Apache httpd功能篇06—https第二部分

概述

本章,您将学习到关于 https 的相关知识。

由于涉及到的内容较多,本章节的内容被划分为三部分的文档:

  • 第一部分 - https 的基础知识
  • 第二部分 - 手动模拟出 SSL 证书
  • 第三部分 - 在 Apache httpd 中进行配置
提示
实际生产环境下的 SSL 证书需要向证书品牌商申请,各个证书品牌商也有相关的文档进行说明。

模拟证书申请到签发的全过程

主机准备

准备两台主机:

角色 操作系统 IPv4 地址 说明
Web 服务器 RL 8.10 192.168.100.20/24
CA RL 10.2 192.168.100.21/24 CA 即 Certificate Authority(证书颁发机构),用来给申请者的证书签名并颁发证书

对 CA 进行配置

日常的混淆
由于大多数人接触最多的是 Web https,因此日常交流过程会将 "CA 证书" 等同于 "SSL 证书",但严格来说没有 "CA 证书" 这个术语或概念。一方面,CA 机构有自己的证书,被称为 **根证书** 或 **中间 CA 证书**;另外一方面,申请者获得的签名证书更加标准的表述是 「CA 机构签发的证书」。所以,当有非从业人员人提到 "CA 证书" 时,你需要清楚它到底是指 CA 自己的证书还是 CA 机构签发的证书。

说明
CA 不仅可以给 Web 服务器颁发证书,软件代码的签名证书、邮件的签名证书、文档的签名证书等都需要 CA 这个机构进行签发

前面提到,CA 需要有自己的证书,即根证书或中间 CA 证书,相关的步骤为:

  1. 创建目录和文件
  2. 生成密钥
  3. 自签名证书文件

/etc/pki/tls/openssl.cnf 这个文件中定义了相关所需的文件与目录:

Shell > cat /etc/pki/tls/openssl.cnf
...
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certs with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key

x509_extensions = usr_cert              # The extensions to add to the cert
...

手动创建这些文件和目录:

Shell > mkdir /etc/pki/CA

Shell > mkdir /etc/pki/CA/{certs,crl,newcerts,private}

Shell > touch /etc/pki/CA/{index.txt,serial}

Shell > ls -l /etc/pki/CA/
total 16
drwxr-xr-x 2 root root 4096 Jul  9 11:54 certs
drwxr-xr-x 2 root root 4096 Jul  9 11:54 crl
-rw-r--r-- 1 root root    0 Jul  9 11:54 index.txt
drwxr-xr-x 2 root root 4096 Jul  9 11:54 newcerts
drwxr-xr-x 2 root root 4096 Jul  9 11:54 private
-rw-r--r-- 1 root root    0 Jul  9 11:54 serial

使用 openssl 命令生成 RSA 私钥:

Shell > openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048

Shell > cat /etc/pki/CA/private/cakey.pem
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCqyB83qVqhoXen
Lk7R0BtenDmAuxXO+FZcnwgeAS1NB36hdHn2B4bAHW2iPjULMq9Omh1KGoAhcpIn
vwPA41pe2BMvQX9zjPJaAEZVtogfrHvw2mpe1uJEVKjDKzfyks8ZlNmQWfRUfZGt
jmWO3OhFr2i+HC2tLJ6IRfgexewf3GHviJdgwDG5GXvGnkBz7PwGHXT7JJkR9d2Y
yUJ7kwaCIPmDblvCiP3bvoyWcuUZI+0wS16o2JsD4thKxHyFQo7dH7MfzeG0+6ZK
A+RhKdXMz0zKmguy5gVr4SW332ExokB3EbDYJLCYezA3ZOUtqHF2Fuwt732xpwcM
SLJipD+PAgMBAAECggEARTaq1DOqHARlClfNsOHPHdZhxabMzV8/HPWE5Cgk9Gl7
rDKY9RmSxoyGsLDWbY3il5AFG9HGqQeWbU5QVp2ts++NQuMgJLP0Sn5/AuDhpTiR
2IikgIBFHl1TMhnzaDeQgHUfgY27ZHypjDXAOhiUeB2BbT7dUihZra/xwYMEUdqk
zEkaoC/ZqE4ARB9DFp+UkKiNZHccQfqg4le2Nbw3NqmrWOXK2opHbRwbKLOACvxT
3FoYTQvrtJP032SiU+9OwFRor6Z1wY+Ipa5/hlP1+p/B0M1qYN6gIoSY6yTzBOo1
0MjClzSFyAoe6cHKW0zpqXo6ugmnIoac1TH+NJx98QKBgQDhiPqqGuKPUPX+G9YD
1f7bPPNzWmL0w5FFL2WOizUMVMc86LzlQe8AfQrPpB6Jlmk+eW9xOxmpysd7HtwL
rXfMfNEnR7I5UIE/xbVp8kCCPjZvzddoc40dI30esh+bIAF4jnBmWd9GHuvkyTYi
Cjy9xjuvBeedvnk65aYpUOHfEQKBgQDB2cSDvpAA7ccoz0hMwK4ByVddMngkayoi
l61EayzWJTAePsLVabuzRDECnpNJ8x5klrI+rca5C7uRkm0sa2IUdwNmicy3MSfj
oCo1An1Q2kZ9TUR0hwrTrK92d/hNGpDAA9LwgAY1JScTTDXTerZ9wG0B9uymSWCW
lmc1Ftd0nwKBgGzwZWPVKKphSPE9MNsZeskbX9zQRAxGit0IT93SkAUszjA1m0iB
2Jg7zgUOGVIMPTnYHmRrT7IcKM7n0RIy8DLt93kpwIS+xi+vqDlMsqw2sMTAgNQL
PJZelglFsM6VXyCEbPaDYr3UIc2ZA3TdzQk9v4aDK6WeY6B3XROH5hKBAoGAeVjZ
xGLJAFvYfTpsludSxfmEv+l0/c87vBXYt+ijU5ZJ7dT53+BlSE3apDoiF3uiPfN7
tvLPYEzw6KqRvumlpwvtTAXc6ZxSzRIY+cAKNE+/Knbw8EUMyP7jg7SL8bA8hoae
SEDMIf6U3GarlyvNCyEm28D32Qw782hJSRl4XB8CgYEAuhj/btDHXwaeAMqDuchQ
c8dCv8BWsEX/Pe2lHykLO6Uah5eTMayCN0P5UxHAiObsLbY9XJxPtnzBm06KxJSA
AUusN6ABp+2gWIsNPicziTADEqJoc+JTX+4X+5gV6BYsbI8XKEzHnXlHMvIcCwek
L00TFemu3G5OrXg3BZtQ+f8=
-----END PRIVATE KEY-----

说明:

  • genrsa 命令 - 使用 RSA 生成私钥
  • -out /etc/pki/CA/private/cakey.pem - 指定输出路径。cakey.pem 是一个 PEM 格式的私钥文件
  • 2048 - 私钥长度为 2048 位(比特)

利用私钥文件创建自签名文件:

Shell > openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:JingZhou
Organization Name (eg, company) [Default Company Ltd]:company
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:My Root CA
Email Address []:

说明:

  • req 命令 - 创建签名文件
  • -new 选项 - 新的证书请求
  • -x509 选项 - 指定输出格式为 X.509 标准的‌自签名证书‌,而不是普通的 CSR(Certificate Signing Request,证书签名请求)
  • -key /etc/pki/CA/private/cakey.pem - 指定私钥文件
  • -out /etc/pki/CA/cacert.pem - 指定生成的自签名证书保存的文件名和路径
  • -days 365 - 证书的有效期为 365 天

命令的输出交互中依次是:

  • Country Name (C)‌ - 国家代码
  • State or Province Name (ST)‌ - 省份或州
  • Locality Name (L)‌ - 城市
  • Organization Name (O)‌ - 组织机构名称
  • Organizational Unit Name (OU)‌ - 部门名称
  • Common Name (CN)‌ - 通用名称。对于 CA 证书,通常填写 CA 的名称(如 "My Root CA");对于服务器证书,则填写域名。
  • Email Address‌ - 联系邮箱(可选)

查看自签名证书的信息:

