When running experiments you sometimes need an SSL certificate. On a LAN there is no reason to buy one, so here we set up our own CA server and have it issue certificates to the LAN hosts that need them. The CA signs with its own private key; every client that should trust the issued certificates (browsers, curl, other services) has to import the CA certificate cacert.pem as a trusted root, otherwise it will still warn.
Straight to the commands:
Prepare one server to act as the CA server:
[root@localhost CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)   ## umask 077 in a subshell makes the key file 0600 without changing the shell's umask
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
---
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:u9time   ## company name; the client CSRs must use exactly this value
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:ca.u9time.com   ## full domain name of the self-signed CA certificate
Email Address []:
[root@lvs CA]# touch index.txt   ## when this CA issues certificates it records each one in this index file; the file name and location are set by openssl.cnf
[root@lvs CA]# echo "01" > serial   ## serial number of the next certificate this CA issues; name and location are also set by openssl.cnf
The directory layout used here (/etc/pki/CA with private/, newcerts/, index.txt and serial) is the one the stock /etc/pki/tls/openssl.cnf on CentOS expects, so openssl ca below works without a -config option. The policy_match section of that file is what requires Country, State and Organization in every request to equal the CA's own values.
The client host (apache or nginx) generates the private key and the certificate signing request (CSR):
[root@localhost ssl]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr   ## answer the prompts; the answers become the subject of the CSR
---
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:u9time   ## company information must match the CA's
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.u9time.com   ## the full domain name the certificate is for; any other name, e.g. www.ddong.com, works the same way
Email Address []:
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# scp -p httpd.csr root@192.168.157.3:/root/   ## send the request to the CA server for signing
Two details: a -days option on openssl req -new is ignored, because the validity period is decided by the CA at signing time; and the challenge password is an optional CSR attribute that openssl ca never looks at, so it can be left blank. The private key stays on the web server; only the CSR travels to the CA. Note also that a certificate issued from this CSR carries the host name only in the Common Name; current browsers ignore the CN and require a subjectAltName extension, which has to be added by the CA at signing time.
The CA server signs the certificate:
[root@localhost ~]# openssl ca -in httpd.csr -out httpd.crt -days 365
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@localhost ~]# scp -p httpd.crt root@192.168.157.9:/etc/httpd/ssl/   ## copy the signed certificate back to the web server
openssl ca checks the request against policy_match, signs it with cakey.pem, appends a line to index.txt, bumps serial and keeps a copy of the certificate in /etc/pki/CA/newcerts/01.pem. A request whose Country, State or Organization differs from the CA's is rejected at this step.
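The three steps above (CA set-up, CSR, signing) as one runnable script, added here as an example and not part of the original post. It uses a scratch directory and its own small openssl.cnf instead of /etc/pki/CA, so it runs without root and without touching the system config; the config sections, the server extension profile, and the Organization "ddong" used for the negative case are this example's assumptions. It goes beyond the post in two ways: the issued certificate carries a subjectAltName, and the script shows openssl ca refusing a request whose Organization does not match the CA's.

```shell
#!/bin/sh
# Added example, not from the original post: the CA -> CSR -> sign flow in a
# scratch directory with its own openssl.cnf. Names (u9time, www.u9time.com,
# www.ddong.com) come from the post; config layout and SAN profile are assumed.
set -eu

WORK=${WORK:-$(mktemp -d)}
CADIR="$WORK/ca"
CFG="$WORK/openssl.cnf"

# Minimal openssl.cnf. [ CA_default ] and [ policy_match ] mirror the stock
# CentOS config; policy_match is why C, ST and O in a CSR must equal the CA's.
write_config() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts"
    cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CADIR
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
default_md         = sha256
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# CA side: index.txt, serial, CA key (0600 via umask) and self-signed CA cert.
init_ca() {
    write_config
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CFG" -extensions v3_ca -days 3650 \
        -key "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=u9time/OU=ca/CN=ca.u9time.com"
}

# Server side: key plus CSR. $1 is a label, $2 the Organization, $3 the CN.
make_csr() {
    (umask 077; openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CFG" -key "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=$2/OU=ops/CN=$3"
}

# CA side: -batch replaces the two "y" answers. The extension file adds a
# subjectAltName ($2); browsers ignore the CN and reject a cert without SAN.
sign_csr() {
    cat > "$WORK/$1.ext" <<EOF
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $2
EOF
    openssl ca -batch -notext -config "$CFG" -days 365 \
        -extfile "$WORK/$1.ext" -extensions server_cert \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt"
}

# Client-side checks: does the cert chain to cacert.pem, and is DNS name $2 in its SAN?
verify_cert() {
    openssl verify -CAfile "$CADIR/cacert.pem" "$WORK/$1.crt"
}
cert_has_dns() {
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "DNS:$2"
}

# The post's procedure end to end.
init_ca
make_csr www u9time www.u9time.com
sign_csr www "DNS:www.u9time.com,DNS:www1.u9time.com,DNS:www2.u9time.com"
verify_cert www
# A request whose Organization differs from the CA's is refused by policy_match.
make_csr other ddong www.ddong.com
if sign_csr other "DNS:www.ddong.com" 2>/dev/null; then
    echo "unexpected: CSR with O=ddong was signed"; exit 1
fi
```

After copying a certificate onto the web server, `openssl verify -CAfile cacert.pem httpd.crt` is the check to run before restarting the service; `OK` there but a browser warning means the client simply has not imported cacert.pem yet.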
Apache 2.4 server configuration:
[root@localhost ~]# yum install httpd mod_ssl -y
[root@localhost ~]# chmod 700 /etc/httpd/ssl
[root@localhost ~]# chmod 600 /etc/httpd/ssl/httpd.key
[root@localhost ~]# vim /etc/httpd/conf.d/u9time_ssl.conf
<VirtualHost *:80>
    # This first-listed virtual host is also the default for *:80
    ServerName www.u9time.com
    ServerAlias www1.u9time.com www2.u9time.com
    DocumentRoot "/var/www/html/u9time"
</VirtualHost>
<VirtualHost *:443>
    # This first-listed virtual host is also the default for *:443
    ServerName www.u9time.com
    ServerAlias www1.u9time.com www2.u9time.com
    DocumentRoot "/var/www/html/u9time"
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!SEED:!IDEA
    SSLCertificateFile "/etc/httpd/ssl/httpd.crt"
    SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
</VirtualHost>
The certificate and key names match what was generated and signed above (httpd.key, httpd.crt). The permissions are set on the key file, not on the directory: chmod 600 on a directory strips its execute bit, so nothing inside it can be opened by a non-root user, while the intent is only to keep the private key unreadable. Listen 443 is already provided by the ssl.conf that mod_ssl installs. The stock ssl.conf also lists 3DES in SSLCipherSuite; it is only needed for very old clients and is excluded here.
nginx server configuration:
Prerequisite: nginx was built with the ssl module (http_ssl_module).
[root@localhost conf.d]# cat u9time.conf
server {
    listen 80;
    server_name www.u9time.com;
    root /var/www/html/u9;
    location / {
    }
}
server {
    listen 443 ssl;
    server_name www.u9time.com;
    root /var/www/html/u9;
    ssl_certificate /etc/httpd/ssl/httpd.crt;         # certificate file
    ssl_certificate_key /etc/httpd/ssl/httpd.key;     # key file
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    location / {
    }
}
The ssl parameter on the listen directive replaces the older "ssl on;" directive, which is deprecated since nginx 1.15.0 and removed in later releases. The certificate and key paths point at the files the CA issued above; adjust them to wherever you copied the files on the nginx host.