Configuring the SSL module of httpd on RHEL5: mainly creating the certificate and private key
Date: 2007-12-03
The certificate shipped with the package is issued to localhost.localdomain, so a browser accepts it without a name-mismatch warning only when the site is opened under that name, i.e. from the machine itself. So we create a certificate whose Common Name matches our own hostname.
Since my theoretical knowledge of SSL is not enough, I only describe the creation process here; I am still cramming the theory and am reading the SSH Definitive Guide. Encryption and certificates make my head spin, especially private keys, public keys, CAs and so on; the logic is not clear to me yet.
1: Make sure you are in the following directory (it contains the Makefile that the make targets below use):
[root@server certs]# pwd
/etc/pki/tls/certs
2: Create the private key. The Makefile runs openssl with umask 77, so the key file is created mode 0600 and readable by root only. Note that the 1024-bit modulus and 3DES encryption it uses were the defaults of the time; on a current system use at least 2048 bits.
[root@server certs]# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase: (type a passphrase)
Verifying - Enter pass phrase: (type it again)
3: Rewrite the private key without the passphrase, so that httpd can start (including at boot) without someone typing it in. From now on the key is protected only by its file permissions, which is why the 0600 mode from the previous step matters. Once the passphrase is removed, openssl no longer prompts for it when the key is used in the following steps.
[root@rhce conf]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
4: Create the Certificate Signing Request (CSR). The Common Name must be the hostname clients will type in the URL; the other fields only identify the organization. The 'extra' attributes (challenge password, optional company name) are used by some commercial CAs and can be left blank for a self-signed certificate.
[root@server certs]# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:ShangHai
Locality Name (eg, city) [Newbury]:ShangHai
Organization Name (eg, company) [My Company Ltd]:kook.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:server.rhel5.com
Email Address []:kook@kook.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:liujia
An optional company name []:kook
5: Since we cannot get the request signed by a higher-level CA, we sign it ourselves. Strictly speaking this does not create a CA: openssl x509 -req -signkey signs the request with the server's own private key and produces a self-signed certificate, which browsers will flag as untrusted until the user adds an exception or imports the certificate.
[root@server certs]# openssl x509 -in server.csr -req -signkey server.key -days 365 -out server.crt
Signature ok
subject=/C=CN/ST=ShangHai/L=ShangHai/O=kook.com/CN=server.rhel5.com/emailAddress=kook@kook.com
Getting Private key
6: After the steps above we have produced three files. httpd only needs the key and the certificate; the CSR can be kept for resubmission to a real CA later.
[root@server certs]# ls server.*
server.crt server.csr server.key
Finally, adjust /etc/httpd/conf.d/ssl.conf so that it references the certificate and key we created, then restart the service.
[root@server conf.d]# cat ssl.conf
.............
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/certs/server.key
..................
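The whole procedure above run non-interactively, followed by the checks worth doing before pointing ssl.conf at the files. This is an added example, not code from the article or from RHEL's Makefile; it assumes openssl is on PATH, and the output directory, hostname and the throw-away passphrase "demo" are this example's own choices. It goes slightly beyond the article by using a 2048-bit key and adding a subjectAltName, which current browsers require for hostname matching.

```shell
#!/bin/sh
# Added example (not from the original article): the article's steps 2 to 5
# without prompts, then the sanity checks a practitioner runs before editing
# ssl.conf. Assumes openssl on PATH; directory, hostname and the passphrase
# "demo" are arbitrary choices for the example.

make_self_signed_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir" || return 1
    (
        umask 077   # same effect as the Makefile's "umask 77": key is mode 0600
        # step 2: passphrase-protected key; 2048 bits rather than the article's 1024
        openssl genrsa -aes256 -passout pass:demo -out "$dir/server.key" 2048 2>/dev/null &&
        # step 3: rewrite the key without the passphrase so httpd starts unattended
        openssl rsa -in "$dir/server.key" -passin pass:demo -out "$dir/server.key" 2>/dev/null &&
        # step 4: CSR with the DN given on the command line instead of the prompts
        openssl req -new -key "$dir/server.key" \
            -subj "/C=CN/ST=ShangHai/L=ShangHai/O=kook.com/CN=$host" \
            -out "$dir/server.csr" 2>/dev/null &&
        # step 5: self-signed certificate; subjectAltName is added because
        # current clients match the hostname against the SAN, not the CN
        printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf" &&
        openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" -days 365 \
            -extfile "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null
    )
}

# Returns 0 only if the pair is usable by httpd: the key loads without a
# passphrase, key and certificate share a modulus, the certificate names the
# host in both CN and SAN, and the key file is not group- or world-readable.
check_self_signed_cert() {
    dir="$1"; host="$2"
    # a bogus -passin makes an encrypted key fail instead of blocking on a prompt
    openssl rsa -in "$dir/server.key" -passin pass:wrong -noout >/dev/null 2>&1 || return 1
    kmod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$dir/server.crt" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 1
    openssl x509 -in "$dir/server.crt" -noout -subject | grep -q "CN *= *$host" || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
    [ -z "$(find "$dir/server.key" -perm -g+r -o -perm -o+r)" ] || return 1
    return 0
}

# usage: sh mkcert.sh run /etc/pki/tls/certs server.rhel5.com
if [ "${1:-}" = "run" ]; then
    make_self_signed_cert "${2:-./certs}" "${3:-server.rhel5.com}" &&
    check_self_signed_cert "${2:-./certs}" "${3:-server.rhel5.com}" &&
    echo "server.key and server.crt are consistent"
fi
```

The modulus comparison is the quickest way to catch the classic mistake of regenerating the key after the certificate was issued; mod_ssl refuses to start on such a mismatch, but only at the next restart, when the error is easy to confuse with a configuration typo. After the check passes, set SSLCertificateFile and SSLCertificateKeyFile to the two files as shown above and restart httpd.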
