基于Apache的https(证书,密钥)的实现
请参照以前的博文,配置好DNS和基本的Apache服务:
DNS文章:http://iminmin.blog.51cto.com/689308/162631(正向解析)
http://iminmin.blog.51cto.com/689308/193710 (反向解析)
Apache文章:http://iminmin.blog.51cto.com/689308/192805
请按照上面的文章,或者自己搭建好基本的Apache服务并能正常访问。
1、安装mod_ssl模块,让Linux支持SSL:
yum install mod_ssl -y
2、创建证书和密钥文件:
cd /etc/pki/tls/certs
make httpd.crt //证书文件的名字可以随便写,扩展名不要变。最后会生成两个文件,一个证书文件.crt结尾,一个密钥.key结尾。
请参照以前的博文,配置好DNS和基本的Apache服务:
DNS文章:http://iminmin.blog.51cto.com/689308/162631(正向解析)
http://iminmin.blog.51cto.com/689308/193710 (反向解析)
Apache文章:http://iminmin.blog.51cto.com/689308/192805
请按照上面的文章,或者自己搭建好基本的Apache服务并能正常访问。
1、安装mod_ssl模块,让Linux支持SSL:
yum install mod_ssl -y
2、创建证书和密钥文件:
cd /etc/pki/tls/certs
make httpd.crt //证书文件的名字可以随便写,扩展名不要变。最后会生成两个文件,一个证书文件.crt结尾,一个密钥.key结尾。
------------------------------------------------------------------------------------
[root@rhce certs]# make httpd.crt
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > links.key
Generating RSA private key, 1024 bit long modulus
...........................++++++
.........................++++++
e is 65537 (0x10001)
Enter pass phrase: //密码。
Verifying - Enter pass phrase: //确认密码和上面相同。
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key links.key -x509 -days 365 -out lis.crt -set_serial 0
Enter pass phrase for httpd.key: //httpd.key 文件密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:GB
State or Province Name (full name) [Berkshire]:JIANGSU
Locality Name (eg, city) [Newbury]:XUZHOU
Organization Name (eg, company) [My Company Ltd]:QINGNIAO
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.rhce.cn//真实域名
Email Address []:root@rhce.cn
------------------------------------------------------------------------------------
3、编辑配置文件:/etc/http/conf .d/ssl.conf
×××和密钥文件的路径为我们创建的证书和密钥的所在位置。
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > links.key
Generating RSA private key, 1024 bit long modulus
...........................++++++
.........................++++++
e is 65537 (0x10001)
Enter pass phrase: //密码。
Verifying - Enter pass phrase: //确认密码和上面相同。
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key links.key -x509 -days 365 -out lis.crt -set_serial 0
Enter pass phrase for httpd.key: //httpd.key 文件密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:GB
State or Province Name (full name) [Berkshire]:JIANGSU
Locality Name (eg, city) [Newbury]:XUZHOU
Organization Name (eg, company) [My Company Ltd]:QINGNIAO
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www.rhce.cn//真实域名
Email Address []:root@rhce.cn
------------------------------------------------------------------------------------
3、编辑配置文件:/etc/http/conf .d/ssl.conf
×××和密钥文件的路径为我们创建的证书和密钥的所在位置。
------------------------------------------------------------------------------------
[root@rhce certs]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/certs/httpd.key
SSLCertificateFile /etc/pki/tls/certs/httpd.crt
SSLCertificateKeyFile /etc/pki/tls/certs/httpd.key
------------------------------------------------------------------------------------
4、重新启动httpd服务。
------------------------------------------------------------------------------------
[root@rhce certs]# service httpd restart
停止 httpd: [确定]
启动 httpd:Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
停止 httpd: [确定]
启动 httpd:Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server rhce.cn:443 (RSA)
Enter pass phrase: //输入我们创建证书和密钥时的密码。
Enter pass phrase: //输入我们创建证书和密钥时的密码。
OK: Pass Phrase Dialog successful.
[确定]
[确定]
------------------------------------------------------------------------------------
5、测试。(https基于443端口,注意防火墙要开通此端口)
提示通过安全检查
提示下载证书,点是就可正常查看网页了。
