目标
在同一台主机建立站点并访问,自建 CA 为该站颁发证书,使得在火狐浏览器访问该站时地址栏锁标识为绿色,即证书链被浏览器信任、没有任何证书警告(注:Firefox 70 及以后版本对受信任的 HTTPS 连接统一显示灰色锁,不再用绿色区分,判断标准是没有证书警告)。
前提
- 已安装 apache 和 openssl
- ubuntu 自带 openssl;apache2 通常需要自行安装(sudo apt-get install apache2)
- 可使用以下命令查看二者的版本,若需更新查看该链接
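# Print the installed versions. apache2 takes -v (lowercase: version only;
# -V adds build settings); "-version" is not a documented option.
apache2 -v
openssl version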
- 本文使用 apache 2.2.22 和 openssl 1.0.1(两者均已停止维护、不再获得安全更新,仅作演示;生产环境请使用仍在维护的版本,本文步骤在新版本上同样适用)
实现
使用OpenSSL自建CA
注意,本阶段操作均在普通用户权限下进行,不要加 sudo:否则生成的目录和配置文件会归 root 所有,后续以普通用户运行 openssl 时可能无法读写。
1.1 创建工作环境
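# Create the CA working tree in $HOME (idempotent: -p on both mkdirs) and
# lock down the directory that will hold the CA private key before any
# key is written into it.
cd && mkdir -p myCA/signedcerts myCA/private && chmod 700 myCA/private && cd myCA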
1.2 创建证书数据库
# Initialise the CA database: the next serial number to issue and an
# (initially empty) index of issued certificates.
printf '01\n' > serial && touch index.txt
1.3 创建 ca 配置文件
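# No sudo here: the file lives in your own home directory and must stay
# owned by your user, as stated in the note on user privileges above.
nano ~/myCA/caconfig.cnf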
其内容如下:
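# My sample caconfig.cnf file.
#
# Default configuration to use when one is
# not provided on the command line.
# Pass it explicitly, e.g. "openssl ca -config ~/myCA/caconfig.cnf",
# otherwise openssl silently falls back to the system default config.
#
[ ca ]
default_ca = local_ca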
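#
#
# Default location of directories and files
# needed to generate certificates.
# NOTE: replace <username> with your login name. "~" and "$HOME"
# are NOT expanded here, so the path must be absolute.
#
[ local_ca ]
dir = /home/<username>/myCA
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/signedcerts
# CA signing key: keep $dir/private at mode 0700 and the key file 0600.
private_key = $dir/private/cakey.pem
serial = $dir/serial
#
#
# Default expiration and encryption policies
# for certificates.
#
default_crl_days = 365
# Lifetime in days of the server certificates this CA signs (5 years).
default_days = 1825
# Signature digest. SHA-1 certificate signatures are rejected by
# Firefox and every other current browser, so the site would not load
# with a green/valid lock; use sha256.
default_md = sha256
#
policy = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Copy extensions specified in the
# certificate request (e.g. subjectAltName).
# With "copy", extensions already defined in local_ca_extensions take
# precedence over anything in the request, so a request cannot turn
# itself into a CA certificate. Do not relax this to "copyall", which
# lets request extensions replace the configured ones.
#
copy_extensions = copy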
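#
#
# Default policy to use when generating
# server certificates. The following
# fields must be defined in the server
# certificate: "supplied" means "openssl ca"
# rejects a request that omits the field.
#
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied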
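#
#
# x509 extensions to use when generating
# server certificates. CA:false marks each
# issued certificate as an end-entity cert
# that cannot sign further certificates.
# The site's hostname (subjectAltName) is not
# set here; it has to come from the request
# via copy_extensions = copy above.
#
[ local_ca_extensions ]
basicConstraints = CA:false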
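#
#
# The default root certificate generation
# policy, read by "openssl req" when creating
# the self-signed CA certificate.
#
[ req ]
default_bits = 2048
# Must be the same file as private_key in [ local_ca ]; replace <username>.
default_keyfile = /home/<username>/myCA/private/cakey.pem
# Keep the digest consistent with [ local_ca ]: SHA-1 is deprecated for
# certificate signatures, use sha256.
default_md = sha256
#
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions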
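#
#
# Root Certificate Authority distinguished
# name. Change these fields to match
# your local environment! The values below
# are placeholders only.
#
[ root_ca_distinguished_name ]
commonName = MyOwn Root Certificate Authority
stateOrProvinceName = NC
countryName = US
emailAddress = root@tradeshowhell.com
organizationName = Trade Show Hell
organizationalUnitName = IT Department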
#
[ root_ca_extensions ]
basicConstraint