
Apache and nginx SSL certificate setup and issuance with a private CA

2018-12-29 17:41

When running experiments you sometimes need an SSL certificate, and on a LAN there is no reason to buy one. So here we build our own CA server and have it issue certificates to the servers on the LAN that need them. One thing to keep in mind: a certificate from a private CA is only accepted by clients that have the CA's certificate (cacert.pem, never its private key) imported into their trust store; until that is done, browsers will warn about every certificate this CA issues.

Straight to the commands.
Prepare one server as the CA server:

[root@localhost CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)   ## CA private key; the umask makes the file 0600, and this key never leaves the CA host
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650   ## self-signed root certificate, valid 10 years; this is the file clients must trust
---
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:u9time       ## organization name; the default policy_match section of openssl.cnf requires C, ST and O in every request to match these values
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:ca.u9time.com       ## a name for the CA itself; this is not a server certificate, so it does not have to match any website hostname
Email Address []:

[root@lvs CA]# touch index.txt        ## database of issued certificates; 'openssl ca' refuses to run without it (path set by the 'database' entry of openssl.cnf)
[root@lvs CA]# echo "01" > serial   ## next serial number to issue, also required by 'openssl ca' (path set by the 'serial' entry of openssl.cnf)

Client host (the Apache or nginx server) generates the certificate signing request (CSR):

[root@localhost ssl]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)   ## server private key, created 0600; it stays on this host and is never sent to the CA
[root@localhost ssl]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr   ## answer the prompts to build the CSR (no -days here: the validity period is decided by the CA at signing time)
---
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:u9time     ## C, ST and O must match the CA's values, otherwise 'openssl ca' rejects the request under the default policy_match
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.u9time.com     ## the full hostname the certificate is for; it can be any name, e.g. www.ddong.com. Note that modern browsers ignore the CN and match the URL against the subjectAltName, which this interactive flow does not add
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:www.u9time.com     ## legacy attribute stored in the CSR and ignored by 'openssl ca'; it can be left blank
An optional company name []:

[root@localhost ssl]# scp -p httpd.csr root@192.168.157.3:/root/                   ## send the CSR (only the CSR, not the key) to the CA server for signing

The CA server signs the certificate:

[root@localhost ~]# openssl ca -in httpd.csr -out httpd.crt -days 365   ## uses the /etc/pki/CA layout configured in /etc/pki/tls/openssl.cnf; prints the request subject and asks two questions
y   ## Sign the certificate? [y/n]
y   ## 1 out of 1 certificate requests certified, commit? [y/n]
[root@localhost ~]# scp -p httpd.crt root@192.168.157.9:/etc/httpd/ssl/   ## return the signed certificate to the web server, next to httpd.key
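The whole procedure above (CA key and root, server key and CSR, signing, verification) as one script. This is an added example, not code from the original post: it uses a scratch directory with its own openssl.cnf instead of /etc/pki/CA, issues the certificate non-interactively, adds a subjectAltName covering the alias names, and demonstrates the policy_match rejection that the "organization must match the CA" comments refer to. The names u9time, www.u9time.com and www.ddong.com are the post's placeholders; the function names are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the same CA workflow as above,
# but non-interactive and self-contained (own openssl.cnf in a scratch dir
# instead of /etc/pki/CA), so it can be rehearsed before touching a real CA.
# The names (u9time, www.u9time.com, www.ddong.com) reuse the post's placeholders.
set -eu

# Create the CA tree, its config, and a self-signed root valid for 10 years.
make_ca() {
    ca="$1"
    mkdir -p "$ca/private" "$ca/newcerts"
    chmod 700 "$ca/private"
    : > "$ca/index.txt"        # issued-cert database; 'openssl ca' will not run without it
    echo 01 > "$ca/serial"     # next serial number; also required by 'openssl ca'
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir             = $ca
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
copy_extensions = copy
x509_extensions = server_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$ca/openssl.cnf" \
        -key "$ca/private/cakey.pem" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=u9time/OU=ca/CN=ca.u9time.com" \
        -out "$ca/cacert.pem"
}

# Generate a server key and a CSR that carries a subjectAltName. Browsers match
# the URL hostname against the SAN, not the CN, so list every alias there.
# $1=dir  $2=basename  $3=subject  $4=SAN list (DNS:a,DNS:b,...)
make_csr() {
    dir="$1"; name="$2"; subj="$3"; san="$4"
    printf '[ req ]\ndistinguished_name = req_dn\nreq_extensions = v3_req\n[ req_dn ]\n[ v3_req ]\nsubjectAltName = %s\n' "$san" > "$dir/$name.cnf"
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$dir/$name.cnf" -key "$dir/$name.key" \
        -subj "$subj" -out "$dir/$name.csr"
}

# Sign a CSR with the CA; -batch answers the two "y" prompts seen above.
# Returns non-zero if the request violates policy_match (e.g. a different O).
sign_csr() {
    openssl ca -batch -config "$1/openssl.cnf" -in "$2" -out "$3" -days 365 -notext 2>/dev/null
}

# Check that the issued cert chains to the CA and names the expected host.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null &&
        openssl x509 -in "$2" -noout -text | grep -qF "DNS:$3"
}

# Demo run in a scratch directory.
WORK="$(mktemp -d)"
make_ca "$WORK/CA"
make_csr "$WORK" www "/C=CN/ST=Shanghai/L=Shanghai/O=u9time/OU=ops/CN=www.u9time.com" \
    "DNS:www.u9time.com,DNS:www1.u9time.com,DNS:www2.u9time.com"
sign_csr "$WORK/CA" "$WORK/www.csr" "$WORK/www.crt"
verify_cert "$WORK/CA" "$WORK/www.crt" www1.u9time.com
echo "www.u9time.com: chain verifies against cacert.pem, SAN present"
# A request whose O differs from the CA's is rejected by policy_match.
make_csr "$WORK" other "/C=CN/ST=Shanghai/O=ddong/CN=www.ddong.com" "DNS:www.ddong.com"
if sign_csr "$WORK/CA" "$WORK/other.csr" "$WORK/other.crt"; then
    echo "unexpected: www.ddong.com signed despite O mismatch"; exit 1
else
    echo "www.ddong.com: rejected, organizationName does not match the CA"
fi
```

To use it against the real CA, point `dir` at /etc/pki/CA and skip the scratch setup; drop the `2>/dev/null` on `openssl ca` to see the exact policy error. Only the CSR travels to the CA host and only the signed certificate comes back; the server key and the CA key each stay where they were generated.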

Apache 2.4 server configuration:

[root@localhost ~]# yum install httpd mod_ssl -y
[root@localhost ~]# chmod 700 /etc/httpd/ssl && chmod 600 /etc/httpd/ssl/httpd.key   ## key directory root-only and the key itself 0600 (mode 600 on a directory removes the execute bit it needs to be traversed)
[root@localhost ~]# vim /etc/httpd/conf.d/u9time_ssl.conf
<VirtualHost *:80>
# This first-listed virtual host is also the default for *:80
ServerName www.u9time.com
ServerAlias www1.u9time.com www2.u9time.com
DocumentRoot "/var/www/html/u9time"
</VirtualHost>

<VirtualHost *:443>
# This first-listed virtual host is also the default for *:443

ServerName www.u9time.com
ServerAlias www1.u9time.com www2.u9time.com
DocumentRoot "/var/www/html/u9time"

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
# TLS 1.2 only: SSLv2/SSLv3 and TLS 1.0/1.1 are all deprecated (RFC 8996)
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# the original list explicitly enabled 3DES, which is vulnerable to SWEET32; exclude it
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!SEED:!IDEA

# these must be the files actually issued and copied above (httpd.crt / httpd.key);
# pointing at non-existent u9time.crt / u9time.key makes httpd fail to start
SSLCertificateFile "/etc/httpd/ssl/httpd.crt"
SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
</VirtualHost>

nginx server configuration:

Prerequisite: nginx was built with the SSL module (configure --with-http_ssl_module; check the output of nginx -V).
[root@localhost conf.d]# cat u9time.conf
server {

listen 80;
server_name www.u9time.com;
root /var/www/html/u9;

location / {
}

}

server {

listen 443 ssl;       # 'ssl on;' is deprecated since nginx 1.15.0 (removed in 1.25.1); enable TLS on the listen socket instead
server_name www.u9time.com;
root /var/www/html/u9;

ssl_certificate /etc/httpd/ssl/httpd.crt;       # certificate issued by the CA above (same files as in the Apache example; any path nginx can read works)
ssl_certificate_key /etc/httpd/ssl/httpd.key;   # private key, mode 0600; the master process reads it as root before the workers drop privileges
ssl_protocols TLSv1.2;                          # TLS 1.2 only; add TLSv1.3 when nginx is built against OpenSSL 1.1.1 or newer

ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 10m;
location / {
}

}
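Before reloading either server with the files from the two sections above, the following checks catch the usual reasons a TLS vhost fails to come up or is rejected by clients: a key that does not belong to the certificate (the Apache and nginx configs as originally posted named u9time.crt/u9time.key while the issued files were httpd.crt/httpd.key), a certificate that does not name the vhost or one of its aliases, a certificate about to expire, and a key readable by other users. This is an added example, not from the original post; the function names are assumptions made here, and make_sample_pair builds a constructed self-signed pair so the demo runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: pre-flight checks for a
# certificate/key pair before reloading Apache or nginx. Function names are
# assumptions; the sample pair built at the bottom is constructed for the demo.
set -eu

# 1. Does the private key belong to the certificate? Compare the public keys;
#    unlike the old "-modulus" trick this also works for EC keys.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 2. Will a client accept this cert for the site name? -checkhost applies the
#    same rule as OpenSSL-based clients: SAN first, CN only if there is no SAN.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# 3. Is the cert still valid in $2 days? (-checkend takes seconds)
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# 4. The private key must not be group/world readable (0600 or 0400).
key_perms_ok() {
    case "$(ls -ld "$1" | cut -c2-10)" in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all four; prints one line per check, returns non-zero on any hard failure.
preflight() {
    crt="$1"; key="$2"; host="$3"; rc=0
    key_matches_cert "$crt" "$key"   && echo "ok   key matches cert"      || { echo "FAIL key does not match cert"; rc=1; }
    cert_matches_host "$crt" "$host" && echo "ok   cert names $host"      || { echo "FAIL cert does not name $host"; rc=1; }
    cert_valid_for_days "$crt" 30    && echo "ok   >30 days validity"     || echo "WARN cert expires within 30 days"
    key_perms_ok "$key"              && echo "ok   key mode is 0600/0400" || { echo "FAIL key is readable by others"; rc=1; }
    return $rc
}

# 5. After the reload: handshake with SNI and verify against the private CA's
#    cacert.pem, exactly as a LAN client that trusts it would. Not run in the demo.
probe_tls() {
    printf 'Q\n' | openssl s_client -connect "$1" -servername "$2" -CAfile "$3" 2>/dev/null |
        grep -E 'Verify return code|Protocol  :|Cipher    :'
}

# Constructed sample input: a self-signed pair for www.u9time.com (SAN includes
# www1) valid for 2 days, plus an unrelated key, in the given directory.
make_sample_pair() {
    printf '[ req ]\ndistinguished_name = dn\nx509_extensions = ext\n[ dn ]\n[ ext ]\nsubjectAltName = DNS:www.u9time.com,DNS:www1.u9time.com\n' > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/req.cnf" \
        -subj "/O=u9time/CN=www.u9time.com" -keyout "$1/httpd.key" -out "$1/httpd.crt" 2>/dev/null
    chmod 600 "$1/httpd.key"
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

WORK="$(mktemp -d)"
make_sample_pair "$WORK"
preflight "$WORK/httpd.crt" "$WORK/httpd.key" www1.u9time.com     # passes, with only the 30-day warning
echo "--- same cert with an unrelated key (the u9time.key vs httpd.crt mix-up) ---"
preflight "$WORK/httpd.crt" "$WORK/other.key" www.u9time.com || echo "preflight failed as expected"
```

On the web server this is `preflight /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key www1.u9time.com`; once `apachectl configtest` or `nginx -t` passes and the service is reloaded, `probe_tls 192.168.157.9:443 www.u9time.com cacert.pem` should print `Verify return code: 0 (ok)` and a TLSv1.2 cipher. A non-zero verify code at that point means the client side is missing the CA certificate, not that the server is misconfigured.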
Tags: openssl ssl