Install and configure SSL on the CentOS Server

Install and configure SSL on the CentOS Server

Https is a secure access method. Data is encrypted during transmission, and https is based on ssl.

1. Install the apache and ssl modules
1. install apache

#yum install httpd

2. Install the ssl module

#yum install mod_ssl

Restart apache:

#service httpd restart

After mod_ssl is installed, a default SSL certificate is created, which is located at/etc/pki/tls. Now you can access the server through https:

Https://X.X.X.X/

If you do not use the default certificate, you can also use openssl to manually create a certificate.

Ii. manually create a certificate using openssl
1. Install openssl

#yum install openssl

2. Generate the server Private Key

#cd /etc/pki/tls
#openssl genrsa -out server.key 1024

Note: server. key is the private key.

3. Use the private key server. key File to generate the csr file of the certificate request.

#openssl req -new -key server.key -out server.csr

Note: server. csr is the certificate request file.

In this step, enter some Certificate Information:
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: shanghai
Locality Name (eg, city) [Default City]: shanghai
Organization Name (eg, company) [Default Company Ltd]: ccc
Organizational Unit Name (eg, section) []: bbb
Common Name (eg, your name or your server's hostname) []: www.test.com
Email Address []: a@a.com

Enter the country, province, city, company, department, name, server name, and email address. Then, you need to enter a challengepassword (password). You do not need to enter the password, and press enter directly.

4. Generate a digital signature crt file (Certificate file)

#openssl x509 -days 365 -req -in server.csr -signkey server.key -outserver.crt

Sign the certificate request file with the private key. Both the certificate applicant and the issuing authority are themselves.

5. Edit the ssl configuration file of apache

vim/etc/httpd/conf.d/ssl.conf

The configuration of the/etc/httpd/conf. d/ssl. conf file is as follows:

<VirtualHost _ default _: 443>

DocumentRoot "/var/www/https" // sets the webpage storage directory

ServerName *: 443 // server port

DirectoryIndex index.html. var // homepage name

SSLEngine on

SSLCertificateFile/etc/pki/tls/server. crt // Certificate

SSLCertificateKeyFile/etc/pki/tls/server. key // Private key

</VirtualHost>
6. Restart apache
#servicehttpd restart
Access https: // ip/to view the certificate information.

Because it is not a certificate issued by a third-party Root Certificate Authority, but a self-issued certificate, the browser will prompt that the security certificate is untrusted.

!!! Note: The File Permission of index.html on the first page is 755. Otherwise, the following message is displayed:

Forbidden

Youdon't have permission to access/main.html on this server.

Solution: Modify the ACL of index.html on the first page.

# Chmod755 index.html

Additional instructions on openssl commands:

# Openssl [operation]-outfilename [bits]

Parameter description:

[Operation] There are two main operations:

Create an RSA-encrypted Public key

Req: Create a credential file or a credential file.

-Out, followed by the output file name, that is, the key name

Bits, used for the length of the genrsa-encrypted Public Key

-X509, X.509, and CertificateData Management: A verification Management method.

For example, create a Public Key with a length of 1024bits. Pay attention to the file name.

# Opensslgenrsa-out Server. key 1024

Certificate generation Request command:

# Opensslreq-new-keyfile. key-out file. csr-config/path/to/openssl. cnf

-Config: Specifies the path of the openssl configuration file. If this parameter is not specified, the default path in Unix format is/usr/local/ssl/openssl. cnf by default.

Example :#openssl req -new -key server.key -outserver.csr