HTTPS is a secure way of accessing data in which the traffic is encrypted during transmission. HTTPS is based on SSL.
I, install Apache and the SSL module
1, install Apache
#yum install httpd
2, install the SSL module
#yum install mod_ssl
Restart Apache:
#service httpd restart
Once installed, mod_ssl creates a default SSL certificate under /etc/pki/tls, and you can now access the server over HTTPS:
https://x.x.x.x/
If you do not want to use the default certificate, you can also use OpenSSL to create a certificate manually.
II, use OpenSSL to create a certificate manually
1, install openssl
# yum install openssl
2, generate the server private key
# cd /etc/pki/tls
# openssl genrsa -out server.key 1024
Note: server.key is the private key.
3, use the private key file server.key to generate the certificate request file (CSR)
# openssl req -new -key server.key -out server.csr
Note: server.csr is the certificate request file.
This step requires you to enter some certificate information:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:CCC
Organizational Unit Name (eg, section) []:BBB
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:[email protected]
Enter the country, province, city, company, department, name or server name, and e-mail address in turn. You are then asked for a challenge password; enter nothing and just press Enter.
4, generate the digitally signed CRT file (certificate file)
# openssl x509 -days 365 -req -in server.csr -signkey server.key -out server.crt
This signs the certificate request file with the private key; the applicant and the issuing authority of the certificate are the same party, that is, the certificate is self-signed.
5, edit Apache's SSL configuration file
# vim /etc/httpd/conf.d/ssl.conf
The /etc/httpd/conf.d/ssl.conf file is configured as follows:
<VirtualHost _default_:443>
# Directory where the web pages are stored
DocumentRoot "/var/www/https"
# Port of the server
ServerName *:443
# Home page name
DirectoryIndex index.html index.html.var
SSLEngine on
# Certificate
SSLCertificateFile /etc/pki/tls/server.crt
# Private key
SSLCertificateKeyFile /etc/pki/tls/server.key
</VirtualHost>
6, restart Apache
# service httpd restart
Access https://ip/ and you can see the certificate information.
Because the certificate is issued by yourself rather than by a third-party root certification authority, the browser warns that the security certificate is untrusted.
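The script below is an added example, not part of the original article: it replays steps 2 to 4 non-interactively and then checks the result before Apache is restarted (the certificate belongs to the key, subject equals issuer, the certificate has not expired, the key is not world-readable). The function names, the return codes, the -subj shortcut and the chmod 600 are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page). Function names, return codes,
# the -subj shortcut and the chmod 600 are assumptions of this illustration.

# Steps 2-4 of the page, non-interactive. BITS defaults to the page's 1024.
make_selfsigned() {   # usage: make_selfsigned DIR [BITS]
    d=$1; bits=${2:-1024}
    openssl genrsa -out "$d/server.key" "$bits" 2>/dev/null || return 1
    chmod 600 "$d/server.key"
    openssl req -new -key "$d/server.key" -out "$d/server.csr" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=CCC/OU=BBB/CN=www.test.com" || return 1
    openssl x509 -days 365 -req -in "$d/server.csr" \
        -signkey "$d/server.key" -out "$d/server.crt" 2>/dev/null
}

# Print the RSA key length in bits.
rsa_key_bits() {      # usage: rsa_key_bits KEY
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# usage: check_tls_pair KEY CERT
# 0 ok | 1 file does not parse | 2 key/cert mismatch | 3 not self-signed
# 4 certificate expired        | 5 key readable by "other"
check_tls_pair() {
    key=$1; cert=$2
    openssl rsa  -in "$key"  -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 1

    # Same RSA modulus on both sides means the certificate belongs to this key.
    km=$(openssl rsa  -in "$key"  -noout -modulus 2>/dev/null | openssl sha256)
    cm=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null | openssl sha256)
    [ "$km" = "$cm" ] || return 2

    # Self-signed: the applicant (subject) and the issuer are the same name.
    s=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$cert" -noout -issuer  | sed 's/^issuer= *//')
    [ "$s" = "$i" ] || return 3

    # -checkend 0 fails once the notAfter date has passed.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || return 4

    # The private key should not be world-readable.
    [ -z "$(find "$key" -prune -perm -004)" ] || return 5
    return 0
}
```

rsa_key_bits reports the key length of an existing server.key; the article's commands generate 1024 bits, and `make_selfsigned DIR 2048` produces the 2048-bit size that public certification authorities require as a minimum.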
!!! Note: the home page file index.html must have permissions 755, otherwise the following prompt appears:
Forbidden
You don't have permission to access /main.html on this server.
Workaround: modify the read and write permissions of the home page index.html.
# chmod 755 index.html
Additional notes on the openssl command:
# openssl [operation] -out filename [bits]
Parameter description:
[operation] The main operations are the following two:
genrsa, creates the RSA encryption public key
req, creates a certificate request file or a certificate file
-out, followed by the output file name, that is, the key file name
bits, the length of the public key generated with genrsa
-x509, X.509 Certificate Data Management, a way of managing authentication
Example: create a public key with a length of 1024 bits, and note the file name.
# openssl genrsa -out server.key 1024
Command to generate a certificate request:
# openssl req -new -key file.key -out file.csr -config /path/to/openssl.cnf
-config: specifies the path of the OpenSSL configuration file; when it is not given, the default path in UNIX format is used: /usr/local/ssl/openssl.cnf.
Example: # openssl req -new -key server.key -out server.csr
Configure SSL under the CentOS server installation