I. Introduction
I recently studied cryptography and certificate generation, then tried generating my own certificates and enabling HTTPS access on Apache. This article records the steps. The test environment is CentOS 6.8 with Apache httpd-2.4.33.
II. Setting up the Apache service
I will not go into detail here; see my earlier article on compiling and installing it: https://www.jianshu.com/p/f8e4046820d6
One more note: after compiling and installing httpd you still need the SSL module. Install mod_ssl with yum; once it is installed, the file /etc/httpd/conf.d/ssl.conf is created automatically under /etc/httpd/conf.d/. (If you installed httpd itself with yum, you can skip this step.)
yum install -y mod_ssl
III. Building a private CA and issuing the HTTPS certificate
1. Build the private CA
[root@localhost ~]# cd /etc/pki/CA/private/ # where the CA private key is stored
[root@localhost private]# (umask 077;openssl genrsa -out CA.key 4096) # create the CA private key
Generating RSA private key, 4096 bit long modulus
...................................++
..................++
e is 65537 (0x10001)
[root@localhost private]# ll
total 4
-rw-------. 1 root root 3247 Apr 17 00:26 CA.key
[root@localhost private]# cd ..
[root@localhost CA]# cd certs/ # where the CA certificate is stored
[root@localhost certs]# openssl req -new -x509 -key /etc/pki/CA/private/CA.key -out CA.crt -days 3650 # self-sign the CA certificate, valid for ten years
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:
[root@localhost ~]# touch /etc/pki/CA/{serial,index.txt} # create the files a private CA requires
[root@localhost ~]# echo 00 > /etc/pki/CA/serial # write the starting serial number to the serial file
2. Create the server certificate and sign it
[root@localhost ~]# cd /usr/local/httpd/ # httpd installation path
[root@localhost httpd]# mkdir ssl
[root@localhost httpd]# cd ssl/
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 4096) # create the HTTP server's private key
Generating RSA private key, 4096 bit long modulus
.......................++
..............................................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@localhost ssl]# openssl req -new -key /usr/local/httpd/ssl/httpd.key -out /usr/local/httpd/ssl/httpd.csr -days 365 # generate the certificate signing request for httpd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:shenzhen
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:web.magedu.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# openssl ca -in /usr/local/httpd/ssl/httpd.csr -out /usr/local/httpd/ssl/httpd.crt -days 365 -cert /etc/pki/CA/certs/CA.crt -keyfile /etc/pki/CA/private/CA.key # sign the httpd certificate with the CA certificate and the CA private key
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Apr 16 16:53:50 2018 GMT
Not After : Apr 16 16:53:50 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = guangdong
organizationName = magedu
organizationalUnitName = ops
commonName = web.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
93:F0:36:6A:C6:06:04:B0:B2:47:08:E2:84:6C:BA:4B:C5:DF:CD:91
X509v3 Authority Key Identifier:
keyid:03:F1:28:A6:2D:8A:64:D3:30:91:18:F7:67:AC:3E:28:B2:85:ED:47
Certificate is to be certified until Apr 16 16:53:50 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]# ll
total 16
-rw-r--r--. 1 root root 7191 Apr 17 00:53 httpd.crt
-rw-r--r--. 1 root root 1704 Apr 17 00:50 httpd.csr
-rw-------. 1 root root 3243 Apr 17 00:48 httpd.key
IV. Enabling HTTPS access
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf # editing this file directly is enough to verify that the certificate works; the proper way to configure an HTTPS certificate will be shared after I have learned it
...
SSLCertificateFile "/usr/local/httpd/ssl/httpd.crt" # change to the server certificate generated earlier
SSLCertificateKeyFile "/usr/local/httpd/ssl/httpd.key" # change to the server private key generated earlier
...
:wq
[root@localhost ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain for ServerName
[ OK ]
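Before pointing ssl.conf at the files, it is worth checking that they actually fit together. The following added shell example (not from the original article) repeats the CA and server certificate steps above non-interactively in a temporary directory, then verifies that the server certificate chains to the CA, that the key file belongs to the certificate, and that the certificate carries a subjectAltName; the temporary paths, the 2048-bit key size and the use of openssl x509 -req in place of openssl ca are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: repeats its CA -> server
# certificate flow non-interactively in a temporary directory, then runs the
# checks worth doing before pointing httpd at the files. Assumes only the
# openssl CLI; the temp paths and 2048-bit keys are constructed for the demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_SUBJ="/C=CN/ST=guangdong/L=shenzhen/O=magedu/OU=ops/CN=ca.magedu.com"
SRV_SUBJ="/C=CN/ST=guangdong/L=shenzhen/O=magedu/OU=ops/CN=web.magedu.com"

# Private CA: key (umask 077, as in the article) and self-signed certificate
(umask 077; openssl genrsa -out "$WORK/CA.key" 2048 2>/dev/null)
openssl req -new -x509 -key "$WORK/CA.key" -out "$WORK/CA.crt" -days 3650 \
  -subj "$CA_SUBJ" 2>/dev/null

# Server key and certificate signing request
(umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
openssl req -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
  -subj "$SRV_SUBJ" 2>/dev/null

# Sign the CSR with the CA. 'openssl x509 -req' replaces the article's
# 'openssl ca' so no serial/index.txt database is needed; the extension file
# adds the subjectAltName the article's certificate lacks (browsers match
# the hostname against the SAN, not the CN).
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:web.magedu.com\n' \
  > "$WORK/ext.cnf"
openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/CA.crt" -CAkey "$WORK/CA.key" \
  -CAcreateserial -out "$WORK/httpd.crt" -days 365 -extfile "$WORK/ext.cnf" 2>/dev/null

# Check 1: the server certificate chains to the given CA certificate.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Check 2: SSLCertificateKeyFile really is the key for SSLCertificateFile.
# Compare the public keys instead of trusting file names.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ]
}

# Check 3: the certificate names the host through a DNS SAN entry.
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

verify_chain "$WORK/CA.crt" "$WORK/httpd.crt" && echo "chain: ok"
key_matches_cert "$WORK/httpd.crt" "$WORK/httpd.key" && echo "key/cert: match"
has_san "$WORK/httpd.crt" web.magedu.com && echo "SAN: present"
```

The same three functions can be run against /etc/pki/CA/certs/CA.crt and the files under /usr/local/httpd/ssl/ from the article; the CA-signed certificate there will pass the first two checks but not the SAN check.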