I. Create the root key pair
1. Create the directories
mkdir /root/ca
cd /root/ca
mkdir certs crl newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
touch openssl.cnf
2. Edit the OpenSSL configuration file openssl.cnf: copy the contents from the link into openssl.cnf
3. Create the root private key
openssl genrsa -aes256 -out private/ca.key.pem 4096
chmod 400 private/ca.key.pem
4. Generate the root certificate
cd /root/ca
openssl req -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pem
chmod 444 certs/ca.cert.pem
(Optional) Verify the root certificate
openssl x509 -noout -text -in certs/ca.cert.pem
II. Create the intermediate key pair
1. Create the directories
mkdir /root/ca/intermediate
cd /root/ca/intermediate
mkdir certs crl csr newcerts private
chmod 700 private
touch index.txt
echo 1000 > serial
touch openssl.cnf
2. Edit the OpenSSL configuration file openssl.cnf: copy the contents from the link into openssl.cnf
3. Generate the intermediate private key
cd /root/ca
openssl genrsa -aes256 -out intermediate/private/intermediate.key.pem 4096
chmod 400 intermediate/private/intermediate.key.pem
4. Generate a certificate signing request (CSR). Apart from the common name, which must differ, the details should match those of the root certificate.
openssl req -config intermediate/openssl.cnf -new -sha256 -key intermediate/private/intermediate.key.pem -out intermediate/csr/intermediate.csr.pem
5. Sign the CSR with the root private key
cd /root/ca
openssl ca -config openssl.cnf -extensions v3_intermediate_ca -days 3650 -notext -md sha256 -in intermediate/csr/intermediate.csr.pem -out intermediate/certs/intermediate.cert.pem
chmod 444 intermediate/certs/intermediate.cert.pem
(Optional) Verify the intermediate certificate
openssl x509 -noout -text -in intermediate/certs/intermediate.cert.pem
openssl verify -CAfile certs/ca.cert.pem intermediate/certs/intermediate.cert.pem
6. Generate the certificate chain file
cat intermediate/certs/intermediate.cert.pem certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem
III. Generate the server key pair
1. Generate the server's private key and certificate
cd /root/ca
openssl genrsa -aes256 -out intermediate/private/www.example.com.key.pem 2048
chmod 400 intermediate/private/www.example.com.key.pem
openssl req -config intermediate/openssl.cnf -key intermediate/private/www.example.com.key.pem -new -sha256 -out intermediate/csr/www.example.com.csr.pem
(Note: the common name must be the same as the domain name that will be accessed)
openssl ca -config intermediate/openssl.cnf -extensions server_cert -days 375 -notext -md sha256 -in intermediate/csr/www.example.com.csr.pem -out intermediate/certs/www.example.com.cert.pem
chmod 444 intermediate/certs/www.example.com.cert.pem
(Optional) Verify the server certificate and the certificate chain
openssl x509 -noout -text -in intermediate/certs/www.example.com.cert.pem
openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/www.example.com.cert.pem
This produces the three files needed to configure HTTPS on the server:
ca-chain.cert.pem
www.example.com.key.pem
www.example.com.cert.pem
Next, configure Apache.
IV. Configure Apache
1. Install Apache (Ubuntu 16.04)
apt-get update
apt-get install apache2
2. Configure HTTPS
Open default-ssl.conf in the /etc/apache2/sites-available/ directory
vim /etc/apache2/sites-available/default-ssl.conf
Change ServerName to the common name entered in the server certificate
Copy the three certificate files obtained earlier into the /etc/apache2/cert/ directory and update the corresponding entries in the SSL configuration
Start Apache
/etc/init.d/apache2 start
At startup you will be prompted for the passphrase of the server's private key (the one set when the key was generated with -aes256)
V. Edit the local hosts file (if the domain name cannot be resolved)
On Windows, the hosts file is in the C:\Windows\System32\drivers\etc\ directory. Add a line with the Apache server's IP address first, followed by the common name entered when generating the certificate, for example:
<apache-server-ip>  www.example.com
Then flush the DNS cache in cmd with the following command:
ipconfig /flushdns
Afterwards, ping the domain name to check that the IP address returned is the one entered in the hosts file.
VI. Verify
Visit https://<domain name> in the browser and check the result.
There will be a warning, because the root certificate is not trusted. Download the root certificate created earlier to the local machine and import it into the browser's trusted certificate authorities store.
Visit the site again; it now loads without the warning.