Summary of https construction in linux
Last Update:2014-06-09
Source: Internet
Author: User
1. Set up the CA server

Install OpenSSL and edit the CA section of the OpenSSL configuration. Two things change: the CA working directory becomes /etc/pki/CA, and the [policy_match] section that `openssl ca` applies to incoming requests is relaxed, because by default the country, province and organisation in a request must match the CA's own certificate. The _default entries only pre-fill the prompts that `openssl req` asks.

    [root@zzu ~]# yum install openssl*
    [root@zzu ~]# cd /etc/pki/
    [root@zzu pki]# vim tls/openssl.cnf
      line 45    dir = /etc/pki/CA
      line 88    countryName = optional
      line 89    stateOrProvinceName = optional
      line 90    organizationName = optional
      line 136   countryName_default = CN
      line 141   stateOrProvinceName_default = beijing
      line 144   localityName_default = beijing

Create the three directories and the two bookkeeping files that `openssl ca` expects (index.txt is the database of issued certificates, serial holds the next serial number), then generate the CA private key and a self-signed CA certificate valid for ten years:

    [root@zzu pki]# cd CA
    [root@zzu CA]# mkdir certs newcerts crl
    [root@zzu CA]# touch index.txt serial
    [root@zzu CA]# echo "01" > serial
    [root@zzu CA]# openssl genrsa 1024 > private/cakey.pem
    [root@zzu CA]# chmod 600 private/cakey.pem          # only root may read the CA key
    [root@zzu CA]# openssl req -new -key private/cakey.pem -days 3650 -x509 -out cacert.pem

Two caveats. 1024-bit RSA was already marginal when this was written and is rejected by current browsers and by NIST guidance; use 2048 bits or more for the CA key and for every server key below. And cakey.pem is the trust anchor for everything this CA ever signs: whoever reads it can mint certificates for any name the clients trust, so it should not live on the web server itself.

2. Issue a certificate to the www server

Generate the server's private key, create a certificate signing request (answer the Common Name prompt with the name clients will use, www.abc.com here), and sign the request with the CA:

    [root@zzu ~]# cd /etc/httpd/
    [root@zzu httpd]# mkdir certs
    [root@zzu httpd]# cd certs/
    [root@zzu certs]# openssl genrsa 1024 > httpd.key                 # server private key
    [root@zzu certs]# openssl req -new -key httpd.key -out httpd.csr  # certificate request
    [root@zzu certs]# openssl ca -in httpd.csr -out httpd.cert        # signed server certificate
    [root@zzu certs]# cp /etc/pki/CA/cacert.pem ./                    # copy of the CA certificate
    [root@zzu certs]# chmod 600 *                                     # tighten file permissions
    [root@zzu certs]# yum install mod_ssl*

Bind the certificate, key and CA certificate in mod_ssl's configuration:

    [root@zzu certs]# vim /etc/httpd/conf.d/ssl.conf
      line 112   SSLCertificateFile /etc/httpd/certs/httpd.cert
      line 119   SSLCertificateKeyFile /etc/httpd/certs/httpd.key
      line 128   SSLCertificateChainFile /etc/httpd/certs/cacert.pem

Because this is a private CA, clients will show a certificate warning on every connection until cacert.pem is imported into their trust store; the chain file only helps clients that already trust the CA.
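The CA and server-certificate steps above, as an added example that is not the article's own commands: it builds a throwaway CA in a temporary directory with the same layout (certs, newcerts, crl, index.txt, serial), signs a request for www.abc.com with `openssl ca`, and then runs the three checks worth doing before restarting httpd: the certificate verifies against the CA, the key matches the certificate, and the host name is in the certificate. It assumes openssl 1.1 or 3.x on PATH; the 2048-bit keys, SHA-256, the subjectAltName and the minimal openssl.cnf it writes are this example's choices, not the article's.

```shell
#!/bin/sh
# Added example (not the article's own commands): build a throwaway private CA
# and issue a server certificate the way the article does, then run the checks
# worth doing before pointing mod_ssl at the files. Assumes openssl 1.1 or 3.x
# on PATH; all paths are under a temp dir; key size 2048 and SHA-256 are our
# choice, not the article's 1024-bit default.
set -e

write_ca_config() {   # $1 = CA dir; stands in for the edited /etc/pki/tls/openssl.cnf
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $1
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match

# Same relaxation the article makes at lines 88-90: C, ST and O in a request
# no longer have to match the CA's own subject; only the CN must be present.
[ policy_match ]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

build_ca() {          # $1 = CA dir  (mkdir certs newcerts crl; touch index.txt serial; echo 01 > serial)
    mkdir -p "$1/certs" "$1/newcerts" "$1/crl" "$1/private"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    write_ca_config "$1"
    openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$1/private/cakey.pem"
    openssl req -new -x509 -days 3650 -config "$1/openssl.cnf" -extensions v3_ca \
        -key "$1/private/cakey.pem" -subj "/C=CN/ST=beijing/O=abc/CN=abc private CA" \
        -out "$1/cacert.pem"
}

issue_server_cert() { # $1 = CA dir, $2 = httpd cert dir, $3 = host name clients will use
    mkdir -p "$2"
    openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null
    chmod 600 "$2/httpd.key"
    openssl req -new -config "$1/openssl.cnf" -key "$2/httpd.key" \
        -subj "/C=CN/ST=beijing/O=abc/CN=$3" -out "$2/httpd.csr"
    # Browsers match the host name against subjectAltName, not the CN, so add one.
    printf '[ server_cert ]\nbasicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$3" > "$2/ext.cnf"
    openssl ca -batch -notext -config "$1/openssl.cnf" -extfile "$2/ext.cnf" -extensions server_cert \
        -in "$2/httpd.csr" -out "$2/httpd.cert" 2>/dev/null
    cp "$1/cacert.pem" "$2/cacert.pem"
}

check_issued() {      # $1 = httpd cert dir, $2 = host name; prints OK or the first failed check
    # 1. the certificate chains to our CA
    if ! openssl verify -CAfile "$1/cacert.pem" "$1/httpd.cert" >/dev/null 2>&1; then
        echo "FAIL chain"; return 0
    fi
    # 2. key and certificate belong together (mod_ssl refuses to start otherwise)
    if [ "$(openssl x509 -in "$1/httpd.cert" -noout -pubkey)" != "$(openssl pkey -in "$1/httpd.key" -pubout)" ]; then
        echo "FAIL key/cert mismatch"; return 0
    fi
    # 3. the name users type is in the certificate
    if ! openssl x509 -in "$1/httpd.cert" -noout -text | grep -q "DNS:$2"; then
        echo "FAIL no SAN for $2"; return 0
    fi
    echo OK
}

demo() {
    work=$(mktemp -d)
    build_ca "$work/CA"
    issue_server_cert "$work/CA" "$work/httpd-certs" www.abc.com
    check_issued "$work/httpd-certs" www.abc.com
    rm -rf "$work"
}
```

Running `demo` prints OK. The key/certificate comparison uses the public key rather than the RSA modulus so it also works for non-RSA keys; the SAN check matters because current browsers ignore the Common Name entirely.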
On the test client, point the name at the server (hosts-file entry):

    192.168.1.200   www.abc.com

With mod_ssl installed and httpd started, the server listens on both 80 and 443:

    [root@zzu certs]# netstat -tupln | grep httpd
    tcp   0   0 :::80    :::*   LISTEN   5544/httpd
    tcp   0   0 :::443   :::*   LISTEN   5544/httpd

Disable the original port 80 by commenting out the Listen directive (line 134 of httpd.conf) and restart:

    [root@zzu certs]# vim /etc/httpd/conf/httpd.conf
      line 134   #Listen 80
    [root@zzu certs]# service httpd restart
    Stopping httpd:   [OK]
    Starting httpd:   [OK]
    [root@zzu certs]# netstat -tupln | grep httpd
    tcp   0   0 :::443   :::*   LISTEN   5483/httpd

www.abc.com can now only be reached over https. Note that plain http://www.abc.com now gets a connection refused rather than a redirect; if users are expected to type the name without a scheme, keep port 80 listening with a Redirect to the https URL instead.

Supplement

1. Virtual host for www.abc.com in /etc/httpd/conf.d/ssl.conf (the stock CentOS ssl.conf with the certificate paths changed; the SSLOptions lines sit in the stock <Files> and <Directory> containers):

    [root@zzu certs]# vim /etc/httpd/conf.d/ssl.conf

    NameVirtualHost 192.168.1.200:443
    <VirtualHost 192.168.1.200:443>
        DocumentRoot "/var/www/html"
        ServerName www.abc.com:443
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/httpd/certs/httpd.cert
        SSLCertificateKeyFile /etc/httpd/certs/httpd.key
        SSLCertificateChainFile /etc/pki/CA/cacert.pem
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

2. Issue a certificate to tec.abc.com and serve it on the host's second address, 192.168.1.100. Repeat step 2 above with a new key and request (httpd1.key, httpd1.csr, Common Name tec.abc.com) signed by the same CA into httpd1.cert, then add a second virtual host:

    [root@zzu certs]# vim /etc/httpd/conf.d/ssl.conf

    <VirtualHost 192.168.1.100:443>
        DocumentRoot "/var/www/tec"
        ServerName tec.abc.com:443
        ErrorLog logs/ssl_error_log
        TransferLog logs/ssl_access_log
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/httpd/certs/httpd1.cert
        SSLCertificateKeyFile /etc/httpd/certs/httpd1.key
        SSLCertificateChainFile /etc/pki/CA/cacert.pem
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

The SSLProtocol and SSLCipherSuite lines are the stock values of the time and should not be copied as-is today: SSLv3 is also broken, and the RC4, LOW and MEDIUM groups admit ciphers that no current client should be offered. Disable SSLv3 and the early TLS versions, restrict the cipher list to the HIGH group, and set SSLHonorCipherOrder so the server rather than the client picks the cipher.

Reposted from combridge's blog.
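The protocol and cipher caveat above, as an added example that is not part of the original article: a small shell audit that reads the TLS directives of a virtual host and reports every protocol still negotiable and every cipher group that pulls in weak suites, run against the article's directives and against a hardened variant. The WEAK text is constructed from the directives quoted above; the HARDENED text is this example's suggestion and assumes httpd 2.4 mod_ssl keywords. It needs only sh, sed and grep.

```shell
#!/bin/sh
# Added example (not from the article): review the TLS directives of an Apache
# ssl.conf virtual host and show them hardened. WEAK_SSL_CONF is constructed
# from the directives the article quotes; HARDENED_SSL_CONF is our suggestion
# and assumes httpd 2.4 mod_ssl keywords. Needs only sh, sed and grep.
set -e

WEAK_SSL_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/certs/httpd.cert
SSLCertificateKeyFile /etc/httpd/certs/httpd.key
SSLCertificateChainFile /etc/pki/CA/cacert.pem'

HARDENED_SSL_CONF='SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLCertificateFile /etc/httpd/certs/httpd.cert
SSLCertificateKeyFile /etc/httpd/certs/httpd.key
SSLCertificateChainFile /etc/pki/CA/cacert.pem'

# Reads vhost directives on stdin, prints one finding per line.
audit_ssl_conf() {
    conf=$(cat)
    proto=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*SSLProtocol[[:space:]]*//p')
    ciphers=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//p')

    # A protocol is negotiable if "all" or "+Name" enables it and no "-Name" removes it.
    for p in SSLv3 TLSv1 TLSv1.1; do
        if printf ' %s ' "$proto" | grep -Eq " (all|\+?$p) " &&
           ! printf ' %s ' "$proto" | grep -Eq " -$p "; then
            echo "protocol $p still negotiable: SSLProtocol $proto"
        fi
    done

    # Walk the cipher string token by token; anything not excluded with "!" that
    # pulls in RC4, LOW/MEDIUM strength, DES, export, anonymous DH, NULL or the
    # whole ALL group is a finding.
    old_ifs=$IFS; IFS=:
    for tok in $ciphers; do
        case $tok in
            !*) ;;
            ALL|+ALL|*RC4*|*LOW*|*MEDIUM*|*DES*|*EXPORT*|*ADH*|*NULL*)
                echo "weak cipher group allowed: $tok" ;;
        esac
    done
    IFS=$old_ifs

    # Without this the client, not the server, picks the cipher.
    printf '%s\n' "$conf" | grep -Eiq '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' ||
        echo "SSLHonorCipherOrder is not on"
}

# Number of findings for a config passed as the first argument.
audit_count() {
    printf '%s\n' "$1" | audit_ssl_conf | wc -l | tr -d ' '
}
```

`audit_count "$WEAK_SSL_CONF"` reports 8 findings (SSLv3, TLSv1 and TLSv1.1 negotiable; the ALL, RC4+RSA, +MEDIUM and +LOW groups; no cipher-order preference) and `audit_count "$HARDENED_SSL_CONF"` reports 0. Pipe a real `<VirtualHost>` block into `audit_ssl_conf` to see the individual findings.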