apache配置https加密传输
环境:两台linux虚拟机和一台windows本机,一台充当要使用https传输的web服务器apache2.4.4,另一台CA服务器,window测试https配置。
1.CA服务器生成私有CA
1.1生成私钥,进入/etc/pki/CA
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024) //CA私钥必须存放到private目录下名称为cakey.pem
Generating RSA private key, 1024 bit long modulus
..................................................++++++
........++++++
e is 65537 (0x10001)
1.2制作私有CA
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN //填写国家 随意填写,但是一定要记住 State or Province Name (full name) []:Hangzhou //省份 同上 Locality Name (eg, city) [Default City]:Hangzhou //城市 同上 Organization Name (eg, company) [Default Company Ltd]:Taobao //公司 同上 Organizational Unit Name (eg, section) []:Test //组织 Common Name (eg, your name or your server's hostname) []:Test.com //域名这里填写自己公司的域名 Email Address []:admin@test.com //管理员邮件 [root@localhost CA]#
看本地有没有 certs , newcerts, crl 目录 和index.txt ,serial文件,如果没有 创建并给serial一个初始值
[root@localhost CA]# ls ca.key certs crl newcerts private [root@localhost CA]# touch serial index.txt [root@localhost CA]# ls ca.key certs crl index.txt newcerts private serial [root@localhost CA]# echo "001">serial [root@localhost CA]#
2.web服务器生成CA请求
2.1比如为httpd服务配置https
在/etc/httpd/下面创建一个ssl目录,创建私钥,和CA请求,这个目录随意选择
2.2生成私钥,同上
[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 1024) Generating RSA private key, 1024 bit long modulus .......................++++++ ..............................++++++ e is 65537 (0x10001) [root@localhost ssl]# ls httpd.key [root@localhost ssl]#
2.2生成CA请求
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN //前面这些信息一定要和私有CA一样,因为是内部私有的,所以要保持一直不然无法签署 State or Province Name (full name) []:Hangzhou Locality Name (eg, city) [Default City]:Hangzhou Organization Name (eg, company) [Default Company Ltd]:Taobao Organizational Unit Name (eg, section) []:Test Common Name (eg, your name or your server's hostname) []:www.a.org //这里的域名为你配置https的名字 Email Address []:admin@a.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@localhost ssl]#
3.将请求httpd.csr发送到CA服务器,请求签署,这里复制过去
[root@localhost ssl]# scp -P 5211 httpd.csr 192.168.136.131:/tmp/
root@192.168.136.131's password:
httpd.csr 100% 688 0.7KB/s 00:00
[root@localhost ssl]#
4.CA签署请求
4.1 这里碰到一问题
[root@localhost CA]# openssl ca -in /tmp/httpd.csr -out httpd.crt Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature //意思说配置文件中policy,没有CN这个选项 Signature ok CN:invalid type in 'policy' configuration
4.2 查看配置文件
# For the CA policy //这里就是配置CA请求和CA哪些选项是必须(match)匹配,一样的,哪些是(optional)可选自己填写的,哪些是(supplied) [ policy_match ] //这个是错误的,是以前想改默认配置改错了,红色的是正确的配置,把CN,Henan,WEB等修改为红色选项,就可以签署了。 countryName = CN match stateOrProvinceName = Henan match organizationName = WEB match organizationalUnitName = WEB optional commonName = test supplied emailAddress = test@.com optional # For the 'anything' policy # At this point in time, you must list all acceptable 'object' # types. [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional
4.3 CA签署
[root@localhost CA]# openssl ca -in /tmp/httpd.csr -out httpd.crt Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jul 19 05:17:43 2015 GMT Not After : Jul 18 05:17:43 2016 GMT Subject: countryName = CN stateOrProvinceName = Hangzhou organizationName = Taobao organizationalUnitName = Test commonName = www.a.org emailAddress = admin@a.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C7:06:AC:D8:C2:49:DA:F6:DD:1A:03:75:4F:94:26:FD:53:E7:18:5F
X509v3 Authority Key Identifier:
keyid:F2:A3:E1:30:32:E5:24:38:6F:4D:FF:3F:97:B1:E7:84:4A:41:97:36
Certificate is to be certified until Jul 18 05:17:43 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost CA]# ls
cacert.pem certs crl httpd.crt index.txt index.txt.attr index.txt.old newcerts private serial serial.old
[root@localhost CA]#
5.然后CA将httpd.crt发送给web服务器
[root@localhost CA]# scp httpd.crt 192.168.136.135:/etc/httpd/ssl root@192.168.136.135's password: httpd.crt 100% 3128 3.1KB/s 00:00 [root@localhost CA]#
6如果没有mode_ssl模块需要安装模块先,修改web服务器/etc/httpd/conf.d/httpd.conf配置文件
6.1
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so //前面#去掉,如果不载入在这个模块会报错SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
LoadModule ssl_module modules/mod_ssl.so //取代哦#去掉载入模块
6.2配置/etc/httpd/extra/httpd-ssl.conf
SSLCertificateFile "/etc/httpd/ssl/httpd.crt" //修改证书文件位置 SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key //修改密钥存放位置
<VirtualHost 192.168.136.135:443> //修改VitualHost和httpd-vhost.cong中的配置一样即可
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/www.a.org"
ServerName www.a.org:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on //这个表示开启ssl
7.重启服务,测试www.a.org,因为私有CA不公开使用,只在内部使用,所以不受信任互联网。可以自己导入CA的证书,让私有CA为可信任的证书颁发者。
将CA服务器上的cacert.pem下载到本地,更改为cacer.crt,安装,导入添加信任。