neversoft posted on 2018-11-20 13:48:37

Apache SSL configuration

  Environment for this walkthrough: the CA and Apache run on the same host.
  First make this host the CA server:
  # yum -y install openssl openssl-devel
  # vi /etc/pki/tls/openssl.cnf
  [ CA_default ]
  dir = ../../CA
  change to:
  [ CA_default ]
  dir = /etc/pki/CA
  To avoid retyping the same answers later, you can also pre-fill the fields under [ req_distinguished_name ] (Country, State, Organization and so on) with your own values; the details are not covered here.
  :wq
  # cd /etc/pki/CA
  # mkdir -p certs newcerts crl private   ## private/ holds the CA key (it usually already exists on CentOS)
  # touch index.txt
  # echo 00 > serial
  # (umask 077; openssl genrsa -out private/cakey.pem 2048)   ## generate the CA's private key; umask 077 keeps it readable by root only
  # openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3657   ## generate the self-signed CA certificate
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) :
  State or Province Name (full name) :
  Locality Name (eg, city) :
  Organization Name (eg, company) :
  Organizational Unit Name (eg, section) :
  Common Name (eg, your name or your server's hostname) []:ca.text.com
  Email Address []:text@text.com
  Because openssl.cnf already supplies part of the DN, just press Enter through the fields above until Common Name (eg, your name or your server's hostname) []: (this is the CA's own name; pick whatever you like).
  The last field, Email Address, can also be anything you like.
  When everything is entered, the CA side is done; continue below.
  Building Apache from source with shared (dynamically loaded) modules:
  # tar -xf httpd-2.2.9.tar -C /usr/local/src/
  # cd /usr/local/src/httpd-2.2.9/
  # ./configure --prefix=/usr/local/apache2 --sysconfdir=/etc/httpd --with-z=/usr/local/zlib/ --with-included-apr --enable-so --enable-mods-shared=most
  # make && make install
  Configuring SSL in Apache:
  # rpm -qa | grep mod_ssl
  # yum -y install mod_ssl   ## if mod_ssl is not installed, install it with yum
  # rpm -ql mod_ssl   ## lists the files mod_ssl installed, including its configuration file /etc/httpd/conf.d/ssl.conf
  Note that the mod_ssl RPM is built for the distribution's httpd package and installs into that package's module directory. If you serve from the source build above instead, pass --enable-ssl to ./configure (with openssl-devel installed) so that mod_ssl is built together with httpd, rather than relying on the RPM.
  # cd /etc/httpd
  # mkdir ssl
  # cd ssl
  # (umask 077; openssl genrsa -out httpd.key 2048)   ## generate the server's private key (owner-only permissions)
  # openssl req -new -key httpd.key -out httpd.csr   ## generate the certificate signing request
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) :
  State or Province Name (full name) :
  Locality Name (eg, city) :
  Organization Name (eg, company) :
  Organizational Unit Name (eg, section) :
  ## With the default policy_match section in openssl.cnf, Country, State/Province and Organization must be identical to the CA certificate's, otherwise openssl ca refuses to sign (Locality and Organizational Unit are not compared). In this walkthrough everything runs on one host with the same openssl.cnf defaults, so just press Enter.
  Common Name (eg, your name or your server's hostname) []:text.bj.com   ## must be the hostname clients use to reach the site, not the CA name entered above. Chrome and other current clients ignore the Common Name and require the hostname in a subjectAltName extension as well; with the interactive openssl ca flow shown here that means adding a subjectAltName line to the extensions section named by x509_extensions in openssl.cnf before signing.
  Email Address []:httpd@text.com   ## anything you like
  # openssl ca -in httpd.csr -out httpd.crt -days 3657   ## have the CA sign the request: answer y twice and press Enter. Since the CA is on this host the CSR is signed in place; with a separate CA host, copy httpd.csr there, sign it, and copy httpd.crt back.
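The complete CA-plus-server-certificate flow above, as an added example that is not part of the original post: it reproduces the tutorial's openssl ca / policy_match steps in a temporary directory instead of /etc/pki/CA, runs non-interactively via -subj and -batch, adds the subjectAltName that the interactive steps leave out, and then shows both the checks a practitioner wants (the certificate chains to the CA and is valid for the hostname) and the failure the post warns about (a CSR whose Organization differs from the CA's is rejected by policy_match). The subject values C=CN, ST=Beijing, O=Text and the temp-directory layout are assumptions made for this example; ca.text.com and text.bj.com are the names used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: the tutorial's CA and signing
# steps in a temp dir (instead of /etc/pki/CA), driven by -subj and -batch.
# C=CN/ST=Beijing/O=Text are constructed values; the hostnames are the post's.
set -e

CADIR="${CADIR:-$(mktemp -d)}"

# Stand-in for the [ CA_default ] / policy_match sections of openssl.cnf.
write_ca_config() {
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CADIR
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
policy          = policy_match
# Stock policy: C, ST and O must equal the CA's; OU and email are optional.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ ca_ext ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints        = CA:FALSE
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
# Browsers match the hostname against SAN, not CN; the interactive steps omit it.
subjectAltName          = DNS:text.bj.com
[ req ]
distinguished_name      = req_dn
[ req_dn ]
EOF
}

# Same as the tutorial's mkdir / touch index.txt / echo > serial / genrsa / req -x509.
make_ca() {
    mkdir -p "$CADIR/newcerts" "$CADIR/private"
    chmod 700 "$CADIR/private"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    write_ca_config
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CADIR/ca.cnf" -extensions ca_ext -days 3650 \
        -key "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" \
        -subj "/C=CN/ST=Beijing/O=Text/CN=ca.text.com"
}

# make_csr NAME SUBJECT: server key + CSR, as in the /etc/httpd/ssl step.
make_csr() {
    (umask 077; openssl genrsa -out "$CADIR/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$CADIR/ca.cnf" -key "$CADIR/$1.key" \
        -out "$CADIR/$1.csr" -subj "$2"
}

# sign_csr NAME: openssl ca without prompts; fails when policy_match rejects the DN.
sign_csr() {
    openssl ca -batch -notext -config "$CADIR/ca.cnf" -extensions server_ext \
        -days 3650 -in "$CADIR/$1.csr" -out "$CADIR/$1.crt" 2>/dev/null
}

# verify_cert NAME HOSTNAME: does the cert chain to our CA and cover this host?
verify_cert() {
    openssl verify -CAfile "$CADIR/cacert.pem" -verify_hostname "$2" \
        "$CADIR/$1.crt" >/dev/null 2>&1
}

demo() {
    make_ca
    make_csr httpd "/C=CN/ST=Beijing/O=Text/CN=text.bj.com"
    sign_csr httpd
    verify_cert httpd text.bj.com && echo "httpd.crt: chains to cacert.pem, valid for text.bj.com"
    make_csr bad "/C=CN/ST=Beijing/O=Other/CN=text.bj.com"
    sign_csr bad || echo "bad.csr: rejected, organizationName differs from the CA's"
    echo "artifacts in $CADIR"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh ca-demo.sh run` (the file name is arbitrary) and it prints the directory holding cacert.pem, httpd.key and httpd.crt, which can be pointed at from SSLCertificateFile and SSLCertificateKeyFile for a test httpd. On a real /etc/pki/CA the equivalent of the server_ext section is adding a subjectAltName line to the extensions section named by x509_extensions in /etc/pki/tls/openssl.cnf.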
  # vi /etc/httpd/conf.d/ssl.conf
  Leave the default port 443 unchanged.
  Check that the following two lines are present and add them if they are not:
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
  
  Change the stock <VirtualHost _default_:443> line so that it names the web server's (or the virtual host's) IP address, i.e. <VirtualHost SERVER_IP:443> with your own address, and add the following two lines inside that block:
  ServerName text.bj.com   ## the hostname chosen for the certificate above
  DocumentRoot "/var/www/html"   ## site root; if you use a virtual host this must match the DocumentRoot defined for that host in the main Apache configuration
  Then make sure these three directives are set:
  SSLEngine on   ## must be on
  SSLCertificateFile /etc/httpd/ssl/httpd.crt   ## where the signed certificate lives
  SSLCertificateKeyFile /etc/httpd/ssl/httpd.key   ## where the private key lives
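A pre-restart check for the ssl.conf settings above, added here as an example and not part of the original post: it reads SSLEngine, SSLCertificateFile and SSLCertificateKeyFile from a conf file, confirms the key kept the owner-only mode that the umask 077 step gave it, and confirms the key actually belongs to the certificate (the usual reason httpd refuses to start after a certificate is reissued). The conf file path and the accepted key modes (600 or 400) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: static checks on an Apache
# ssl.conf before restarting httpd. Paths are taken from the conf file given.
set -e

# conf_value FILE DIRECTIVE: first value of DIRECTIVE in FILE, quotes stripped.
conf_value() {
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# check_ssl_conf FILE: 0 if SSLEngine is on, cert and key are readable, the key
# is not group/world-readable, and the cert's public key equals the key's.
check_ssl_conf() {
    conf="$1"
    engine=$(conf_value "$conf" SSLEngine)
    crt=$(conf_value "$conf" SSLCertificateFile)
    key=$(conf_value "$conf" SSLCertificateKeyFile)

    [ "$engine" = on ] || { echo "SSLEngine is '$engine', expected on" >&2; return 1; }
    [ -r "$crt" ] || { echo "certificate $crt not readable" >&2; return 1; }
    [ -r "$key" ] || { echo "key $key not readable" >&2; return 1; }

    # The key was generated under umask 077; make sure nobody loosened it since.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        600|400) ;;
        *) echo "key $key has mode $mode, expected 600" >&2; return 1 ;;
    esac

    # Compare the SubjectPublicKeyInfo in the certificate with the key's own.
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt")
    key_pub=$(openssl pkey -pubout -in "$key")
    [ "$crt_pub" = "$key_pub" ] || { echo "$key does not match $crt" >&2; return 1; }
}

if [ $# -ge 1 ]; then check_ssl_conf "$1" && echo "$1: OK"; fi
```

Typical use is `sh check-ssl-conf.sh /etc/httpd/conf.d/ssl.conf && apachectl configtest` before restarting httpd; afterwards, confirm the chain from a client with `openssl s_client -connect text.bj.com:443 -servername text.bj.com -CAfile /etc/pki/CA/cacert.pem`, which should end with `Verify return code: 0 (ok)`.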
