1. Server (IP: 192.168.10.201) [RHEL 7.0]

1. cd /etc/pki/CA

2. Create private/cakey.pem

(umask 077;openssl  genrsa  -out  private/cakey.pem  2048)

3. Create the index.txt file and the serial file

[root@system-1 CA]#  touch  index.txt

[root@system-1 CA]#  echo  01  >  serial

4. Create the self-signed CA certificate

[root@system-1 CA]# openssl  req  -new  -x509  -key private/cakey.pem -out  cacert.pem   -days 7300

 

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Guangdong

Locality Name (eg, city) [Default City]:Guangdong

Organization Name (eg, company) [Default Company Ltd]:Haha Ltd

Organizational Unit Name (eg, section) []:Ops

Common Name (eg, your name or your server's hostname) []:ca.haha.com

Email Address []:caadmin@haha.com


Wait until the client has sent over its certificate request before doing steps 5 and 6.

5. Sign the certificate request the client sent over (/tmp/httpd.csr)

openssl  ca  -in  /tmp/httpd.csr  -out  certs/httpd.crt   -days  365


6. Send the signed certificate (/etc/pki/CA/certs/httpd.crt) and /etc/pki/CA/cacert.pem back to the client

[root@system-1 certs]# scp httpd.crt root@192.168.10.204:/etc/httpd/ssl

[root@system-1 CA]# scp cacert.pem root@192.168.10.204:/etc/httpd/ssl

2. Client (IP: 192.168.10.204) [CentOS 6.8]

1. Go to the /etc/httpd directory and create an ssl directory: cd /etc/httpd/; mkdir ssl

2. Go into ssl, generate the certificate key, then generate the certificate request

Generate the certificate key:

(umask  077;openssl  genrsa  -out  httpd.key  1024)

Generate the certificate request:

openssl  req  -new  -key  httpd.key  -days  365  -out  httpd.csr

 

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:Guangdong

Locality Name (eg, city) [Default City]:Guangdong

Organization Name (eg, company) [Default Company Ltd]:Haha Ltd

Organizational Unit Name (eg, section) []:Ops

Common Name (eg, your name or your server's hostname) []:web1.haha.com

Email Address []:webadmin@haha.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:   (left empty)

An optional company name []:   (left empty)


3. Send httpd.csr to the server; here it is placed in the /tmp directory

[root@system-4 ssl]#  scp  httpd.csr  root@192.168.10.201:/tmp/

4. The server signs it (see steps 5 and 6 on the server side)

5. The certificates now in the /etc/httpd/ssl directory
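As an added example that is not part of the original post, the shell functions below rebuild the CA layout from section 1 (index.txt, serial, private/cakey.pem, certs/) in a scratch directory, sign a request with openssl ca non-interactively, and then run the checks a client should perform on the httpd.crt and cacert.pem it receives at this step: the certificate chains to cacert.pem, its public key matches httpd.key, and its CN is the expected hostname. The hostnames, paths and minimal openssl.cnf are assumptions, and the leaf key is 2048 bits rather than the 1024 used above.

```shell
# Added example, not from the original post. Rebuilds the post's
# /etc/pki/CA layout under a scratch directory, signs a CSR with
# `openssl ca -batch`, then verifies the result the way the client should.
# All names and paths are constructed; the openssl.cnf is an assumed minimum.
set -e

# Build a CA directory under $1 and sign a CSR for hostname $2.
make_ca_and_sign() {
    dir=$1; host=$2
    mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts"
    touch "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -days 7300 -subj "/CN=ca.example.test" -config "$dir/openssl.cnf"
    # The post used a 1024-bit key; 2048 is the smallest size worth issuing now.
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/httpd.key" -out "$dir/httpd.csr" \
        -subj "/CN=$host" -config "$dir/openssl.cnf"
    openssl ca -batch -notext -config "$dir/openssl.cnf" -in "$dir/httpd.csr" \
        -out "$dir/certs/httpd.crt" -days 365 >/dev/null 2>&1
}

# Client-side checks: cert chains to cacert.pem, matches httpd.key, and
# carries the expected CN. Returns non-zero at the first failing check.
verify_issued_cert() {
    ca=$1; crt=$2; key=$3; host=$4
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -noout -modulus -in "$crt")" = \
      "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ] || return 1
    openssl x509 -noout -subject -in "$crt" | grep -q "CN *= *$host" || return 1
}
```

Run verify_issued_cert on the real /etc/httpd/ssl files with the hostname you put in the CSR; a wrong key or a certificate signed by some other CA makes it return 1.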


6. Install the SSL module on the client: yum install mod_ssl -y

7. Edit /etc/httpd/conf.d/ssl.conf; back it up before editing

[root@system-4 conf.d]#  cp  ssl.conf{,.bak}

vim  ssl.conf

<VirtualHost *:443>
DocumentRoot "/vhosts/web1/htdocs"
ServerName www.example.com:443
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
</VirtualHost>

Adjust the values in red to match your actual environment.

Save, restart the httpd service, then open the site in Firefox:



-new: generate a new certificate request

-x509: generate a self-signed certificate

-key: private key file

-days: certificate validity period

-out: output file