Shell > openssl x509 -in /etc/pki/CA/cacert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2f:eb:d3:58:27:05:27:0d:46:e1:cf:ee:83:67:5f:3f:29:f3:ca:8a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HuBei, L=JingZhou, O=company, OU=it, CN=My Root CA
        Validity
            Not Before: Jul  9 04:25:28 2026 GMT
            Not After : Jul  9 04:25:28 2027 GMT
        Subject: C=CN, ST=HuBei, L=JingZhou, O=company, OU=it, CN=My Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:c8:1f:37:a9:5a:a1:a1:77:a7:2e:4e:d1:d0:
                    1b:5e:9c:39:80:bb:15:ce:f8:56:5c:9f:08:1e:01:
                    2d:4d:07:7e:a1:74:79:f6:07:86:c0:1d:6d:a2:3e:
                    35:0b:32:af:4e:9a:1d:4a:1a:80:21:72:92:27:bf:
                    03:c0:e3:5a:5e:d8:13:2f:41:7f:73:8c:f2:5a:00:
                    46:55:b6:88:1f:ac:7b:f0:da:6a:5e:d6:e2:44:54:
                    a8:c3:2b:37:f2:92:cf:19:94:d9:90:59:f4:54:7d:
                    91:ad:8e:65:8e:dc:e8:45:af:68:be:1c:2d:ad:2c:
                    9e:88:45:f8:1e:c5:ec:1f:dc:61:ef:88:97:60:c0:
                    31:b9:19:7b:c6:9e:40:73:ec:fc:06:1d:74:fb:24:
                    99:11:f5:dd:98:c9:42:7b:93:06:82:20:f9:83:6e:
                    5b:c2:88:fd:db:be:8c:96:72:e5:19:23:ed:30:4b:
                    5e:a8:d8:9b:03:e2:d8:4a:c4:7c:85:42:8e:dd:1f:
                    b3:1f:cd:e1:b4:fb:a6:4a:03:e4:61:29:d5:cc:cf:
                    4c:ca:9a:0b:b2:e6:05:6b:e1:25:b7:df:61:31:a2:
                    40:77:11:b0:d8:24:b0:98:7b:30:37:64:e5:2d:a8:
                    71:76:16:ec:2d:ef:7d:b1:a7:07:0c:48:b2:62:a4:
                    3f:8f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                53:44:9E:50:28:7F:4D:C9:AA:D9:44:22:3D:D6:9F:19:B8:97:E1:70
            X509v3 Authority Key Identifier:
                53:44:9E:50:28:7F:4D:C9:AA:D9:44:22:3D:D6:9F:19:B8:97:E1:70
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        01:16:bf:6e:2a:a4:fb:f7:fc:27:fd:b1:98:9e:2e:a8:be:cc:
        2c:13:2d:57:06:fa:d8:4d:84:31:bd:d0:5e:4b:95:31:86:3e:
        8d:11:0e:ae:a5:09:76:15:cc:92:eb:97:e1:c8:31:a8:88:c1:
        05:25:be:e5:ac:14:ab:e0:4a:35:2e:c3:7d:ec:96:81:70:63:
        dd:36:35:e6:3f:ee:6f:de:4a:37:6f:57:32:a8:de:91:3a:57:
        29:91:5d:ca:da:59:eb:67:89:39:72:9b:ce:54:58:44:46:1b:
        a3:9b:71:d1:3a:4e:9f:01:fe:82:96:a2:cf:c3:8b:0a:1a:9e:
        87:d0:70:56:09:a1:ef:97:f9:dc:0c:2b:db:f9:ea:1a:80:03:
        0b:1a:7f:28:69:87:88:c8:3c:46:79:fc:1b:ef:a3:4c:bc:1b:
        f3:6a:2a:9d:2f:82:1c:12:13:2b:3e:10:b9:c8:24:7a:4d:fb:
        11:44:f1:1e:a3:ad:63:fe:88:8f:20:6f:ee:69:73:73:75:bc:
        f6:e7:c7:32:a0:c3:e8:94:aa:15:06:53:16:35:27:62:1e:5c:
        bb:3c:b0:f9:c9:1d:77:80:07:67:2a:0c:20:b1:31:71:94:23:
        24:88:fb:d5:fa:bb:04:7a:6c:c5:70:54:62:1a:c8:9e:56:d7:
        a9:53:e1:c5

/etc/pki/tls/openssl.cnf 文件中定义了申请者 CSR 文件中的 C、ST、O 必须和 CA 根证书中的一致。

Shell > cat /etc/pki/tls/openssl.cnf
...
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
...

