概述
本章,您将学习到关于 https 的相关知识。
由于涉及到的内容较多,本章节的内容被划分为三部分的文档:
- 第一部分 - https 的基础知识
- 第二部分 - 手动模拟出 SSL 证书
- 第三部分 - 在 Apache httpd 中进行配置
提示
实际生产环境下的 SSL 证书需要向证书品牌商申请,各个证书品牌商也有相关的文档进行说明。
模拟证书申请到签发的全过程
主机准备
准备两台主机:
| 角色 | 操作系统 | IPv4 地址 | 说明 |
|---|---|---|---|
| Web 服务器 | RL 8.10 | 192.168.100.20/24 | |
| CA | RL 10.2 | 192.168.100.21/24 | CA 即 Certificate Authority(证书颁发机构),用来给申请者的证书签名并颁发证书 |
对 CA 进行配置
日常的混淆
由于大多数人接触最多的是 Web https,因此日常交流过程会将 "CA 证书" 等同于 "SSL 证书",但严格来说没有 "CA 证书" 这个术语或概念。一方面,CA 机构有自己的证书,被称为 **根证书** 或 **中间 CA 证书**;另外一方面,申请者获得的签名证书更加标准的表述是 「CA 机构签发的证书」。所以,当有非从业人员人提到 "CA 证书" 时,你需要清楚它到底是指 CA 自己的证书还是 CA 机构签发的证书。
说明
CA 不仅可以给 Web 服务器颁发证书,软件代码的签名证书、邮件的签名证书、文档的签名证书等都需要 CA 这个机构进行签发
前面提到,CA 需要有自己的证书,即根证书或中间 CA 证书,相关的步骤为:
- 创建目录和文件
- 生成密钥
- 自签名证书文件
/etc/pki/tls/openssl.cnf 这个文件中定义了相关所需的文件与目录:
Shell > cat /etc/pki/tls/openssl.cnf
...
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
x509_extensions = usr_cert # The extensions to add to the cert
...
手动创建这些文件和目录:
Shell > mkdir /etc/pki/CA
Shell > mkdir /etc/pki/CA/{certs,crl,newcerts,private}
Shell > touch /etc/pki/CA/{index.txt,serial}
Shell > ls -l /etc/pki/CA/
total 16
drwxr-xr-x 2 root root 4096 Jul 9 11:54 certs
drwxr-xr-x 2 root root 4096 Jul 9 11:54 crl
-rw-r--r-- 1 root root 0 Jul 9 11:54 index.txt
drwxr-xr-x 2 root root 4096 Jul 9 11:54 newcerts
drwxr-xr-x 2 root root 4096 Jul 9 11:54 private
-rw-r--r-- 1 root root 0 Jul 9 11:54 serial
使用 openssl 命令生成 RSA 私钥:
Shell > openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Shell > cat /etc/pki/CA/private/cakey.pem
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCqyB83qVqhoXen
Lk7R0BtenDmAuxXO+FZcnwgeAS1NB36hdHn2B4bAHW2iPjULMq9Omh1KGoAhcpIn
vwPA41pe2BMvQX9zjPJaAEZVtogfrHvw2mpe1uJEVKjDKzfyks8ZlNmQWfRUfZGt
jmWO3OhFr2i+HC2tLJ6IRfgexewf3GHviJdgwDG5GXvGnkBz7PwGHXT7JJkR9d2Y
yUJ7kwaCIPmDblvCiP3bvoyWcuUZI+0wS16o2JsD4thKxHyFQo7dH7MfzeG0+6ZK
A+RhKdXMz0zKmguy5gVr4SW332ExokB3EbDYJLCYezA3ZOUtqHF2Fuwt732xpwcM
SLJipD+PAgMBAAECggEARTaq1DOqHARlClfNsOHPHdZhxabMzV8/HPWE5Cgk9Gl7
rDKY9RmSxoyGsLDWbY3il5AFG9HGqQeWbU5QVp2ts++NQuMgJLP0Sn5/AuDhpTiR
2IikgIBFHl1TMhnzaDeQgHUfgY27ZHypjDXAOhiUeB2BbT7dUihZra/xwYMEUdqk
