Creating a private CA with OpenSSL and configuring an HTTPS server

System Operations | waitig

OpenSSL is the most widely used SSL/TLS toolkit: a general-purpose, robust and full-featured set of libraries and command-line tools implementing the SSL/TLS protocols.

I. Lab environment
Two CentOS virtual machines, both with the following release and kernel:

[root@localhost ~]# cat /etc/centos-release   
CentOS release 6.9 (Final)  
[root@localhost ~]# uname -r  
2.6.32-696.el6.x86_64

The two hosts are 172.16.8.11/24 and 172.16.8.12/24.
172.16.8.11/24 acts as the CA signing host and 172.16.8.12/24 as the httpd server.

II. Create the private CA (host 172.16.8.11/24)

1. Create the files and directories the CA needs

[root@localhost ~]# mkdir -p /etc/pki/CA/{certs,crl,newcerts}
[root@localhost ~]# touch /etc/pki/CA/index.txt
[root@localhost ~]# echo 01 > /etc/pki/CA/serial

Create exactly what the [ CA_default ] section of /etc/pki/tls/openssl.cnf refers to (dir = /etc/pki/CA): newcerts/ receives a copy of every issued certificate, index.txt is the CA database and serial holds the next serial number; openssl ca refuses to run if index.txt or serial is missing. The private/ directory, where the CA key will live, is shipped by the CentOS openssl package with mode 0700; if it is absent, create it the same way under umask 077.

2. Generate the CA private key

The subshell with umask 077 makes cakey.pem mode 0600 from the moment it is written. This key signs every certificate the CA issues and must never leave the CA host.

[root@localhost ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

3. Generate the CA self-signed certificate

With -x509, openssl req emits a self-signed certificate instead of a signing request; -days 3650 gives the root a ten-year lifetime. The Country, State and Organization entered here matter later: the default signing policy in openssl.cnf (policy_match) only signs requests whose C, ST and O are identical to the CA's.

[root@localhost ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:admin@example.com

III. Request a certificate for the service to enable TLS (host 172.16.8.12/24)

1. Generate the httpd host's private key
[root@localhost ~]# mkdir /etc/httpd/ssl
[root@localhost ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 4096)

2. Generate the certificate signing request

The Common Name must be the host name clients will type into the browser (www.example.com), and C, ST and O must match the CA's values. Note that -days has no effect on a CSR (openssl req only honors it together with -x509): the validity period is chosen by the CA at signing time. The "extra attributes" at the end can be left blank; openssl ca does not use the challenge password.

[root@localhost ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:example
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.example.com
Email Address []:admin@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3. Send the request to the CA host over a trustworthy channel

Only the CSR travels (the public key plus the requested subject, signed with httpd.key); the private key stays on the web server. Because the CA certifies whatever name the request carries, transfer it over an authenticated channel such as scp rather than e-mail.

[root@localhost ~]# scp /etc/httpd/ssl/httpd.csr root@172.16.8.11:/tmp/

IV. The CA signs the certificate and returns it to the requester (host 172.16.8.11/24)

1. The CA signs the certificate

openssl ca reads /etc/pki/tls/openssl.cnf, checks that the CSR's signature verifies with the public key it contains, applies policy_match to the subject and adds the extensions of the usr_cert section (CA:FALSE, key identifiers). Two things in the output below are worth noticing: localityName is not listed in policy_match, so the L=ShenZhen entered in the CSR is silently dropped from the issued subject, and the serial number comes from the serial file created in step II.1. Without -notext the resulting httpd.crt also contains a human-readable dump before the PEM block; httpd ignores it.

[root@localhost ~]# openssl ca -in /tmp/httpd.csr -days 365 -out /etc/pki/CA/certs/httpd.crt 
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 14 19:41:11 2017 GMT
            Not After : Oct 14 19:41:11 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = GuangDong
            organizationName          = example
            organizationalUnitName    = Ops
            commonName                = www.example.com
            emailAddress              = admin@example.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                BC:0E:00:EE:D6:1E:8B:F8:2A:6E:EB:8D:F9:15:3A:EE:29:A4:07:7E
            X509v3 Authority Key Identifier: 
                keyid:92:D1:16:20:31:94:90:38:C1:BF:55:E5:4F:1D:C2:8C:D3:37:3D:70

Certificate is to be certified until Oct 14 19:41:11 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

2. Check the CA database

index.txt records one line per issued certificate: status (V = valid, R = revoked, E = expired), expiry time, revocation time (empty), serial number, file name (unknown) and subject.

[root@localhost ~]# cat /etc/pki/CA/index.txt
V   181014194111Z       01  unknown /C=CN/ST=GuangDong/O=example/OU=Ops/CN=www.example.com/emailAddress=admin@example.com

3. Send the certificate to the httpd host

[root@localhost ~]# scp  /etc/pki/CA/certs/httpd.crt  root@172.16.8.12:/etc/httpd/ssl
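The whole flow of sections II to IV, as an added example that is not part of the original post. It reproduces the post's steps in a scratch directory with its own openssl.cnf (so it never touches /etc/pki), runs non-interactively (-subj instead of the prompts, -batch instead of the y/n questions), keeps localityName in the issued subject, and has the CA issue a subjectAltName, which current browsers require. The directory, DN values and DNS names are assumptions for the demo.

```shell
# Added example, not code from the original post: the CA/CSR/signing flow of
# sections II-IV in a scratch directory with its own openssl.cnf, run
# non-interactively and issuing a subjectAltName. Directory, DN values and
# DNS names are assumptions for the demo.
set -e
CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Same layout the post creates under /etc/pki/CA, plus a minimal config.
setup_ca_dirs() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts"
    (umask 077; mkdir -p "$CA_DIR/private")
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $CA_DIR
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
certificate   = \$dir/cacert.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
# copy_extensions stays at its default (none): extensions come only from the
# CA's -extensions section, never from whatever the requester put in the CSR.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.example.com, DNS:example.com
EOF
}

# Section II: CA key (0600 thanks to the umask) and a ten-year self-signed root.
make_ca() {
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 4096 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$CA_DIR/openssl.cnf" \
        -extensions ca_ext -key "$CA_DIR/private/cakey.pem" \
        -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=example/OU=Ops/CN=ca.example.com" \
        -out "$CA_DIR/cacert.pem"
}
# Section III: server key and CSR. No -days: a CSR carries no validity period,
# the CA sets one at signing. C, ST and O must equal the CA's (policy_match).
make_csr() {
    (umask 077; openssl genrsa -out "$CA_DIR/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/httpd.key" \
        -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=example/OU=Ops/CN=www.example.com" \
        -out "$CA_DIR/httpd.csr"
}
# Section IV: sign. -notext leaves the human-readable dump out of the .crt.
sign_csr() {
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -extensions server_ext \
        -days 365 -in "$CA_DIR/httpd.csr" -out "$CA_DIR/certs/httpd.crt" 2>/dev/null
}

# Checks worth running before the certificate goes to the web server.
verify_cert() {   # chain builds to our root and the leaf is valid for a TLS server
    openssl verify -CAfile "$CA_DIR/cacert.pem" -purpose sslserver \
        "$CA_DIR/certs/httpd.crt" >/dev/null
}
cert_san() {      # the DNS names a browser will match the URL against
    openssl x509 -in "$CA_DIR/certs/httpd.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
cert_subject() {  # keeps L=ShenZhen only because policy_match lists localityName
    openssl x509 -in "$CA_DIR/certs/httpd.crt" -noout -subject
}
index_status() {  # first column of index.txt: V = valid, R = revoked
    cut -f1 "$CA_DIR/index.txt"
}

setup_ca_dirs
make_ca
make_csr
sign_csr
verify_cert
echo "CA root and server certificate created under $CA_DIR"
```

Set CA_DIR to reuse a directory across runs; otherwise each run builds a fresh CA under mktemp. Once the certificate is installed on the web server of section V, the same root can be used for a client-side check of the live service with `echo | openssl s_client -connect 172.16.8.12:443 -servername www.example.com -CAfile "$CA_DIR/cacert.pem"`, which must end in `Verify return code: 0 (ok)`; host-name matching is then left to the browser or curl, so also compare the SAN printed by cert_san with the name clients use.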

V. Configure the HTTPS service (host 172.16.8.12/24)
httpd here was compiled from source (version 2.4.28) and installed under /usr/local/apache/, with its configuration files in /etc/httpd/; it was built with the --enable-so and --enable-ssl options.

1. Enable SSL and load the mod_ssl.so and mod_socache_shmcb.so modules
Edit the main httpd configuration file, find the following three lines and remove the leading #:

[root@localhost ~]# vim /etc/httpd/httpd.conf 
#Include /etc/httpd/extra/httpd-ssl.conf
#LoadModule ssl_module modules/mod_ssl.so
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

2. Edit httpd-ssl.conf: find the matching directives and change them as follows (the lines are not contiguous in the file; comments and other directives sit between them). SSLEngine on, which the stock file already sets inside the VirtualHost, must stay enabled. SSLCertificateKeyFile points at the key generated in III.1, which only root should be able to read.

[root@localhost ~]# vim /etc/httpd/extra/httpd-ssl.conf 
<VirtualHost *:443>
   DocumentRoot "/vhosts/htdocs/example.com"
   ServerName www.example.com
   SSLCertificateFile "/etc/httpd/ssl/httpd.crt"
   SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
   <Directory "/vhosts/htdocs/example.com">
      SSLOptions +StdEnvVars
      Options Indexes FollowSymLinks
      AllowOverride None
      Require all granted
   </Directory>
</VirtualHost>
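The same VirtualHost with the TLS settings a practitioner would add before exposing it, as an added example rather than the post's own file. The protocol and cipher lines assume httpd 2.4.28 linked against the OpenSSL 1.0.1e shipped with CentOS 6.9, which supports TLS 1.2 but not TLS 1.3; the HSTS line assumes mod_headers is loaded.

```apache
# Server-wide settings: top level of httpd-ssl.conf, outside any <VirtualHost>.
# Only TLS 1.2 stays enabled, and the cipher list is limited to forward-secret
# suites with no anonymous, RC4, 3DES or MD5 members; the server picks the cipher.
SSLProtocol          all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite       ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder  on
SSLCompression       off

<VirtualHost *:443>
   DocumentRoot "/vhosts/htdocs/example.com"
   ServerName www.example.com
   SSLEngine on
   SSLCertificateFile "/etc/httpd/ssl/httpd.crt"
   SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
   # HSTS (needs mod_headers). Enable it only once every client trusts the
   # private CA; until then browsers would refuse the site outright.
   #Header always set Strict-Transport-Security "max-age=31536000"
   <Directory "/vhosts/htdocs/example.com">
      SSLOptions +StdEnvVars
      # -Indexes: never serve a directory listing of the document root
      Options -Indexes +FollowSymLinks
      AllowOverride None
      Require all granted
   </Directory>
</VirtualHost>
```

After restarting httpd, `openssl s_client -connect 172.16.8.12:443 -tls1` from the CA host should fail the handshake while `-tls1_2` succeeds, confirming the protocol restriction took effect.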

3. Create a test page, restart httpd and open port 443 in iptables. The ACCEPT rule must be inserted above the final REJECT rule of the INPUT chain, otherwise it is never reached.

[root@localhost ~]# mkdir -p /vhosts/htdocs/example.com
[root@localhost ~]# vim /vhosts/htdocs/example.com/index.html
Test https server
[root@localhost ~]# service httpd restart
[root@localhost ~]# vim /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
[root@localhost ~]# service iptables restart
[root@localhost ~]# ss -tunl | grep 443
tcp    LISTEN     0      128                   :::443                  :::* 

4. Test
Copy /etc/pki/CA/cacert.pem from the CA host to a Windows client, rename it cacert.crt and import it through Control Panel - Internet Options - Content - Certificates, into the Trusted Root Certification Authorities store (imported anywhere else, the site remains untrusted). Only the CA certificate is distributed to clients; the CA private key stays on 172.16.8.11.
Edit the client's hosts file, C:\Windows\System32\drivers\etc\hosts, and add the line
172.16.8.12 www.example.com
Then open https://www.example.com in the browser; it displays
Test https server
The URL must use the name in the certificate: https://172.16.8.12 fails the name check because the certificate names www.example.com, not the address. Note also that this certificate carries the host name only in its Common Name; Chrome 58 and later ignore the CN and accept only names from a subjectAltName extension, so with current browsers the certificate must be issued with a SAN.


Published by waitig on 等英博客 (Dengying blog).