Apache 와 Nginx SSL 인증서 신청 및 설정

실험 을 할 때 ssl 인증 서 를 사용 하 는 것 을 피하 기 어렵 습 니 다. 랜 환경 에서 ssl 인증 서 를 살 필요 가 전혀 없습니다. 그래서 저 희 는 CA 서버 를 만 들 고 랜 내 에 인증서 가 필요 한 서버 에 인증서 발급 서 비 스 를 제공 합 니 다.
직접 올 리 기: CA 서버 로 서버 준비 하기:

[root@localhost CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
---
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:u9time       ##   ，            
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:ca.u9time.com       ##         
Email Address []:

[root@lvs CA]# touch index.txt        ##    CA                       ，             
[root@lvs CA]# echo "01" > serial   ##    CA                     ，             

클 라 이언 트 호스트 (apache 또는 nginx) 생 성 인증서 신청 CSR 파일

[root@localhost ssl]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365   ##      ，    csr  
---
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:u9time     ##      CA  
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.u9time.com     ##             ，         www.ddong.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:www.u9time.com
An optional company name []:

[root@localhost ssl]# scp -p httpd.csr [email protected]:/root/                   ##          CA         

CA 서버 서명 인증서:

[root@localhost ~]# openssl ca -in httpd.csr -out httpd.crt -days 365
y
y
[root@localhost ~]# scp -p httpd.crt [email protected]:/etc/httpd/ssl/

apache 2.4 서버 설정:

[root@localhost ~]# yum install httpd mod_ssl -y
[root@localhost ~]# chmod 600 /etc/httpd/ssl/
[root@localhost ~]# vim /etc/httpd/conf.d/u9time_ssl.conf

    # This first-listed virtual host is also the default for *:80
    ServerName www.u9time.com
    ServerAlias www1.u9time.com www2.u9time.com
    DocumentRoot "/var/www/html/u9time"



    # This first-listed virtual host is also the default for *:80

    ServerName www.u9time.com
    ServerAlias www1.u9time.com www2.u9time.com
    DocumentRoot "/var/www/html/u9time"

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:3DES:!aNULL:!MD5:!SEED:!IDEA

    SSLCertificateFile "/etc/httpd/ssl/u9time.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/u9time.key"

nginx 서버 설정:

   nginx        ssl  
[root@localhost conf.d]# cat u9time.conf 
server {

    listen 80;
    server_name www.u9time.com;
    root /var/www/html/u9;

    location / {
    }

}

server {

    listen 443;
    server_name www.u9time.com;
    root /var/www/html/u9;

    ssl on;
    ssl_certificate /etc/httpd/ssl/u9time.crt;  #    
    ssl_certificate_key /etc/httpd/ssl/u9time.key;   #KEY  

    ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
    location / {
    }

}