zEkaoC/ZqE4ARB9DFp+UkKiNZHccQfqg4le2Nbw3NqmrWOXK2opHbRwbKLOACvxT
3FoYTQvrtJP032SiU+9OwFRor6Z1wY+Ipa5/hlP1+p/B0M1qYN6gIoSY6yTzBOo1
0MjClzSFyAoe6cHKW0zpqXo6ugmnIoac1TH+NJx98QKBgQDhiPqqGuKPUPX+G9YD
1f7bPPNzWmL0w5FFL2WOizUMVMc86LzlQe8AfQrPpB6Jlmk+eW9xOxmpysd7HtwL
rXfMfNEnR7I5UIE/xbVp8kCCPjZvzddoc40dI30esh+bIAF4jnBmWd9GHuvkyTYi
Cjy9xjuvBeedvnk65aYpUOHfEQKBgQDB2cSDvpAA7ccoz0hMwK4ByVddMngkayoi
l61EayzWJTAePsLVabuzRDECnpNJ8x5klrI+rca5C7uRkm0sa2IUdwNmicy3MSfj
oCo1An1Q2kZ9TUR0hwrTrK92d/hNGpDAA9LwgAY1JScTTDXTerZ9wG0B9uymSWCW
lmc1Ftd0nwKBgGzwZWPVKKphSPE9MNsZeskbX9zQRAxGit0IT93SkAUszjA1m0iB
2Jg7zgUOGVIMPTnYHmRrT7IcKM7n0RIy8DLt93kpwIS+xi+vqDlMsqw2sMTAgNQL
PJZelglFsM6VXyCEbPaDYr3UIc2ZA3TdzQk9v4aDK6WeY6B3XROH5hKBAoGAeVjZ
xGLJAFvYfTpsludSxfmEv+l0/c87vBXYt+ijU5ZJ7dT53+BlSE3apDoiF3uiPfN7
tvLPYEzw6KqRvumlpwvtTAXc6ZxSzRIY+cAKNE+/Knbw8EUMyP7jg7SL8bA8hoae
SEDMIf6U3GarlyvNCyEm28D32Qw782hJSRl4XB8CgYEAuhj/btDHXwaeAMqDuchQ
c8dCv8BWsEX/Pe2lHykLO6Uah5eTMayCN0P5UxHAiObsLbY9XJxPtnzBm06KxJSA
AUusN6ABp+2gWIsNPicziTADEqJoc+JTX+4X+5gV6BYsbI8XKEzHnXlHMvIcCwek
L00TFemu3G5OrXg3BZtQ+f8=
-----END PRIVATE KEY-----
说明:
genrsa命令 - 使用 RSA 生成私钥-out /etc/pki/CA/private/cakey.pem- 指定输出路径。cakey.pem 是一个 PEM 格式的私钥文件2048- 私钥长度为 2048 位(比特)
利用私钥文件创建自签名文件:
Shell > openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:JingZhou
Organization Name (eg, company) [Default Company Ltd]:company
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:My Root CA
Email Address []:
说明:
req命令 - 创建签名文件-new选项 - 新的证书请求-x509选项 - 指定输出格式为 X.509 标准的自签名证书,而不是普通的 CSR(Certificate Signing Request,证书签名请求)-key /etc/pki/CA/private/cakey.pem- 指定私钥文件-out /etc/pki/CA/cacert.pem- 指定生成的自签名证书保存的文件名和路径-days 365- 证书的有效期为 365 天
命令的输出交互中依次是:
- Country Name (C) - 国家代码
- State or Province Name (ST) - 省份或州
- Locality Name (L) - 城市
- Organization Name (O) - 组织机构名称
- Organizational Unit Name (OU) - 部门名称
- Common Name (CN) - 通用名称。对于 CA 证书,通常填写 CA 的名称(如 "My Root CA");对于服务器证书,则填写域名。
- Email Address - 联系邮箱(可选)
查看自签名证书的信息:
Shell > openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
2f:eb:d3:58:27:05:27:0d:46:e1:cf:ee:83:67:5f:3f:29:f3:ca:8a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=HuBei, L=JingZhou, O=company, OU=it, CN=My Root CA
