Tags: CA server setup, Apache shared-module build, Apache SSL configuration, HTTPS access
Environment for this walkthrough: the CA and Apache run on the same host.
First, turn this host into the CA server:
# yum -y install openssl openssl-devel
# vi /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = ../../CA
change to:
[ CA_default ]
dir = /etc/pki/CA
To avoid retyping the same values later, you can also pre-fill some of the defaults under [ req_distinguished_name ]; set them to whatever suits you, the details are not covered here.
:wq
# cd /etc/pki/CA
# mkdir certs newcerts crl
# touch index.txt
# echo 01 > serial ## first serial number; start at 1, since RFC 5280 requires certificate serial numbers to be positive
# (umask 077; openssl genrsa -out private/cakey.pem 2048) ## generate the CA private key, readable only by root
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3657 ## generate the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [HaiDian]:
Organization Name (eg, company) [TEXT]:
Organizational Unit Name (eg, section) [DEV]:
Common Name (eg, your name or your server's hostname) []:ca.text.com
Email Address []:[email protected]
Because the defaults were pre-set in openssl.cnf, just press Enter at each prompt until Common Name (eg, your name or your server's hostname) []: (this is the CA's name; choose your own).
The last field, the email address, is also up to you.
Once through the prompts, the CA side is done; continue with the next part.
Apache build and install with shared modules:
# tar -xf httpd-2.2.9.tar -C /usr/local/src/
# cd /usr/local/src/httpd-2.2.9/
# ./configure --prefix=/usr/local/apache2 --sysconfdir=/etc/httpd --with-z=/usr/local/zlib/ --with-included-apr --enable-so --enable-mods-shared=most
# make && make install
Apache SSL configuration:
# rpm -qa | grep mod_ssl
# yum -y install mod_ssl ## if mod_ssl is not installed, install it with yum
# rpm -ql mod_ssl ## list the files mod_ssl installed, to find where its configuration file lives
Caveat: the mod_ssl package from yum is built for the distribution's own httpd, which yum pulls in as a dependency, and that is the server /etc/init.d/httpd start launches further down, not the source build under /usr/local/apache2. In httpd 2.2, --enable-mods-shared=most does not include mod_ssl, so a source build that should serve HTTPS must be configured with --enable-ssl as well.
# cd /etc/httpd
# mkdir ssl
# cd ssl
# (umask 077; openssl genrsa -out httpd.key 2048) ## generate the server private key
# openssl req -new -key httpd.key -out httpd.csr ## generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [HaiDian]:
Organization Name (eg, company) [TEXT]:
Organizational Unit Name (eg, section) [DEV]:
## Under the default policy_match in openssl.cnf, Country, State/Province and Organization must equal the values in the CA certificate, otherwise the openssl ca step below rejects the request; Locality and OU are not checked. In this lab everything is on one host and the defaults come from openssl.cnf, so just press Enter.
Common Name (eg, your name or your server's hostname) []:text.bj.com ## must be the hostname clients will use to reach the site, not the CA name entered above. Note that current browsers match the hostname against subjectAltName rather than Common Name, so a certificate meant for them also needs a DNS SAN carrying the same name.
Email Address []:[email protected] ## your choice
# openssl ca -in httpd.csr -out httpd.crt -days 3657 ## CA signing command; answer y twice at the prompts. Because everything is on one machine the request is signed directly; with separate hosts, copy httpd.csr to the CA server, sign it there and copy httpd.crt back.
# vi /etc/httpd/conf.d/ssl.conf
Leave the default port 443 unchanged.
Check that the following two lines exist; add them if they do not:
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
<VirtualHost _default_:443>
change to:
<VirtualHost 192.168.1.99:443> ## IP address of the web server or of the virtual host
Add the following lines:
ServerName text.bj.com ## the hostname chosen above
DocumentRoot "/var/www/html" ## site root; for a virtual host this must match the DocumentRoot defined for that virtual host in the Apache configuration
SSLEngine on ## make sure this is on
SSLCertificateFile /etc/httpd/ssl/httpd.crt ## certificate location
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key ## private key location
:wq
# echo text.bj.com > /var/www/html/index.html
# /etc/init.d/httpd start
# netstat -tnlp ## confirm that port 443 is listening
Browse to https://text.bj.com
The browser warns: "The site's security certificate is not trusted."
Fix:
Copy /etc/pki/CA/cacert.pem to the client and install it there (on a Windows PC rename it to .crt and double-click it, importing it into the Trusted Root Certification Authorities store). Only the CA certificate is distributed to clients; the CA key under /etc/pki/CA/private never leaves the CA host.
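The whole procedure above, from CA bootstrap through signing the server request to the trust check that silences the browser warning, as an added example that is not part of the original post. It is non-interactive: the DN values come from the post's prompts (C=CN, ST=BJ, L=HaiDian, O=TEXT, OU=DEV, CA name ca.text.com, server name text.bj.com). Assumptions not in the post: everything is written under a scratch directory instead of /etc/pki/CA and /etc/httpd/ssl, a minimal ca.cnf stands in for /etc/pki/tls/openssl.cnf, and the signed certificate additionally gets a subjectAltName for the server name, which browsers check instead of the CN. Only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not from the original post: the CA build, CSR, signing and trust
# check scripted non-interactively with the DN values the post's prompts show.
# Assumption: output goes to a scratch directory instead of /etc/pki/CA and
# /etc/httpd/ssl, so it runs offline as an unprivileged user (needs openssl CLI).
set -eu
WORK="${WORK:-$(mktemp -d)}"   # scratch dir (assumption)
CA_DIR="$WORK/CA"              # stands in for /etc/pki/CA
SRV_DIR="$WORK/ssl"            # stands in for /etc/httpd/ssl
CA_CN="ca.text.com"            # CA name used in the post
SERVER_NAME="text.bj.com"      # hostname clients type, as in the post
DN_BASE="/C=CN/ST=BJ/L=HaiDian/O=TEXT/OU=DEV"

# Minimal stand-in for /etc/pki/tls/openssl.cnf. policy_match is the stock rule:
# C, ST and O of a request must equal those of the CA certificate.
write_ca_config() {
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $CA_DIR
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
certificate   = \$dir/cacert.pem
default_md    = sha256
default_days  = 825
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$SERVER_NAME
EOF
}

# CA side of the post: layout, index and serial, CA key under umask 077,
# self-signed CA certificate.
setup_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/newcerts" "$CA_DIR/crl" "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"   # start at 1: RFC 5280 serials must be positive
    write_ca_config
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/ca.cnf" -sha256 -days 3650 \
        -key "$CA_DIR/private/cakey.pem" -subj "$DN_BASE/CN=$CA_CN" \
        -out "$CA_DIR/cacert.pem"
}

# Server side: key, CSR whose CN is the client-facing hostname, then
# `openssl ca` signs it in batch mode and adds a matching subjectAltName.
issue_server_cert() {
    mkdir -p "$SRV_DIR"
    (umask 077; openssl genrsa -out "$SRV_DIR/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/ca.cnf" -key "$SRV_DIR/httpd.key" \
        -subj "$DN_BASE/CN=$SERVER_NAME" -out "$SRV_DIR/httpd.csr"
    openssl ca -batch -notext -config "$CA_DIR/ca.cnf" -extensions server_ext \
        -in "$SRV_DIR/httpd.csr" -out "$SRV_DIR/httpd.crt" 2>/dev/null
}

# The check behind the browser's "not trusted" warning: the server certificate
# verifies only once cacert.pem is supplied as the trust anchor.
verify_with_ca() {          # $1 = CA certificate to trust
    openssl verify -CAfile "$1" "$SRV_DIR/httpd.crt" >/dev/null
}
# Does the issued certificate carry the hostname clients will connect to?
cert_names_host() {         # $1 = hostname
    openssl x509 -in "$SRV_DIR/httpd.crt" -noout -text | grep -q "DNS:$1"
}
# Same test against a running Apache (not executed here): a handshake trusting
# our CA instead of the system store, as a browser does after importing cacert.pem.
check_live_server() {       # $1 = hostname, $2 = CA certificate
    echo | openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
        2>/dev/null | grep 'Verify return code'
}

setup_ca
issue_server_cert
verify_with_ca "$CA_DIR/cacert.pem"   # set -e aborts here if the chain is broken
cert_names_host "$SERVER_NAME"
echo "httpd.crt verifies against cacert.pem and names $SERVER_NAME; files in $WORK"
```

Run it as is to get a CA and a signed server certificate under the printed scratch directory; point the post's SSLCertificateFile and SSLCertificateKeyFile at httpd.crt and httpd.key from there, then `check_live_server text.bj.com "$CA_DIR/cacert.pem"` should report `Verify return code: 0 (ok)` once Apache is up. Note that `policy_match` silently drops the Locality field from the issued subject because it is not listed in the policy, which is why the post's advice to keep C, ST and O identical to the CA matters while L and OU do not.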
This article comes from the "、礦泉水" blog; please keep this attribution: http://guwenqiang.blog.51cto.com/5462040/1431571