Creating free self-signed SSL certificates for Apache, and configuring an Apache reverse proxy to verify the backend server's HTTPS certificate

A detailed walk-through of generating a CA root certificate, a server certificate (for the origin server) and a client certificate (for the reverse proxy server).

Generating the CA root certificate

Create the file ca-openssl.cnf:

[req]
distinguished_name  = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName           = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = Some-State
organizationName          = Organization Name (eg, company)
organizationName_default = Internet Widgits Pty Ltd
commonName            = Common Name (eg, YOUR name)
commonName_default = AbelCA

[v3_req]
basicConstraints = CA:true
keyUsage = critical, keyCertSign

Generate the CA root certificate:

openssl req -x509 -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -config ca-openssl.cnf -days 3650 -extensions v3_req

Generating the server certificate (origin server)

Create the file server-openssl.cnf:

[req]
distinguished_name  = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
countryName           = Country Name (2 letter code)
countryName_default   = CN
stateOrProvinceName   = State or Province Name (full name)
stateOrProvinceName_default = Shanghai
localityName          = Locality Name (eg, city)
localityName_default  = Shanghai
organizationName          = Organization Name (eg, company)
organizationName_default  = Example, Co.
commonName            = Common Name (eg, YOUR name)
commonName_max        = 64

####################################################################
[ ca ]
default_ca  = CA_default        # The default ca section

####################################################################
[ CA_default ]

dir     = . # Where everything is kept
certs       = $dir # Where the issued certs are kept
crl_dir     = $dir      # Where the issued crl are kept
database    = $dir/index.txt    # database index file.
new_certs_dir   = $dir      # default place for new certs.
certificate = $dir/ca.pem   # The CA certificate
serial      = $dir/serial       # The current serial number
crlnumber   = $dir/crlnumber    # the current crl number
crl     = $dir/crl.pem      # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE    = $dir/private/.rand    # private random number file

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = bluepost.cn
DNS.2 = *.bluepost.cn
IP.1 = 115.155.2.10

Remember to edit alt_names in the config above and replace the domain names and IP with your own. Several domains can be listed as DNS.1/DNS.2/…, and IP addresses are supported as well, as IP.1 = x.x.x.x.
Be sure to add every domain that needs to be covered by the certificate; if the server is also reached by IP, add its public IP alongside the domain names, otherwise you get the error that the security certificate does not specify a subject alternative name.

Generate the server certificate:

# Create the server private key
openssl genrsa -out server.key.rsa 2048
# Convert the private key to the more widely supported PKCS#8 format
openssl pkcs8 -topk8 -in server.key.rsa -out server.key -nocrypt
# Generate a certificate signing request from the private key
openssl req -new -key server.key -out server.csr -config server-openssl.cnf
# Sign the request with the CA to create the server certificate, valid for 10 years
openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in server.csr -out server.pem -extensions v3_req -extfile server-openssl.cnf -days 3650

Generating the client certificate (reverse proxy server)

On the reverse proxy server, httpd-ssl.conf needs SSLProxyMachineCertificateFile configured:

# Create the client private key
openssl genrsa -out proxy_client.key 2048
# Generate a certificate signing request from the private key
openssl req -new -key proxy_client.key -out proxy_client.csr
# Sign the request with the CA to create the client certificate, valid for 10 years
openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -in proxy_client.csr -out proxy_client.pem -days 3650
# Bundle the private key and its certificate chain into PKCS#12; keystore password and key password are both 123456
openssl pkcs12 -export -CAfile ca.pem -in proxy_client.pem -inkey proxy_client.key -out proxy_client.p12 -passout pass:123456
# Concatenate the client key and certificate into one file, used as the reverse proxy's client certificate configuration
# Note: the key must be in PKCS#1 format; if it is not, convert it with: openssl rsa -in private-pkcs8.key -out private.key
# (on OpenSSL 3.x add -traditional to that command, as openssl rsa writes PKCS#8 by default there)
cat proxy_client.key proxy_client.pem > client_key_crt.pem
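As an added example (not part of the original post), a small POSIX shell script that checks what the steps above produce: that server.pem chains to ca.pem and matches the host name, that it really carries the SAN entry behind the error mentioned earlier, and that the key and certificate concatenated into client_key_crt.pem belong together. It assumes openssl 1.1.1 or newer on PATH; the self_test function builds a throwaway CA in a temporary directory (constructed fixture, host app.example.test), so it runs without the post's files.

```shell
# Added example, not from the original post. Assumes openssl 1.1.1+ on PATH.

# 0 if CERT ($2) chains to the CA in $1 and HOST ($3) matches its SAN (or CN).
check_server_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
# 0 only if CERT ($1) has a subjectAltName with an exact DNS entry for HOST ($2).
# A matching CN alone passes openssl verify yet still gives the "no subject
# alternative name" error the post warns about, hence this separate check.
has_san() {
  pat=$(printf '%s' "$2" | sed 's/\./\\./g')
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -qE "DNS:${pat}(,|\$)"
}
# 0 if the first key and first certificate in a combined PEM file such as
# client_key_crt.pem share one public key, i.e. the pair belongs together.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed fixture for self_test: throwaway CA and server cert for HOST ($2) in
# DIR ($1), made with the post's openssl steps, plus two deliberately broken files.
make_fixture() {
  dir="$1"; host="$2"; mkdir -p "$dir"
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign\n' >"$dir/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -subj /CN=TestCA -config "$dir/ca.cnf" \
    -extensions ca_ext -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" -config "$dir/ca.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\n' "$host" >"$dir/san.cnf"
  openssl x509 -req -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial -in "$dir/server.csr" \
    -out "$dir/server.pem" -extfile "$dir/san.cnf" -days 1 2>/dev/null || return 1
  openssl x509 -req -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial -in "$dir/server.csr" \
    -out "$dir/nosan.pem" -days 1 2>/dev/null || return 1        # SAN forgotten
  cat "$dir/server.key" "$dir/server.pem" >"$dir/combined.pem"    # like client_key_crt.pem
  cat "$dir/ca.key" "$dir/server.pem" >"$dir/mismatch.pem"        # wrong key pasted in
}

# Runs every check against the fixture; returns 0 when each gives the expected answer.
self_test() {
  d=$(mktemp -d) || return 1; h=app.example.test; rc=0
  make_fixture "$d" "$h" || rc=1
  check_server_cert "$d/ca.pem" "$d/server.pem" "$h" || rc=1
  check_server_cert "$d/ca.pem" "$d/server.pem" other.example.test && rc=1
  has_san "$d/server.pem" "$h" || rc=1
  has_san "$d/nosan.pem" "$h" && rc=1
  key_matches_cert "$d/combined.pem" || rc=1
  key_matches_cert "$d/mismatch.pem" && rc=1
  rm -rf "$d"; return $rc
}
```

With the post's files in the current directory, `check_server_cert ca.pem server.pem bluepost.cn`, `has_san server.pem bluepost.cn` and `key_matches_cert client_key_crt.pem` each return 0 on success.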
