Tags: openssl, HTTPS
1. Install the module
# yum -y install mod_ssl
# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf        (the configuration file)
/usr/lib/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
2. Pick one host to act as the CA
cd /etc/pki/CA
(umask 077; openssl genrsa -out private/cakey.pem 2048)      generate the CA private key (umask 077 makes the file readable by root only)
vim ../tls/openssl.cnf      fill in the default subject fields (country, organization, ...) so they need not be typed for every request
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655      create the self-signed CA certificate
vim ../tls/openssl.cnf      in the [ CA_default ] section, point the CA at this directory:
dir = /etc/pki/CA
mkdir certs crl newcerts      directories that openssl ca expects to exist
touch index.txt               the certificate database, empty to start with
echo 01 > serial              serial number of the first certificate to be issued
On the httpd server:
cd /etc/httpd
mkdir ssl
cd ssl
(umask 077; openssl genrsa 1024 > httpd.key)      generate the server private key (the post used 1024-bit RSA; 2048 bits is the minimum a CA or browser should accept today)
openssl req -new -key httpd.key -out httpd.csr      create a certificate signing request; the Common Name must be the hostname clients will type into the browser
scp httpd.csr 192.168.1.51:/tmp      after filling in the request, send it to the CA server (192.168.1.51)
On the CA server, sign the request:
openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
cd /etc/pki/CA
cat index.txt      one line per issued certificate (status, expiry date, serial number, subject)
cat serial         has advanced to the next serial number
On the httpd server, copy the signed certificate back:
scp 192.168.1.51:/tmp/httpd.crt ./
Finally, delete the request and certificate from /tmp on the CA server.
cd /etc/httpd/conf.d
cp ssl.conf ssl.conf.bak
vim ssl.conf
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
<VirtualHost 192.168.1.50:443>
ServerName b.com
DocumentRoot "/www/b.com"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2      disable SSLv2 (SSLv3 should be disabled the same way on any current deployment: SSLProtocol all -SSLv2 -SSLv3)
SSLCertificateFile /etc/httpd/ssl/httpd.crt      where the certificate is stored
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key      where the private key is stored
</VirtualHost>
Check the configuration syntax (httpd -t) and restart the service (service httpd restart).
Then open https://www.b.com in a browser; the hostname must match the certificate's Common Name, otherwise the browser will warn.
Copy /etc/pki/CA/cacert.pem from the CA server to the client PC so that the PC trusts this certificate authority:
rename it to cacert.crt and double-click it to import it into the browser's trust store.
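The whole procedure above, CA side and httpd side, as one runnable script. This is an added example, not the blog's own commands: it builds the CA under a temporary directory instead of /etc/pki/CA, writes its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, and signs a request for the hypothetical name b.com on the same machine, so the scp hops are omitted. It also adds the checks a practitioner runs before touching ssl.conf: that the certificate verifies against the CA for the hostname a browser will type, and that SSLCertificateFile and SSLCertificateKeyFile actually pair up. It goes beyond the post in two ways: both keys are 2048 bits, and the server certificate carries a subjectAltName, which browsers now require for hostname matching.

```shell
#!/bin/sh
# Added example (not from the original post): the CA + server-certificate procedure
# from this page as one self-contained script. Paths are assumptions standing in for
# /etc/pki/CA and /etc/httpd/ssl; b.com is the hypothetical server name.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/CA"            # plays the role of /etc/pki/CA
CFG="$WORK/openssl.cnf"      # plays the role of /etc/pki/tls/openssl.cnf
SRV_DIR="$WORK/httpd-ssl"    # plays the role of /etc/httpd/ssl

# 1. CA side: directory layout, database files, and a config pointing at them
make_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"        # empty certificate database
    echo 01 > "$CA_DIR/serial"     # first serial number to issue
    cat > "$CFG" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $CA_DIR
certs         = \$dir/certs
crl_dir       = \$dir/crl
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_loose

[ policy_loose ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # CA private key (umask 077 => created mode 0600) and the self-signed root cert
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CFG" -extensions v3_ca \
        -key "$CA_DIR/private/cakey.pem" -subj "/O=Example CA/CN=Example Root CA" \
        -days 3655 -out "$CA_DIR/cacert.pem"
}

# 2. httpd side: server key and CSR.  3. CA side: sign it with openssl ca.
#    $1 = Common Name, $2 = subjectAltName list (what browsers actually match on)
issue_server_cert() {
    cn="$1"; san="$2"
    mkdir -p "$SRV_DIR"
    # 2048-bit key; the 1024-bit key in the post is below today's minimum
    (umask 077; openssl genrsa -out "$SRV_DIR/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CFG" -key "$SRV_DIR/httpd.key" \
        -subj "/O=b.com web/CN=$cn" -out "$SRV_DIR/httpd.csr"
    # end-entity extensions: not a CA, TLS-server use only, SAN for hostname matching
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $san
EOF
    openssl ca -batch -config "$CFG" -extfile "$WORK/server.ext" -notext \
        -in "$SRV_DIR/httpd.csr" -out "$SRV_DIR/httpd.crt" -days 365 >/dev/null
}

# Checks to run before editing ssl.conf
verify_server_cert() {   # chains to our CA and is valid for hostname $1?
    openssl verify -CAfile "$CA_DIR/cacert.pem" -verify_hostname "$1" \
        "$SRV_DIR/httpd.crt" >/dev/null 2>&1
}
cert_matches_key() {     # SSLCertificateFile and SSLCertificateKeyFile must pair up
    [ "$(openssl x509 -noout -modulus -in "$SRV_DIR/httpd.crt")" = \
      "$(openssl rsa -noout -modulus -in "$SRV_DIR/httpd.key")" ]
}
ca_issued_count() {      # what 'cat index.txt' on the CA shows: one line per cert
    wc -l < "$CA_DIR/index.txt" | tr -d ' '
}

make_ca
issue_server_cert b.com "DNS:b.com,DNS:www.b.com"
```

Run it with sh; set WORK to choose where the files go. The httpd.key and httpd.crt it leaves under $WORK/httpd-ssl are the pair the ssl.conf above points at, and $WORK/CA/cacert.pem is the file to import into the client's browser.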
This article is from the "營運成長路" blog; reproduction is not permitted.
HTTPS service configuration based on OpenSSL