1. Install the mod_ssl package
yum install mod_ssl.x86_64
2. Create the CA certificate
cd /etc/httpd/conf.d/
mkdir .ssl
cd .ssl
Create the CA's RSA private key. The post uses a 1024-bit key encrypted with DES3 (-des3); 1024-bit RSA is no longer adequate, so use at least 2048 bits for anything beyond a lab. The passphrase is requested again every time the key is used.
[root@www .ssl]# openssl genrsa -des3 -out ca.key 1024
Inspect the contents of ca.key
[root@www .ssl]# openssl rsa -noout -text -in ca.key
Enter pass phrase for ca.key:
Private-Key: (1024 bit)
modulus:
Use the CA's RSA key to create a self-signed CA certificate, valid for 3650 days
[root@www .ssl]# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:ly
Organization Name (eg, company) [Default Company Ltd]:sw
Organizational Unit Name (eg, section) []:sw
Common Name (eg, your name or your server's hostname) []:wang
Email Address []:
3. Create the server certificate signing request
Create the server's RSA private key (same remark about key size as for the CA)
[root@www .ssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Use server.key to generate a certificate signing request (CSR). The Common Name must be the hostname clients will use to reach the server; the post instead answers with exactly the same DN it gave the CA, including CN=wang.
[root@www .ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:ly
Organization Name (eg, company) [Default Company Ltd]:sw
Organizational Unit Name (eg, section) []:sw
Common Name (eg, your name or your server's hostname) []:wang
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4. Download the mod_ssl source package (only its pkg.contrib/sign.sh helper is used; the Apache 1.3 module itself is not built)
[root@www .ssl]# wget
Extract sign.sh and use it to sign the certificate. sign.sh writes its own ca.config, runs openssl ca with ca.key as the signing key (365-day validity by default) and then runs openssl verify against ca.crt. In the output below, verify reports "error 18 at 0 depth lookup:self signed certificate" because server.csr carried exactly the same DN as the CA, so OpenSSL treats server.crt as self-signed rather than as issued by ca.crt; the verify utility of that era only warns about this and still prints OK. Give the CA and the server different Common Names (the server's being its hostname) to avoid it.
[root@www .ssl]# tar zxvf mod_ssl-2.8.31-1.3.41.tar.gz
[root@www .ssl]# ./mod_ssl-2.8.31-1.3.41/pkg.contrib/sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'cn'
stateOrProvinceName :ASN.1 12:'hn'
localityName :ASN.1 12:'ly'
organizationName :ASN.1 12:'sw'
organizationalUnitName:ASN.1 12:'sw'
commonName :ASN.1 12:'wang'
Certificate is to be certified until Mar 6 11:16:12 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: C = cn, ST = hn, L = ly, O = sw, OU = sw, CN = wang
error 18 at 0 depth lookup:self signed certificate
OK
5. Export a PKCS#12 bundle. The post calls this the client's personal certificate, but the command below packages the server's own key pair (server.key and server.crt); a real client certificate needs its own key and CSR, signed by the CA in the same way as the server's.
[root@www .ssl]# openssl pkcs12 -export -in server.crt -inkey server.key -out client.p12 -name "public"
6. Edit the configuration file /etc/httpd/conf.d/ssl.conf. Because server.key is passphrase-protected, httpd will prompt for the passphrase at every start unless the key is stored unencrypted (readable by root only) or SSLPassPhraseDialog is configured.
Listen 443
DocumentRoot "/var/www/html"
ServerName
SSLCertificateFile /etc/httpd/conf.d/.ssl/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/.ssl/server.key
7. Verify: restart httpd and connect to the server over https. Clients that do not trust ca.crt will warn about an unknown issuer until the CA certificate is imported as a trusted root.
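The whole procedure as one added shell example (not code from the original post or from the mod_ssl project), with the settings a practitioner would choose today: 2048-bit keys, SHA-256, a CA DN that differs from the server DN, a subjectAltName, and openssl x509 -req in place of sign.sh so no ca.db.* bookkeeping is needed. The hostname www.example.test, the directory layout and the config section names are this example's own assumptions; it needs only the openssl binary.

```shell
#!/bin/sh
# Added example, not from the original post or from mod_ssl: build a private
# CA, issue a server certificate and verify the chain. Assumes only that
# openssl (1.0.2 or newer) is on PATH; hostname and paths are placeholders.
set -eu

# make_test_pki DIR HOSTNAME: writes ca.key, ca.crt, server.key, server.csr
# and server.crt under DIR.
make_test_pki() {
  dir=$1
  host=$2
  mkdir -p "$dir"
  umask 077   # private keys are created mode 0600

  # One config for all steps. Unlike the ca.config that sign.sh writes, it
  # marks the CA as a CA and gives the server certificate a SAN, key usage
  # and key identifiers. $host is expanded into the SAN by the shell.
  cat >"$dir/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

  # Step 2 of the post: CA key and self-signed CA certificate, but with
  # 2048-bit RSA, SHA-256 and a CA-specific Common Name so the CA DN can
  # never equal a server DN.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/C=cn/ST=hn/L=ly/O=sw/CN=sw private CA" \
    -config "$dir/pki.cnf" -extensions v3_ca 2>/dev/null

  # Step 3: server key and CSR. CN is the hostname clients connect to.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=cn/ST=hn/L=ly/O=sw/CN=$host" \
    -config "$dir/pki.cnf" 2>/dev/null

  # Step 4: sign the CSR with the CA key. "openssl x509 -req" needs none of
  # the ca.db.* files that the "openssl ca" call inside sign.sh requires.
  openssl x509 -req -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -sha256 -out "$dir/server.crt" \
    -extfile "$dir/pki.cnf" -extensions v3_server 2>/dev/null
}

# cert_is_self_signed FILE: true when issuer DN equals subject DN, the
# condition behind the post's "error 18 at 0 depth lookup:self signed
# certificate" message.
cert_is_self_signed() {
  issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
  subject=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
  [ "$issuer" = "$subject" ]
}

# verify_server_cert DIR: true when server.crt chains to ca.crt, is not
# self-signed, and carries a DNS subjectAltName.
verify_server_cert() {
  dir=$1
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  if cert_is_self_signed "$dir/server.crt"; then return 1; fi
  openssl x509 -noout -text -in "$dir/server.crt" | grep -q 'DNS:' || return 1
}

# Stand-alone run: build a throwaway PKI and print the mod_ssl directives.
work=$(mktemp -d)
make_test_pki "$work" www.example.test
openssl verify -CAfile "$work/ca.crt" "$work/server.crt"
if verify_server_cert "$work"; then echo "chain check: OK"; else echo "chain check: FAILED"; exit 1; fi
echo "SSLCertificateFile    $work/server.crt"
echo "SSLCertificateKeyFile $work/server.key"
```

The server key is written without a passphrase (-nodes) and with umask 077, so httpd can start unattended while only root can read the key; if a passphrase is wanted, drop -nodes and configure SSLPassPhraseDialog.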