Validity
Not Before: Jul 9 04:25:28 2026 GMT
Not After : Jul 9 04:25:28 2027 GMT
Subject: C=CN, ST=HuBei, L=JingZhou, O=company, OU=it, CN=My Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:aa:c8:1f:37:a9:5a:a1:a1:77:a7:2e:4e:d1:d0:
1b:5e:9c:39:80:bb:15:ce:f8:56:5c:9f:08:1e:01:
2d:4d:07:7e:a1:74:79:f6:07:86:c0:1d:6d:a2:3e:
35:0b:32:af:4e:9a:1d:4a:1a:80:21:72:92:27:bf:
03:c0:e3:5a:5e:d8:13:2f:41:7f:73:8c:f2:5a:00:
46:55:b6:88:1f:ac:7b:f0:da:6a:5e:d6:e2:44:54:
a8:c3:2b:37:f2:92:cf:19:94:d9:90:59:f4:54:7d:
91:ad:8e:65:8e:dc:e8:45:af:68:be:1c:2d:ad:2c:
9e:88:45:f8:1e:c5:ec:1f:dc:61:ef:88:97:60:c0:
31:b9:19:7b:c6:9e:40:73:ec:fc:06:1d:74:fb:24:
99:11:f5:dd:98:c9:42:7b:93:06:82:20:f9:83:6e:
5b:c2:88:fd:db:be:8c:96:72:e5:19:23:ed:30:4b:
5e:a8:d8:9b:03:e2:d8:4a:c4:7c:85:42:8e:dd:1f:
b3:1f:cd:e1:b4:fb:a6:4a:03:e4:61:29:d5:cc:cf:
4c:ca:9a:0b:b2:e6:05:6b:e1:25:b7:df:61:31:a2:
40:77:11:b0:d8:24:b0:98:7b:30:37:64:e5:2d:a8:
71:76:16:ec:2d:ef:7d:b1:a7:07:0c:48:b2:62:a4:
3f:8f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
53:44:9E:50:28:7F:4D:C9:AA:D9:44:22:3D:D6:9F:19:B8:97:E1:70
X509v3 Authority Key Identifier:
53:44:9E:50:28:7F:4D:C9:AA:D9:44:22:3D:D6:9F:19:B8:97:E1:70
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
01:16:bf:6e:2a:a4:fb:f7:fc:27:fd:b1:98:9e:2e:a8:be:cc:
2c:13:2d:57:06:fa:d8:4d:84:31:bd:d0:5e:4b:95:31:86:3e:
8d:11:0e:ae:a5:09:76:15:cc:92:eb:97:e1:c8:31:a8:88:c1:
05:25:be:e5:ac:14:ab:e0:4a:35:2e:c3:7d:ec:96:81:70:63:
dd:36:35:e6:3f:ee:6f:de:4a:37:6f:57:32:a8:de:91:3a:57:
29:91:5d:ca:da:59:eb:67:89:39:72:9b:ce:54:58:44:46:1b:
a3:9b:71:d1:3a:4e:9f:01:fe:82:96:a2:cf:c3:8b:0a:1a:9e:
87:d0:70:56:09:a1:ef:97:f9:dc:0c:2b:db:f9:ea:1a:80:03:
0b:1a:7f:28:69:87:88:c8:3c:46:79:fc:1b:ef:a3:4c:bc:1b:
f3:6a:2a:9d:2f:82:1c:12:13:2b:3e:10:b9:c8:24:7a:4d:fb:
11:44:f1:1e:a3:ad:63:fe:88:8f:20:6f:ee:69:73:73:75:bc:
f6:e7:c7:32:a0:c3:e8:94:aa:15:06:53:16:35:27:62:1e:5c:
bb:3c:b0:f9:c9:1d:77:80:07:67:2a:0c:20:b1:31:71:94:23:
24:88:fb:d5:fa:bb:04:7a:6c:c5:70:54:62:1a:c8:9e:56:d7:
a9:53:e1:c5
/etc/pki/tls/openssl.cnf 文件中定义了申请者 CSR 文件中的 C、ST、O 必须和 CA 根证书中的一致。
Shell > cat /etc/pki/tls/openssl.cnf
...
