openssl實現私有CA，并配置基于openssl的https服務的配置，原理如下圖

在CA服務器上實現私有CA步驟如下；

1、生成一對密鑰

2.生成自簽證書

基本的配置如下代碼;

[root@CA?CA]#?pwd /etc/pki/CA [root@CA?CA]#?(umask?077;openssl?genrsa?-out?private/cakey.pem?2048) [root@CA?CA]#?openssl?req?-new?-x509?-key?private/cakey.pem?-out?cacert.pem You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Country?Name?(2?letter?code)?[CN]: State?or?Province?Name?(full?name)?[NEIMENGGU]: Locality?Name?(eg,?city)?[Huhhot]: Organization?Name?(eg,?company)?[EDU]: Organizational?Unit?Name?(eg,?section)?[Tech]: Common?Name?(eg,?your?name?or?your?server's?hostname)?[]:ca.edu.cn Email?Address?[]:caadmin@edu.cn [root@CA?CA]#?touch?index.txt [root@CA?CA]#?touch?serial [root@CA?CA]#?echo?01?>?serial? [root@CA?CA]#?ls cacert.pem??certs??crl??index.txt??newcerts??private??serial

webserver服務器上的證書生成步驟；

[root@www?~]#?cd?/etc/httpd/ [root@www?httpd]#?mkdir?ssl [root@www?httpd]#?cd?ssl/ [root@www?ssl]#?pwd /etc/httpd/ssl [root@www?ssl]#?(umask?077;?openssl?genrsa?-out?httpd.key?1024) Generating?RSA?private?key,?1024?bit?long?modulus ..........................++++++ .......++++++ e?is?65537?(0x10001) [root@www?ssl]#?ll total?4 -rw-------.?1?root?root?887?Aug??6?23:46?httpd.key

webserver生成證書簽署請求；

[root@www?ssl]#?openssl?req?-new?-key?httpd.key?-out?httpd.csr You?are?about?to?be?asked?to?enter?information?that?will?be?incorporated into?your?certificate?request. What?you?are?about?to?enter?is?what?is?called?a?Distinguished?Name?or?a?DN. There?are?quite?a?few?fields?but?you?can?leave?some?blank For?some?fields?there?will?be?a?default?value, If?you?enter?'.',?the?field?will?be?left?blank. ----- Country?Name?(2?letter?code)?[XX]:CN State?or?Province?Name?(full?name)?[]:NEIMENGGU Locality?Name?(eg,?city)?[Default?City]:Huhhot Organization?Name?(eg,?company)?[Default?Company?Ltd]:EDU Organizational?Unit?Name?(eg,?section)?[]:Tech Common?Name?(eg,?your?name?or?your?server's?hostname)?[]:www.edu.cn Email?Address?[]: Please?enter?the?following?'extra'?attributes to?be?sent?with?your?certificate?request A?challenge?password?[]: An?optional?company?name?[]:

將申請證書發送打CA服務器上，讓CA服務器來完成證書的簽署

[root@CA?CA]#?scp?root@192.168.0.107:/etc/httpd/ssl/httpd.csr?./certs/ root@192.168.0.107's?password:? httpd.csr?????????????????????????????????100%??647?????0.6KB/s???00:00???? [root@CA?CA]#?ll?./certs/ total?4 -rw-r--r--?1?root?root?647?Aug??5?21:39?httpd.csr

CA服務器來完成證書的簽署

[root@CA?CA]#?openssl?ca?-in?./certs/httpd.csr?-out?./certs/httpd.crt?-days?365 Using?configuration?from?/etc/pki/tls/openssl.cnf Check?that?the?request?matches?the?signature Signature?ok Certificate?Details:Serial?Number:?1?(0x1)ValidityNot?Before:?Aug??5?13:45:06?2016?GMTNot?After?:?Aug??5?13:45:06?2017?GMTSubject:countryName???????????????=?CNstateOrProvinceName???????=?NEIMENGGUorganizationName??????????=?EDUorganizationalUnitName????=?TechcommonName????????????????=?www.edu.cnX509v3?extensions:X509v3?Basic?Constraints:?CA:FALSENetscape?Comment:?OpenSSL?Generated?CertificateX509v3?Subject?Key?Identifier:?12:2C:ED:3F:F1:FA:54:FB:71:03:79:03:81:77:2D:A6:33:EF:8E:8FX509v3?Authority?Key?Identifier:?keyid:1B:1E:92:D1:DD:79:A6:68:19:91:5F:08:04:FF:7C:25:73:E4:BC:82 Certificate?is?to?be?certified?until?Aug??5?13:45:06?2017?GMT?(365?days) Sign?the?certificate??[y/n]:y 1?out?of?1?certificate?requests?certified,?commit??[y/n]y Write?out?database?with?1?new?entries Data?Base?Updated [root@CA?CA]#?ll?./certs/ total?4 -rw-r--r--?1?root?root???0?Aug??5?21:43?httpd.crt -rw-r--r--?1?root?root?647?Aug??5?21:39?httpd.csr

將證書文件發送給請求端；

[root@CA?CA]#?scp?./certs/httpd.crt?root@192.168.0.107:/etc/httpd/ssl/ root@192.168.0.107's?password:? httpd.crt?????????????????????????????????100%?3754?????3.7KB/s???00:00

在webserver服務器上安裝支持ssl的模塊；

#?yum?install?-y?mod_ssl

配置ssl.conf配置文件，修改如下行；

[root@www?ssl]#?vim?/etc/httpd/conf.d/ssl.conf? 107?SSLCertificateFile?/etc/httpd/ssl/httpd.crt 114?SSLCertificateKeyFile?/etc/httpd/ssl/httpd.key

啟動apache服務

[root@www?ssl]#?service?httpd?start

在windows客戶端通過如下方式安裝信任CA證書頒發機構；

將CA服務器上的cakey.pem文件下載到windows客戶端上，修改文件名后綴為crt（cakey.crt），雙擊此文件，安裝信任該證書頒發機構，具體步驟；

安裝證書-->下一步-->選擇將證書放入下列存儲-->瀏覽-->選擇受信任的根證書頒發機構-->完成；

通過web頁面訪問，效果如下；

部署完成。

轉載于:https://blog.51cto.com/xiaofeifei/1835136

總結

以上是生活随笔為你收集整理的基于openssl的https服务的配置的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。