(1) Create a private key file server.key
# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.....................+++
...................+++
e is 65537 (0x10001)
(2) # stat server.key
  File: ‘server.key’
  Size: 1675      	Blocks: 8          IO Block: 4096   普通檔案
Device: fd01h/64769d	Inode: 2760360     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-12-11 17:33:29.764947258 +0800
Modify: 2019-12-11 17:30:46.760935711 +0800
Change: 2019-12-11 17:30:46.760935711 +0800
 Birth: -
(3) # cat server.key
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
(4-1) Create the certificate request file server.csr
# sudo openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Kinmen
Locality Name (eg, city) [Default City]:kinmen
Organization Name (eg, company) [Default Company Ltd]:kmvs
Organizational Unit Name (eg, section) []:teach
Common Name (eg, your name or your server's hostname) []:163.25.20.92
Email Address []:tr@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abc123abc123
An optional company name []:treehrt
(4-2) # stat server.csr
  File: ‘server.csr’
  Size: 1115      	Blocks: 8          IO Block: 4096   普通檔案
Device: fd01h/64769d	Inode: 2760361     Links: 1
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2019-05-27 23:57:46.717889608 +0800
Modify: 2019-12-11 17:40:15.761976020 +0800
Change: 2019-12-11 17:40:15.761976020 +0800
 Birth: -
(4-3) # cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
(5-1) $ vi ssl.conf
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Tree Inc.
OU = IT Department
emailAddress = treehrt@insecta.idv.tw
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
DNS.3 = 192.168.2.100
(5-2) Generate the private key (server.key) and the certificate file (server.crt)
sudo openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.conf
[sudo] password for treehrt:
Generating a 2048 bit RSA private key
.........+++
................+++
writing new private key to 'server.key'
-----
(5-3) Display the contents of the self-signed certificate file
$ cat server.crt
-----BEGIN CERTIFICATE-----
MIID5TCCAs2gAwIBAgIJAP+j2xBoRWsCMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
VQQGEwJUVzEPMA0GA1UECAwGVGFpd2FuMQ8wDQYDVQQHDAZUYWlwZWkxEjAQBgNV
:
VaZ/BRqgO/SvwN8zBn4RFqzIHje9LB9xWP3AX+I3kHyX875Y4waw9GI=
-----END CERTIFICATE-----
(5-4) Import the self-signed certificate into the "Trusted Root Certification Authorities"
$ sudo cp server.crt /usr/local/share/ca-certificates/server.crt
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
done.
(5-5) $ sudo systemctl restart apache2
The steps above did not succeed.
(5-6) Configure the browser, taking Firefox as an example:
In about:preferences#privacy: Preferences / Certificates / View Certificates / Servers / Add Exception /
Enter location: https://localhost / Get Certificate / "No information available"?????.
Still did not succeed.
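An added check, not part of the original post, tying step (5-1) to the browser failure in (5-6): a browser visiting https://192.168.2.100/ matches the address only against an iPAddress SAN entry, but the page's ssl.conf lists it under DNS.3, so the script below builds the certificate in both forms from the page's config layout and verifies each with openssl the way a client would. It assumes openssl is on PATH; the hostname, IP and DN values are the page's own.

```shell
#!/bin/sh
# Added example, not from the original post: build a self-signed cert from the
# page's ssl.conf layout and check it the way a browser does (SAN match).
# Assumes openssl on PATH; "192.168.2.100" and "localhost" are the page's values.
set -eu
umask 077   # server.key is created 0600, not 0644 as in the page's stat output

# gen_cert DIR ALT_LINE: write ssl.conf with the page's layout plus one extra
# [alt_names] line, then issue key + certificate as in step (5-2).
gen_cert() {
  cat > "$1/ssl.conf" <<EOF
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req
[dn]
C = TW
ST = Taiwan
L = Taipei
O = Tree Inc.
CN = localhost
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
$2
EOF
  openssl req -x509 -new -nodes -sha256 -days 3650 -newkey rsa:2048 \
    -keyout "$1/server.key" -out "$1/server.crt" -config "$1/ssl.conf" 2>/dev/null
}
# verify_host DIR NAME: 0 if the cert, used as its own trust anchor, is valid for https://NAME/
verify_host() {
  openssl verify -CAfile "$1/server.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
# verify_ip DIR IP: same for https://IP/ ; only iPAddress SAN entries are matched
verify_ip() {
  openssl verify -CAfile "$1/server.crt" -verify_ip "$2" "$1/server.crt" >/dev/null 2>&1
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/dns" "$WORK/ip"
gen_cert "$WORK/dns" "DNS.2 = 192.168.2.100"   # the page's form: address listed as a DNS name
gen_cert "$WORK/ip"  "IP.1 = 192.168.2.100"    # corrected form: iPAddress entry
verify_host "$WORK/ip" localhost && echo "localhost: ok"
verify_ip "$WORK/dns" 192.168.2.100 && echo "DNS.2 form: ok" || echo "DNS.2 form: IP address mismatch"
verify_ip "$WORK/ip"  192.168.2.100 && echo "IP.1 form: ok"
```

Firefox keeps its own NSS trust store rather than reading /etc/ssl/certs, so update-ca-certificates alone does not make it trust server.crt; import the certificate under Certificates / Authorities or enable security.enterprise_roots.enabled in about:config.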
(6) It finally succeeded, as shown in the screenshot below

(7-1) The rsa2 key fingerprint (ssh-rsa 2048) that PieTTY must trust to connect to the server:

(7-2) SSL references