Apache and Nginx: requesting and configuring SSL certificates

When running experiments you sometimes need an SSL certificate, and on a LAN there is no reason to buy one. So here we build our own CA server and have it issue certificates to the servers on the LAN that need them.

Straight to the commands.
Prepare one machine as the CA server:

[root@localhost CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
---
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:u9time       ##company name; the client's request must use the same value (the default signing policy requires C, ST and O to match)
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:ca.u9time.com       ##full domain name of the self-signed CA certificate
Email Address []:

[root@lvs CA]# touch index.txt        ##when this CA issues certificates, each one is recorded in this index file; its name and location are set in the OpenSSL config file
[root@lvs CA]# echo "01" > serial   ##when this CA issues certificates, the next serial number is read from and written back to this file; its name and location are set in the OpenSSL config file

The client host (Apache or Nginx) generates its key and a certificate signing request (CSR):

[root@localhost ssl]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365   ##answer the prompts; the values go into the CSR (-days has no effect on a CSR, the CA sets the validity when it signs)
---
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:u9time     ##the company information must match the CA's
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.u9time.com     ##the full domain name the certificate is requested for; it can be any other domain, e.g. www.ddong.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:www.u9time.com
An optional company name []:

[root@localhost ssl]# scp -p httpd.csr [email protected]:/root/                   ##send the CSR to the CA server to be signed into a certificate

The CA server signs the certificate:

[root@localhost ~]# openssl ca -in httpd.csr -out httpd.crt -days 365   ##uses /etc/pki/CA from the default openssl.cnf; answer y to "Sign the certificate?" and y to "commit?"
y
y
[root@localhost ~]# scp -p httpd.crt [email protected]:/etc/httpd/ssl/   ##copy the signed certificate back to the web server
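The whole procedure above (CA key and certificate, index.txt and serial, server key and CSR, signing, and a check of the result) as one non-interactive script. This is an added example, not code from the original post: it runs in a scratch directory with its own minimal openssl.cnf instead of /etc/pki/CA, so the file layout and section names in that config are my choices, and it assumes only the openssl command-line tool (1.1.1 or newer, for -addext). It goes one step beyond the post by putting a subjectAltName into the CSR, because browsers ignore the Common Name and reject a certificate whose SAN does not list the hostname; the hostname check at the end shows that difference.

```shell
#!/bin/sh
# Added example (not from the original post): CA -> CSR -> sign -> verify in one
# script, in a scratch directory with its own openssl.cnf. Assumes openssl >= 1.1.1.
set -eu

# Minimal openssl.cnf for "openssl ca": where index.txt, serial, newcerts/ and the
# CA key live, the DN-matching policy, and the extensions for CA and server certs.
write_ca_config() {
  dir="$1"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca

[ demo_ca ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
copy_extensions = copy
x509_extensions = server_cert

# Why the post says the company info must match the CA: C, ST and O must be equal.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Applied to every issued certificate; these override anything copied from the CSR,
# so a request cannot turn itself into a CA.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Build the CA, the server key/CSR and the signed certificate under directory $1.
demo_ca_flow() {
  dir="$1"
  mkdir -p "$dir/private" "$dir/newcerts"
  write_ca_config "$dir"
  touch "$dir/index.txt"        # issued-certificate database, as in the post
  echo "01" > "$dir/serial"     # next serial number, as in the post

  # CA: owner-only private key and a 10-year self-signed certificate.
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
    -days 3650 -config "$dir/openssl.cnf" -extensions v3_ca \
    -subj "/C=CN/ST=Shanghai/L=Shanghai/O=u9time/OU=ca/CN=ca.u9time.com"

  # Web server: key and CSR. C/ST/O match the CA; the SAN lists every hostname the
  # virtual host answers to (ServerName and ServerAlias in the Apache config).
  (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$dir/httpd.key" -out "$dir/httpd.csr" \
    -config "$dir/openssl.cnf" \
    -subj "/C=CN/ST=Shanghai/L=Shanghai/O=u9time/OU=ops/CN=www.u9time.com" \
    -addext "subjectAltName=DNS:www.u9time.com,DNS:www1.u9time.com"

  # CA signs. -batch replaces the two "y" answers; index.txt gains one "V" line
  # and serial is bumped to 02.
  openssl ca -batch -notext -config "$dir/openssl.cnf" -days 365 \
    -in "$dir/httpd.csr" -out "$dir/httpd.crt" 2>/dev/null
}

# Validate the issued certificate against the CA for one hostname; exit 0 = valid.
# A hostname missing from the SAN fails, which is exactly what a browser reports.
check_cert_for_host() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/httpd.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
demo_ca_flow "$work"
openssl x509 -in "$work/httpd.crt" -noout -subject -issuer -dates
check_cert_for_host "$work" www1.u9time.com && echo "www1.u9time.com: valid"
check_cert_for_host "$work" www2.u9time.com || echo "www2.u9time.com: not in SAN, rejected"
```

The post's ServerAlias also names www2.u9time.com; the script deliberately leaves it out of the SAN so the last line shows what clients see when a hostname is missing from the certificate. In practice, list every ServerName and ServerAlias in the SAN when you create the CSR, and re-issue the certificate when you add an alias.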

Apache 2.4 server configuration:

[root@localhost ~]# yum install httpd mod_ssl -y
[root@localhost ~]# chmod 700 /etc/httpd/ssl/        ##owner-only directory for the key (a directory needs the x bit to be entered; httpd reads the key as root at startup)
[root@localhost ~]# vim /etc/httpd/conf.d/u9time_ssl.conf
<VirtualHost *:80>
    # This first-listed virtual host is also the default for *:80
    ServerName www.u9time.com
    ServerAlias www1.u9time.com www2.u9time.com
    DocumentRoot "/var/www/html/u9time"
</VirtualHost>

<VirtualHost *:443>
    # This first-listed virtual host is also the default for *:443

    ServerName www.u9time.com
    ServerAlias www1.u9time.com www2.u9time.com
    DocumentRoot "/var/www/html/u9time"

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    # 3DES is a legacy 64-bit-block cipher (SWEET32); keep it only while old clients still need it
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

    # These names must match the files copied in above (httpd.crt / httpd.key);
    # either rename those files to u9time.crt / u9time.key or point these directives at them
    SSLCertificateFile "/etc/httpd/ssl/u9time.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/u9time.key"
</VirtualHost>

Nginx server configuration:

Prerequisite: nginx was built with the SSL module (ngx_http_ssl_module).
[root@localhost conf.d]# cat u9time.conf
server {
    listen 80;
    server_name www.u9time.com;
    root /var/www/html/u9;

    location / {
    }
}

server {
    listen 443 ssl;      # the old "ssl on;" directive was removed in nginx 1.25.1; "listen ... ssl" works on all versions
    server_name www.u9time.com;
    root /var/www/html/u9;

    ssl_certificate /etc/httpd/ssl/u9time.crt;        # certificate file (the signed httpd.crt from above, renamed or referenced by its own name)
    ssl_certificate_key /etc/httpd/ssl/u9time.key;    # key file (the httpd.key from above)

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
    }
}