1. Install mod_ssl (online, via yum)
yum -y install mod_ssl
Check that OpenSSL is installed:
rpm -qa | grep openssl
2. Generate the server private key
openssl genrsa -out server.key 1024
(1024-bit RSA is below current minimums; use 2048 bits or more for anything other than a throwaway lab setup.)
3. Generate a certificate signing request (CSR) for that key (the CSR carries the server's public key and subject)
openssl req -new -key server.key -out server.csr
4. Generate a self-signed server certificate from the CSR, signed with the same key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
5. Edit the SSL configuration file
/etc/httpd/conf.d/ssl.conf
The file below is the stock ssl.conf shipped with mod_ssl, with the mod_jk lines, the ServerName, and the server.crt/server.key paths added. Note that its SSLProtocol and SSLCipherSuite lines still permit SSLv3, TLS 1.0 and RC4/LOW ciphers, all of which are now considered broken and should be removed on any current deployment.
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an HTTPS connection. For detailed information on these
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#

LoadModule ssl_module modules/mod_ssl.so
LoadModule jk_module modules/mod_jk.so
JkWorkersFile "conf/workers.properties"
JkLogFile "logs/mod_jk.log"

#
# When we also provide SSL we have to listen to the
# HTTPS port in addition.
#
Listen 443

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is an internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex default

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
#SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443
JkMount /* tomcat1
ServerName 192.168.1.134:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
#   List the enabled protocol levels with which clients will be able to
#   connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  A new
#   certificate can be generated using the genkey(1) command.
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
6. Restart httpd
service httpd restart
Note: the SSLCertificateFile and SSLCertificateKeyFile paths in ssl.conf must point at where server.crt and server.key were actually placed, and server.crt must have been signed with that same server.key; otherwise httpd fails to start with a certificate/key mismatch in ssl_error_log.
Enabling HTTPS under Linux
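The whole procedure above (key, CSR, self-signed certificate, and the key/certificate consistency check behind the note) as one added shell example; this is not code from the original page. It uses a 2048-bit key instead of the 1024-bit one in step 2, and the subject fields, the target directory, and the function names gen_selfsigned, key_matches_cert and cert_key_bits are assumptions:

```shell
#!/bin/sh
# Added example, not from the original page. Generates server.key/server.csr/
# server.crt in a directory and verifies the pair before ssl.conf points at it.
set -e

# Generate a 2048-bit RSA key (assumed minimum; 1024-bit is too weak), a CSR
# with an assumed subject, and a self-signed certificate valid for 365 days.
gen_selfsigned() {
    dir="$1"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"   # the key must not be world-readable
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=State/L=City/O=Example Org/CN=192.168.1.134"
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Return 0 only if the certificate's public key belongs to the private key.
# Comparing the RSA modulus of both is the standard check for the mismatch
# that otherwise surfaces as an httpd start-up failure.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$k" = "$c" ]
}

# Print the RSA key size (in bits) embedded in a certificate, so a leftover
# 1024-bit certificate is caught before deployment.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: sh gen_ssl.sh /etc/httpd/conf
if [ -n "$1" ]; then
    gen_selfsigned "$1"
    if key_matches_cert "$1/server.key" "$1/server.crt"; then
        echo "server.key and server.crt match ($(cert_key_bits "$1/server.crt")-bit RSA)"
    else
        echo "server.key and server.crt do NOT match" >&2
        exit 1
    fi
fi
```

Run it with the directory named in ssl.conf as the argument; the modulus comparison is also a quick diagnosis when httpd refuses to start after a certificate swap.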