Enabling HTTPS (secure HTTP) on a CentOS server
This post was last edited by Sian on 2014-7-27 09:12
1. Install mod_ssl
Install mod_ssl online with yum
# yum -y install mod_ssl ← install mod_ssl online
Loaded plugins: security
base | 3.7 kB 00:00
epel | 4.4 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-31.el6.centos will be installed
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================
Package Arch Version Repository Size
====================================================================================================
Installing:
mod_ssl x86_64 1:2.2.15-31.el6.centos updates 91 k
Transaction Summary
====================================================================================================
Install 1 Package(s)
Total download size: 91 k
Installed size: 183 k
Downloading Packages:
mod_ssl-2.2.15-31.el6.centos.x86_64.rpm |91 kB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:mod_ssl-2.2.15-31.el6.centos.x86_64 1/1
Verifying: 1:mod_ssl-2.2.15-31.el6.centos.x86_64 1/1
Installed:
mod_ssl.x86_64 1:2.2.15-31.el6.centos
Complete!
2. Configure mod_ssl on the HTTP server
Create the server key
# cd /etc/pki/tls/certs/ ← change to the directory that holds the HTTP server's TLS files
# make server.key ← create the server key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
.....................................................................................................................................................................................................................................+++
....................................................................................+++
e is 65537 (0x10001)
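Enter pass phrase: ← enter the passphrase here
Verifying - Enter pass phrase: ← enter the passphrase again to confirm
# openssl rsa -in server.key -out server.key ← remove the passphrase from the key (so that it is not requested when the system starts)
Enter pass phrase for server.key: ← enter the passphrase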
writing RSA key
Create the server's certificate signing request (CSR)
# make server.csr ← create the certificate signing request
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN ← enter the country code
State or Province Name (full name) []:HuNan ← enter the province name
Locality Name (eg, city) :ChangSha ← enter the city name
Organization Name (eg, company) :www.example.com ← enter the organization name (any value)
Organizational Unit Name (eg, section) []: ← leave empty, just press Enter
Common Name (eg, your name or your server's hostname) []:www.example.com ← enter the common name (any value)
Email Address []:[email protected] ← enter the e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← leave empty, just press Enter
An optional company name []: ← leave empty, just press Enter
Create the server certificate
# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365 ← create the server certificate
Signature ok
subject=/C=CN/ST=HuNan/L=ChangSha/O=www.example.com/CN=www.example.com/[email protected]
Getting Private key
# chmod 400 server.* ← set the permissions to 400
Configure SSL
# vi /etc/httpd/conf.d/ssl.conf ← edit the SSL configuration file
#DocumentRoot "/var/www/html" ← find this line and remove the leading "#"
↓
DocumentRoot "/var/www/html" ← it becomes this
Restart the HTTP service so that SSL takes effect
# service httpd restart
Stopping httpd:
Starting httpd: httpd: apr_sockaddr_info_get() failed for Crayfish
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
#
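
An added example, not part of the original post: a shell script that checks the files produced by the steps above (an unencrypted server.key is mode 400, server.pem belongs to that key, and the 365-day certificate is not about to expire). The function names are hypothetical; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example: checks for the key and certificate created in this post.
# Function names are hypothetical and not part of mod_ssl or openssl.

# True if the PEM private key is still passphrase-protected.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# True if the certificate carries the public key that belongs to the private key.
key_matches_cert() {   # $1 = private key, $2 = certificate
    key_mod=$(openssl rsa -in "$1" -noout -modulus -passin pass: 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# True if the file mode is exactly 400, as set by "chmod 400 server.*".
mode_is_400() {
    [ -n "$(find "$1" -prune -perm 400 2>/dev/null)" ]
}

# True if the certificate is still valid $2 days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Run every check; the return value is the number of failed checks.
check_tls_files() {   # $1 = private key, $2 = certificate
    fails=0
    if key_is_encrypted "$1"; then
        echo "NOTE: $1 is passphrase-protected; httpd will ask for it at start"
    elif ! mode_is_400 "$1"; then
        echo "FAIL: $1 is an unencrypted key and is not mode 400"; fails=$((fails + 1))
    fi
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: $2 does not match $1 (or the key is unreadable)"; fails=$((fails + 1)); }
    cert_valid_for_days "$2" 30 ||
        { echo "FAIL: $2 expires within 30 days"; fails=$((fails + 1)); }
    echo "$fails check(s) failed"
    return "$fails"
}

# Usage: sh check_tls.sh /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.pem
if [ "$#" -eq 2 ]; then
    check_tls_files "$1" "$2"
fi
```

Run it as root after the chmod step; an exit status of 0 means every check passed.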