Web 服务器生成 CSR 文件

生成 RSA 私钥:

Shell > cd /usr/local/apache2/ && mkdir web-ssl

Shell > cd web-ssl/

Shell > openssl genrsa -out httpd-key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................................+++++
........................................................................+++++
e is 65537 (0x010001)

生成 CSR 文件:

Shell > cd /usr/local/apache2/web-ssl/

Shell > openssl req -new -key httpd-key.pem -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:company
Organizational Unit Name (eg, section) []:all
Common Name (eg, your name or your server's hostname) []:www.reada.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Shell > ls -l /usr/local/apache2/web-ssl
total 8
-rw-r--r-- 1 root root 1001 Jul  9 19:10 httpd.csr
-rw------- 1 root root 1679 Jul  9 19:05 httpd-key.pem

将 CSR 文件发送给 CA 进行签发:

Shell > cd /usr/local/apache2/web-ssl/

Shell > scp -P 22 httpd.csr root@192.168.100.21:/tmp/

CA 对申请者提交的证书进行签发

前面手动创建了 /etc/pki/CA/index.txt/etc/pki/CA/serial 这两个文件,这两个文件表示的含义为:

  • index.txt - 签名证书的颁发数据记录
  • serial - 序列号,需要有一个初始值,见下面的操作
Shell > echo "00" > /etc/pki/CA/serial

对申请者提交的证书进行签发(确认无误后键入两次 y 即可):

Shell > cd /etc/pki/CA/

Shell > openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 360 
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jul  9 11:32:15 2026 GMT
            Not After : Jul  4 11:32:15 2027 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HuBei
            organizationName          = company
            organizationalUnitName    = all
            commonName                = www.reada.org
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                10:24:00:56:69:29:CD:6B:60:37:B9:18:D7:A6:02:B9:E3:AD:BA:50
            X509v3 Authority Key Identifier:
                53:44:9E:50:28:7F:4D:C9:AA:D9:44:22:3D:D6:9F:19:B8:97:E1:70
Certificate is to be certified until Jul  4 11:32:15 2027 GMT (360 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Database updated

再次查看 index.txt 和 serial 文件的内容:

Shell > cat /etc/pki/CA/index.txt
V       270704113215Z           00      unknown /C=CN/ST=HuBei/O=company/OU=all/CN=www.reada.org

Shell > cat /etc/pki/CA/serial
01

将签发的 httpd.crt 文件发送给 Web 服务器:

Shell > scp -P 22 /tmp/httpd.crt root@192.168.100.20:/usr/local/apache2/web-ssl/

此时 Web 服务器的 /usr/local/apache2/web-ssl/ 目录下有三个文件:

  • httpd-key.pem - RSA 私钥文件
  • httpd.csr - 证书签名请求文件
  • httpd.crt - CA 签发后的证书文件

后续 Web 服务器关于 SSL 证书的配置在第三部分进行说明。

Avatar photo

关于 陸風睿

GNU/Linux 从业者、开源爱好者、技术钻研者,撰写文档既是兴趣也是工作内容之一。Q - "281957576";WeChat - "jiulongxiaotianci",Github - https://github.com/jimcat8
用一杯咖啡支持我们,我们的每一篇[文档]都经过实际操作和精心打磨,而不是简单地从网上复制粘贴。期间投入了大量心血,只为能够真正帮助到您。
暂无评论

发送评论 编辑评论


				
|´・ω・)ノ
ヾ(≧∇≦*)ゝ
(☆ω☆)
(╯‵□′)╯︵┴─┴
 ̄﹃ ̄
(/ω\)
∠( ᐛ 」∠)_
(๑•̀ㅁ•́ฅ)
→_→
୧(๑•̀⌄•́๑)૭
٩(ˊᗜˋ*)و
(ノ°ο°)ノ
(´இ皿இ`)
⌇●﹏●⌇
(ฅ´ω`ฅ)
(╯°A°)╯︵○○○
φ( ̄∇ ̄o)
ヾ(´・ ・`。)ノ"
( ง ᵒ̌皿ᵒ̌)ง⁼³₌₃
(ó﹏ò。)
Σ(っ °Д °;)っ
( ,,´・ω・)ノ"(´っω・`。)
╮(╯▽╰)╭
o(*////▽////*)q
>﹏<
( ๑´•ω•) "(ㆆᴗㆆ)
😂
😀
😅
😊
🙂
🙃
😌
😍
😘
😜
😝
😏
😒
🙄
😳
😡
😔
😫
😱
😭
💩
👻
🙌
🖕
👍
👫
👬
👭
🌚
🌝
🙈
💊
😶
🙏
🍦
🍉
😣
Source: github.com/k4yt3x/flowerhd
颜文字
Emoji
小恐龙
花!
上一篇