Self-signed SSL certificates, the poor man's SSL: the browser will warn that the certificate is not trusted (nobody but you vouches for the root), but the connection is still encrypted. The commands here mainly follow [1].
The SSL certificate trust chain looks like this: Root CA (root certificate authority) =issues=> Intermediate CA =issues=> end-entity (server) certificate
* CA stands for certificate authority. The certificate at the end of the chain is not a CA; it is the leaf whose name the browser checks against the hostname.
1. Self-signed Root CA
Create the private key
# openssl genrsa -out RootCA.key 2048
Without -aes256 (or similar) genrsa writes the key unencrypted. Whoever can read RootCA.key can issue certificates that every client trusting this root will accept, so keep it off the web server and readable by root only.
Generate the root certificate request file
# openssl req -new -key RootCA.key -out RootCA.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taichung
Organization Name (eg, company) [My Company Ltd]:Somewhere Co.Ltd.
Organizational Unit Name (eg, section) []:Sleep Dep.
Common Name (eg, your name or your server's hostname) []:hostname.example.com
Email Address []:<press ENTER>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<press ENTER>
An optional company name []:<press ENTER>
A CA's Common Name does not have to be a hostname. Giving the root its own name (something like "Somewhere Root CA") makes the root and the server certificate easy to tell apart in browser dialogs and in openssl x509 -text output; the rest of the DN is informational only.
Use the request file to produce the certificate
# openssl x509 -req -days 3650 -sha256 -extfile /etc/pki/tls/openssl.cnf -extensions v3_ca -signkey RootCA.key -in RootCA.req -out RootCA.crt
This produces the certificate file RootCA.crt. The -extfile option is required: openssl x509 silently ignores -extensions when no -extfile is given, and the result would be an X.509 v1 certificate with no basicConstraints CA:TRUE. RFC 5280 requires that extension on any certificate that issues others, and strict verifiers reject a v1 issuer. /etc/pki/tls/openssl.cnf is the stock CentOS configuration; its [ v3_ca ] section sets basicConstraints = CA:true plus the subject and authority key identifiers. Check the result with openssl x509 -in RootCA.crt -noout -text and look for "CA:TRUE".
Next, use the root certificate to sign the end-entity certificate. Since there is no intermediate CA, we go straight to the server certificate, which is the end-entity certificate.
2. Create the end-entity certificate (server certificate)
Create the server private key
# openssl genrsa -out ServerCert.key 2048
As above, generate the certificate request file
# openssl req -new -key ServerCert.key -out ServerCert.req
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taichung
Organization Name (eg, company) [My Company Ltd]:Eat Co.Ltd.
Organizational Unit Name (eg, section) []:Pizza Dep.
Common Name (eg, your name or your server's hostname) []:hostname.example.com
Email Address []:<press ENTER>
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<press ENTER>
An optional company name []:<press ENTER>
The Common Name may use a wildcard, e.g. *.example.com. Be aware, though, that Chrome (since version 58) and Safari (since iOS 13 / macOS 10.15) ignore the CN entirely and match the hostname only against the subjectAltName extension, so a certificate that carries the name in CN alone is still reported as a name mismatch. The hostname or wildcard must also appear as a DNS entry in subjectAltName, which is added through an extension file when the certificate is signed.
Generate the serial number file and sign the certificate, again for ten years
# openssl x509 -req -days 3650 -sha256 -CA RootCA.crt -CAkey RootCA.key -CAcreateserial -in ServerCert.req -out ServerCert.crt
-CAcreateserial creates the serial number file RootCA.srl on first use; every later certificate issued by this root reads and increments it, so keep the file together with RootCA.key. Two certificates from the same CA with the same serial number are a chain-validation problem in browsers, which is why the file matters. Without an -extfile this command, like the root one, emits no extensions at all; see the subjectAltName note above.
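The whole procedure from step 1 and step 2, as an added example that is not part of the original post: the same two-level chain (self-signed root signing a server certificate) built non-interactively with the extensions current clients expect, using the page's file names. The DN values, the working directory argument, the hostname argument and the two extension files are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds RootCA.* and
# ServerCert.* in $1 for hostname $2. The DN values and the extension
# files are assumptions; the file names follow the post.

build_chain() (
    dir=$1    # working directory (assumed to exist and be writable)
    host=$2   # server hostname, e.g. hostname.example.com
    cd "$dir" || exit 1
    set -e

    # 1. Root CA. The extension file is what makes this a real CA
    #    certificate: without -extfile, openssl x509 emits a v1 cert.
    openssl genrsa -out RootCA.key 2048 2>/dev/null
    openssl req -new -key RootCA.key -sha256 \
        -subj "/C=TW/ST=Taiwan/L=Taichung/O=Somewhere Co.Ltd./CN=Somewhere Root CA" \
        -out RootCA.req
    cat > RootCA.ext <<EOF
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl x509 -req -days 3650 -sha256 -signkey RootCA.key \
        -in RootCA.req -extfile RootCA.ext -out RootCA.crt 2>/dev/null

    # 2. Server key and request. CN is kept for old clients; browsers
    #    match the hostname against subjectAltName instead.
    openssl genrsa -out ServerCert.key 2048 2>/dev/null
    openssl req -new -key ServerCert.key -sha256 \
        -subj "/C=TW/ST=Taiwan/L=Taichung/O=Eat Co.Ltd./CN=$host" \
        -out ServerCert.req

    # 3. Leaf extensions: explicitly not a CA, TLS-server usage, SAN,
    #    and a pointer back to the root's key identifier.
    cat > ServerCert.ext <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
authorityKeyIdentifier = keyid, issuer
EOF

    # 4. Sign with the root. -CAcreateserial writes RootCA.srl, the
    #    "serial number file" from the post.
    openssl x509 -req -days 3650 -sha256 \
        -CA RootCA.crt -CAkey RootCA.key -CAcreateserial \
        -in ServerCert.req -extfile ServerCert.ext \
        -out ServerCert.crt 2>/dev/null

    # 5. Check the result the way a client would: chain, then hostname.
    openssl verify -CAfile RootCA.crt ServerCert.crt >/dev/null
    openssl x509 -in ServerCert.crt -noout -checkhost "$host" \
        | grep -q 'does match'
)

# Usage: build_chain /tmp/pki hostname.example.com
```

The function runs in a subshell so that cd and set -e do not leak into the caller; a non-zero return means one of the openssl steps, the chain verification, or the hostname check failed. The same RootCA.ext can be passed to the page's own root-signing command in place of the stock openssl.cnf.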
3. SELinux and moving the files
Copy the files to the standard locations
# cp ServerCert.key /etc/pki/tls/private/
# cp *.crt /etc/pki/tls/certs
Use cp rather than mv. A copied file is created fresh and gets the target directory's default SELinux type (cert_t); a moved file keeps the type it had in your home directory, and httpd is then denied access even though the Unix permissions look right. If you did move them, restorecon -Rv /etc/pki/tls relabels them, and ls -Z shows the current labels. Also make the private key readable by root only (mode 600); httpd reads it as root at startup before dropping privileges, so the apache user never needs it.
4. Apache configuration
Edit /etc/httpd/conf.d/ssl.conf
# comment out these two
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
# change
Listen 443
ServerName hostname.example.com:443
SSLEngine on
# add these three
SSLCertificateFile /etc/pki/tls/certs/ServerCert.crt
SSLCertificateKeyFile /etc/pki/tls/private/ServerCert.key
SSLCACertificateFile /etc/pki/tls/certs/RootCA.crt
ServerName must match the name in the certificate. Note that SSLCACertificateFile only tells mod_ssl which CAs to accept when verifying client certificates (SSLVerifyClient); it does not make the server send RootCA.crt to browsers, and with a root signing the leaf directly it does not need to. The browser has to have RootCA.crt imported as a trusted root anyway, since nothing else vouches for it, and once it does the leaf verifies against the imported root. If the chain ever gains an intermediate, that goes in SSLCertificateChainFile (httpd 2.4.6 as shipped with CentOS 7) or is appended to the SSLCertificateFile (httpd 2.4.8 and later).
Restart Apache (systemctl restart httpd on CentOS 7). Running apachectl configtest first catches configuration errors before the service goes down.
Troubleshooting
If startup fails, the log is in /etc/httpd/logs/ssl_error_log or /var/log/messages, depending on your configuration.
[warn] RSA server certificate CommonName (CN) `somehost.example.com' does NOT match server name!?
Likely cause: the Common Name in ServerCert.crt (the name typed at the CSR prompt) is not the ServerName set in ssl.conf. A key file carries no name, so check the certificate, for example with openssl x509 -in ServerCert.crt -noout -subject, and either fix ServerName or reissue the certificate.
[error] Unable to configure RSA server private key
Likely cause: ServerCert.key is not the key that ServerCert.crt was issued for (typically the key was regenerated after the CSR was made, or the wrong file was copied), or the file is not a valid PEM private key. Compare the public key in the certificate with the one derived from the key; if they differ, regenerate the CSR from the key you actually deployed and sign it again.
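The two checks behind those mod_ssl messages, as an added example (not Apache's code and not from the original post) that can be run before restarting httpd. The paths are arguments; the /etc/pki/tls locations from the post are only the intended inputs, and the preflight wrapper is an assumption for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the two checks
# mod_ssl performs at startup against arbitrary cert/key paths.

# "Unable to configure RSA server private key" is what mod_ssl reports
# when the key does not belong to the certificate. Derive the public key
# from each side and compare; identical PEM text means they are a pair.
# Returns 0 on match, 1 on mismatch, 2 if a file could not be parsed.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# "CommonName (CN) ... does NOT match server name" means ServerName is
# not a name the certificate carries. X509_check_host looks at
# subjectAltName first and falls back to CN only when there are no DNS
# SANs; current browsers never fall back to CN, so a certificate that
# passes here on CN alone will still fail in Chrome or Safari.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null \
        | grep -q 'does match'
}

# Runs both checks the way you would before "systemctl restart httpd".
# Returns 0 when everything is consistent, 1 otherwise, printing what
# is wrong. Assumed helper, not an Apache tool.
preflight() {
    cert=$1; key=$2; name=$3
    ok=0
    cert_key_match "$cert" "$key" || { echo "$key does not match $cert"; ok=1; }
    cert_covers_host "$cert" "$name" || { echo "$name is not in $cert"; ok=1; }
    return $ok
}

# Usage:
# preflight /etc/pki/tls/certs/ServerCert.crt \
#           /etc/pki/tls/private/ServerCert.key hostname.example.com
```

Comparing public keys rather than moduli works for any key type, not just RSA, and does not depend on the exact wording of mod_ssl's message.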
Related links
[CentOS 7] SELinux settings for HTTPS/SSL certificates