httpd密钥认证详细配置

你离开我真会死。 提交于 2020-04-02 19:27:35
#CA生成一对密钥
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# ls
certs  crl  newcerts  private
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
............................+++
e is 65537 (0x10001)
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4f3NOf/sGr3QEWGShWNP
4xoJPNYpsoBhUuRSPGRmuSYiJCtxplDVTNzUCLssKCCdl2sM3ijBa+Pelju3w8a5
iq9LgAVYKNsOjCdyN5PsAroQRAmdHANPlRfnJj/u3tNRKDlEP7pEuI1nKzZyykkU
ION1ni7o+d4D41nO9UkheK6ds6YbyCvRoIl+yqv6WtpV6UUgRMOIlXv9kYjMIBj4
Qa6SYNm6kMm+R8aLI8hzzdrRte2bFfvPmKYC3nMrPekS0HW7G0alYlyZIb/X9DUs
UB9tG2v++UA7ZqW1tZkiP50peNumcWSP/MNIftKP1z0z/3IPvJHLeMDHOJk2xJrJ
ywIDAQAB
-----END PUBLIC KEY-----
#CA生成自签署证书(未指定 -days 时,openssl req 默认有效期仅 30 天,生产环境应显式指定)
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:runtime.example.com
Organizational Unit Name (eg, section) []:runtime.example.com
Common Name (eg, your name or your server's hostname) []:runtime.example.com
Email Address []:1@2.com
[root@localhost CA]# openssl x509 -text -in cacert.pem
内容省略....
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@localhost CA]# cat serial
01
#服务端生成密钥
[root@whb ~]# cd /etc/httpd24 && mkdir ssl && cd ssl
[root@whb ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
........................................................................+++
.....................................................................................+++
e is 65537 (0x10001)
[root@whb ssl]# 
#服务端生成证书签署请求(此处的 -days 对 CSR 不生效,证书有效期由 CA 签发时的 -days 决定)
[root@whb ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:runtime.example.com
Organizational Unit Name (eg, section) []:runtime.example.com
Common Name (eg, your name or your server's hostname) []:runtime.example.com
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#服务端把证书签署请求文件发送给CA
服务端:
[root@whb ssl]# scp httpd.csr root@192.168.86.137:/root
root@192.168.86.137's password: 
httpd.csr                                                                 100% 1082    26.4KB/s   00:00    
[root@whb ssl]# 
客户端(CA):
[root@localhost CA]# cd
[root@localhost ~]# ls
1     3.sh             apr-1.6.5.tar.gz        cai.sh        httpd-2.4.38.tar.bz2  program.sh
1.sh  anaconda-ks.cfg  apr-util-1.6.1          db-backup.sh  httpd.csr             shu.sh
2.sh  apr-1.6.5        apr-util-1.6.1.tar.bz2  httpd-2.4.38  mkuser.sh             whb
[root@localhost ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
[root@localhost ~]# ls
1     3.sh             apr-1.6.5.tar.gz        cai.sh        httpd-2.4.38.tar.bz2  mkuser.sh   whb
1.sh  anaconda-ks.cfg  apr-util-1.6.1          db-backup.sh  httpd.crt             program.sh
2.sh  apr-1.6.5        apr-util-1.6.1.tar.bz2  httpd-2.4.38  httpd.csr             shu.sh
#签署服务端提交上来的证书
[root@localhost ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
[root@localhost ~]# ls
1     3.sh             apr-1.6.5.tar.gz        cai.sh        httpd-2.4.38.tar.bz2  mkuser.sh   whb
1.sh  anaconda-ks.cfg  apr-util-1.6.1          db-backup.sh  httpd.crt             program.sh
2.sh  apr-1.6.5        apr-util-1.6.1.tar.bz2  httpd-2.4.38  httpd.csr             shu.sh
#把签署好的证书httpd.crt发给服务端(只传输证书,私钥 httpd.key 始终留在服务端,不经网络传输)
客户端(CA):
[root@localhost ~]# scp httpd.crt root@192.168.86.138:/root/
httpd.crt                                                                 100% 4718   193.2KB/s   00:00    
[root@localhost ~]# 
服务端:
[root@whb ~]# ls
1  2  3  anaconda-ks.cfg  httpd-2.4.38  httpd-2.4.38.tar.bz2  httpd.crt  httpd.csr  lol  upload
[root@whb ~]# mv httpd.crt /etc/httpd24/ssl/
[root@whb ~]# cd /etc/httpd24/ssl
[root@whb ssl]# ls
httpd.crt  httpd.csr  httpd.key
[root@whb ssl]# 
#ssl配置:
[root@100 ~]# vim /etc/httpd24/extra/httpd-ssl.conf 
/DocumentRoot   //搜索
修改为以下内容:
DocumentRoot "/usr/local/apache/htdocs/runtime"
ServerName runtime.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/runtime.example.com-error_log"
TransferLog "/usr/local/apache/logs/runtime.example.com-access_log"
紧接着将
SSLCertificateFile "/etc/httpd24/server.crt"  改为  SSLCertificateFile "/etc/httpd24/ssl/httpd.crt"
SSLCertificateKeyFile "/etc/httpd24/server.key"  改为  SSLCertificateKeyFile "/etc/httpd24/ssl/httpd.key"
#检查配置是否有语法错误(可先执行 apachectl -t 检查,无误后再重启)
[root@whb ~]# cd /etc/httpd24
[root@100 httpd24]# apachectl restart