Implementing HTTPS for a website with httpd + openssl on CentOS

Below we walk through the specific steps on CentOS.

Configure the CA server
=======================

1. Configure the CA

Generate the CA's own public and private keys; the CA then self-signs its own certificate (generated with a script).

    rootCA # vim /etc/pki/tls/openssl.cnf
    dir = /etc/CA                 # Where everything is kept (line 45)
    basicConstraints=CA:TRUE      # self-signed certificates can be used (line 178)

    rootCA # vim /etc/pki/tls/misc/CA
    CATOP=/etc/CA                 # line 42

    rootCA # /etc/pki/tls/misc/CA -newca
    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 1024 bit RSA private key
    .+.+
    writing new private key to ././CA/private/./cakey.pem    # private key
    Enter PEM pass phrase:123456                             # protects the CA private key
    Verifying - Enter PEM pass phrase:123456
    -----
    You are about to be asked to enter information that will be
    incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:CN                     # identity information
    State or Province Name (full name) [Berkshire]:BEIJING
    Locality Name (eg, city) [Newbury]:HD
    Organization Name (eg, company) [My Company Ltd]:UPLOOKING
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:CA
    Email Address []:CA

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ././CA/private/./cakey.pem:123456  # self-sign using the private key
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 0 (0x0)
            Validity
                Not Before: Mar 5 01:40:50 2012 GMT
                Not After : Mar 5 01:40:50 2015 GMT
            Subject:
                countryName = CN
                stateOrProvinceName = BEIJING
                organizationName = UPLOOKING
                organizationalUnitName = IT
                commonName = CA
                emailAddress = CA
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:TRUE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
                X509v3 Authority Key Identifier:
                    keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3

    Certificate is to be certified until Mar 5 01:40:50 2015 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated

    rootCA # ls /etc/CA/private/cakey.pem    # CA private key
    rootCA # ls /etc/CA/cacert.pem           # CA certificate
    rootCA # ls /etc/CA/careq.pem            # CA certificate request

Configure the web server
========================

The web server generates its own private key:

    rootwww # openssl genrsa -des3 -out /etc/httpd/conf.d/server.key    # protect the private key with des3
    Generating RSA private key, 512 bit long modulus
    .+.+
    e is 65537 (0x10001)
    Enter pass phrase for /etc/httpd/conf.d/server.key:123456
    Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:123456

Generate the certificate request (identity information plus the public key):

    rootwww # openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
    Enter pass phrase for /etc/httpd/conf.d/server.key:123456
    You are about to be asked to enter information that will be
    incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:CN                     # this part must match the CA!
    State or Province Name (full name) [Berkshire]:BEIJING
    Locality Name (eg, city) [Newbury]:HD
    Organization Name (eg, company) [My Company Ltd]:UPLOOKING
    Organizational Unit Name (eg, section) []:IT
    -----
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Send the certificate request to the CA:

    rootwww # scp /tmp/server.csr CA:/tmp/

The CA server digitally signs the certificate request
=====================================================

    rootCA # openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt

The files used in this command are:

    /etc/CA/private/cakey.pem    (the CA's private key)
    /tmp/server.csr              (the HTTP server's certificate request file)
    /etc/CA/cacert.pem           (the CA's certificate)
    /tmp/server.crt              (the name of the generated HTTP server certificate)

Output:

    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Mar 5 02:20:56 2012 GMT
                Not After : Mar 5 02:20:56 2013 GMT
            Subject:
                countryName = CN
                stateOrProvinceName = BEIJING
                organizationName = UPLOOKING
                organizationalUnitName = IT
                commonName =
                emailAddress =
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:TRUE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
                X509v3 Authority Key Identifier:
                    keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3

    Certificate is to be certified until Mar 5 02:20:56 2013 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Issue the signed digital certificate to the web server:

    rootCA # scp /tmp/server.crt:/etc/httpd/conf.d/

Configure the web server to support SSL and serve HTTPS
=======================================================

    rootwww # yum install httpd mod_ssl
    rootwww # vim /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /etc/httpd/conf.d/server.crt
    SSLCertificateKeyFi
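
The output above shows two properties of the issued server certificate worth checking before it goes into ssl.conf: it carries CA:TRUE, and the server key is only 512 bits. The script below is an added example, not part of the original document, that audits the text printed by openssl x509 -noout -text for those two conditions; the 2048-bit minimum, the function names and both sample certificates (including www.example.test) are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a server (leaf) certificate before installing it in httpd.
# Input on stdin: the text printed by
#   openssl x509 -in /etc/httpd/conf.d/server.crt -noout -text
# Prints one finding per line and returns 1 if anything was flagged.
MIN_RSA_BITS=2048   # assumption: minimum acceptable RSA modulus size

audit_leaf_cert() {
    awk -v min="$MIN_RSA_BITS" '
        # "Public-Key: (512 bit)" or, on older OpenSSL, "RSA Public Key: (512 bit)"
        /Public[- ]Key: \(/ {
            bits = $0
            sub(/.*\(/, "", bits); sub(/ bit.*/, "", bits)
            if (bits + 0 < min + 0) { print "WEAK_KEY " bits; bad = 1 }
        }
        # A web server certificate must not be usable as a signing CA
        /CA:TRUE/ { print "LEAF_IS_CA"; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample with the two properties seen in this page's output
sample_page_style_cert() {
cat <<'EOF'
        Subject: C=CN, ST=BEIJING, O=UPLOOKING, OU=IT, CN=www.example.test
        Subject Public Key Info:
                Public-Key: (512 bit)
            X509v3 Basic Constraints:
                CA:TRUE
EOF
}

# Constructed sample of an acceptable leaf certificate
sample_hardened_cert() {
cat <<'EOF'
        Subject: C=CN, ST=BEIJING, O=UPLOOKING, OU=IT, CN=www.example.test
        Subject Public Key Info:
                Public-Key: (2048 bit)
            X509v3 Basic Constraints:
                CA:FALSE
EOF
}

sample_page_style_cert | audit_leaf_cert || echo "=> do not install this certificate"
sample_hardened_cert | audit_leaf_cert && echo "=> no findings"
```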
