1---- Configure the CA: generate the CA's own public/private key pair, and have the CA self-sign its own certificate
vim /etc/pki/tls/CA/openssl.cnf
The information above can be filled in according to your actual situation.
Protect the private key; the public key can be derived from the private key, so it does not need to be generated separately.
Data Base Updated
[root@localhost CA]# ls ../../CA/private/./cakey.pem #private key
../../CA/private/./cakey.pem
[root@localhost CA]# ls ../../CA/cacert.pem #certificate
../../CA/cacert.pem
[root@localhost CA]# ls ../../CA/careq.pem #certificate request
../../CA/careq.pem
[root@localhost CA]#
2---- The web server generates its own public/private key pair
It uses (public key + identity information) to generate a certificate request, which is sent to the CA
[root@mail ~]# cd /etc/pki/CA
Generate the web server's key pair
[root@mail Server]# cd /etc/pki/CA
[root@mail CA]# ls
private
[root@mail CA]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
..........++++++++++++
..................................................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:
[root@mail CA]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:CA.wangjinxiao.com
Email Address []:root@localhost
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The choices above must match those made when configuring the CA
3---- Send the web server's certificate request to the CA's /tmp directory
[root@mail CA]# scp /tmp/server.csr 192.168.1.62:/tmp
The authenticity of host '192.168.1.62 (192.168.1.62)' can't be established.
RSA key fingerprint is 07:0f:e8:af:d4:5c:96:68:2b:19:61:db:a6:62:30:9a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.62' (RSA) to the list of known hosts.
root@192.168.1.62's password:
server.csr 100% 517 0.5KB/s 00:00
4---- The CA signs the server's certificate request file with its own private key, producing the server's certificate, and issues it to the web server
[root@localhost tmp]# cd /etc/pki/CA
CA signing:
[root@localhost CA]# openssl ca -keyfile /etc/CA/private/cakey.pem -in /tmp/server.csr -cert /etc/CA/cacert.pem -out /tmp/server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 11 14:17:20 2012 GMT
Not After : Oct 11 14:17:20 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = uplooking
organizationalUnitName = it
commonName = CA.wangjinxiao.com
emailAddress = root@localhost
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
60:E9:CD:CB:50:4A:C8:58:87:E7:52:80:0A:53:92:E3:9B:3F:5B:70
X509v3 Authority Key Identifier:
keyid:46:07:F1:71:23:9E:F9:C8:DB:BC:14:C9:B7:EA:D2:E2:92:AC:C0:C5
Certificate is to be certified until Oct 11 14:17:20 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]#
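The tutorial shows step 1 only as editing openssl.cnf and step 4 as an interactive openssl ca run. The script below is an added example, not part of the original tutorial, that carries steps 1, 2 and 4 through non-interactively in a temporary directory and then performs the checks a practitioner wants before step 6: the certificate chains to cacert.pem, the private key matches the certificate, and the issued server certificate is marked CA:FALSE. That last check matters because the signing output above shows "X509v3 Basic Constraints: CA:TRUE" on the server certificate, which means that server key could itself issue certificates trusted by anyone who trusts this CA; a server certificate should carry CA:FALSE, which is what the server_cert extension section here enforces. Keys are 2048 bits rather than the 512-bit default seen in the genrsa output above. The directory layout, configuration sections, subject values and the hostname www.example.test are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: build a throwaway CA in a
# temporary directory, issue a server certificate from a CSR, check the result.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/CA"
SRV="$WORK/server"

# Step 1: the files "openssl ca" expects, plus a minimal config (assumed layout).
# v3_ca marks the CA certificate CA:TRUE; server_cert marks issued certificates
# CA:FALSE so a server key can never sign certificates that chain to this CA.
make_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CA_DIR
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # 2048-bit key (the tutorial's run shows a 512-bit default, which is far too
    # weak); the key is left unencrypted only because this is a demo.
    openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$CA_DIR/private/cakey.pem"
    openssl req -new -x509 -sha256 -days 3650 -config "$CA_DIR/openssl.cnf" \
        -extensions v3_ca -key "$CA_DIR/private/cakey.pem" \
        -subj "/C=CN/ST=beijing/O=uplooking/OU=it/CN=Example Test CA" \
        -out "$CA_DIR/cacert.pem"
}

# Step 2: server key pair and CSR. C, ST and O must equal the CA's values
# because policy_match rejects a request where they differ.
make_server_csr() {
    mkdir -p "$SRV"
    openssl genrsa -out "$SRV/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$CA_DIR/openssl.cnf" -key "$SRV/server.key" \
        -subj "/C=CN/ST=beijing/O=uplooking/OU=it/CN=$1" -out "$SRV/server.csr"
}

# Step 4: the CA signs the request; -batch replaces the y/n prompts and
# -extensions server_cert is what keeps CA:TRUE off the issued certificate.
sign_server_csr() {
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -extensions server_cert \
        -in "$SRV/server.csr" -out "$SRV/server.crt" 2>/dev/null
}

# The check a client performs in step 8: does the certificate chain to the CA?
verify_chain() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$SRV/server.crt" >/dev/null 2>&1
}
# True when the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
# Before step 6: the public key in the certificate must be the one derived from
# the private key, or httpd refuses to start with these two files.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

run_demo() {
    make_ca
    make_server_csr www.example.test
    sign_server_csr
    verify_chain
    key_matches_cert "$SRV/server.key" "$SRV/server.crt"
    ! is_ca_cert "$SRV/server.crt" || return 1   # issued cert must be CA:FALSE
    echo "CA: $CA_DIR/cacert.pem  server cert: $SRV/server.crt"
}

run_demo
```

Copying the resulting server.crt and server.key into /etc/httpd/conf.d corresponds to step 5; clients then need cacert.pem in their trust store for the step 8 test to verify.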
5---- Issue the signed certificate back to the web server
6---- Configure Apache to support SSL, providing HTTPS
yum install mod_ssl -y
vim /etc/httpd/conf.d/ssl.conf
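The tutorial does not show what is edited in ssl.conf. The script below is an added example, not from the original tutorial, that prints the VirtualHost directives step 6 needs (the certificate from step 4, the key from step 2, and SSLv2 and SSLv3 both disabled, whereas the ssl.conf that shipped with mod_ssl on the RHEL/CentOS releases of that period only set SSLProtocol all -SSLv2) and a check that rejects a config still allowing SSLv3 or missing the certificate or key paths. The hostname and file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial: render and check the mod_ssl
# VirtualHost settings that step 6 puts into /etc/httpd/conf.d/ssl.conf.
set -eu

# Arguments: server name, certificate path, private key path (all assumed).
render_ssl_vhost() {
    cat <<EOF
<VirtualHost _default_:443>
    ServerName $1
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCertificateFile $2
    SSLCertificateKeyFile $3
</VirtualHost>
EOF
}

# Returns 0 only if the engine is on, both file directives are set, and any
# SSLProtocol line present disables SSLv3.
check_ssl_vhost() {
    f="$1"
    grep -Eq '^[[:space:]]*SSLEngine[[:space:]]+on' "$f" || return 1
    grep -Eq '^[[:space:]]*SSLCertificateFile[[:space:]]+[^[:space:]]' "$f" || return 1
    grep -Eq '^[[:space:]]*SSLCertificateKeyFile[[:space:]]+[^[:space:]]' "$f" || return 1
    if grep -Eq '^[[:space:]]*SSLProtocol' "$f"; then
        grep -Eq '^[[:space:]]*SSLProtocol.*-SSLv3' "$f" || return 1
    fi
    return 0
}

# Usage: write the block to a file, then check it before restarting httpd.
OUT="${OUT:-$(mktemp)}"
render_ssl_vhost www.example.test /etc/httpd/conf.d/server.crt /etc/httpd/conf.d/server.key > "$OUT"
check_ssl_vhost "$OUT" && echo "ssl vhost settings written to $OUT"
```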
7---- Start the service
service httpd restart
Check the port:
netstat -tunpl | grep 443
8---- Client test: