I. Server (IP: 192.168.10.201) [RHEL 7.0]
1. cd /etc/pki/CA
2. Create private/cakey.pem:
(umask 077; openssl genrsa -out private/cakey.pem 2048)
3. Create the index.txt and serial files
[root@system-1 CA]# touch index.txt
[root@system-1 CA]# echo 01 > serial
4. Create the self-signed CA certificate
[root@system-1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Guangdong
Organization Name (eg, company) [Default Company Ltd]:Haha Ltd
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.haha.com
Email Address []:caadmin@haha.com

Wait until the client has sent its certificate request, then do steps 5 and 6.
5. Sign the certificate request sent by the client (/tmp/httpd.csr)
openssl ca -in /tmp/httpd.csr -out certs/httpd.crt -days 365

6. Send the signed certificate (/etc/pki/CA/certs/httpd.crt) and /etc/pki/CA/cacert.pem back to the client
[root@system-1 certs]# scp httpd.crt root@192.168.10.204:/etc/httpd/ssl
[root@system-1 CA]# scp cacert.pem root@192.168.10.204:/etc/httpd/ssl
II. Client (IP: 192.168.10.204) [CentOS 6.8]
1. Go to /etc/httpd and create an ssl directory: cd /etc/httpd/; mkdir ssl
2. In the ssl directory, generate the certificate key and the certificate request
Generate the key:
(umask 077; openssl genrsa -out httpd.key 1024)
Generate the certificate request:
openssl req -new -key httpd.key -days 365 -out httpd.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:Guangdong
Organization Name (eg, company) [Default Company Ltd]:Haha Ltd
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:web1.haha.com
Email Address []:webadmin@haha.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    (leave empty)
An optional company name []:    (leave empty)

3. Send httpd.csr to the server; here it is placed in /tmp
[root@system-4 ssl]# scp httpd.csr root@192.168.10.201:/tmp/
4. The server signs it (see server steps 5 and 6)
5. The certificates are now in /etc/httpd/ssl (httpd.key, httpd.csr, httpd.crt and cacert.pem)

6. Install the SSL module on the client: yum install mod_ssl -y
7. Edit /etc/httpd/conf.d/ssl.conf, backing it up first
[root@system-4 conf.d]# cp ssl.conf{,.bak}
vim ssl.conf
<VirtualHost *:443>
    DocumentRoot "/vhosts/web1/htdocs"
    ServerName www.example.com:443
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
    SSLCACertificateFile /etc/httpd/ssl/cacert.pem
</VirtualHost>
Adjust DocumentRoot, ServerName and the certificate paths to match your environment.
Save, restart the httpd service, and open the site in Firefox:
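As an added example (not from the original post), the following sh script runs the whole server/client round-trip above non-interactively in a temporary directory, then performs the two checks worth doing before copying httpd.crt into /etc/httpd/ssl: that the issued certificate verifies against cacert.pem, and that it actually matches httpd.key. It assumes openssl is on PATH, uses its own minimal openssl.cnf instead of the distribution's, and generates a 2048-bit web-server key rather than the 1024 bits used above.

```shell
# Added example: the page's CA round-trip plus the checks a defender runs before deploying.
build_and_verify() {
  work=$(mktemp -d) || return 1
  ca="$work/CA"
  mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts" || return 1
  touch "$ca/index.txt"; echo 01 > "$ca/serial"   # CA database and first serial (page step 3)
  # Minimal CA config (assumption: a private file, not the distro's openssl.cnf)
  # so that `openssl ca` knows where index.txt, serial and the CA key live.
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_any
[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
  # Server side (page steps 2 and 4): CA key, then the self-signed root certificate.
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null) || return 1
  openssl req -new -x509 -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" -days 7300 \
    -config "$ca/openssl.cnf" -subj "/C=CN/ST=Guangdong/O=Haha Ltd/CN=ca.haha.com" || return 1
  # Client side (page step 2): web server key and the signing request.
  (umask 077; openssl genrsa -out "$work/httpd.key" 2048 2>/dev/null) || return 1
  openssl req -new -key "$work/httpd.key" -out "$work/httpd.csr" \
    -config "$ca/openssl.cnf" -subj "/C=CN/ST=Guangdong/O=Haha Ltd/CN=web1.haha.com" || return 1
  # Server side (page step 5): sign the request; -batch answers the y/n prompts.
  openssl ca -batch -config "$ca/openssl.cnf" -in "$work/httpd.csr" \
    -out "$ca/certs/httpd.crt" -days 365 2>/dev/null || return 1
  # Check 1: the issued certificate chains to cacert.pem.
  openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/httpd.crt" | grep -q ': OK$' || return 1
  # Check 2: httpd.crt really belongs to httpd.key (identical RSA modulus).
  [ "$(openssl x509 -noout -modulus -in "$ca/certs/httpd.crt")" = \
    "$(openssl rsa -noout -modulus -in "$work/httpd.key")" ] || return 1
  rm -rf "$work"
}
```

Run `build_and_verify && echo OK`; a non-zero return means one of the steps or checks failed, so the certificate should not be installed.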

-new: generate a new certificate request
-x509: output a self-signed certificate instead of a request
-key: private key file
-days: validity period in days
-out: output file