Configuring HTTPS on Apache with a Self-Signed Certificate on CentOS 6.9


Step 1: Check OpenSSL

openssl version -a

The affected versions are OpenSSL 1.0.1, 1.0.2-beta, 1.0.1f and 1.0.2-beta1, among others. 1.0.1 and 1.0.1f are fixed by upgrading to OpenSSL 1.0.1g; 1.0.2-beta and 1.0.2-beta1 will be fixed in OpenSSL 1.0.2-beta2.

If your OpenSSL is one of the versions above, upgrade to a patched version before continuing.

Step 2: Generate the certificate

Tool used: OpenSSL

2.1 Create the private key

openssl genrsa -aes256 -out server.key 2048

Result:

Generating RSA private key, 2048 bit long modulus
..........+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
// enter a passphrase
Verifying - Enter pass phrase for server.key:
// enter the passphrase again

Remove the passphrase (otherwise httpd asks for it on every start; the passphrase prompts shown later in this guide only appear if you skip this step):
openssl rsa -in server.key -out server.key

2.2 Generate the certificate signing request (CSR)

openssl req -new -key server.key -out server.csr

Result:

Enter pass phrase for server.key:
// enter the passphrase
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----
Country Name (2 letter code) [AU]:CN 
State or Province Name (full name) [Some-State]:Beijing 
Locality Name (eg, city) []:Beijing 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XDIANNAO.COM
Organizational Unit Name (eg, section) []:XDIANNAO     
Common Name (e.g. server FQDN or YOUR name) []:TEST.XDIANNAO.COM 
Email Address []:<your email address>
Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []:

2.3 Generate the certificate

Run:

openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650

Result:

Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=XDIANNAO.COM/OU=XDIANNAO/CN=test.xdiannao.com/emailAddress=<your email address>
Getting Private key
Enter pass phrase for server.key:
// enter the passphrase

Check the result

After the steps above you should have three files: server.crt, server.csr and server.key.
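The same three commands as a non-interactive script, followed by the check a practitioner wants before handing the files to Apache: that the key and certificate share one RSA modulus, that the certificate is not about to expire, and that the hostname is present. This is an added example, not code from the original post; the function names, the output directory and the subjectAltName extension (which the interactive steps do not add, but which browsers now require) are my own additions.

```shell
#!/bin/sh
# Added example: non-interactive version of steps 2.1-2.3 plus sanity checks.
# Assumed names: make_self_signed, check_cert_key_pair (not from the guide).

# Generate server.key / server.csr / server.crt in directory $1 for hostname $2
# without any prompts, and add a subjectAltName for that hostname.
make_self_signed() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    # 2.1: private key. -aes256 is omitted so httpd can start unattended,
    # which is what the guide's "remove the passphrase" step achieves.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"   # only the owner may read the private key
    # 2.2: CSR with the DN given on the command line instead of via prompts
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=XDIANNAO.COM/OU=XDIANNAO/CN=$cn" 2>/dev/null
    # 2.3: self-sign for 10 years, adding the SAN extension from a small ext file
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -days 3650 -extfile "$dir/san.ext" 2>/dev/null
}

# Return 0 only if the certificate and key belong together (same modulus),
# the certificate is still valid in 24 hours, and hostname $2 is in the SAN.
# A mismatched pair is the usual reason "service httpd restart" fails.
check_cert_key_pair() {
    dir=$1
    cn=$2
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key")
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ] || return 1
    # -checkend N exits non-zero if the certificate expires within N seconds
    openssl x509 -noout -checkend 86400 -in "$dir/server.crt" >/dev/null || return 1
    openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$cn"
}
```

Run `make_self_signed /tmp/cert test.xdiannao.com && check_cert_key_pair /tmp/cert test.xdiannao.com` and copy the files into /etc/httpd/conf/ssl/ only when the check succeeds.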

Step 3: Configure Apache for HTTPS

The ssl module must be installed first; without it HTTPS cannot be enabled.

3.1 Install the ssl module

yum install mod_ssl

3.2 Create the ssl certificate directory and upload the certificate

Upload the certificate and key:

mkdir -p /etc/httpd/conf/ssl
mv ~/tmp/cert/server.crt /etc/httpd/conf/ssl/
mv ~/tmp/cert/server.key /etc/httpd/conf/ssl/
cd /etc/httpd/conf/ssl
chmod 600 server.key
# restrict the private key to root, then check that both files arrived in the directory
ls

3.3 Edit the configuration file

After installation, the file ssl.conf should exist under /etc/httpd/conf.d:

#   Server Certificate: 
# Point SSLCertificateFile at a PEM encoded certificate.  If 
# the certificate is encrypted, then you will be prompted for a 
# pass phrase.  Note that a kill -HUP will prompt again.  A new 
# certificate can be generated using the genkey(1) command. 
SSLCertificateFile /etc/httpd/conf/ssl/server.crt
# change the SSLCertificateFile path to the certificate directory created above

#   Server Private Key: 
#   If the key is not combined with the certificate, use this 
#   directive to point at the key file.  Keep in mind that if 
#   you've both a RSA and a DSA private key you can configure 
#   both in parallel (to also allow the use of DSA ciphers, etc.) 
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key 
# change the SSLCertificateKeyFile path to the certificate directory created above

3.4 Configure the VirtualHosts to enable HTTPS

# Ports used by the two virtual hosts. Without these Listen directives httpd
# never binds them (ssl.conf only adds Listen 443 by default). Replace SITEDIR
# with your site directory.
Listen 8090
Listen 8099 https

# HTTP service on port 8090, reached as TEST.XDIANNAO.COM or by IP address
<VirtualHost *:8090>
    ServerAdmin <email address>
    # site directory
    DocumentRoot /var/www/html/SITEDIR
    # site domain
    ServerName test.xdiannao.com
    # second domain, if any (ServerAlias needs at least one name, so leave it commented out otherwise)
    #ServerAlias <second domain>
    # error log
    ErrorLog logs/test_xdiannao_com-error_log
    # access log
    CustomLog logs/test_xdiannao_com-access_log common
</VirtualHost>

# HTTPS service on port 8099
<VirtualHost *:8099>
    SSLEngine on
    # certificate path
    SSLCertificateFile /etc/httpd/conf/ssl/server.crt
    # private key path
    SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
    <Directory /var/www/html/SITEDIR>
        AllowOverride All
    </Directory>
    ServerAdmin email@example.com
    DocumentRoot /var/www/html/SITEDIR
    ServerName test.xdiannao.com
</VirtualHost>

3.5 Open the port in the firewall

vi /etc/sysconfig/iptables
# press i to edit
# add the following line to the file, above the final REJECT rule (a rule placed after it is never reached);
# the HTTP host on port 8090 needs the same kind of rule if it should be reachable too
-A INPUT -p tcp --dport 8099 -j ACCEPT
# save: press ESC, then
:wq
service iptables restart

3.6 Restart Apache to enable HTTPS

service httpd restart

Test whether HTTPS works

Open https://<domain>:8099 in a browser. Because the certificate is self-signed, the browser will warn that it is not trusted until you add an exception for it.

Copyright © 艾克斯记事. Please credit the source (with a link) when republishing this article.
