Creating a self-signed SSL certificate on CentOS 7
Sometimes an internal website, or a site that is still under test, does not need to start out with a certificate issued by a public SSL certificate authority. In that case you can create the SSL certificate yourself to cover the need.
This article uses CentOS 7 as the example and walks through the steps for creating a self-signed SSL certificate.
Step 1
Install the software used to generate the SSL certificate
[andy@www ~]$ yum install mod_ssl openssl
Step 2
Create the private key
[andy@www ~]$ openssl genrsa -out ca.key 2048
Step 3
Create the certificate signing request (CSR)
openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: TW
State or Province Name (full name) []: Taipei
Locality Name (eg, city) [Default City]: Taipei
Organization Name (eg, company) [Default Company Ltd]: Testing CO.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: Testing.com
Email Address []: [email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 4
Generate the self-signed CA certificate
[andy@www ~]$ openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
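As an added example that is not part of the original post, the following POSIX shell script performs Steps 2 to 4 non-interactively, adds a subjectAltName (current browsers ignore the Common Name and require a SAN), and verifies that the private key and certificate belong together before ssl.conf is pointed at them. The output directory, hostname and validity period are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the original article's commands. Reproduces Steps 2-4
# without the interactive prompts and adds the checks an operator wants
# before wiring the files into Apache. Directory/hostname/days are assumed.
set -eu

make_selfsigned_cert() {
    # $1 = output directory, $2 = server hostname (CN and SAN), $3 = validity in days
    out="$1"; cn="$2"; days="$3"
    mkdir -p "$out"
    # Step 2: 2048-bit RSA private key, readable only by its owner
    openssl genrsa -out "$out/ca.key" 2048 2>/dev/null
    chmod 600 "$out/ca.key"
    # Step 3: CSR with the same DN fields as the article, passed via -subj
    openssl req -new -key "$out/ca.key" -out "$out/ca.csr" \
        -subj "/C=TW/ST=Taipei/L=Taipei/O=Testing CO./CN=$cn"
    # Step 4: self-sign the CSR. 'openssl x509 -req' does not copy extensions
    # from the request, so the SAN is supplied through -extfile.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$cn" > "$out/san.ext"
    openssl x509 -req -days "$days" -in "$out/ca.csr" -signkey "$out/ca.key" \
        -out "$out/ca.crt" -extfile "$out/san.ext" 2>/dev/null
}

# Returns 0 when the certificate's public key is derived from the private key,
# 1 otherwise. A mismatch here is the usual cause of httpd failing to start
# after SSLCertificateFile / SSLCertificateKeyFile are changed.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the SAN line (e.g. "DNS:www.example.test") so the hostname a browser
# will accept can be confirmed; works on OpenSSL 1.0.2 as shipped with CentOS 7.
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}
```

Run it as `make_selfsigned_cert /etc/mySSL www.example.test 3650 && key_matches_cert /etc/mySSL/ca.key /etc/mySSL/ca.crt` to produce and check the files Step 5 copies into place.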
Step 5
Organize the files and edit the configuration
Keep all of the certificate files together in one directory.
(In this article's example they are moved to the home directory; it is recommended to move them somewhere more secure.)
[andy@www ~]$ cp ca.key /etc/mySSL/ca.key
[andy@www ~]$ cp ca.csr /etc/mySSL/ca.csr
[andy@www ~]$ cp ca.crt /etc/mySSL/ca.crt
Edit the Apache configuration file
[andy@www ~]$ sudo vim /etc/httpd/conf.d/ssl.conf
Find the two settings SSLCertificateFile and SSLCertificateKeyFile and change them to the paths used above.
SSLCertificateFile /etc/mySSL/ca.crt
SSLCertificateKeyFile /etc/mySSL/ca.key
Save and exit
:wq
Step 6
Restart Apache (httpd) and configure the firewall
Restart Apache
[andy@www ~]$ sudo systemctl restart httpd
If https (port 443) is not listed, add a rule to the firewall so that https traffic is allowed through.
[andy@www ~]$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

[andy@www ~]$ sudo firewall-cmd --permanent --zone=public --add-service=https
Done!