Friday, September 18, 2020

SSL Certificate Cannot Be Trusted

1. Install mod_ssl
yum -y install httpd mod_ssl

sudo systemctl enable httpd.service

systemctl start httpd.service

2. Generate the CSR file (*.csr)

openssl genrsa -out private2020.key 2048

openssl req -new -key private2020.key -out certificate2020.csr

(The key file named here must be the one created by the genrsa command above, otherwise the CSR and the key used by httpd in step 5 will not match.)



3. After receiving the signed certificate file (*.crt)

cp private2020.key /etc/pki/tls/private/

cp certificate2020.crt /etc/pki/tls/certs/
 

4. Build server-chain2020.crt (intermediate CA first, root CA last)

cat IntermediateCA.crt > server-chain2020.crt

cat RootCA.crt >> server-chain2020.crt

cp server-chain2020.crt /etc/pki/tls/certs/


5. vi /etc/httpd/conf.d/ssl.conf

The certificate and key paths must match where step 3 copied the files (/etc/pki/tls/, not /etc/ssl/private/), otherwise httpd will not start.

SSLEngine on

SSLCertificateFile /etc/pki/tls/certs/certificate2020.crt

SSLCertificateKeyFile /etc/pki/tls/private/private2020.key

SSLCertificateChainFile /etc/pki/tls/certs/server-chain2020.crt

SSLCertificateChainFile works on the httpd 2.4.6 shipped with CentOS 7; from httpd 2.4.8 it is deprecated, and the intermediate certificates are appended to the file given in SSLCertificateFile instead.
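Added example, not from the original post or either of its references: a POSIX shell script that builds a constructed root/intermediate/leaf chain with openssl under a temporary directory, using the file names from steps 2 to 4, and then runs the checks worth doing before restarting httpd: the key belongs to the certificate, the three paths in ssl.conf are readable, and the leaf validates to the root only when the intermediate is supplied, which is the condition a scanner reports as "SSL Certificate Cannot Be Trusted" when the server sends no chain. The CA subjects, the WORK directory and every function name are my own assumptions.

```sh
#!/bin/sh
# Added example (not the post's own commands). Builds a throwaway
# root -> intermediate -> leaf chain, then checks key/cert match, ssl.conf
# paths and chain completeness the way a TLS scanner would see them.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; assumption, not from the post

# Generate RootCA, IntermediateCA, certificate2020.crt/private2020.key and
# server-chain2020.crt under $WORK. Constructed test material only.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' >"$WORK/leaf.ext"

  # Self-signed root (made-up subject).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/RootCA.key" -out "$WORK/RootCA.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$WORK/RootCA.csr" -signkey "$WORK/RootCA.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/RootCA.crt" 2>/dev/null

  # Intermediate signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/IntermediateCA.key" -out "$WORK/IntermediateCA.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$WORK/IntermediateCA.csr" \
    -CA "$WORK/RootCA.crt" -CAkey "$WORK/RootCA.key" -CAcreateserial \
    -extfile "$WORK/ca.ext" -out "$WORK/IntermediateCA.crt" 2>/dev/null

  # Leaf: the two commands from step 2, then signed by the intermediate
  # (standing in for the CA that signs the CSR in step 3).
  openssl genrsa -out "$WORK/private2020.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/private2020.key" -subj "/CN=www.example.com" \
    -out "$WORK/certificate2020.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 398 -in "$WORK/certificate2020.csr" \
    -CA "$WORK/IntermediateCA.crt" -CAkey "$WORK/IntermediateCA.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/certificate2020.crt" 2>/dev/null

  # Step 4: intermediate first, root last.
  cat "$WORK/IntermediateCA.crt" "$WORK/RootCA.crt" >"$WORK/server-chain2020.crt"
}

# True when the RSA modulus in the certificate ($1) equals the one in the key ($2).
key_matches_cert() {
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# True when the leaf ($1) chains to the trusted root ($2). An optional $3 is a
# file of untrusted intermediates, i.e. what the server would send alongside
# the leaf; omit it to simulate a server that sends the leaf alone.
chain_completes() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Read the three paths out of an ssl.conf-style file ($1), check they are
# readable, that key and cert belong together, and that the chain file
# actually contains the leaf's issuer(s).
check_ssl_conf() {
  crt=$(awk '$1=="SSLCertificateFile"{print $2}' "$1")
  key=$(awk '$1=="SSLCertificateKeyFile"{print $2}' "$1")
  chain=$(awk '$1=="SSLCertificateChainFile"{print $2}' "$1")
  for f in "$crt" "$key" "$chain"; do
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
  done
  key_matches_cert "$crt" "$key" || { echo "key/cert mismatch" >&2; return 1; }
  openssl verify -CAfile "$chain" "$crt" >/dev/null 2>&1 \
    || { echo "chain file does not lead from $crt to its root" >&2; return 1; }
}

# Write a minimal ssl.conf fragment: certs in dir $1, key in dir $2, output $3.
write_conf() {
  printf 'SSLEngine on\nSSLCertificateFile %s/certificate2020.crt\nSSLCertificateKeyFile %s/private2020.key\nSSLCertificateChainFile %s/server-chain2020.crt\n' \
    "$1" "$2" "$1" >"$3"
}

main() {
  make_chain
  write_conf "$WORK" "$WORK" "$WORK/ssl.conf"
  check_ssl_conf "$WORK/ssl.conf" && echo "ssl.conf: OK"
  if chain_completes "$WORK/certificate2020.crt" "$WORK/RootCA.crt"; then
    echo "leaf without chain: trusted"
  else
    echo "leaf without chain: NOT trusted (what plugin 51192 reports when the chain is omitted)"
  fi
  chain_completes "$WORK/certificate2020.crt" "$WORK/RootCA.crt" "$WORK/server-chain2020.crt" \
    && echo "leaf with server-chain2020.crt: trusted"
}
main
```

Running it with a real deployment is a matter of pointing check_ssl_conf at /etc/httpd/conf.d/ssl.conf; it catches the two mistakes the post's draft had (a key file name that differs from the one in the CSR step, and directives pointing at /etc/ssl/private/ while the files live under /etc/pki/tls/). The last check in check_ssl_conf only proves the chain file links the leaf to a root; whether that root is trusted is the client's decision.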


6. Redirect to HTTPS

vi /etc/httpd/conf/httpd.conf

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

TraceEnable Off

ServerTokens ProductOnly

ServerSignature Off

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

[R=301,L] makes the redirect permanent and stops further rule processing (without flags mod_rewrite still issues a temporary 302 redirect because the target is an absolute URL). The Header directive needs mod_headers, which CentOS 7 loads by default. Keep preload out of the header until every subdomain is served over HTTPS, since removal from the browser preload list is slow.

 

7. Restart httpd

systemctl restart httpd

 

 

References:

https://medium.com/@hbayraktar/how-to-install-ssl-certificate-on-apache-for-centos-7-38c25b84d8b1 

https://community.tenable.com/s/article/Plugin-51192-SSL-Certificate-Cannot-Be-Trusted-fires-when-the-certificates-chain-cannot-be-completed


 

