1.安装openssl
yum install -y openssl
2.修改配置文件
在/etc/pki/tls/openssl.conf的172行
basicConstraints=CA:TRUE,打开CA
3.创建CA
[root@slavedb ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
..............................................................................................+++
...............+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:slavedb
Email Address []:1@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
f4:5a:65:88:11:9f:46:b6
Validity
Not Before: Sep 14 01:45:15 2019 GMT
Not After : Sep 13 01:45:15 2022 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = xuegod
organizationalUnitName = IT
commonName = slavedb
emailAddress = 1@163.com
X509v3 extensions:
X509v3 Subject Key Identifier:
9A:A5:C3:EA:07:80:4B:E0:08:7E:AF:E5:A8:17:A7:41:1D:10:C5:CD
X509v3 Authority Key Identifier:
keyid:9A:A5:C3:EA:07:80:4B:E0:08:7E:AF:E5:A8:17:A7:41:1D:10:C5:CD
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Sep 13 01:45:15 2022 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
CA公钥路径
/etc/pki/CA/cacert.pem
CA私钥路径
/etc/pki/CA/private/cakey.pem
3.使用证书创建https
echo '<h1> https test page </h1>' > /var/www/html/index.html
生成ssl私钥,此时公钥还未创建
[root@slavedb ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 2048 bit long modulus
.................+++
..+++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:
这里输入的是保护私钥的密码:123456,输2次
创建服务器公钥
[root@slavedb ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:masterdb #如果不基于ip访问,此处的要与url一致
Email Address []:1@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
将公钥推送给CA服务器
scp /server.csr 10.10.10.21:/tmp/
CA签名
[root@slavedb ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
f4:5a:65:88:11:9f:46:b8
Validity
Not Before: Sep 14 02:56:29 2019 GMT
Not After : Sep 13 02:56:29 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = xuegod
organizationalUnitName = IT
commonName = masterdb
emailAddress = 1@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
E1:3C:CE:05:C8:B3:38:43:57:FF:85:CB:6B:C5:5C:BE:11:0D:AD:B6
X509v3 Authority Key Identifier:
keyid:50:11:77:D6:09:B0:94:29:16:A5:5D:09:FA:0A:2A:83:58:46:6E:5A
Certificate is to be certified until Sep 13 02:56:29 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA发送已签的server.crt给服务器
scp /server.crt 10.10.10.25:/
到此证书签名完成
yum install mode-ssl
cp /server.crt /etc/httpd/conf.d/
在/etc/httpd/conf.d/ssl.conf里100行修改
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
重启httpd
访问ip
在生产中实现https只需要生成的server.csr推送给CA,再部署server.crt