
Category: Web Development

2014-03-10 08:12:23

  1. Install the mod_ssl package
      yum install mod_ssl.x86_64
  2. Create the CA certificate
   cd /etc/httpd/conf.d/
   mkdir .ssl
   cd .ssl
  Create the CA's RSA private key
  [root@www .ssl]# openssl genrsa -des3 -out ca.key 1024
  (1024-bit RSA is below the 2048-bit minimum that current browsers and CA baselines accept; use 2048 bits or more for anything beyond a lab. -des3 encrypts the key under a passphrase, which you will be asked for every time ca.key is used.)
  Inspect the contents of ca.key
  [root@www .ssl]# openssl rsa -noout -text -in ca.key 
    Enter pass phrase for ca.key:
    Private-Key: (1024 bit)
    modulus:
 Use the CA's RSA key to create a self-signed CA certificate (valid for 10 years)
  [root@www .ssl]# openssl req -new -x509 -days 3650  -key ca.key -out ca.crt
   Country Name (2 letter code) [XX]:cn
   State or Province Name (full name) []:hn
   Locality Name (eg, city) [Default City]:ly
Organization Name (eg, company) [Default Company Ltd]:sw 
Organizational Unit Name (eg, section) []:sw
Common Name (eg, your name or your server's hostname) []:wang
Email Address []:
  
3. Create the server certificate signing request
  Create an RSA private key for the server
   [root@www .ssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
  Use server.key to generate the certificate signing request (CSR)
  [root@www .ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:ly
Organization Name (eg, company) [Default Company Ltd]:sw
Organizational Unit Name (eg, section) []:sw
Common Name (eg, your name or your server's hostname) []:wang
Email Address []:


Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  Note that the Distinguished Name entered here is identical to the one given to the CA in step 2. The server certificate needs its own DN, and its Common Name must be the hostname clients will type into the browser (modern clients additionally require the hostname in a subjectAltName extension); reusing the CA's DN causes the verification error shown in step 4.
   4. Download the mod_ssl source package
    [root@www .ssl]# wget
    Extract sign.sh and sign the certificate. mod_ssl 2.8.x is the Apache 1.3 module; it is not built here, only its helper script pkg.contrib/sign.sh is used, which wraps `openssl ca` with a generated ca.config and a default validity of 365 days.
     [root@www .ssl]# tar zxvf mod_ssl-2.8.31-1.3.41.tar.gz 
     [root@www .ssl]# ./mod_ssl-2.8.31-1.3.41/pkg.contrib/sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :ASN.1 12:'hn'
localityName          :ASN.1 12:'ly'
organizationName      :ASN.1 12:'sw'
organizationalUnitName:ASN.1 12:'sw'
commonName            :ASN.1 12:'wang'
Certificate is to be certified until Mar  6 11:16:12 2015 GMT (365 days)
Sign the certificate? [y/n]:y




1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: C = cn, ST = hn, L = ly, O = sw, OU = sw, CN = wang
error 18 at 0 depth lookup:self signed certificate
OK
   The "error 18 at 0 depth lookup:self signed certificate" line is not a success message. Because server.csr was given exactly the same Distinguished Name as the CA, the issued certificate's subject equals its issuer, and OpenSSL treats it as a self-signed certificate rather than one that chains to ca.crt; the trailing OK only shows that the old verify tool kept going after reporting the error. Give the server certificate its own DN (CN = the server hostname) and this verification step reports OK with no error.
   5. Export a PKCS#12 bundle
     [root@www .ssl]# openssl pkcs12 -export -in server.crt -inkey server.key -out client.p12 -name  "public"
   Despite the file name client.p12, this bundle contains the server certificate together with the server's private key, so it is a backup or import bundle for the server, not a client certificate. A client certificate needs its own key pair and CSR signed by the CA; never distribute server.key inside a .p12.
   6. Edit the configuration file /etc/httpd/conf.d/ssl.conf
   Listen 443
   DocumentRoot "/var/www/html"
   ServerName
   SSLCertificateFile /etc/httpd/conf.d/.ssl/server.crt
   SSLCertificateKeyFile /etc/httpd/conf.d/.ssl/server.key
   ServerName must match the Common Name in server.crt. Because server.key was created with -des3, httpd will prompt for the passphrase at every start; either strip the passphrase from server.key (openssl rsa can rewrite the key without one) and restrict the file to root with mode 600, or configure SSLPassPhraseDialog.
  7. Verify
   Restart httpd and open https://ServerName/ in a browser. Because the CA is private, the browser will warn about an untrusted issuer until ca.crt is imported as a trusted root; with that done, the site loads over HTTPS and the setup is complete.