... .................................................................................................................................................................................++
e is 65537 (0x10001)

Generate the self-signed CA certificate

[root@lampw pki]# openssl req -new -x509 -key /etc/pki/ca-trust/cakey.pem -out /etc/pki/ca-trust/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HA
Locality Name (eg, city) []:ZZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tmall
Organizational Unit Name (eg, section) []:Tmall
Common Name (e.g. server FQDN or YOUR name) []:www2.stuX.com
Email Address []:admin@stuX.com
[root@lampw pki]#

Provide the directories and files the CA needs

[root@lampw pki]# mkdir  -pv  /etc/pki/CA/{certs,crl,newcerts}
mkdir: created directory `/etc/pki/CA'
mkdir: created directory `/etc/pki/CA/certs'
mkdir: created directory `/etc/pki/CA/crl'
mkdir: created directory `/etc/pki/CA/newcerts'
[root@lampw pki]# touch /etc/pki/CA/{serial,index.txt}
[root@lampw pki]# echo 01 > /etc/pki/CA/serial
[root@lampw pki]#

Generate a private key on the host that will use the certificate

[root@lampw pki]# mkdir -pv /opt/apache24/ssl
mkdir: created directory `/opt/apache24/ssl'
[root@lampw pki]# cd /opt/apache24/ssl
[root@lampw ssl]# (umask 077; openssl genrsa -out /opt/apache24/ssl/httpd.key 8192)
Generating RSA private key, 8192 bit long modulus
.............................................................................................................++
....................................................++
e is 65537 (0x10001)
[root@lampw ssl]#

Generate the certificate signing request

[root@lampw ssl]# openssl  req  -new  -key  /opt/apache24/ssl/httpd.key  -out /opt/apache24/ssl/httpd.csr  -days  365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:HA
Locality Name (eg, city) []:ZZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tmall
Organizational Unit Name (eg, section) []:Tmall
Common Name (e.g. server FQDN or YOUR name) []:www2.stuX.com
Email Address []:admin@stuX.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Send the request to the CA host over a trusted channel. This time the CA is on the same machine, so I skip that step; in a production environment the request would presumably go to a trusted certificate authority instead.

1. Sign the certificate on the CA host

[root@centos ssl]# openssl ca  -in  /etc/httpd/ssl/httpd.csr  -out  /etc/pki/CA/certs/httpd.crt  -days  365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 22 03:49:48 2017 GMT
Not After : Mar 22 03:49:48 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = HA
organizationName = Tmall
organizationalUnitName = ops
commonName = www2.stuX.com
emailAddress = admin@stuX.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EC:C4:48:10:BE:BD:1D:D2:48:38:17:B7:FD:0D:57:DE:51:B1:8F:64
X509v3 Authority Key Identifier:
keyid:ED:42:A1:59:88:A2:45:0A:F2:64:46:A6:BA:C9:7A:5D:E3:9C:FB:AE

Certificate is to be certified until Mar 22 03:49:48 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated


[root@centos ssl]# ls
httpd.crt httpd.csr httpd.key
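The steps above (CA key, self-signed CA certificate, server key, CSR, signing) done non-interactively, followed by the checks worth running before httpd.crt and httpd.key are copied into place. This is an added example, not the post's own commands: the subject values and the name www2.stuX.com are the post's; the scratch directory, the config file, the CA name "Tmall Lab CA" and the use of `openssl x509 -req -CA` in place of the `openssl ca` database are assumptions made for this example. It requires OpenSSL 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not the post's own commands: the post's CA workflow run
# non-interactively (subject and extensions come from a config file instead
# of the prompts), plus the checks worth running before deploying httpd.crt.
# Assumptions: openssl 1.1.1+ on PATH; subject values and www2.stuX.com are
# the post's; the scratch directory, config file and CA name are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT          # scratch keys are deleted when the script ends
SERVER_FQDN="www2.stuX.com"

# One config file serves every openssl call below. The CA gets CA:TRUE plus
# keyCertSign so verifiers accept it as an issuer; the server certificate gets
# CA:FALSE, serverAuth and a subjectAltName, which browsers require today.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_ext

[ ca_dn ]
C  = CN
ST = HA
L  = ZZ
O  = Tmall
OU = Tmall
CN = Tmall Lab CA

[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$SERVER_FQDN
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# The post's steps: CA key, self-signed CA cert, server key, CSR, signing.
# 2048-bit keys keep the example fast (the post uses 8192); umask 077 keeps
# both private keys readable by their owner only, as in the post.
build_pki() {
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -days 3655 -config "$WORK/openssl.cnf"
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
        -config "$WORK/openssl.cnf" \
        -subj "/C=CN/ST=HA/L=ZZ/O=Tmall/OU=Tmall/CN=$SERVER_FQDN"
    # 'x509 -req -CA' signs without the serial/index.txt database that
    # 'openssl ca' needs; enough for a single server certificate.
    openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$WORK/openssl.cnf" -extensions server_ext \
        -out "$WORK/httpd.crt" 2>/dev/null
}

# Check 1: the issued certificate chains to our CA and is valid for the name
# clients will type into the browser.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" \
        -verify_hostname "$SERVER_FQDN" "$WORK/httpd.crt" >/dev/null
}

# Check 2: httpd.key is the key the certificate was issued for, so that
# SSLCertificateFile and SSLCertificateKeyFile are a matching pair.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$WORK/httpd.key" -pubout | openssl dgst -sha256)
    crt_pub=$(openssl x509 -in "$WORK/httpd.crt" -pubkey -noout | openssl dgst -sha256)
    [ "$key_pub" = "$crt_pub" ]
}

# Check 3: without cacert.pem in the trust store the certificate is rejected.
# This is the warning every browser shows until the CA certificate is imported.
untrusted_without_ca() {
    ! openssl verify -no-CAfile -no-CApath "$WORK/httpd.crt" >/dev/null 2>&1
}

write_config
build_pki
verify_chain
key_matches_cert
untrusted_without_ca
echo "httpd.crt chains to cacert.pem, matches httpd.key, and is rejected without the CA"
openssl x509 -in "$WORK/httpd.crt" -noout -subject -issuer -dates
```

Remove the `trap` line to keep the generated files; cacert.pem is what has to be distributed to every client that should trust the site without a warning, and the private keys never leave their hosts.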

2. Edit the configuration files to serve SSL

Enable the SSL include in the main configuration file, and delete the www2 definition from httpd-vhosts

Include /etc/httpd24/extra/httpd-ssl.conf

~]# vim /etc/httpd24/extra/httpd-ssl.conf

[root@localhost httpd24]# cat extra/httpd-ssl.conf | grep -v "^#"
Listen 443
SSLPassPhraseDialog builtin
<VirtualHost 192.168.150.136:443>
    DocumentRoot "/web/vhost/www2"
    ServerName www2.stuX.com:443
    ServerAdmin you@example.com
    ErrorLog "/var/log/httpd/www2.err"
    TransferLog "/usr/local/apache24/logs/access_log"
    SSLEngine on
    SSLCertificateFile "/etc/httpd24/ssl/httpd.crt"
    SSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key"
    <Directory "/web/vhost/www2">
        AllowOverride None
        Options None
        Require all granted
    </Directory>
</VirtualHost>

Enable the SSL module in the main configuration file

~]# vim /etc/httpd24/httpd.conf

LoadModule ssl_module modules/mod_ssl.so

Restart the httpd service and test

httpd24]# ss -tnl | grep 443

LISTEN 0 128 :::443 :::*
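The vhost above accepts whatever protocol and cipher defaults the build ships with. The following is an added example, not the post's configuration: the same www2 vhost with the post's paths and names, plus the TLS settings an httpd 2.4 deployment should carry. The port-80 redirect and the HSTS header are assumptions made for this example; the header needs mod_headers loaded, and the redirect assumes the old www2 entry was removed from httpd-vhosts as the post describes.

```apache
# Added example, not the post's config: www2 vhost with TLS hardening.
Listen 443

# Assumed: send plain-HTTP visitors to the TLS site instead of serving twice.
<VirtualHost 192.168.150.136:80>
    ServerName www2.stuX.com
    Redirect permanent "/" "https://www2.stuX.com/"
</VirtualHost>

<VirtualHost 192.168.150.136:443>
    ServerName    www2.stuX.com:443
    DocumentRoot  "/web/vhost/www2"
    ErrorLog      "/var/log/httpd/www2.err"
    TransferLog   "/usr/local/apache24/logs/access_log"

    SSLEngine on
    SSLCertificateFile    "/etc/httpd24/ssl/httpd.crt"
    SSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key"

    # Defaults still allow TLS 1.0/1.1: restrict to TLS 1.2 and newer, drop
    # weak ciphers, and let the server rather than the client choose the cipher.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    # Assumed (needs mod_headers): tell browsers to use HTTPS only for this name.
    # Enable it only once every host under www2.stuX.com serves TLS.
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory "/web/vhost/www2">
        AllowOverride None
        Options None
        Require all granted
    </Directory>
</VirtualHost>
```

`SSLPassPhraseDialog builtin` is not needed because the key was written unencrypted; the file's mode 600 under umask 077 is what protects it. After the restart, check the deployment from a client that has the CA certificate: `openssl s_client -connect 192.168.150.136:443 -servername www2.stuX.com -CAfile cacert.pem </dev/null` should end with `Verify return code: 0 (ok)`; without `-CAfile` it reports a self-signed or unknown-issuer error, which is exactly what users see until cacert.pem is imported into their trust store.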