Configure SSL under the CentOS server installation

HTTPS is a secure way of accessing data that is encrypted during transmission, HTTPS based on SSL .

First, installationApacheand theSSLModule
1, installationApache

#yum install httpd

2, installationSSLModule

#yum install mod_ssl

RestartApache:

#service httpd restart

Finished installingMod_sslwill create a defaultSSLcertificate, the path is located in/etc/pki/tls, you can now passHTTPSTo access the server:

https:// x . x . x . x /

If you do not use the default certificate, you can also use the OpenSSL Create the certificate manually.

II, using OpenSSL Create a certificate manually
1 , install openssl

# Yum install OpenSSL

2 , Generate server Private key

# Cd/etc/pki/tls
# OpenSSL genrsa-out server.key 1024x768

Span style= "COLOR: #2C2C29" > note: server.key is the private key.

3 , with the private key server.key file Generate certificate request file CSR

# OpenSSL req-new-key server.key-out SERVER.CSR

note: SERVER.CSR is the certificate request file.

This step requires you to enter some certificate information:
Country Name (2 letter code) [XX]:CN
State or province name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default company LTD]:CCC
Organizational Unit Name (eg, section) []:BBB
Common name (eg, your name or your server ' s hostname) []:www.test.com
Email Address []:[email protected]

Enter the country, province, city, company, department, name or server name, e-mail, and then ask for a Challengepassword (password), no input, followed by direct return.

4 , generating a digital signature CRT file (certificate file)

#openssl x509 -days 365 -req -in server.csr -signkey server.key -outserver.crt

Request a file with a private key signing certificate, and the certificate's applicant authority and authority are themselves.

5 , edit Apache of the SSL configuration file

vim/etc/httpd/conf.d/ssl.conf

The/etc/httpd/conf.d/ssl.conf file configuration is as follows:

<virtualhost _default_:443>

documentroot "/var/www/https"  // set up a Web page store directory

ServerName *:443  // Port of the server

directoryindex index.html Index.html.var // Home Name

Sslengine on

SSLCERTIFICATEFILE/ETC/PKI/TLS/SERVER.CRT  // Certificate

Sslcertificatekeyfile/etc/pki/tls/server.key  // private Key

</VirtualHost>
6 , restart Apache
#servicehttpd restart
Access https://ip/ , you can see the certificate information.

Because it is not a certificate issued by a third-party root certification authority, but a certificate issued by itself, the browser prompts the security certificate to be untrusted.

!!! Note: Home index.html The file permissions are 755 , otherwise the prompt will appear as above:

Forbidden

Youdon ' t has permission to access/main.html on the this server.

Workaround: Modify the home page index.html Read and Write permissions.

#Chmod755 index.html

Additional notes on the OpenSSL directive:

#openssl [operation]-out filename [bits]

Parameter description:

[Operation] The main operation has the following two:

Genrsa, establishing the RSA encryption public key

Req, create a credential request file or a voucher file

-out, followed by the output file name, that is the key name

Bits, the length of the public key that is encrypted with the Genrsa

-x509,x.509,certificatedata Management. A way to manage authentication

Example: Create a public Key with a length of 1024bits, and note the file name.

#openssl Genrsa-out Server.key 1024

Generate a Certificate request command:

#Openssl Req-new-key file.key-out file.csr-config/path/to/openssl.cnf

-config: Specifies the configuration file path for OpenSSL, which, when not specified, accesses the default path in UNIX format by default:/USR/LOCAL/SSL/OPENSSL.CNF.

Example:#openssl req -new -key server.key -outserver.csr

Configure SSL under the CentOS server installation