OpenSSL encryption mechanism (5)


Note: the 01 here must not be written as 1, otherwise this step will also fail with an error.
The CA issues itself a certificate with serial number 1. At this point the CA's self-built certificate is complete.
Step 2: configure the web site and create a virtual host
# yum -y install httpd
Install the web server application package.
A virtual host is used as the example here; one virtual host is configured.
First, in the main configuration file /etc/httpd/conf/httpd.conf, comment out the main server's "/var/www/html" (its DocumentRoot).
Then create the virtual host:
<VirtualHost *:80>
    ServerName www.a.com
    DocumentRoot "/www/website/"
    ErrorLog /www/website/logs/error.log
    CustomLog /www/website/logs/access.log common
</VirtualHost>
Write a line of text in index.html; this is the site's home page.
Then add the name resolution entry to the hosts file on the physical machine.
[Screenshot in the original: the directory that contains the hosts file]
There is a hosts file in that directory.
After that the site can be opened in the browser.
A problem may come up here, though. I hit a very annoying one: the browser simply could not connect. The cause was probably the firewall, in which case the firewall has to be turned off.
# chkconfig iptables off
# service iptables stop
Good, the virtual web host is built. Next we start building
Besides issuing self-signed certificates, the CA can also be used to provide an SSL service for the web server.
The SSL service is one-to-one with the IP address: for each virtual host, one SSL service can be configured.
Step 3: configuring the SSL service
Install the module
# yum -y install mod_ssl
The SSL service's configuration file is /etc/httpd/conf.d/ssl.conf.
Before editing the ssl configuration file, a certificate must first be issued to the web server.
The web server generates a certificate request itself:
# cd /etc/httpd
# (umask 077;openssl genrsa -out private.key 2048)
Generating RSA private key, 2048 bit long modulus
.............................................................................................................................................+++
...+++
e is 65537 (0x10001)
[root@luliming httpd]# openssl req -new -key private.key -out private.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:zhengzhou
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:magedu@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# ls
conf  conf.d  logs  modules  private.csr  private.key  run
Have the CA issue it a certificate. Note: because the author set everything up on the same machine, this host is itself the CA, so the certificate for the web server is issued directly in the /etc/httpd/ directory. If the two were not on the same host, the web server would have to send its request to the CA and have the CA sign it.
Signing:
# openssl ca -in private.csr -out private.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 22 22:25:47 2013 GMT
            Not After : Aug 22 22:25:47 2014 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = henan
            organizationName          = magedu
            organizationalUnitName    = tech
            commonName                = www.a.com
            emailAddress              = magedu@163.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6B:A2:C3:A9:E3:A4:49:28:23:40:DA:77:3F:5B:94:28:EA:34:E3:4B
            X509v3 Authority Key Identifier:
                keyid:14:45:59:59:0C:93:35:19:72:18:FA:EE:FA:56:7A:AE:8A:07:E8:D2

Certificate is to be certified until Aug 22 22:25:47 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
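The whole flow of step 3 (CA bookkeeping files, server key, CSR, `openssl ca`, then checks on the result) can be scripted so it runs without the interactive prompts. The script below is an added example and is not code from the original post: it builds a throw-away CA in a scratch directory instead of using /etc/pki/tls, so nothing on the host is modified. The config section names (demo_ca, policy_any, server_ext), the CA name "Demo CA" and the scratch paths are assumptions; the web server's DN and the `umask 077` are the ones used on the page. Two things go beyond the page: the issued certificate gets a subjectAltName, which browsers require today in place of the Common Name, and the checks at the end are what a practitioner runs before pointing ssl.conf at the files.

```shell
#!/bin/sh
# Added example (not code from the original post): the page's certificate flow
# run non-interactively in a scratch directory. Section names, the CA name and
# the paths are assumptions; the server DN mirrors the one typed on the page.
set -eu

issue_server_cert() {
    dir=$(mktemp -d)
    {
        # Minimal config: [ca] stands in for /etc/pki/tls/openssl.cnf on the
        # page; the empty [req_dn] lets "openssl req -subj" run without prompts.
        cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $dir
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/ca.crt
private_key     = $dir/ca.key
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.a.com
EOF
        # Bookkeeping files that "openssl ca" insists on. The serial file must
        # hold "01", not "1": it is parsed as hex and needs an even number of
        # digits, which is the error the page warns about.
        mkdir "$dir/newcerts"
        : > "$dir/index.txt"
        echo 01 > "$dir/serial"

        # Throw-away CA: CA:TRUE plus keyCertSign, which every verifier
        # requires of an issuer certificate.
        openssl genrsa -out "$dir/ca.key" 2048
        openssl req -new -config "$dir/ca.cnf" -key "$dir/ca.key" \
            -subj "/C=cn/ST=henan/O=magedu/CN=Demo CA" -out "$dir/ca.csr"
        printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
            'keyUsage=critical,keyCertSign,cRLSign' \
            'subjectKeyIdentifier=hash' > "$dir/ca_ext.cnf"
        openssl x509 -req -sha256 -days 365 -in "$dir/ca.csr" \
            -signkey "$dir/ca.key" -extfile "$dir/ca_ext.cnf" -out "$dir/ca.crt"

        # Web server side, as on the page: key created under umask 077 so it is
        # never world-readable, then a CSR with the DN given on the command line.
        (umask 077; openssl genrsa -out "$dir/private.key" 2048)
        openssl req -new -config "$dir/ca.cnf" -key "$dir/private.key" \
            -subj "/C=cn/ST=henan/L=zhengzhou/O=magedu/OU=tech/CN=www.a.com/emailAddress=magedu@163.com" \
            -out "$dir/private.csr"

        # The CA signs; -batch answers the two y/n prompts shown on the page.
        openssl ca -batch -notext -config "$dir/ca.cnf" \
            -in "$dir/private.csr" -out "$dir/private.crt"

        # Checks before the files go into ssl.conf: the chain verifies, the
        # cert is an end-entity, the SAN matches the vhost, the key matches.
        openssl verify -CAfile "$dir/ca.crt" "$dir/private.crt"
        openssl x509 -in "$dir/private.crt" -noout -text | grep -q 'CA:FALSE'
        openssl x509 -in "$dir/private.crt" -noout -text | grep -q 'DNS:www.a.com'
        [ "$(openssl rsa -in "$dir/private.key" -noout -modulus)" = \
          "$(openssl x509 -in "$dir/private.crt" -noout -modulus)" ]
    } >&2
    echo "$dir"   # ca.crt, private.key, private.crt and the updated serial (now 02) live here
}

# Usage: sh issue_cert.sh run  (prints the CA's next serial, then cleans up)
if [ "${1:-}" = "run" ]; then
    out=$(issue_server_cert)
    cat "$out/serial"
    rm -rf "$out"
fi
```

After the run, `newcerts/01.pem` holds the CA's copy of the issued certificate, `index.txt` has one line for it, and `serial` reads 02, which is exactly the state the page's /etc/pki/CA directory is left in after "Data Base Updated". The modulus comparison at the end is the quick way to confirm that the certificate handed back by the CA really belongs to the private key the server will load.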