Linux 학습 노트 – https 간단한 구성

인스턴스는 다음과 같습니다.
CA 호스트 192.168.191.160
웹 서버 호스트 192.168.191.150, httpd 설정은 이전 블로그의
CA는 인증서에 서명하여 웹 서버에 전송하고/etc/httpd/conf.d/ssl를 설정합니다.conf
1. CA 호스트에서 자체 서명 인증서 생성

cd /etc/pki/CA
(umask 077;openssl genrsa -out private/cakey.pem 2048) # 

 
vim/etc/pki/tls/openssl.cnf 참조 및 작업 디렉터리dir 및 서명 시 기본 매개 변수 수정

[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
...
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Guangdong

localityName                    = Locality Name (eg, city)
localityName_default            = Guangzhou

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = cqy

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = tech

openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
# 
mkdir certs crl newcerts   # 
touch index.txt              # 
echo 01 > serial

2. 웹 서버 생성 인증서 서명 요청

cd /etc/httpd/
mkdir ssl
cd ssl
(umask 077;openssl genrsa 1024 > httpd.key)  # 
openssl req -new -key httpd.key -out httpd.csr # 
scp httpd.csr  192.168.191.160:/tmp

3. CA 호스트 도움말 웹 서버 인증

openssl ca -in /tmp/httpd.csr  -out /tmp/httpd.crt -days 3650
scp /tmp/httpd.crt 192.168.191.150:/etc/httpd/ssl/

넷째, 웹 서버 설정/etc/httpd/conf.d/ssl.conf
vim/etc/httpd/conf.d/ssl.conf 추가 수정 사항은 다음과 같습니다.

<VirtualHost 192.168.191.150:443>     # IP
Servername              # ， httpd.conf 
DocumentRoot "/www/cqy150"            # ， httpd.conf 
...
SSLCertificateFile /etc/httpd/ssl/httpd.crt      # 
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key   # 
...
</VirtualHost>

5. httpd 서버 재부팅

[root@localhost conf.d]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@localhost conf.d]# netstat -tunl | grep 443
tcp        0      0 :::443                      :::*                        LISTEN