1)环境:
node1:192.168.10.41,CA服务器
node2:192.168.10.42,web服务器
node3:192.168.10.43,客户端
================以下在CA证书服务器上配置==============
2)配置CA服务器(node1):
a)yum install openssl   #安装CA组件
vim /etc/pki/tls/openssl.cnf
certificate = $dir/ca.crt   #证书保存位置
private_key = $dir/private/ca.key   #私钥保存位置
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = SHANXI
localityName = Locality Name (eg, city)
localityName_default = XIAN
0.organizationName = Organization Name (eg, company)
0.organizationName_default = CONTOSO
#准备文件
cd /etc/pki/CA
touch index.txt
echo 00 > index.txt
#注意: openssl ca 以 index.txt 作为签发数据库,要求它是空文件;下一个证书序列号应写入 serial 文件(如 echo 01 > serial),否则签发时会报错。
#生成私钥:
[root@node1 CA]# (umask 077;openssl genrsa -out private/ca.key -des3 2048)
#CA生成CA自签名证书
[root@node1 CA]# openssl req -new -x509 -days 7300 -key private/ca.key > ca.crt
Enter pass phrase for private/ca.key: #输入密码
Country Name (2 letter code) [CN]: #回车
State or Province Name (full name) [SHANXI]: #回车
Locality Name (eg, city) [XIAN]: #回车
Organization Name (eg, company) [CONTOSO]: #回车
Organizational Unit Name (eg, section) []:IT #写入部门名称
Common Name (eg, your name or your servers hostname) []:node1.contoso.com #服务器名称,一定要能解析。
Email Address []:ca@aiops.net.cn #可写可不写
==============以下在web服务器node2上配置============
[root@node2]# yum install -y httpd mod_ssl
[root@node2]# echo "this is test web" > /var/www/html/index.html
[root@node2]# openssl genrsa -out /etc/httpd/httpd.key   #生成web私钥(建议与CA私钥一样加上 umask 077 并显式指定 2048 位,避免私钥文件被其他用户读取)
[root@node2]# openssl req -new -key /etc/httpd/httpd.key -out /tmp/httpd.csr   #生成web证书申请的请求文件
Country Name (2 letter code) [XX]:CN #与CA一致
State or Province Name (full name) []:SHANXI #与CA一致
Locality Name (eg, city) [Default City]:XIAN #与CA一致
Organization Name (eg, company) [Default Company Ltd]:CONTOSO #与CA一致
#(openssl.cnf 默认的 policy_match 策略要求国家、省份、组织与CA证书一致,否则 openssl ca 会拒绝签发)
Organizational Unit Name (eg, section) []:web #自己填写
Common Name (eg, your name or your servers hostname) []:www.contoso.com #与主机名称一致
Email Address []:web@123.com
Please enter the following extra attributes
to be sent with your certificate request
A challenge password []: #回车
An optional company name []: #回车
[root@node2]# scp /tmp/httpd.csr node1:/tmp   #发送请求文件到CA服务器
============以下在CA服务器上操作==============
#签发前建议先核对请求内容(openssl req -in /tmp/httpd.csr -noout -text),确认 Common Name 等字段无误再签发
[root@node1 CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt   #CA服务器给web服务器颁发证书(注意操作目录在/etc/pki/CA)
[root@node1 CA]# scp /tmp/httpd.crt node2:/etc/httpd/   #拷贝证书文件到web服务器
===========以下在web服务器上操作===========
[root@node2]# yum install -y mod_ssl   #为apache安装支持文件
[root@node2 conf.d]# vim www.conf
<VirtualHost 192.168.10.42:80>   #(原文此行在排版中丢失,按下面443段的写法补写)
DocumentRoot /var/www/html
ServerName www.contoso.com
ServerAlias www.contoso.com
RewriteEngine On
RewriteRule ^(.*)$ https://www.contoso.com$1 [R=301,L]
</VirtualHost>
<VirtualHost 192.168.10.42:443>
DocumentRoot /var/www/html
ServerName www.contoso.com
ServerAlias www.contoso.com
SSLEngine on
SSLCertificateFile /etc/httpd/httpd.crt
SSLCertificateKeyFile /etc/httpd/httpd.key
</VirtualHost>
#注意: /etc/httpd/httpd.key 应仅 root 可读(权限 0600),证书和私钥文件权限不当会导致私钥泄露
=========客户端验证========
scp node1:/etc/pki/CA/ca.crt .   #从CA服务器拷贝证书到本地任意位置
cat ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
#注意: ca-bundle.crt 由 ca-certificates 包生成,系统更新时会被覆盖;CentOS7 推荐把 ca.crt 放到 /etc/pki/ca-trust/source/anchors/ 后执行 update-ca-trust
curl http://www.contoso.com
#(http 请求会被 301 跳转到 https,要真正验证证书链请用 curl -L 或直接访问 https://www.contoso.com)
===========配置nginx============
yum install nginx
[root@node2 nginx]# cat nginx.conf
vim nginx.conf   #修改以下参数
listen 80;
server_name www.aiops.net.cn aiops.net.cn;
#root /usr/share/nginx/html;
return 301 https://www.aiops.net.cn/$request_uri;
#($request_uri 本身以 / 开头,这样写会产生双斜杠,一般写成 https://www.aiops.net.cn$request_uri)
listen 443 ssl;
server_name www.aiops.net.cn;
root /usr/share/nginx/html;   #开启
ssl on;   #开启ssl(新版 nginx 已弃用该指令,由 listen 443 ssl 代替)
ssl_certificate "/etc/nginx/cert/nginx.crt";
ssl_certificate_key "/etc/nginx/cert/nginx.key";
# ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_protocols SSLv2 SSLv3 TLSv1;
#注意: SSLv2、SSLv3 和 TLSv1 都已被认定为不安全并被现代浏览器拒绝,生产环境应改为 ssl_protocols TLSv1.2 TLSv1.3;(TLSv1.3 需要 nginx 1.13.0+ 和 OpenSSL 1.1.1+);证书的 Common Name 要与 server_name 一致
客户端测试与apache一样