本文共 3821 字,大约阅读时间需要 12 分钟。
(环境:Centos7)
PS:建议实验前把防火墙和SELinux都关掉。
- 安装apache环境依赖
[root@qmfz ~]# yum -y install mod_ssl openssl httpd已加载插件:fastestmirrorLoading mirror speeds from cached hostfile * base: mirrors.aliyun.com * extras: mirrors.aliyun.com * updates: mirrors.163.combase | 3.6 kB 00:00extras | 2.9 kB 00:00updates | 2.9 kB 00:00软件包 1:mod_ssl-2.4.6-97.el7.centos.x86_64 已安装并且是最新版本软件包 1:openssl-1.0.2k-19.el7.x86_64 已安装并且是最新版本软件包 httpd-2.4.6-97.el7.centos.x86_64 已安装并且是最新版本无须任何处理
[root@qmfz ~]# cd /etc/httpd[root@qmfz httpd]# ll总用量 0drwxr-xr-x. 2 root root 177 11月 28 21:11 cadrwxr-xr-x. 2 root root 37 11月 28 21:15 confdrwxr-xr-x. 2 root root 98 11月 28 21:30 conf.ddrwxr-xr-x. 2 root root 165 11月 28 18:10 conf.modules.dlrwxrwxrwx. 1 root root 19 11月 26 19:27 logs -> ../../var/log/httpdlrwxrwxrwx. 1 root root 29 11月 26 19:27 modules -> ../../usr/lib64/httpd/moduleslrwxrwxrwx. 1 root root 10 11月 26 19:27 run -> /run/httpd
- 创建的CA证书
[root@qmfz ca]# cd /etc/httpd/ca[root@qmfz ca]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 1000(天数可以随意) -out ca.crtGenerating a 4096 bit RSA private key..................++................++writing new private key to 'ca.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CN #中国State or Province Name (full name) []:GD #广东Locality Name (eg, city) [Default City]:QY #市区Organization Name (eg, company) [Default Company Ltd]:QMFZ #企业名字Organizational Unit Name (eg, section) []:YWB #部门名字Common Name (eg, your name or your server's hostname) []:chenshuyi.top #所属服务器名字Email Address []:Iwillshine0815@163.com #邮箱
- 创建CA证书签名请求
[root@qmfz ca]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout chenshuyi.top.key -x509 -days 1000 -out chenshuyi.top.csrGenerating a 4096 bit RSA private key......................................................................++...............++writing new private key to 'chenshuyi.top.key'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:GDLocality Name (eg, city) [Default City]:QYOrganization Name (eg, company) [Default Company Ltd]:QMFZOrganizational Unit Name (eg, section) []:YWBCommon Name (eg, your name or your server's hostname) []:chenshuyi.topEmail Address []:Iwillshine0815@163.com
- 创建注册主机的证书
[root@qmfz ca]# openssl x509 -req -days 365 -in chenshuyi.top.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out chenshuyi.top.crtSignature oksubject=/C=CN/ST=GD/L=QY/O=QMFZ/OU=YWB/CN=chenshuyi.top/emailAddress=Iwillshine010815@163.comGetting CA Private Key
到这里我们的证书就创建好了。
[root@qmfz ca]# ll总用量 32-rw-r--r--. 1 root root 2032 11月 28 21:11 2_api.biuayi.cn.crt-rw-r--r--. 1 root root 1700 11月 28 21:11 3_api.biuayi.cn.key-rw-r--r--. 1 root root 2098 11月 28 20:29 ca.crt-rw-r--r--. 1 root root 3272 11月 28 20:29 ca.key-rw-r--r--. 1 root root 17 11月 29 17:06 ca.srl-rw-r--r--. 1 root root 1980 11月 29 17:06 chenshuyi.top.crt-rw-r--r--. 1 root root 1797 11月 28 20:32 chenshuyi.top.csr-rw-r--r--. 1 root root 3272 11月 28 20:32 chenshuyi.top.key
转载地址:http://eikiz.baihongyu.com/