Self-signed certificates: putting them into the Apache httpd and nginx configuration files for testing

This is a small write-up. I went around in circles on this for several days, so I am organizing it for anyone who is just starting out and is as confused as I was.

Requesting a certificate:

Suffix conventions:

  • Certificate: crt (a certificate issued by the CA), pem (the CA's own self-signed certificate; strictly, .pem names the encoding, Base64 DER between BEGIN/END lines, and every file in this write-up is PEM-encoded whatever its suffix)
  • Private key: key
  • Certificate signing request: csr
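
The suffixes are a naming convention for people; OpenSSL, httpd and nginx identify a file by its `-----BEGIN ...-----` line, not by its name. Below is an added example (not code from the original post) of a POSIX shell function that classifies a file by those header lines and flags a file that bundles a private key with a certificate or request, which is how a key ends up on a host it was never meant for. The function names are this example's own.

```shell
#!/bin/sh
# pem_kind FILE
# Prints what FILE holds according to its PEM "-----BEGIN ...-----" lines:
#   private-key | csr | certificate | chain (more than one certificate)
# Prints "mixed" and returns 1 when a private key is bundled with public
# material (a .crt/.csr/.pem you copy elsewhere must never carry the key);
# returns 2 when no PEM block is found.
pem_kind() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    # grep -c prints the count even when it is 0; "|| true" only masks
    # grep's exit status 1 for "no match".
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    csrs=$(grep -c -E '^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$' "$f" || true)
    keys=$(grep -c -E '^-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----$' "$f" || true)
    if [ "$keys" -gt 0 ] && [ $((certs + csrs)) -gt 0 ]; then
        echo mixed; return 1
    elif [ "$keys" -gt 0 ]; then
        echo private-key
    elif [ "$csrs" -gt 0 ]; then
        echo csr
    elif [ "$certs" -gt 1 ]; then
        echo chain
    elif [ "$certs" -eq 1 ]; then
        echo certificate
    else
        echo unknown; return 2
    fi
}

# pem_summary FILE : one line per block label with its count, e.g. to see how
# many certificates a bundle carries before installing it.
pem_summary() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort | uniq -c |
        while read -r n label; do printf '%s: %s\n' "$label" "$n"; done
}
```

Usage: `pem_kind /etc/httpd/ssl/httpd.crt` should print `certificate`; if it prints `mixed`, the key was concatenated into the file and the file must not be copied anywhere.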

I. CA server (192.168.1.110):

1. Generate the CA private key (the umask 077 in the subshell makes the file 0600 from the moment it is written, so there is no window in which it is world-readable):

[root@MiWiFi-R3-srv pki]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.................................................................................................................................................................................................++
..........................++
e is 65537 (0x10001)

2. Generate the self-signed CA certificate. -days 3655 is roughly ten years. With no -config given, req reads /etc/pki/tls/openssl.cnf, whose v3_ca section is applied to `req -x509`; that is what gives this certificate CA:TRUE, without which it could not validate anything it signs. Check it with `openssl x509 -in /etc/pki/CA/cacert.pem -noout -text | grep -A1 'Basic Constraints'`.

[root@MiWiFi-R3-srv pki]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:tengzhou
Organization Name (eg, company) [Default Company Ltd]:mageedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:

3. Create the directories and files the CA needs. The paths come from `[ CA_default ] dir = /etc/pki/CA` in /etc/pki/tls/openssl.cnf; `openssl ca` refuses to run until index.txt exists (empty is fine) and serial holds the next serial number in hex.

[root@MiWiFi-R3-srv pki]# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
[root@MiWiFi-R3-srv pki]# touch /etc/pki/CA/{serial,index.txt}
[root@MiWiFi-R3-srv pki]# echo 01 > /etc/pki/CA/serial

II. Client (192.168.1.175) requests a certificate

1. Create the directory

[root@localhost ~]# mkdir -pv /etc/httpd/ssl
mkdir: created directory '/etc/httpd'
mkdir: created directory '/etc/httpd/ssl'
[root@localhost ~]# cd /etc/httpd/ssl

2. Generate a private key on the host that will use the certificate. The key is created where it will be used and never leaves this host; only the request in the next step travels to the CA.

[root@localhost ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
............................................+++
.........................................................................+++
e is 65537 (0x10001)

3. Generate the certificate signing request. Two things to know: -days does nothing on `req -new` without -x509 (a request has no validity; the CA sets it at signing time), and C, ST and O must be the same values entered for the CA certificate, because the CA's default policy (policy_match in /etc/pki/tls/openssl.cnf) compares them and rejects a request that differs. The two "extra" attributes at the end are stored inside the request only; the challenge password is not a key passphrase and nothing in this flow uses it, so it can be left blank.

[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shandong
Locality Name (eg, city) [Default City]:tengzhou
Organization Name (eg, company) [Default Company Ltd]:mageedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.magedu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:a

Send the request to the CA server 192.168.1.110 over a channel you trust. Only httpd.csr goes across; httpd.key stays on this host.

[root@localhost ssl]# scp httpd.csr root@192.168.1.110:/tmp/
root@192.168.1.110's password: 
httpd.csr                                                                                       100% 1066     1.0KB/s   00:00  

III. CA server (192.168.1.110) issues the certificate. `openssl ca` takes its settings from /etc/pki/tls/openssl.cnf (the "Using configuration from" line below); -days 365 sets the validity; besides the -out file, a copy is written to /etc/pki/CA/newcerts/01.pem and a line is appended to index.txt.

[root@MiWiFi-R3-srv pki]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 29 14:59:43 2018 GMT
            Not After : Apr 29 14:59:43 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shandong
            organizationName          = mageedu
            organizationalUnitName    = ops
            commonName                = www.magedu.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                52:45:76:06:A8:43:FC:2B:E4:71:D1:F1:F0:EF:C7:A3:AB:76:66:29
            X509v3 Authority Key Identifier: 
                keyid:39:B3:4B:48:C3:28:1A:4B:D0:6E:A1:4F:5E:1A:47:AD:CE:85:CC:00

Certificate is to be certified until Apr 29 14:59:43 2019 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

View the certificate
[root@MiWiFi-R3-srv pki]# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=shandong/O=mageedu/OU=ops/CN=www.magedu.com
View the CA's issuance database (index.txt). Columns: status (V = valid, R = revoked, E = expired), expiry, revocation date (empty), serial, certificate file name ("unknown"), subject:
[root@MiWiFi-R3-srv CA]# cat /etc/pki/CA/index.txt
V	190429145943Z		01	unknown	/C=CN/ST=shandong/O=mageedu/OU=ops/CN=www.magedu.com

Send the issued certificate to the requesting host (run on the CA, from /etc/pki/CA/certs; the certificate is public, so scp without further precautions is fine). Also copy /etc/pki/CA/cacert.pem to the web server and to every client that should trust the site, since nothing can validate httpd.crt without it. The CA key /etc/pki/CA/private/cakey.pem stays on the CA.
[root@localhost certs]# scp httpd.crt root@192.168.1.175:/etc/httpd/ssl/
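
The three parts above, CA setup, request and signing, as one added script (not from the original post). It follows the same commands but under a scratch directory instead of /etc/pki/CA, with its own openssl.cnf in place of /etc/pki/tls/openssl.cnf, non-interactively (-subj and -batch instead of prompts), and it adds the one thing the certificate issued above lacks, a subjectAltName, which current browsers require to match the host name. The DN values and host names are taken from the page; the directory layout, config sections and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: the page's CA flow end to end, self-contained and
# non-interactive. Everything lives under a scratch directory (assumed
# layout: CA/ and ssl/), not under /etc/pki/CA.
set -eu

# write_ca_config CA_DIR : a minimal openssl.cnf for "req -x509" and "ca".
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $1
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
certificate   = \$dir/cacert.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
# same rule as the stock openssl.cnf: C, ST and O must equal the CA's
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
# CA:TRUE is what lets cacert.pem validate the certificates it signs
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# build_ca CA_DIR SUBJECT : steps 1-3 of the CA section in one call.
build_ca() {
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    write_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 4096 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -subj "$2" -days 3655 -out "$1/cacert.pem"
}

# issue_server_cert CA_DIR OUT_DIR SUBJECT HOSTNAME : the client's key and
# CSR, then the CA's "openssl ca" with server extensions and a SAN.
issue_server_cert() {
    mkdir -p "$2"
    (umask 077; openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null)
    # "req -new" carries no validity; the CA decides that with -days below
    openssl req -new -config "$1/openssl.cnf" -key "$2/httpd.key" -subj "$3" \
        -out "$2/httpd.csr"
    cat > "$2/server_ext.cnf" <<EOF
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$4
EOF
    openssl ca -batch -config "$1/openssl.cnf" -in "$2/httpd.csr" \
        -extfile "$2/server_ext.cnf" -extensions v3_server -days 365 \
        -notext -out "$2/httpd.crt" 2>/dev/null
}

# verify_issued CA_DIR CERT HOSTNAME : chains to cacert.pem and names HOSTNAME
verify_issued() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1 &&
    openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match'
}

main() {
    work=$(mktemp -d)
    build_ca "$work/CA" "/C=CN/ST=shandong/O=mageedu/OU=ops/CN=ca.magedu.com"
    issue_server_cert "$work/CA" "$work/ssl" \
        "/C=CN/ST=shandong/O=mageedu/OU=ops/CN=www.magedu.com" www.magedu.com
    verify_issued "$work/CA" "$work/ssl/httpd.crt" www.magedu.com
    echo "issued $work/ssl/httpd.crt"; cat "$work/CA/index.txt"
}
case "${1-}" in run) main ;; esac   # sh ca_flow.sh run
```

Run it as `sh ca_flow.sh run` (file name assumed). The policy_match section is why the page had to type the same C, ST and O twice: a request for a different organization is refused by openssl ca, which is the CA's first line of defence against signing a request it should not.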

Apache: configuring the certificate

Test server: 192.168.1.175

Preparation:

[root@localhost ssl]# yum -y install mod_ssl

1. Edit the configuration file, pointing it at the private key and the issued certificate

[root@localhost ssl]# vim /etc/httpd/conf.d/ssl.conf

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
# the certificate issued by the CA (replaces the stock localhost.crt;
# httpd does not allow a trailing comment on a directive line)
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# the host's private key (never the CA's cakey.pem)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

2. Restart the Apache service (`apachectl configtest` first: it reports a wrong path or an unreadable key before the restart takes the site down)

[root@localhost ssl]# systemctl restart httpd.service

3. Open https://<web server IP> in a browser and inspect the certificate. Expect a warning: the browser does not trust ca.magedu.com until /etc/pki/CA/cacert.pem is imported into its trust store, and the site was reached by IP while the certificate is issued to www.magedu.com. Even with the CA imported and a hosts entry for www.magedu.com, Chrome (58 and later) ignores the Common Name and only matches a subjectAltName, which the certificate issued above does not carry; that warning is about the name, not the signature. From a shell, `openssl s_client -connect 192.168.1.175:443 -servername www.magedu.com -CAfile /etc/pki/CA/cacert.pem` reports "Verify return code: 0 (ok)" when the chain is good (add -verify_hostname www.magedu.com to also check the name).


Stop the httpd service (`systemctl stop httpd`) before the nginx test: both bind port 443, and nginx fails to start while httpd holds it.

Nginx: configuring the certificate

Test server: 192.168.1.175

Prepare the official yum repository

To set up the yum repository on RHEL/CentOS, create a file named /etc/yum.repos.d/nginx.repo with the following content:

[nginx]
name=nginx repo
baseurl=https://nginx.org/packages/mainline/OS/OSRELEASE/$basearch/
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1

Replace "OS" with "rhel" or "centos" depending on the distribution, and "OSRELEASE" with "6" or "7" for 6.x and 7.x respectively. The original note had gpgcheck=0 over plain http, which makes yum install whatever the mirror, or anyone on the path to it, serves; gpgcheck=1 with nginx's published signing key makes yum verify every package signature before installing. This path selects the mainline branch; the stable branch lives at the same URL without the mainline/ component.

1. Install nginx

[root@localhost conf.d]# yum -y install nginx

2. Create a test configuration file

[root@localhost conf.d]# vim /etc/nginx/conf.d/magedu.conf


server {
        listen 443 ssl;                                 # new TLS listener (httpd must be stopped; it holds 443)
        # the certificate's Common Name; the original note had "magedu.com",
        # which the certificate does not cover
        server_name www.magedu.com;
        root /usr/share/nginx/html;                     # the package's default site
        index index.php index.html;
        ssl_certificate /etc/httpd/ssl/httpd.crt;       # certificate issued by the CA
        ssl_certificate_key /etc/httpd/ssl/httpd.key;   # host private key

        # ssl_stapling on;
        # ssl_stapling_verify on;
        # Left off: the certificate carries no OCSP responder URI (the CA above
        # runs none), so nginx logs '"ssl_stapling" ignored, no OCSP responder
        # URL in the certificate' and staples nothing.
}

3. Reload the configuration (a full restart was used here; `nginx -t` beforehand reports syntax errors without touching the running server, and for a config change `systemctl reload nginx` is enough)

[root@localhost conf.d]# systemctl restart nginx

4. Test, the same way as for Apache: a browser at https://<web server IP>, with the same trust-store and name-matching caveats.

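
Both restarts above (httpd in step 2 of the Apache part, nginx in step 3 here) take the new key and certificate on trust. The following added example (not from the original post) is the gate a practitioner puts in front of that restart: it checks that httpd.crt was issued for httpd.key, that it chains to the CA, that it is not about to expire, that the key is not group- or world-readable, and whether OCSP stapling can work for it at all; live_check then does from the shell what the browser test does. It assumes the page's paths and that cacert.pem was copied to /etc/httpd/ssl/ (the page copies only httpd.crt); the function names are its own.

```shell
#!/bin/sh
# Added example: pre-restart checks for the key/certificate pair on
# 192.168.1.175. Paths and host names are the page's; cacert.pem under
# /etc/httpd/ssl/ is an assumption.

# cert_matches_key CRT KEY : the certificate was issued for this key
# (compares the SubjectPublicKeyInfo embedded in each).
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

# cert_valid_for CRT SECONDS : fails if CRT expires within SECONDS
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# key_perms_ok KEY : the (umask 077) from the key generation step must have
# stuck; any group/other bit lets another local user read the key.
key_perms_ok() {
    [ -z "$(find "$1" -perm /077)" ]
}

# has_ocsp_responder CRT : empty for certificates from the page's CA, which
# is why ssl_stapling (nginx) or SSLUseStapling (httpd) cannot work here.
has_ocsp_responder() {
    [ -n "$(openssl x509 -in "$1" -noout -ocsp_uri)" ]
}

# predeploy_check CRT KEY CAFILE : all local checks; prints the first failure
predeploy_check() {
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 was not issued for $2" >&2; return 1; }
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 ||
        { echo "FAIL: $1 does not chain to $3" >&2; return 1; }
    cert_valid_for "$1" $((30 * 86400)) || { echo "FAIL: $1 expires within 30 days" >&2; return 1; }
    key_perms_ok "$2" || { echo "FAIL: $2 is readable by group/other" >&2; return 1; }
    has_ocsp_responder "$1" || echo "note: no OCSP URI in $1; leave stapling off" >&2
    return 0
}

# live_check HOST PORT SNI CAFILE : the browser's chain check from the shell.
# Connecting by IP with -servername set is how you test before DNS for
# www.magedu.com exists; s_client checks the chain, not the host name.
live_check() {
    openssl s_client -connect "$1:$2" -servername "$3" -CAfile "$4" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# deploy httpd|nginx : restart only when every gate passes, then probe the port
deploy() {
    predeploy_check /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key \
        /etc/httpd/ssl/cacert.pem || return 1
    case $1 in
        httpd) apachectl configtest && systemctl restart httpd ;;
        nginx) nginx -t && systemctl restart nginx ;;
        *) echo "usage: deploy httpd|nginx" >&2; return 2 ;;
    esac
    live_check 192.168.1.175 443 www.magedu.com /etc/httpd/ssl/cacert.pem
}
```

Running `deploy nginx` on the test server replaces step 3 above; a mismatched pair or a world-readable key stops the restart before the old configuration is torn down.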

This article is a reader contribution and does not represent the position of Linux運維部落; when reposting, please cite the source: http://www.www58058.com/99544

N28_剛好遇到小熊貓, 2018-05-27
