Prerequisite: the CA and Apache run on the same host.
First, set up the local machine as the CA server:
[root@host ~]# yum -y install openssl-devel
[root@host ~]# vi /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = ../../CA
Change it to:
[ CA_default ]
dir = /etc/pki/CA
To avoid typing the same answers over and over, you can pre-define the defaults for the fields under [ req_distinguished_name ] here; afterwards you only need to fill in what differs.
:wq
[root@host ~]# cd /etc/pki/CA
[root@host CA]# mkdir certs newcerts crl
[root@host CA]# touch index.txt
[root@host CA]# echo 00 > serial
[root@host CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)   # generate the CA private key (umask 077 keeps it readable by root only)
[root@host CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3657   # generate the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Haidian]:
Organization Name (eg, company) [text]:
Organizational Unit Name (eg, section) [Dev]:
Common Name (eg, your name or your server's hostname) []:ca.text.com
Email Address []:[email protected]
Because openssl.cnf already defines the defaults, just press Enter until you reach Common Name (eg, your name or your server's hostname) []: this is the name of the CA service and can be anything you choose.
The final Email Address can also be whatever you choose.
Once the steps above are done, the CA server is ready. Continue as follows.
Compile and install Apache with dynamically loaded modules:
[root@host CA]# tar -xf httpd-2.2.9.tar -C /usr/local/src/
[root@host CA]# cd /usr/local/src/httpd-2.2.9/
[root@host httpd-2.2.9]# ./configure --prefix=/usr/local/apache2 --sysconfdir=/etc/httpd --with-z=/usr/local/zlib/ --with-included-apr --enable-so --enable-mods-shared=most
[root@host httpd-2.2.9]# make; make install
Configure SSL for Apache:
[root@host CA]# rpm -qa | grep mod_ssl   # check whether mod_ssl is already installed
[root@host CA]# yum -y install mod_ssl   # if mod_ssl is missing, install it directly with yum
[root@host CA]# rpm -ql mod_ssl   # show where mod_ssl placed its configuration file
[root@host CA]# cd /etc/httpd
[root@host httpd]# mkdir ssl
[root@host httpd]# cd ssl
[root@host ssl]# (umask 077; openssl genrsa -out httpd.key 2048)   # generate the server private key
[root@host ssl]# openssl req -new -key httpd.key -out httpd.csr   # generate a certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [Haidian]:
Organization Name (eg, company) [text]:
Organizational Unit Name (eg, section) [Dev]:
# The five fields above must match the CA's settings. In this walkthrough everything is on one host, so just press Enter.
Common Name (eg, your name or your server's hostname) []:text.bj.com   # must be the name clients use to reach the site, not the CA name set above
Email Address []:[email protected]   # your choice
[root@host ssl]# openssl ca -in httpd.csr -out httpd.crt -days 3657   # have the CA sign the request; answer y and press Enter twice. Because the CA and the web server are on one machine you can sign directly; on separate machines, copy the CSR to the CA server, sign it there, and copy the certificate back
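The CA setup and the signing step above, as an added shell example (not the post's own code): it reproduces the flow non-interactively in a scratch directory, then checks what a connecting client will check, that the server certificate chains to cacert.pem and carries the expected Common Name. It assumes openssl is on PATH; the minimal openssl.cnf, directory layout and DN values are constructed here from the post's settings, and the second issue_cert call shows the policy_match rejection behind the "fields must match the CA" remark.

```shell
set -eu  # added example (not the post's own code): the post's CA flow in a scratch dir
# make_ca DIR: dirs, index.txt, serial and the self-signed cacert.pem, with a minimal
# stand-in for /etc/pki/tls/openssl.cnf; dir=. because "openssl ca" is run inside DIR.
make_ca() {
  mkdir -p "$1/newcerts" "$1/private"
  touch "$1/index.txt"
  echo 01 > "$1/serial"
  cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca -days 3657 \
    -key "$1/private/cakey.pem" -out "$1/cacert.pem" -subj "/C=CN/ST=BJ/L=Haidian/O=text/OU=Dev/CN=ca.text.com"
}
# issue_cert DIR SUBJECT NAME: key + CSR + "openssl ca -batch" (the two y answers); returns
# non-zero when C/ST/O differ from the CA's, which is the policy_match rule the post alludes to.
issue_cert() {
  (umask 077; openssl genrsa -out "$1/$3.key" 2048 2>/dev/null)
  openssl req -new -config "$1/openssl.cnf" -key "$1/$3.key" -subj "$2" -out "$1/$3.csr"
  (cd "$1" && openssl ca -batch -config openssl.cnf -md sha256 -days 3657 \
     -in "$3.csr" -out "$3.crt")
}
# The client's view: does the cert chain to cacert.pem, and which CN does it present?
verify_chain() { openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1; }
cert_cn() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *CN=//; s/,.*//'; }
```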
[root@host ssl]# vi /etc/httpd/conf.d/ssl.conf
Leave the default port 443 unchanged.
Check that the following two lines are present:
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
<VirtualHost _default_:443>
Change it to:
<VirtualHost 192.168.1.99:443>   # IP address of the web server or of the web virtual host
Add the following two lines, and set the SSL directives below them:
ServerName text.bj.com   # the name defined above
DocumentRoot "/var/www/html"   # location of the site directory; if you use a virtual host, this must match the DocumentRoot of that virtual host in the Apache configuration file
SSLEngine on   # enable SSL
SSLCertificateFile /etc/httpd/ssl/httpd.crt   # certificate location
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key   # private key location
:wq
[root@host ssl]# echo text.bj.com > /var/www/html/index.html
[root@host ssl]# /etc/init.d/httpd start
[root@host ssl]# netstat -tnlp   # check that port 443 is listening
Open https://text.bj.com in a browser.
The browser warns "the security certificate for this website is untrusted".
Solution:
Copy /etc/pki/CA/cacert.pem to the client and install it (on a Windows PC, rename the file to a .crt suffix and double-click it).
This article is from the "mineral water" blog; please keep this source: http://guwenqiang.blog.51cto.com/5462040/1431571