RedHat/CentOS 8 [OpenSSL]: Creating Self-Signed Certificates and Configuring HTTPS
1. Creating self-signed certificates with OpenSSL
1.1. Phase one: creating the CA root certificate
1.2. Phase two: creating the server certificate
1.3. Phase three: creating the client certificate (used for mutual authentication)
2. Configuring an HTTPS site in a web container
2.1. Tomcat configuration
2.2. Nginx configuration
2.3. Apache Httpd configuration
3. Client access
3.1. Installing the CA certificate
3.2. Installing the client PKCS12 certificate (used for mutual authentication)
3.3. Common problems
Postscript 1: HTTPS and SSL concepts and how they work
Postscript 2: Requesting a certificate for an Internet domain from a public CA on Tencent Cloud
Postscript 3: Creating a server-side self-signed certificate
Author: 张毅SOHO
Link: https://www.jianshu.com/p/5b3dfe4bb12e
Source: 简书 (Jianshu)
Copyright belongs to the author. Contact the author for permission before reposting commercially; non-commercial reposts must credit the source.
1. Creating self-signed certificates with OpenSSL
1) Install OpenSSL.
[root@localhost conf.d]# sudo dnf install openssl
上次元数据过期检查:0:01:01 前,执行于 2022年04月18日 星期一 09时12分58秒。
软件包 openssl-1:1.1.1k-5.el8_5.x86_64 已安装。
依赖关系解决。
无需任何处理。
完毕!
2) Create the SSL working directory.
Three kinds of certificates are produced: the CA, the server and the client. Under the SSL working root, create the subdirectories "ca", "server" and "client" for the corresponding output files, and set their owner to the certificate-management account.
[root@localhost conf.d]# sudo mkdir -p /data/ssl/ca
[root@localhost conf.d]# sudo mkdir -p /data/ssl/server
[root@localhost conf.d]# sudo mkdir -p /data/ssl/client
[root@localhost /]# sudo chown -R apache:apache /data/ssl
1.1. Phase one: creating the CA root certificate
1) Create the CA private key.
Interaction: set the CA key passphrase.
[root@localhost /]# openssl genrsa -des3 -out /data/ssl/ca/ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
......+++++
..................................................................................................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for /data/ssl/ca/ca.key:
Verifying - Enter pass phrase for /data/ssl/ca/ca.key:
[root@localhost /]#
Passphrase entered: ma****.
Explanation:
[openssl genrsa] generates a private key.
[-des3] is the algorithm used to encrypt the key;
[-out] is the output file for the key;
[2048] is the key length (strength) in bits.
View the CA key file (the key passphrase is required):
[root@localhost /]# openssl rsa -in /data/ssl/ca/ca.key
Enter pass phrase for /data/ssl/ca/ca.key:
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
[root@localhost /]#
2) Create the CA root certificate signing request.
Input: the CA key file. Output: the CA root certificate signing request file.
Interaction: enter the CA key passphrase => country name => state or province => locality (city) => organization name => organizational unit => certificate name (Common Name) => email address and extra attributes (challenge password and optional company name).
[root@localhost /]# openssl req -new -key /data/ssl/ca/ca.key -out /data/ssl/ca/ca.csr
Enter pass phrase for /data/ssl/ca/ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:xg
Organization Name (eg, company) [Default Company Ltd]:zf
Organizational Unit Name (eg, section) []:wqb
Common Name (eg, your name or your server's hostname) []:ca
Email Address []:wqbboy@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost /]#
Explanation:
[openssl req] creates a certificate signing request.
[-new] generates a new request file;
[-key] is the input file for the key;
[-out] is the output file for the signing request.
Note: the [Common Name] should be the name of the CA.
View the CA certificate request file:
[root@localhost /]# openssl req -in /data/ssl/ca/ca.csr -noout -text
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
3) Generate the self-signed CA root certificate, i.e. self-sign the signing request to produce the certificate.
Input: the CA key file and the CA root certificate signing request. Output: the self-signed CA root certificate file.
Interaction: enter the CA key passphrase.
[root@localhost /]# openssl x509 -req -days 3650 -signkey /data/ssl/ca/ca.key -in /data/ssl/ca/ca.csr -out /data/ssl/ca/ca.pem
Signature ok
subject=C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
Getting Private key
Enter pass phrase for /data/ssl/ca/ca.key:
[root@localhost /]#
Explanation:
[openssl x509] creates a self-signed certificate.
[-req] means the input file is a certificate signing request;
[-days] is the validity period of the certificate, in days;
[-signkey] is the input file for the signing key;
[-in] is the input file for the signing request;
[-out] is the output file for the certificate.
View the CA certificate file:
[root@localhost /]# openssl x509 -in /data/ssl/ca/ca.pem -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
52:a1:bf:3e:4d:c7:22:68:e3:1e:0f:3d:be:50:78:99:00:9c:d0:23
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
Validity
Not Before: Apr 18 01:28:05 2022 GMT
Not After : Apr 15 01:28:05 2032 GMT
Subject: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
[root@localhost /]#
4) Export the CA PKCS12 certificate.
Input: the self-signed CA certificate file and the CA key. Output: the CA PKCS12 certificate.
Interaction: set the PKCS12 certificate passphrase.
Installing and using the gmssl tool, and resolving problems
gmssl version: GmSSL-v1
(The latest GmSSL-master was not tried this time; it ran into problems at compile time, which will be added later once resolved.)
Build and install
[root@test-gmssl ~]# wget https://github.com/guanzhi/GmSSL/archive/GmSSL-v1.zip
[root@test-gmssl ~]# unzip GmSSL-v1.zip
[root@test-gmssl ~]# cd GmSSL-GmSSL-v1
[root@test-gmssl ~]# ./config --prefix=/usr/local
[root@test-gmssl ~]# make
[root@test-gmssl ~]# make install
Install gcc (needed to compile GmSSL)
dnf install -y gcc
Check after installation:
[root@test-gmssl ~]# gmssl version
GmSSL 1.3.0 - OpenSSL 1.0.2d
[root@localhost GmSSL-GmSSL-v1]# gmssl pkcs12 -export -in /data/ssl/ca/ca.pem -inkey /data/ssl/ca/ca.key -out /data/ssl/ca/ca.p12 -name ca
GMSSL: pem_lib.c 857: pem_str = RSA PRIVATE KEY
GMSSL: pem_lib.c 858: suffix = PRIVATE KEY
GMSSL: pem_lib.c 863: p = PRIVATE KEY
Enter pass phrase for /data/ssl/ca/ca.key:
GMSSL: pem_lib.c 857: pem_str = RSA PRIVATE KEY
GMSSL: pem_lib.c 858: suffix = PRIVATE KEY
GMSSL: pem_lib.c 863: p = PRIVATE KEY
GMSSL: d2i_pr.c 96
GMSSL: d2i_pr.c 118
GMSSL: d2i_pr.c 121
Explanation:
[openssl pkcs12] creates a PKCS12 certificate.
[-export] exports a PKCS12 certificate;
[-in] is the input file for the signed certificate;
[-inkey] is the input file for the key;
[-name] is the alias (friendly name) of the PKCS12 certificate;
[-out] is the output file for the PKCS12 certificate.
View the CA PKCS12 certificate file (the CA PKCS12 certificate passphrase is required):
[root@localhost GmSSL-GmSSL-v1]# gmssl pkcs12 -in /data/ssl/ca/ca.p12 -info
140633287399104:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:
View all files produced for the CA.
[root@localhost GmSSL-GmSSL-v1]# ls /data/ssl/ca/
ca.csr ca.key ca.p12 ca.pem
1.2. Phase two: creating the server certificate
1) Create the server private key.
Interaction: set the server key passphrase.
[root@localhost GmSSL-GmSSL-v1]# openssl genrsa -des3 -out /data/ssl/server/server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................................+++++
...............................................................+++++
e is 65537 (0x010001)
Enter pass phrase for /data/ssl/server/server.key:
Verifying - Enter pass phrase for /data/ssl/server/server.key:
[root@localhost GmSSL-GmSSL-v1]#
Explanation:
[openssl genrsa] generates a private key.
[-des3] is the algorithm used to encrypt the key;
[-out] is the output file for the key;
[2048] is the key length (strength) in bits.
View the server key file (the key passphrase is required):
[root@localhost GmSSL-GmSSL-v1]# openssl rsa -in /data/ssl/server/server.key
Enter pass phrase for /data/ssl/server/server.key:
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
2) Create the server certificate signing request.
Input: the server key file. Output: the server certificate signing request file.
Interaction: enter the server key passphrase => country name => state or province => locality (city) => organization name => organizational unit => certificate name (Common Name) => email address and extra attributes (challenge password and optional company name).
[root@localhost GmSSL-GmSSL-v1]# openssl req -new -key /data/ssl/server/server.key -out /data/ssl/server/server.csr
Enter pass phrase for /data/ssl/server/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:xg
Organization Name (eg, company) [Default Company Ltd]:zf
Organizational Unit Name (eg, section) []:wqb
Common Name (eg, your name or your server's hostname) []:192.168.20.14
Email Address []:wqbboy@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost GmSSL-GmSSL-v1]#
Explanation:
[openssl req] creates a certificate signing request.
[-new] generates a new request file;
[-key] is the input file for the key;
[-out] is the output file for the signing request.
Note: the [Common Name] should be the server's IP address or DNS name (e.g. 192.168.216.128 or localhost). Once the web container is configured, a client that accesses the site over HTTPS with a host name that does not match the [Common Name] gets a security warning.
View the server certificate request file:
[root@localhost GmSSL-GmSSL-v1]# openssl req -in /data/ssl/server/server.csr -noout -text
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = 192.168.20.14, emailAddress = wqbboy@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
[root@localhost GmSSL-GmSSL-v1]#
3) Generate the CA-signed server certificate, i.e. the CA signs the server signing request to produce the server certificate.
Input: the CA root certificate file, the CA key file and the server certificate signing request. Output: the CA-signed server certificate file.
Interaction: enter the CA key passphrase.
[root@localhost GmSSL-GmSSL-v1]# openssl x509 -req -days 3650 -CA /data/ssl/ca/ca.pem -CAkey /data/ssl/ca/ca.key -CAcreateserial -in /data/ssl/server/server.csr -out /data/ssl/server/server.pem
Signature ok
subject=C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = 192.168.20.14, emailAddress = wqbboy@163.com
Getting CA Private Key
Enter pass phrase for /data/ssl/ca/ca.key:
Explanation:
[openssl x509] creates a CA-signed certificate.
[-req] means the input file is a certificate signing request;
[-days] is the validity period of the certificate, in days;
[-CA] is the input file for the CA root certificate;
[-CAkey] is the input file for the CA key;
[-CAcreateserial] creates the CA serial-number file automatically if it does not exist;
[-in] is the input file for the signing request;
[-out] is the output file for the certificate.
View the server certificate file:
[root@localhost GmSSL-GmSSL-v1]# openssl x509 -in /data/ssl/server/server.pem -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
1a:5d:40:ab:0f:da:91:d8:e3:e7:d0:2a:72:5a:bf:1c:cd:47:d8:db
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
Validity
Not Before: Apr 18 01:54:54 2022 GMT
Not After : Apr 15 01:54:54 2032 GMT
Subject: C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = 192.168.20.14, emailAddress = wqbboy@163.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
[root@localhost GmSSL-GmSSL-v1]#
4) Export the server PKCS12 certificate.
Input: the CA-signed server certificate file and the server key. Output: the server PKCS12 certificate.
Interaction: enter the server key passphrase => set the PKCS12 certificate passphrase.
[root@localhost GmSSL-GmSSL-v1]# openssl pkcs12 -export -in /data/ssl/server/server.pem -inkey /data/ssl/server/server.key -out /data/ssl/server/server.p12 -name https_cert
Enter pass phrase for /data/ssl/server/server.key:
Enter Export Password:
Verifying - Enter Export Password:
[root@localhost GmSSL-GmSSL-v1]#
Explanation:
[openssl pkcs12] creates a PKCS12 certificate.
[-export] exports a PKCS12 certificate;
[-in] is the input file for the signed certificate;
[-inkey] is the input file for the key;
[-name] is the alias (friendly name) of the PKCS12 certificate;
[-out] is the output file for the PKCS12 certificate.
View the server PKCS12 certificate file (the server PKCS12 certificate passphrase is required):
[root@localhost GmSSL-GmSSL-v1]# openssl pkcs12 -in /data/ssl/server/server.p12 -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Bag Attributes
friendlyName: https_cert
localKeyID: 06 5E C4 4E FC F7 E7 24 9D 81 60 BA 83 81 3C A6 DD 86 6C 1F
subject=C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = 192.168.20.14, emailAddress = wqbboy@163.com
issuer=C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = ca, emailAddress = wqbboy@163.com
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Bag Attributes
friendlyName: https_cert
localKeyID: 06 5E C4 4E FC F7 E7 24 9D 81 60 BA 83 81 3C A6 DD 86 6C 1F
Key Attributes: <No Attributes>
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
[root@localhost GmSSL-GmSSL-v1]#
5) View all files produced for the server.
1.3. Phase three: creating the client certificate (used for mutual authentication)
1) Create the client private key.
Interaction: set the client key passphrase.
[root@localhost GmSSL-GmSSL-v1]# openssl genrsa -des3 -out /data/ssl/client/client.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........+++++
..........+++++
e is 65537 (0x010001)
Enter pass phrase for /data/ssl/client/client.key:
Verifying - Enter pass phrase for /data/ssl/client/client.key:
[root@localhost GmSSL-GmSSL-v1]#
Explanation:
[openssl genrsa] generates a private key.
[-des3] is the algorithm used to encrypt the key;
[-out] is the output file for the key;
[2048] is the key length (strength) in bits.
View the client key file (the key passphrase is required):
[root@localhost GmSSL-GmSSL-v1]# openssl rsa -in /data/ssl/client/client.key
Enter pass phrase for /data/ssl/client/client.key:
2) Create the client certificate signing request.
Input: the client key file. Output: the client certificate signing request file.
Interaction: enter the client key passphrase => country name => state or province => locality (city) => organization name => organizational unit => certificate name (Common Name) => email address and extra attributes (challenge password and optional company name).
[root@localhost GmSSL-GmSSL-v1]# openssl req -new -key /data/ssl/client/client.key -out /data/ssl/client/client.csr
Enter pass phrase for /data/ssl/client/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:hb
Locality Name (eg, city) [Default City]:xg
Organization Name (eg, company) [Default Company Ltd]:zf
Organizational Unit Name (eg, section) []:wqb
Common Name (eg, your name or your server's hostname) []:https_client
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost GmSSL-GmSSL-v1]#
Explanation:
[openssl req] creates a certificate signing request.
[-new] generates a new request file;
[-key] is the input file for the key;
[-out] is the output file for the signing request.
Note: the [Common Name] should be a unique identifier for the client.
View the client certificate request file:
[root@localhost GmSSL-GmSSL-v1]# openssl req -in /data/ssl/client/client.csr -noout -text
Certificate Request:
Data:
3) Generate the CA-signed client certificate, i.e. the CA signs the client signing request to produce the client certificate.
Input: the CA root certificate file, the CA key file and the client certificate signing request. Output: the CA-signed client certificate file.
Interaction: enter the CA key passphrase.
[root@localhost GmSSL-GmSSL-v1]# openssl x509 -req -days 3650 -CA /data/ssl/ca/ca.pem -CAkey /data/ssl/ca/ca.key -CAcreateserial -in /data/ssl/client/client.csr -out /data/ssl/client/client.pem
Signature ok
subject=C = ch, ST = hb, L = xg, O = zf, OU = wqb, CN = https_client
Getting CA Private Key
Enter pass phrase for /data/ssl/ca/ca.key:
Explanation:
[openssl x509] creates a CA-signed certificate.
[-req] means the input file is a certificate signing request;
[-days] is the validity period of the certificate, in days;
[-CA] is the input file for the CA root certificate;
[-CAkey] is the input file for the CA key;
[-CAcreateserial] creates the CA serial-number file automatically if it does not exist;
[-in] is the input file for the signing request;
[-out] is the output file for the certificate.
View the client certificate file:
[root@localhost GmSSL-GmSSL-v1]# openssl x509 -in /data/ssl/client/client.pem -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
4) Export the client PKCS12 certificate.
Input: the CA-signed client certificate file and the client key. Output: the client PKCS12 certificate.
Interaction: enter the client key passphrase => set the PKCS12 certificate passphrase.
[root@localhost GmSSL-GmSSL-v1]# openssl pkcs12 -export -in /data/ssl/client/client.pem -inkey /data/ssl/client/client.key -out /data/ssl/client/client.p12 -name https_client
Enter pass phrase for /data/ssl/client/client.key:
Enter Export Password:
Verifying - Enter Export Password:
[root@localhost GmSSL-GmSSL-v1]#
Explanation:
[openssl pkcs12] creates a PKCS12 certificate.
[-export] exports a PKCS12 certificate;
[-in] is the input file for the signed certificate;
[-inkey] is the input file for the key;
[-name] is the alias (friendly name) of the PKCS12 certificate;
[-out] is the output file for the PKCS12 certificate.
View the client PKCS12 certificate file (the client PKCS12 certificate passphrase is required):
[root@localhost GmSSL-GmSSL-v1]# openssl pkcs12 -in /data/ssl/client/client.p12 -info
Enter Import Password:
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
View all files produced for the client.
[root@localhost GmSSL-GmSSL-v1]# ls /data/ssl/client
client.csr client.key client.p12 client.pem
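The three phases above (CA root, server certificate, client certificate) run end to end as an added example; this is not code from the original post. It creates the same files without prompts, adds the extensions a modern client expects (CA:TRUE on the root, subjectAltName on the server certificate) and checks that both issued certificates chain to the root. The scratch directory, passphrases and export password are constructed; the server IP and DN fields follow the post, with the country code set to CN.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the three phases above
# (CA root, server certificate, client certificate) without prompts and checks
# the chain. Assumed/constructed: scratch directory, passphrases, export
# password; the server IP and DN fields come from the post (country set to CN).
set -eu
SSL_DIR="${SSL_DIR:-$(mktemp -d)}"        # stands in for /data/ssl
CA_PASS="${CA_PASS:-demo-ca-pass}"        # constructed CA key passphrase
SRV_IP="${SRV_IP:-192.168.20.14}"         # server address used in the post
DN_BASE="/C=CN/ST=hb/L=xg/O=zf/OU=wqb"    # DN fields used in the post
mkdir -p "$SSL_DIR/ca" "$SSL_DIR/server" "$SSL_DIR/client"

# Phase 1: encrypted CA key (AES-256 rather than the post's -des3) and the
# self-signed root. A plain "x509 -req -signkey" yields a v1 certificate with
# no basicConstraints; the -extfile below marks it as a CA (v3) explicitly.
make_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$SSL_DIR/ca/ca.key" 2048 2>/dev/null
  openssl req -new -key "$SSL_DIR/ca/ca.key" -passin "pass:$CA_PASS" \
    -subj "$DN_BASE/CN=ca" -out "$SSL_DIR/ca/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$SSL_DIR/ca/ca.ext"
  openssl x509 -req -days 3650 -signkey "$SSL_DIR/ca/ca.key" -passin "pass:$CA_PASS" \
    -in "$SSL_DIR/ca/ca.csr" -extfile "$SSL_DIR/ca/ca.ext" -out "$SSL_DIR/ca/ca.pem" 2>/dev/null
}

# Phases 2 and 3: issue_cert <name> <CN> <extension lines, \n separated>.
# The key is written unencrypted so httpd can load it without a passphrase.
issue_cert() {
  d="$SSL_DIR/$1"
  openssl genrsa -out "$d/$1.key" 2048 2>/dev/null
  openssl req -new -key "$d/$1.key" -subj "$DN_BASE/CN=$2" -out "$d/$1.csr"
  printf '%b\n' "$3" > "$d/$1.ext"
  openssl x509 -req -days 3650 -CA "$SSL_DIR/ca/ca.pem" -CAkey "$SSL_DIR/ca/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -in "$d/$1.csr" -extfile "$d/$1.ext" \
    -out "$d/$1.pem" 2>/dev/null
}

# verify_chain <cert>: 0 when the certificate chains to ca.pem, non-zero otherwise
verify_chain() { openssl verify -CAfile "$SSL_DIR/ca/ca.pem" "$1" >/dev/null 2>&1; }

# has_san <cert> <entry>: 0 when the SAN text contains <entry>, e.g. "IP Address:1.2.3.4"
has_san() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

build_all() {
  make_ca
  # Browsers match the host against subjectAltName, not the CN, so the server
  # certificate carries the IP there; the post's CN-only certificate does not.
  issue_cert server "$SRV_IP" "subjectAltName=IP:$SRV_IP\nextendedKeyUsage=serverAuth"
  issue_cert client https_client "extendedKeyUsage=clientAuth"
  # PKCS#12 bundles with the aliases used in the post (export password constructed)
  for n in server:https_cert client:https_client; do
    f=${n%%:*}; nm=${n#*:}
    openssl pkcs12 -export -in "$SSL_DIR/$f/$f.pem" -inkey "$SSL_DIR/$f/$f.key" \
      -name "$nm" -passout pass:demo-p12 -out "$SSL_DIR/$f/$f.p12"
  done
}

build_all
if verify_chain "$SSL_DIR/server/server.pem" && verify_chain "$SSL_DIR/client/client.pem"; then
  echo "server.pem and client.pem chain to ca.pem in $SSL_DIR"
else
  echo "chain check failed" >&2; exit 1
fi
```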
2. Configuring an HTTPS site in a web container
2.3. Apache Httpd configuration
1) Install and configure Apache Httpd.
[centos@host ~]$ sudo dnf install httpd
[centos@host ~]$ sudo dnf install mod_ssl openssl
[centos@host ~]$ sudo setenforce 0
[centos@host ~]$ sudo gedit /etc/httpd/conf.d/ssl.conf
[root@localhost conf.d]# dnf install mod_ssl openssl -y
上次元数据过期检查:0:56:51 前,执行于 2022年04月18日 星期一 09时12分58秒。
软件包 openssl-1:1.1.1k-5.el8_5.x86_64 已安装。
依赖关系解决。
================================================================================
软件包 架构 版本 仓库 大小
================================================================================
安装:
mod_ssl x86_64 1:2.4.37-43.module_el8.5.0+1022+b541f3b1 AppStream 136 k
事务概要
================================================================================
安装 1 软件包
总下载:136 k
安装大小:266 k
下载软件包:
mod_ssl-2.4.37-43.module_el8.5.0+1022+b541f3b1. 162 kB/s | 136 kB 00:00
--------------------------------------------------------------------------------
总计 162 kB/s | 136 kB 00:00
运行事务检查
事务检查成功。
运行事务测试
事务测试成功。
运行事务
准备中 : 1/1
安装 : mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64 1/1
运行脚本: mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64 1/1
验证 : mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64 1/1
已安装:
mod_ssl-1:2.4.37-43.module_el8.5.0+1022+b541f3b1.x86_64
完毕!
[root@localhost conf.d]# ls
autoindex.conf php.conf ssl.conf welcome.conf
nextcloud.conf README userdir.conf
[root@localhost conf.d]# ll
总用量 36
-rw-r--r--. 1 root root 2926 11月 12 12:58 autoindex.conf
-rw-r--r--. 1 root root 300 3月 30 15:23 nextcloud.conf
-rw-r--r--. 1 root root 1617 2月 15 22:26 php.conf
-rw-r--r--. 1 root root 400 11月 12 12:58 README
-rw-r--r--. 1 root root 8720 11月 12 12:54 ssl.conf
-rw-r--r--. 1 root root 1252 11月 12 12:54 userdir.conf
-rw-r--r--. 1 root root 574 11月 12 12:54 welcome.conf
[root@localhost conf.d]#
[root@localhost conf.d]# setenforce 0
[root@localhost conf.d]# gedit ssl.conf
[root@localhost conf.d]# ls
autoindex.conf php.conf ssl.conf welcome.conf
nextcloud.conf README userdir.conf
[root@localhost conf.d]# vi ssl.conf
[root@localhost conf.d]# vi ssl.conf
Edit the following settings in the file and save it:
# Listening port
Listen 443 https
# HTTPS document root
DocumentRoot "/var/www/html"
# Server name
ServerName localhost
# Server certificate file (signed by the CA)
SSLCertificateFile /data/ssl/server/server.pem
# Server private key file
SSLCertificateKeyFile /data/ssl/server/server.key
# Enable client certificate authentication (mutual authentication)
# SSLVerifyClient require
# CA certificate (mutual authentication)
# SSLCACertificateFile /data/ssl/ca/ca.pem
2) Start or restart the Apache Httpd server.
[centos@host ~]$ sudo systemctl start httpd.service
or
[centos@host ~]$ sudo systemctl restart httpd.service