Linux https SSL Certificate instance

Prerequisites: you must first install the apache service (yum install httpd) in Linux)

1. View and install SSL (the installation package name is mod_ssl)

 

[Root @ localhost ~] # Rpm-qi motd_ssl
Package motd_ssl is not installed

[Root @ localhost yum. repos. d] # yum install mod_ssl
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386. 2.3-31. el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

========================================================== ==================================
Package Arch Version Repository Size
========================================================== ==============================
Installing:
Mod_ssl i386. 2.3-31. el5 file 88 k

Transaction Summary
========================================================== ==========

Install 1 Package (s)
Update 0 Package (s)
Remove 0 Package (s)

Total download size: 88 k
Is this OK [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: Maid 1/1

Installed:
Mod_ssl.i386. 2.3-31. el5

Complete!

2. manually create keys and certificates
[Root @ localhost yum. repos. d] # cd/etc/pki/tls/certs/
[Root @ localhost certs] # pwd
/Etc/pki/tls/certs

[Root @ localhost certs] # make auth. key (create an SSL private key named auth)
Umask 77;
/Usr/bin/openssl genrsa-des3 1024> auth. key
Generating RSA private key, 1024 bit long modulus
..................................... ++
...
E is 65537 (0x10001)
Enter pass phrase:
Verifying-Enter pass phrase:

[Root @ localhost certs] # make auth. crt (create a certificate named auth)
Umask 77;
/Usr/bin/openssl req-new-key auth. key-x509-days 365-out auth. crt-set_serial 0
Enter pass phrase for auth. key: (Enter the private key password)
You are about to be asked to enter information that will be ininitialized
Into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter., the field will be left blank.
-----
Country Name (2 letter code) [GB]: CN (Country)
State or Province Name (full name) [Berkshire]: liaoning (region)
Locality Name (eg, city) [Newbury]: dalian (city)
Organization Name (eg, company) [My Company Ltd]: IBM (Organization Name)
Organizational Unit Name (eg, section) []: IBM (full Name)
Common Name (eg, your name or your servers hostname) []: WWW. IBM. COM (public Name)
Email Address []: (Email)

3. modify the configuration file www.linuxidc.com
[Root @ localhost certs] # cp auth. key/etc/pki/tls/private/(private key import)
[Root @ localhost certs] # vi/etc/httpd/conf. d/ssl. conf
Modify rows 112 and 119:

SSLCertificateFile/etc/pki/tls/certs/localhost. crt
==== "SSLCertificateFile/etc/pki/tls/certs/auth. crt
SSLCertificateKeyFile/etc/pki/tls/private/localhost. key
==== "SSLCertificateKeyFile/etc/pki/tls/private/auth. key
4. Restart the apache service.
[Root @ localhost certs] # service httpd restart
Stop httpd: [failed]
Start httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.

 

In order to read them you have to provide the pass phrases.

Server localhost. localdomain: 443 (RSA)
Enter pass phrase: (Enter the private key password)

OK: Pass Phrase Dialog successful.
[OK]

[Root @ localhost certs] # netstat-tunal | grep 443
Tcp 0 0: 443: * LISTEN

(Listening to all external ports to the local port 443 is normal, indicating that the startup is successful)

4. Access and test the webpage (https: // 172.18.4.88)

1. Add security exceptions and view the certificate (we found that the Certificate Authority has become IBM)
2. Open the test page. The default page is displayed normally.

 

Note: If you have certificate settings, you will be prompted to enter the password the next time you start the APACHE service automatically. Otherwise, it will stay on the Service Startup interface. So after the test is complete, it is best to change ssl. conf to the original default localhost

Above