
Configuring an SSL certificate on an Apache server

2014-04-11 09:54:01 Source: ITJS.CN
mkdir demoCA

cp /usr/share/ssl/openssl.cnf ./demoCA (on current distributions the stock file lives at /etc/pki/tls/openssl.cnf or /etc/ssl/openssl.cnf instead)

vi ./demoCA/openssl.cnf and change the dir setting in the [ CA_default ] section from ./demoCA to . (the rest of the procedure is run from inside demoCA, so the CA paths must be relative to that directory)

mkdir demoCA/certs

mkdir demoCA/crl

mkdir demoCA/newcerts

mkdir demoCA/private (this directory will hold the CA's private key; make it readable by root only)

echo "01" > demoCA/serial

touch demoCA/index.txt

cd demoCA

openssl req -new -x509 -keyout ./private/cakey.pem -out ./cacert.pem -days 3650

(You are asked for a passphrase twice. It protects the CA key cakey.pem and is needed again every time you sign a request with openssl ca below. It is not the passphrase httpd asks for at startup; that one belongs to server.key, created in a later step. The CA certificate is valid for 10 years.)

Country Name (2 letter code) [GB]:US

State or Province Name (full name) [Berkshire]:CA

Locality Name (eg, city) [Newbury]:Santa Clara

Organization Name (eg, company) [My Company Ltd]:Cisco

Organizational Unit Name (eg, section) []:WebEx

Common Name (eg, your name or your server's hostname) []:ServerDNSName (for the CA certificate use a descriptive name that differs from the server's hostname, e.g. "Example Demo CA"; if the CA and the server certificate carry the same subject the server certificate looks self-issued and chain building becomes ambiguous. The hostname belongs in the server certificate below.)

Email Address []:

openssl genrsa -des3 -out server.key 2048

(The original article used 1024 bits; 1024-bit RSA has been rejected by browsers and public CAs for years, so use at least 2048. Because -des3 encrypts the key, httpd will prompt for this passphrase at every start unless you remove the encryption with openssl rsa or configure SSLPassPhraseDialog. Newer OpenSSL builds should use -aes256 instead of -des3.)

openssl req -new -key server.key -out server.csr

Country Name (2 letter code) [GB]:US

State or Province Name (full name) [Berkshire]:CA

Locality Name (eg, city) [Newbury]:Santa Clara

Organization Name (eg, company) [My Company Ltd]:Cisco

Organizational Unit Name (eg, section) []:WebEx

Common Name (eg, your name or your server's hostname) []:ServerDNSName (must be exactly the hostname clients connect to; current browsers ignore the CN and require the name in a subjectAltName extension, which this interactive flow does not add, so add one via an extensions section when signing)

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: (leave empty; openssl ca does not use it, it is merely stored inside the request)

An optional company name []:Cisco-WebEx Communication Inc.

mv server.csr newreq.pem

openssl ca -config ./openssl.cnf -policy policy_anything -out newcert.pem -infiles newreq.pem

(This prompts for the CA passphrase, prints the request, and asks you to confirm signing and committing; -infiles must be the last option. A copy of the issued certificate is also written to newcerts/01.pem and the issuance is recorded in index.txt.)

mv newcert.pem server.crt

(newcert.pem starts with a human-readable dump followed by the PEM block. mod_ssl accepts that, or add -notext to the openssl ca command to get a clean file.)
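The whole procedure above, as an added example that is not part of the original article: a POSIX shell script that builds the private CA and issues the server certificate non-interactively, with a config equivalent to the edited openssl.cnf, and then runs the checks worth doing before the files go into ssl.conf. The scratch directory, the hostname www.example.test, the subject fields and both passphrases are assumptions; the script also goes beyond the article by marking the CA certificate CA:TRUE and putting the hostname into a subjectAltName, which current browsers require.

```sh
#!/bin/sh
# Added example, not the original article's commands: the same private-CA
# procedure run non-interactively, plus the checks worth doing before the
# files go into ssl.conf. Directory, hostname and passphrases are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"                      # scratch dir (assumed)
CA_DIR="$WORK/demoCA"
SERVER_FQDN="${SERVER_FQDN:-www.example.test}"    # hostname clients will use (assumed)
CA_PASS="${CA_PASS:-ca-passphrase}"               # protects private/cakey.pem (assumed)
KEY_PASS="${KEY_PASS:-server-passphrase}"         # protects server.key; httpd asks for it (assumed)

# CA directory layout plus a config equivalent to setting dir= in
# [ CA_default ], with extension sections added so the CA cert is marked
# CA:TRUE and the server cert carries a subjectAltName.
setup_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    echo 01 > "$CA_DIR/serial"
    : > "$CA_DIR/index.txt"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA_DIR
certs = \$dir/certs
crl_dir = \$dir/crl
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_FQDN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # Self-signed CA certificate, 10 years, key encrypted with CA_PASS
    openssl req -new -x509 -newkey rsa:4096 -sha256 -days 3650 \
        -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
        -subj "/C=US/ST=CA/L=Santa Clara/O=Example/OU=Demo CA/CN=Example Demo CA" \
        -passout "pass:$CA_PASS" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}

# Server key (2048-bit, AES-encrypted instead of the article's 1024-bit DES3),
# CSR, and signing by the CA; -batch replaces the interactive y/y confirmation.
issue_server_cert() {
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$CA_DIR/server.key" 2048 2>/dev/null
    openssl req -new -key "$CA_DIR/server.key" -passin "pass:$KEY_PASS" \
        -config "$CA_DIR/openssl.cnf" \
        -subj "/C=US/ST=CA/L=Santa Clara/O=Example/OU=Web/CN=$SERVER_FQDN" \
        -out "$CA_DIR/server.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -policy policy_anything \
        -extensions v3_server -days 365 -passin "pass:$CA_PASS" \
        -in "$CA_DIR/server.csr" -out "$CA_DIR/server.crt" 2>/dev/null
}

# Checks: does server.crt chain to cacert.pem, is the CA cert really a CA,
# does the cert name the host in a SAN, and does server.key match server.crt
# (a key/cert mismatch is the usual reason httpd refuses to start afterwards).
verify_chain()     { openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/server.crt" >/dev/null 2>&1; }
ca_is_ca()         { openssl x509 -noout -text -in "$CA_DIR/cacert.pem" | grep -q 'CA:TRUE'; }
cert_has_san()     { openssl x509 -noout -text -in "$CA_DIR/server.crt" | grep -q "DNS:$SERVER_FQDN"; }
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$CA_DIR/server.crt")
    k=$(openssl rsa -noout -modulus -in "$CA_DIR/server.key" -passin "pass:$KEY_PASS" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

setup_ca
issue_server_cert
verify_chain && ca_is_ca && cert_has_san && key_matches_cert && echo "OK: files in $CA_DIR"
```

Run it with SERVER_FQDN set to the real hostname, then copy cacert.pem, server.crt and server.key from the printed directory into the paths referenced by ssl.conf. The modulus comparison in key_matches_cert is the quickest way to diagnose the "key values mismatch" error mod_ssl logs when a certificate is paired with the wrong key.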

vi /etc/httpd/conf.d/ssl.conf and set the following four directives, making sure none of them is commented out (the paths assume demoCA was created under /etc/httpd/conf.d; server.key must be readable by root only):

SSLCertificateFile /etc/httpd/conf.d/demoCA/server.crt

SSLCertificateKeyFile /etc/httpd/conf.d/demoCA/server.key

SSLCACertificatePath /etc/httpd/conf.d/demoCA

SSLCACertificateFile /etc/httpd/conf.d/demoCA/cacert.pem

(The two SSLCA* directives are only consulted when client certificates are verified. SSLCACertificatePath expects a directory of hash-named links as produced by c_rehash; with SSLCACertificateFile pointing at cacert.pem it is redundant and can be left out.)

#SSLVerifyClient require

#SSLVerifyDepth  10

(Leave these two commented for an ordinary HTTPS site; the default is SSLVerifyClient none. Uncomment them only if every client must present a certificate issued by your CA. After editing, run apachectl configtest, restart httpd (it prompts for the server.key passphrase), and check the chain from a client with openssl s_client -connect ServerDNSName:443 -CAfile cacert.pem, which should end with "Verify return code: 0 (ok)".)
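The corresponding ssl.conf fragment as an added example, not taken from the original article or the stock Apache file: the four directives above together with the settings a current deployment needs around them. The ServerName placeholder, the file paths and the builtin pass-phrase dialog are assumptions to adjust for your host.

```apache
# Added example, not part of the original article. Paths assume the demoCA
# directory was created under /etc/httpd/conf.d as in the steps above.

# httpd prompts on the console for the server.key passphrase at startup;
# use "exec:/path/to/script" instead for unattended restarts.
SSLPassPhraseDialog builtin

<VirtualHost _default_:443>
    # Must match the CN/subjectAltName of server.crt (placeholder, assumed)
    ServerName ServerDNSName
    SSLEngine on

    # Server certificate and its passphrase-protected key (key file 0600, owner root)
    SSLCertificateFile    /etc/httpd/conf.d/demoCA/server.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/demoCA/server.key

    # Only consulted when client certificates are verified
    SSLCACertificateFile  /etc/httpd/conf.d/demoCA/cacert.pem
    SSLVerifyClient none
    # To require client certificates issued by the demo CA instead:
    #SSLVerifyClient require
    #SSLVerifyDepth  2

    # Reject SSLv3 and TLS 1.0/1.1 and let the server choose the cipher
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
</VirtualHost>
```

Validate with apachectl configtest before restarting; a wrong path or a key that does not belong to the certificate is reported there rather than at request time.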

If you want a certificate that browsers trust without installing cacert.pem on every client, send the certificate request (server.csr) to a public CA and use the certificate it returns in place of server.crt. A public CA will not sign your self-signed cacert.pem to turn it into a trusted root.