生成证书
# mkdir /etc/httpd/ssl.cert/
# cd /etc/httpd/ssl.cert/
1.生成X509格式的CA自签名证书
# openssl req -new -x509 -keyout ca.key -out ca.crt
2.生成服务端的私钥(key文件)及csr 文件
# openssl genrsa -des3 -out server.key 1024
# openssl req -new -key server.key -out server.csr
3.生成客户端的私钥(key文件)及csr文件
# openssl genrsa -des3 -out client.key 1024
# openssl req -new -key client.key -out client.csr
4.用生成的CA的证书为刚才生成的server.csr,client.csr文件签名
# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
=========================================================================
#可选部分
5. 生成p12格式证书 (思科是.p12,微软是.pfx)
# openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx
# openssl pkcs12 -export -inkey server.key -in server.crt -out server.pfx
6.生成pem格式证书
# cat client.crt client.key> client.pem
# cat server.crt server.key > server.pem
7.PFX文件转换为X509证书文件和RSA密钥文件
# openssl pkcs12 -in server.pfx -nodes -out server.pem
# openssl rsa -in server.pem -out server2.key
# openssl x509 -in server.pem -out server2.crt
=========================================================================
配置apache
# yum install -y mod_ssl
# vi /etc/httpd/conf.d/ssl.conf
=========================================================================
SSLCertificateFile /etc/httpd/ssl.cert/server.crt
SSLCACertificatePath /etc/httpd/ssl.cert
SSLCertificateKeyFile /etc/httpd/ssl.cert/server.key
SSLCertificateChainFile /etc/httpd/ssl.cert/ca.crt
SSLCACertificateFile /etc/httpd/ssl.cert/client.crt
=========================================================================
# vi /etc/httpd/conf/httpd.conf
=========================================================================
AddType application/octet-stream plist
=========================================================================
# service httpd start
#启动的时候需要输入 server.key 的密码。可以通过服务器私钥解密存储,重启也无需输入密码:
# openssl rsa -in server.key -out servernopw.key
# vi /etc/httpd/conf.d/ssl.conf
=========================================================================
SSLCertificateKeyFile /etc/httpd/ssl.cert/servernopw.key
=========================================================================
# service httpd restart
#ipad上安装ca.crt证书文件。
阅读(1561) | 评论(0) | 转发(0) |