openssl加密机制( 五 ) _openssl生成证书

-------------注意，这里的01不能写成1 ，否则也会报错。
CA给自己颁发证书，序列号为1.至此， CA自建证书完毕。
第二步：配置web网站，新建虚拟主机
# yum -y install httpd
安装web服务应用程序包
这里以虚拟主机为例，配置一台虚拟主机。
首先
在主配置文件/etc/httpd/conf/httpd.conf中注释掉主服务器的 “/var/www/html”
然后新建虚拟主机
ServerName www.a.comDocumentRoot "/www/website/"ErrorLog /www/website/logs/error.logCustomLog /www/website/logs/access.log common
在index.html中随便写上一段话，这是网站的首页。
然后在物理机hosts文件中配置解析

文章插图
目录下边有个hosts文件
然后就可以在浏览器里搜索了。
不过这里可能会遇到问题，我就遇到了一个很让人头疼的问题，浏览器死活连接不上，原因可能是防火墙的问题，这时就需要关掉防火墙了。
# chkconfig iptables off# service iptables stop
好了，虚拟web主机建好了，下面开始建
除了可以实现自签证书，还可以为web服务器提供ssl服务。
Ssl服务对于ip是一对一的，有一个虚拟主机，就可以配置一个ssl服务。
第三步：Ssl服务的配置
安装模块
# yum -y install mod_ssl
Ssl服务的配置文件/etc/httpd/conf.d/ssl.conf
在编辑ssl配置文件之前，要先为web服务器颁发一个证书。
Web服务器自己生成一个证书请求
# cd /etc/httpd# (umask 077;openssl genrsa -out private.key 2048)Generating RSA private key, 2048 bit long modulus.............................................................................................................................................+++...+++e is 65537 (0x10001)[root@luliming httpd]# openssl req -new -key private.key -out private.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:cnState or Province Name (full name) []:henanLocality Name (eg, city) [Default City]:zhengzhouOrganization Name (eg, company) [Default Company Ltd]:mageduOrganizational Unit Name (eg, section) []:techCommon Name (eg, your name or your server's hostname) []:www.a.comEmail Address []:magedu@163.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:# lsconfconf.dlogsmodulesprivate.csrprivate.keyrun
让CA为它颁发证书，注意，由于笔者是在同一台电脑上配置的，本机就是CA机关，所以，直接在/etc/httpd/目录下为web服务器颁发ca证书，如果不是在同一台主机，还需要web服务器向CA发送申请，由CA为其签署。
签证
openssl ca -in private.csr -out private.crt -days 365Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details:Serial Number: 1 (0x1)ValidityNot Before: Aug 22 22:25:47 2013 GMTNot After : Aug 22 22:25:47 2014 GMTSubject:countryName= cnstateOrProvinceName= henanorganizationName= mageduorganizationalUnitName= techcommonName= www.a.comemailAddress= magedu@163.comX509v3 extensions:X509v3 Basic Constraints:CA:FALSENetscape Comment:OpenSSL Generated CertificateX509v3 Subject Key Identifier:6B:A2:C3:A9:E3:A4:49:28:23:40:DA:77:3F:5B:94:28:EA:34:E3:4BX509v3 Authority Key Identifier:keyid:14:45:59:59:0C:93:35:19:72:18:FA:EE:FA:56:7A:AE:8A:07:E8:D2Certificate is to be certified until Aug 22 22:25:47 2014 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated