Install and configure SSL on the CentOS Server
HTTPS is a secure access method: data is encrypted while in transit, and HTTPS is built on SSL.
I. Install Apache and the SSL module
1. Install Apache
#yum install httpd
2. Install the SSL module
#yum install mod_ssl
Restart Apache:
#service httpd restart
After mod_ssl is installed, a default SSL certificate is created under /etc/pki/tls. The server can now be reached over HTTPS:
https://X.X.X.X/
If you do not want to use the default certificate, you can also create a certificate manually with openssl.
II. Manually create a certificate using openssl
1. Install openssl
#yum install openssl
2. Generate the server private key
#cd /etc/pki/tls
#openssl genrsa -out server.key 1024
Note: server.key is the private key.
3. Use the private key file server.key to generate the certificate signing request (csr) file
#openssl req -new -key server.key -out server.csr
Note: server.csr is the certificate request file.
In this step, enter some Certificate Information:
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: shanghai
Locality Name (eg, city) [Default City]: shanghai
Organization Name (eg, company) [Default Company Ltd]: ccc
Organizational Unit Name (eg, section) []: bbb
Common Name (eg, your name or your server's hostname) []: www.test.com
Email Address []: a@a.com
Enter the country, province, city, company, department, common name (the server name) and email address. You are then asked for a challenge password; it is not required, so press Enter to leave it empty.
4. Generate the signed certificate (crt file)
#openssl x509 -days 365 -req -in server.csr -signkey server.key -out server.crt
This signs the certificate request with the server's own private key: the certificate applicant and the issuing authority are the same party, so the result is a self-signed certificate.
5. Edit the SSL configuration file of Apache
vim /etc/httpd/conf.d/ssl.conf
The relevant part of /etc/httpd/conf.d/ssl.conf is as follows (Apache only accepts comments on their own lines, so the annotations are placed above each directive):
<VirtualHost _default_:443>
# directory that holds the web pages
DocumentRoot "/var/www/https"
# server port
ServerName *:443
# home page name
DirectoryIndex index.html index.html.var
SSLEngine on
# certificate
SSLCertificateFile /etc/pki/tls/server.crt
# private key
SSLCertificateKeyFile /etc/pki/tls/server.key
</VirtualHost>
6. Restart Apache
#service httpd restart
Open https://ip/ in a browser to view the certificate information.
Because the certificate was issued by the server itself rather than by a third-party root certificate authority, the browser will warn that the security certificate is untrusted.
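The key, request and certificate steps above, run non-interactively and followed by the checks an administrator should make before editing ssl.conf, as an added example that is not part of the original tutorial. It writes to a temporary directory instead of /etc/pki/tls; the function names, the subject values and the key length passed when calling it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): steps 2-4 run without
# prompts, then the certificate is checked against the key before Apache is
# pointed at it. A temporary directory stands in for /etc/pki/tls and the
# subject fields are constructed values.
set -eu

# make_selfsigned DIR CN DAYS BITS
# Writes DIR/server.key, DIR/server.csr and DIR/server.crt, the same file
# names the tutorial uses.
make_selfsigned() {
  dir=$1 cn=$2 days=$3 bits=$4
  openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null
  # -subj answers the prompts of step 3 non-interactively; no challenge
  # password is set, matching the tutorial's advice to leave it empty.
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=CN/ST=shanghai/L=shanghai/O=ccc/OU=bbb/CN=$cn" 2>/dev/null
  # Step 4: sign the request with the same key (issuer == subject).
  openssl x509 -req -days "$days" -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_key CRT KEY: succeeds only if the public key embedded in the
# certificate is the public half of KEY. Apache refuses to start when
# SSLCertificateFile and SSLCertificateKeyFile do not belong together.
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

# cert_is_selfsigned CRT: the certificate verifies only against itself as
# the trust anchor, which is exactly why a browser reports it as untrusted.
cert_is_selfsigned() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_cn CRT: prints the Common Name; it must equal the host in the URL.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
```

Run it as, for example, `make_selfsigned /tmp/ssl www.test.com 365 2048 && cert_matches_key /tmp/ssl/server.crt /tmp/ssl/server.key`, then copy the files to the paths used in ssl.conf.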
!!! Note: the file permission of the home page index.html must be 755; otherwise the following message is displayed:
Forbidden
You don't have permission to access /main.html on this server.
Solution: change the permissions of the home page index.html.
# chmod 755 index.html
Additional notes on the openssl commands:
# openssl [operation] -out filename [bits]
Parameter description:
[operation] There are two main operations:
genrsa: generate an RSA key
req: create a certificate request file or a certificate file
-out: followed by the output file name, i.e. the name of the key file
bits: the key length used by genrsa
x509: X.509 certificate data management (display, sign and verify certificates)
For example, to create a key with a length of 1024 bits (note the file name):
# openssl genrsa -out server.key 1024
Certificate request command:
# openssl req -new -key file.key -out file.csr -config /path/to/openssl.cnf
-config: specifies the path of the openssl configuration file. If this parameter is omitted, the default path on Unix is /usr/local/ssl/openssl.cnf.
Example: #openssl req -new -key server.key -out server.csr