自签名证书签发相对于商业证书流程简单,费用低廉,更新容易。所以在开发领域、甚至一些小众场景下特别常见,比如公司的内网服务、网站安全证书、企业路由器设备的管理后台、用于管理企业员工的“安全准入客户端”等不乏使用这个方案。
接下来我们就介绍如何在Ubuntu22.04部署SSL自签名证书,我们先设定,本次服务器的IP为:192.168.1.25,使用apache2作为网站发布的软件,并且系统以root进行登录。
一:CA证书的生成
1、安装SSL模块
apt install ssl-cert a2enmod ssl
2、生成私钥和证书请求:
openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csrCountry Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BBM
Organizational Unit Name (eg, section) []:BBM
Common Name (e.g. server FQDN or YOUR name) []:192.168.29.60
Email Address []:xxxx@qq.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:3、自签发证书
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt4、生成服务器证书
创建csr,证书签名文件(Certificate Singing Request)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csrCountry Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BBM
Organizational Unit Name (eg, section) []:BBM
Common Name (e.g. server FQDN or YOUR name) []:192.168.29.60
Email Address []:XXXXXX@qq.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt5、生成客户端证书
openssl genrsa -out client.key 2048生成client.key
openssl req -new -key client.key -out client.csrCountry Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BBM
Organizational Unit Name (eg, section) []:BBM
Common Name (e.g. server FQDN or YOUR name) []:192.168.29.60
Email Address []:XXXXXX@qq.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3656、至此,所有证书生成完成
二:在Ubuntu22.04的apache2上面配置ssl
1、为ubuntu安装open ssl
apt-get install openssl
apt-get install libssl-dev2、启动SSL模块
a2enmod ssl3、在Apache2的安装目录下创建一个用于存放证书的ssl目录。如果已经有此目录,则此步可以忽略。
mkdir /etc/ssl/certs/
mkdir /etc/ssl/private/4、将证书文件和私钥文件上传到Apache2证书目录
cp /root/server.ctr /etc/ssl/certs/
cp /root/server.key /etc/ssl/private/5、执行以下命令,启用SSL模块
sudo a2enmod ssl
(1)、/sites-available目录存放的是可用的虚拟主机。
(2)、/sites-enabled目录存放的是已经启用的虚拟主机。
(3)、SSL模块启用后,会在/etc/apache2/sites-available目录生成SSL证书配置文件default-ssl.conf。
4、编辑default-ssl.conf文件,修改与证书相关的配置。
vim /etc/apache2/sits-enabled/default-ssl.conf
修改监听端口:VirtualHost_default_:443
添加如下两句:SSLEngine on
SSLPROTOCOL all -SSLv2 -SSLv3
SSLOptions +StrictRequire
service apache2 restart
修改ports.conf
修改监听端口
5、执行以下命令,将default-ssl.conf映射至/etc/apache2/sites-enabled目录,实现两者之间的自动关联。
ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/001-ssl.conf6、执行以下命令,重新加载Apache2配置文件。
sudo /etc/init.d/apache2 force-reload
7、执行以下命令,重启Apache2服务。
sudo /etc/init.d/apache2 restart
8、验证访问
https://192.168.29.60/
