墨少离 - Personal site, sharing some resources and notes ~ - Tag: 机场订阅 (proxy subscriptions)
Configuring a CA certificate with OpenSSL and enabling HTTPS access
https://www.msl.la/archives/305/
2021-06-15T15:49:00+08:00
I. Create the root key pair
1. Create the directories
cd
mkdir /root/ca
cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
touch openssl.cnf
2. Edit the OpenSSL configuration file openssl.cnf: copy the contents from the link into openssl.cnf. The commands below rely on this file defining a [ca] section that points at this directory, its index.txt and its serial file, and the v3_ca, v3_intermediate_ca and server_cert extension sections.
3. Create the root private key
openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem
The root key is used only once, to sign the intermediate certificate; keep it (and its passphrase) off the web server, because anyone holding it can issue certificates that every client trusting this root will accept.
4. Generate the root certificate
cd /root/ca
openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem
(Optional) Verify the root certificate
openssl x509 -noout -text -in certs/ca.cert.pem

II. Create the intermediate key pair
1. Create the directories
mkdir /root/ca/intermediate
cd /root/ca/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
touch openssl.cnf
2. Edit the OpenSSL configuration file openssl.cnf: copy the contents from the link into openssl.cnf. This copy must point dir, private_key and certificate at the intermediate directory and its own key and certificate, not at the root's, because it is the file used to sign server certificates below.
3. Generate the intermediate key
cd /root/ca
openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
chmod 400 intermediate/private/intermediate.key.pem
4. Generate the certificate signing request (CSR); apart from the common name, fill in the same details as for the root certificate
openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
5. Sign it with the root private key
cd /root/ca
openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem
(Optional) Verify the certificate
openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem
6. Generate the certificate chain file
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

III. Generate the server key pair
1. Generate the certificate and private key used by the server
cd /root/ca
openssl genrsa -aes256 -out intermediate/private/www.example.com.key.pem 2048
chmod 400 intermediate/private/www.example.com.key.pem
openssl req -config intermediate/openssl.cnf -key intermediate/private/www.example.com.key.pem -new -sha256 -out intermediate/csr/www.example.com.csr.pem
(Note: the common name must be the domain name you will access. Chrome, since version 58, and most other current clients ignore the common name and match the hostname only against the subjectAltName extension, so make sure the server_cert section of openssl.cnf adds a subjectAltName with the same DNS name; otherwise the browser keeps rejecting the certificate even after the root has been imported.)
openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/www.example.com.csr.pem -out intermediate/certs/www.example.com.cert.pem
chmod 444 intermediate/certs/www.example.com.cert.pem
(Optional) Verify the certificate and the chain
openssl x509 -noout -text -in intermediate/certs/www.example.com.cert.pem
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.example.com.cert.pem
This leaves three files used to configure HTTPS on the server:
ca-chain.cert.pem
www.example.com.key.pem
www.example.com.cert.pem
Because the server key was generated with -aes256, Apache will prompt for its passphrase every time it starts (see section IV); generate it without -aes256, or remove the passphrase afterwards, if the server has to start unattended.
Next, configure Apache.

IV. Configure Apache
1. Install Apache (Ubuntu 16.04)
apt-get update
apt-get install apache2
2. Configure HTTPS
Open default-ssl.conf in the /etc/apache2/sites-available/ directory:
vim /etc/apache2/sites-available/default-ssl.conf
Change ServerName to the common name entered in the server certificate earlier.
Copy the three certificate files obtained above into the /etc/apache2/cert/ directory and update the corresponding entries in the SSL configuration (the server certificate, its private key and the chain file).
Start Apache:
/etc/init.d/apache2 start
At startup you will be asked for the passphrase that was set on the server private key.

V. Edit the local hosts file (if the domain cannot be resolved)
On Windows the hosts file is in the C:\Windows\System32\drivers\etc\ directory. Add a line with the Apache server's IP first, followed by the common name entered when generating the certificate. Then flush the DNS cache from cmd:
ipconfig /flushdns
Afterwards, ping the domain to check that the IP returned is the one entered in the hosts file.

VI. Verify
Open https://<domain> in the browser. You will see a warning because the root certificate is not trusted. Download the root certificate (ca.cert.pem) generated earlier, import it into the browser's certificate authorities store, and reload; the site now loads without a warning. Import only the root certificate, never the intermediate or server certificate as a trust anchor, and remember that this browser will from now on trust anything signed with the root key, so that key should never leave the CA machine. If the browser still warns, check that the server sends the intermediate certificate (the chain file) and that the certificate's subjectAltName matches the hostname; openssl s_client against the server, with the root certificate as the CA file, should report a verify return code of 0.
Reposted from: https://www.cnblogs.com/adhzl/p/11577384.html
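The procedure of sections I to III, as an added example that is not the post's own script (nor the cnblogs original's): it builds the root, intermediate and server certificates non-interactively under a scratch directory, in the post's directory layout, and then runs the post's optional checks plus the hostname and key-match checks a browser and Apache effectively perform. The assumptions are mine, not the post's: openssl is on PATH; keys are written unencrypted so nothing prompts (the post uses -aes256); openssl.cnf is a minimal constructed stand-in for the file the post says to copy from the link, with the three extension sections the post's commands reference plus a subjectAltName in server_cert; the subject names Lab Root CA and Lab Intermediate CA and the host www.example.com are placeholders.

```shell
#!/bin/sh
# Added example (not the post's script): sections I-III, run non-interactively
# under a scratch directory. Assumed: openssl on PATH; keys left unencrypted
# (the post uses -aes256 and types the passphrase); openssl.cnf is a minimal
# constructed stand-in for the file the post links.
set -eu

# write_cnf DIR KEY CERT HOST: openssl.cnf for one CA directory (root or intermediate)
write_cnf() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $1
certs         = \$dir/certs
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = $2
certificate   = $3
default_md    = sha256
policy        = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true, pathlen:0
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$4
EOF
}

# build_chain BASE HOST: root CA -> intermediate CA -> server certificate,
# in the post's layout under BASE/ca and BASE/ca/intermediate
build_chain() {
  root=$1/ca; inter=$1/ca/intermediate; host=$2
  for d in "$root" "$inter"; do
    mkdir -p "$d/certs" "$d/crl" "$d/csr" "$d/newcerts" "$d/private"
    chmod 700 "$d/private"; : > "$d/index.txt"; echo 1000 > "$d/serial"
  done
  write_cnf "$root" "$root/private/ca.key.pem" "$root/certs/ca.cert.pem" "$host"
  write_cnf "$inter" "$inter/private/intermediate.key.pem" \
    "$inter/certs/intermediate.cert.pem" "$host"
  # I. root key and self-signed root certificate (20 years)
  openssl genrsa -out "$root/private/ca.key.pem" 4096 2>/dev/null
  openssl req -config "$root/openssl.cnf" -key "$root/private/ca.key.pem" -new -x509 \
    -days 7300 -sha256 -extensions v3_ca -subj "/CN=Lab Root CA" \
    -out "$root/certs/ca.cert.pem"
  # II. intermediate CSR signed by the root (pathlen:0), then the chain file
  openssl genrsa -out "$inter/private/intermediate.key.pem" 4096 2>/dev/null
  openssl req -config "$inter/openssl.cnf" -new -sha256 -subj "/CN=Lab Intermediate CA" \
    -key "$inter/private/intermediate.key.pem" -out "$inter/csr/intermediate.csr.pem"
  openssl ca -batch -config "$root/openssl.cnf" -extensions v3_intermediate_ca -days 3650 \
    -notext -md sha256 -in "$inter/csr/intermediate.csr.pem" \
    -out "$inter/certs/intermediate.cert.pem" 2>/dev/null
  cat "$inter/certs/intermediate.cert.pem" "$root/certs/ca.cert.pem" \
    > "$inter/certs/ca-chain.cert.pem"
  # III. server key and CSR; server_cert adds the subjectAltName browsers need
  openssl genrsa -out "$inter/private/$host.key.pem" 2048 2>/dev/null
  openssl req -config "$inter/openssl.cnf" -new -sha256 -subj "/CN=$host" \
    -key "$inter/private/$host.key.pem" -out "$inter/csr/$host.csr.pem"
  openssl ca -batch -config "$inter/openssl.cnf" -extensions server_cert -days 375 \
    -notext -md sha256 -in "$inter/csr/$host.csr.pem" -out "$inter/certs/$host.cert.pem" 2>/dev/null
  chmod 400 "$root"/private/* "$inter"/private/*
}

# verify_chain BASE HOST: the post's optional checks plus what a browser and
# Apache need (hostname match, leaf is not a CA, key matches certificate); prints ok
verify_chain() {
  inter=$1/ca/intermediate; host=$2; leaf=$inter/certs/$host.cert.pem
  openssl verify -CAfile "$1/ca/certs/ca.cert.pem" "$inter/certs/intermediate.cert.pem" >/dev/null
  openssl verify -CAfile "$inter/certs/ca-chain.cert.pem" "$leaf" >/dev/null
  openssl verify -CAfile "$inter/certs/ca-chain.cert.pem" -verify_hostname "$host" "$leaf" >/dev/null
  openssl x509 -noout -text -in "$leaf" | grep -q 'CA:FALSE'
  [ "$(openssl pkey -pubout -in "$inter/private/$host.key.pem")" = \
    "$(openssl x509 -noout -pubkey -in "$leaf")" ]
  echo ok
}

DEMO_BASE=$(mktemp -d); DEMO_HOST=www.example.com
build_chain "$DEMO_BASE" "$DEMO_HOST"
verify_chain "$DEMO_BASE" "$DEMO_HOST"
```

Run with sh: it prints ok and leaves the ca/ tree under a temporary directory, with the three files section III lists under ca/intermediate. The -verify_hostname check in verify_chain passes only because write_cnf puts the hostname into subjectAltName; a leaf issued from the same config with that line removed fails it, which is the failure a browser shows as a name mismatch even after the root has been imported.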
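For step 2 of section IV, the part of default-ssl.conf that actually changes, as an added example (not the post's file and not Ubuntu's stock one). The /etc/apache2/cert/ paths and the hostname www.example.com follow the post; DocumentRoot is the Ubuntu default and is an assumption.

```apache
# Added example: the directives to edit in
# /etc/apache2/sites-available/default-ssl.conf (Ubuntu 16.04, Apache 2.4).
# /etc/apache2/cert/ must be created and the three files copied there first.
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        # must equal the common name (and subjectAltName) in the server certificate
        ServerName www.example.com
        DocumentRoot /var/www/html

        SSLEngine on
        # leaf certificate and its private key from section III
        SSLCertificateFile      /etc/apache2/cert/www.example.com.cert.pem
        SSLCertificateKeyFile   /etc/apache2/cert/www.example.com.key.pem
        # intermediate (plus root) so clients can build the chain to the imported root
        SSLCertificateChainFile /etc/apache2/cert/ca-chain.cert.pem
    </VirtualHost>
</IfModule>
```

Enable the module and the site with a2enmod ssl and a2ensite default-ssl before starting Apache, otherwise port 443 is never opened. SSLCertificateChainFile has been deprecated since Apache 2.4.8; Ubuntu 16.04 ships 2.4.18, which still accepts it, but on newer versions the equivalent is to append ca-chain.cert.pem to the file named in SSLCertificateFile. Keep the key file readable by root only, as the chmod 400 in section III already does.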