Configuring HTTPS on Apache with a Self-Signed Certificate on CentOS 6.9
Step 1: Check OpenSSL
openssl version -a
OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected by the Heartbleed bug (CVE-2014-0160). 1.0.1 through 1.0.1f are fixed by upgrading to OpenSSL 1.0.1g; 1.0.2-beta1 is fixed in 1.0.2-beta2.
If your OpenSSL is one of these versions, upgrade to a fixed version. One caveat for CentOS: the distribution ships OpenSSL 1.0.1e and backports security fixes without changing the version string, so "1.0.1e" in the output above does not by itself mean the host is vulnerable. Check the package changelog for the fix (rpm -q --changelog openssl | grep CVE-2014-0160) and run yum update openssl; the fixed CentOS 6 package still reports itself as 1.0.1e.
Step 2: Generate the certificate
Tool: OpenSSL
2.1 Create the private key
openssl genrsa -aes256 -out server.key 2048
Output:
Generating RSA private key, 2048 bit long modulus
..........................................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
// enter a passphrase
Verifying - Enter pass phrase for server.key:
// enter the same passphrase again
To remove the passphrase: openssl rsa -in server.key -out server.key
Whether to remove it is a trade-off. With a passphrase-protected key, httpd asks for the passphrase on every start and restart (including a kill -HUP), which breaks unattended reboots; with the passphrase removed, the key sits unencrypted on disk and must therefore be readable by root only (chmod 600 server.key). The passphrase prompts shown in 2.2 and 2.3 below appear only if you kept the passphrase.
2.2 Generate the certificate signing request (CSR)
openssl req -new -key server.key -out server.csr
Output:
Enter pass phrase for server.key:
// enter the passphrase (only asked if you kept it in 2.1)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XDIANNAO.COM
Organizational Unit Name (eg, section) []:XDIANNAO
Common Name (e.g. server FQDN or YOUR name) []:test.xdiannao.com
Email Address []:your email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The Common Name must be the exact hostname users will type into the browser (DNS names are case-insensitive, so test.xdiannao.com and TEST.XDIANNAO.COM are equivalent). Leave the challenge password and the optional company name blank; neither is used here. Note that a CSR produced with the default openssl.cnf carries no subjectAltName, and current browsers (Chrome since version 58) ignore the Common Name and match the hostname against the subjectAltName only, so a certificate made from this CSR as-is is reported as a hostname mismatch even after the user has trusted it. The SAN has to be supplied through an OpenSSL config section, since OpenSSL 1.0.1 has no -addext option.
2.3 Generate the certificate
Run:
openssl x509 -in server.csr -out server.crt -req -sha256 -signkey server.key -days 3650
This signs the request with its own key, so the certificate is its own issuer; that is what "self-signed" means and why browsers warn until the certificate is explicitly trusted. -sha256 is specified because the default digest in OpenSSL 1.0.x is SHA-1, which browsers have deprecated.
Output:
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=XDIANNAO.COM/OU=XDIANNAO/CN=test.xdiannao.com/emailAddress=your email address
Getting Private key
Enter pass phrase for server.key:
// enter the passphrase (only if you kept it)
Check the result
After these steps you should have three files:
server.key: the private key; keep it root-owned with mode 0600
server.csr: the signing request; Apache does not use it, but keep it if you later want a CA to issue a certificate for the same key
server.crt: the self-signed certificate
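The whole of Step 2 as one script, added here as an example (it is not code from the original page): it produces the key, CSR and self-signed certificate in the same three steps as 2.1 to 2.3, but adds the subjectAltName browsers require, signs with SHA-256, and then checks that the key and certificate actually belong together. The hostname and DN values are the page's; the output directory is whatever the caller passes; the function and file names are this example's own. It targets OpenSSL 1.0.1 as shipped with CentOS 6, which has no -addext option, so the SAN is supplied through a config file.

```bash
#!/bin/sh
# Added example: Step 2 of the tutorial as functions, with a subjectAltName
# and a key/certificate consistency check. Hostname test.xdiannao.com and the
# DN fields are taken from the page; everything else here is an assumption.

# Write a minimal openssl.cnf for a server certificate for hostname $2 at path $1.
write_openssl_cnf() {
  cnf="$1"
  cn="$2"
  cat > "$cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
req_extensions     = v3_req
x509_extensions    = v3_req

[ dn ]
C  = CN
ST = Beijing
L  = Beijing
O  = XDIANNAO.COM
OU = XDIANNAO
CN = $cn

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = $cn
EOF
}

# Key, CSR and self-signed certificate into directory $1 for hostname $2.
# The key is written unencrypted (Apache must start unattended) under umask 077,
# so it is mode 0600 from the first byte; -extfile/-extensions copy the SAN
# from the config into the certificate, which plain "x509 -req" would not do.
gen_selfsigned() {
  dir="$1"
  cn="$2"
  mkdir -p "$dir"
  write_openssl_cnf "$dir/openssl.cnf" "$cn"
  ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
  openssl req -new -sha256 -config "$dir/openssl.cnf" \
    -key "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" \
    -signkey "$dir/server.key" -extfile "$dir/openssl.cnf" -extensions v3_req \
    -out "$dir/server.crt" 2>/dev/null
}

# A certificate is only usable with the key it was made from: compare the RSA
# moduli of key $1 and certificate $2 (hashed, so the output is short).
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5)
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl md5)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does certificate $1 list hostname $2 in its subjectAltName?
cert_has_san() {
  openssl x509 -noout -text -in "$1" | grep -qF "DNS:$2"
}

# After Step 3: what the live server on host $1, port $2 really presents
# (needs network access; not exercised here).
show_live_cert() {
  echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Usage: sh gen-cert.sh /etc/httpd/conf/ssl test.xdiannao.com  (run as root)
if [ "$#" -ge 2 ]; then
  gen_selfsigned "$1" "$2"
  key_matches_cert "$1/server.key" "$1/server.crt" && echo "key and certificate match"
  cert_has_san "$1/server.crt" "$2" && echo "subjectAltName present for $2"
fi
```

The script name gen-cert.sh is an assumption. Once the server from Step 3 is running, show_live_cert test.xdiannao.com 8099 prints the subject, issuer and validity dates clients actually receive, which is the quickest way to notice that httpd is still serving the distribution's placeholder certificate because a path in ssl.conf was not changed.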
Step 3: Configure HTTPS in Apache
The SSL module must be installed first; without it HTTPS cannot be enabled.
3.1 Install the SSL module
yum install mod_ssl
3.2 Create the certificate directory and upload the certificates
The directory /etc/httpd/conf/ssl does not exist by default, so create it before moving the files in. Then upload the certificate and key:
mv ~/tmp/cert/server.crt /etc/httpd/conf/ssl/
mv ~/tmp/cert/server.key /etc/httpd/conf/ssl/
cd /etc/httpd/conf/ssl
ls
# check that both files are in the directory; server.key should be owned by root with mode 0600 (httpd reads the key as root during startup, before dropping to the apache user, so nothing else needs access to it)
3.3 Edit the configuration file
After installation, the file ssl.conf should exist in /etc/httpd/conf.d. It already defines a <VirtualHost _default_:443> block that points at the distribution's placeholder certificate (/etc/pki/tls/certs/localhost.crt); change its two certificate directives to the files uploaded above. While in this file, also check the SSLProtocol line: if it reads "SSLProtocol all -SSLv2", change it to "SSLProtocol all -SSLv2 -SSLv3", since SSLv3 is broken (POODLE) and no current browser needs it.
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/conf/ssl/server.crt
# point SSLCertificateFile at the certificate in the directory created above
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
# point SSLCertificateKeyFile at the key in the same directory
3.4 Configure VirtualHosts to enable HTTPS
Apache only accepts connections on ports named in a Listen directive. ssl.conf supplies Listen 443; for the ports below, add Listen 8090 and Listen 8099 (once each, a duplicate Listen is a startup error) to httpd.conf, otherwise these vhosts never receive traffic.
# HTTP site, listening on port 8090, reached as test.xdiannao.com or by IP
<VirtualHost *:8090>
ServerAdmin email address
# site directory
DocumentRoot /var/www/html/<path>
# site hostname
ServerName test.xdiannao.com
# additional hostnames: ServerAlias needs at least one argument and an empty one is a syntax error, so either add a name or leave the line commented out
#ServerAlias
# error log
ErrorLog logs/test_xdiannao_com-error_log
# access log
CustomLog logs/test_xdiannao_com-access_log common
</VirtualHost>
# HTTPS site, listening on port 8099
<VirtualHost *:8099>
SSLEngine on
# certificate
SSLCertificateFile /etc/httpd/conf/ssl/server.crt
# private key
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
<Directory /var/www/html/<path>>
AllowOverride All
</Directory>
ServerAdmin email@example.com
DocumentRoot /var/www/html/<path>
ServerName test.xdiannao.com
</VirtualHost>
The SSLProtocol and SSLCipherSuite lines in ssl.conf sit inside its _default_:443 block and do not apply to this vhost, which therefore falls back to mod_ssl's built-in default and accepts SSLv3. Put SSLProtocol all -SSLv2 -SSLv3 inside the *:8099 block as well.
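The two vhosts from 3.4, rewritten as an added example (this is not the page's own configuration): the missing Listen directives, the HTTP-to-HTTPS redirect, and explicit protocol and cipher settings are added, and the empty ServerAlias is gone. Hostname, ports and file paths are the page's; /var/www/html/PATH stands for the page's site-directory placeholder; the log file names for the HTTPS site are this example's own.

```apache
# Added example, not the page's configuration. Apache binds only the ports
# named in Listen directives; ssl.conf already provides "Listen 443", so add
# these two exactly once (a duplicate Listen is a startup error).
Listen 8090
Listen 8099

# Plain-HTTP vhost: serves nothing itself, it only sends clients to HTTPS.
<VirtualHost *:8090>
    ServerName test.xdiannao.com
    Redirect permanent / https://test.xdiannao.com:8099/
    ErrorLog  logs/test_xdiannao_com-error_log
    CustomLog logs/test_xdiannao_com-access_log common
</VirtualHost>

<VirtualHost *:8099>
    ServerName   test.xdiannao.com
    ServerAdmin  email@example.com
    DocumentRoot /var/www/html/PATH

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key

    # The settings in ssl.conf's _default_:443 block do not reach this vhost,
    # so state them here: no SSLv2/SSLv3 (POODLE), server picks the cipher,
    # no anonymous, MD5, RC4 or 3DES suites.
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES

    # Enable HSTS only once clients trust this certificate: with an untrusted
    # self-signed cert, HSTS makes browsers refuse to let users click through.
    # Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /var/www/html/PATH>
        # The page used AllowOverride All; .htaccess files in a tree the web
        # application can write to are an easy privilege gain, so prefer None
        # unless an application actually needs them.
        AllowOverride None
        Options -Indexes
    </Directory>

    ErrorLog  logs/test_xdiannao_com-ssl_error_log
    CustomLog logs/test_xdiannao_com-ssl_access_log common
</VirtualHost>
```

Run service httpd configtest before restarting: it catches the duplicate-Listen, empty-ServerAlias and wrong-path mistakes at parse time instead of leaving the server down after the restart in 3.6.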
3.5 Open the port in the firewall
vi /etc/sysconfig/iptables
# press i to edit
# add the line below to the INPUT chain. Order matters: iptables evaluates rules top to bottom, and the stock CentOS 6 ruleset ends the INPUT chain with "-A INPUT -j REJECT --reject-with icmp-host-prohibited", so the ACCEPT must be placed above that REJECT line (for example right after the existing --dport 22 rule); appended below it, it is never reached. Add a matching line for 8090 if the HTTP site should be reachable too.
-A INPUT -p tcp --dport 8099 -j ACCEPT
# save: press Esc, then
:wq
service iptables restart
3.6 Restart Apache to enable HTTPS
service httpd restart
Test whether HTTPS works
Open https://<hostname>:8099 in a browser. Because the certificate is self-signed, the browser warns that the issuer is untrusted; that is expected. Open the certificate details to confirm that the hostname, Common Name/subjectAltName and validity dates are the ones set in Step 2 and not those of the distribution's placeholder certificate. If httpd starts but nothing answers on 8099, check /var/log/httpd/error_log: on CentOS 6 with SELinux enforcing, httpd may only bind ports labelled http_port_t (80, 443, 8008, 8009, 8443 and a few others), and neither 8090 nor 8099 is among them, so the bind fails with "Permission denied" until the port is added with semanage port -a -t http_port_t -p tcp 8099 (semanage comes from the policycoreutils-python package).
Copyright © 艾克斯记事. Please credit the source (with a link) when reposting this article.