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
...
Web 服务器生成 CSR 文件
生成 RSA 私钥:
Shell > cd /usr/local/apache2/ && mkdir web-ssl
Shell > cd web-ssl/
Shell > openssl genrsa -out httpd-key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................................+++++
........................................................................+++++
e is 65537 (0x010001)
生成 CSR 文件:
Shell > cd /usr/local/apache2/web-ssl/
Shell > openssl req -new -key httpd-key.pem -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:company
Organizational Unit Name (eg, section) []:all
Common Name (eg, your name or your server's hostname) []:www.reada.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Shell > ls -l /usr/local/apache2/web-ssl
total 8
-rw-r--r-- 1 root root 1001 Jul 9 19:10 httpd.csr
-rw------- 1 root root 1679 Jul 9 19:05 httpd-key.pem
将 CSR 文件发送给 CA 进行签发:
Shell > cd /usr/local/apache2/web-ssl/
Shell > scp -P 22 httpd.csr root@192.168.100.21:/tmp/
CA 对申请者提交的证书进行签发
前面手动创建了 /etc/pki/CA/index.txt 和 /etc/pki/CA/serial 这两个文件,这两个文件表示的含义为:
- index.txt - 签名证书的颁发数据记录
- serial - 序列号,需要有一个初始值,见下面的操作
Shell > echo "00" > /etc/pki/CA/serial
对申请者提交的证书进行签发(确认无误后键入两次 y 即可):
Shell > cd /etc/pki/CA/
Shell > openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 360
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jul 9 11:32:15 2026 GMT
Not After : Jul 4 11:32:15 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = HuBei
organizationName = company
organizationalUnitName = all
commonName = www.reada.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
10:24:00:56:69:29:CD:6B:60:37:B9:18:D7:A6:02:B9:E3:AD:BA:50
X509v3 Authority Key Identifier:
53:44:9E:50:28:7F:4D:C9:AA:D9:44:22:3D:D6:9F:19:B8:97:E1:70
Certificate is to be certified until Jul 4 11:32:15 2027 GMT (360 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated
再次查看 index.txt 和 serial 文件的内容:
Shell > cat /etc/pki/CA/index.txt
V 270704113215Z 00 unknown /C=CN/ST=HuBei/O=company/OU=all/CN=www.reada.org
Shell > cat /etc/pki/CA/serial
01
将签发的 httpd.crt 文件发送给 Web 服务器:
Shell > scp -P 22 /tmp/httpd.crt root@192.168.100.20:/usr/local/apache2/web-ssl/
此时 Web 服务器的 /usr/local/apache2/web-ssl/ 目录下有三个文件:
- httpd-key.pem - RSA 私钥文件
- httpd.csr - 证书签名请求文件
- httpd.crt - CA 签发后的证书文件
后续 Web 服务器关于 SSL 证书的配置在第三部分进行说明。
版权声明:「自由转载-保持署名-非商业性使用-禁止演绎 3.0 国际」(CC BY-NC-ND 3.0)
用一杯咖啡支持我们,我们的每一篇[文档]都经过实际操作和精心打磨,而不是简单地从网上复制粘贴。期间投入了大量心血,只为能够真正帮助到您。
暂无评论










