1.安装模块
[root@localhost yum.repos.d]# yum -y install mod_ssl
[root@localhost yum.repos.d]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf 配置文件
/usr/lib/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
[root@localhost yum.repos.d]#
2.找一台主机提供CA
cd /etc/pki/CA
(umask 077 ; openssl genrsa -out private/cakey.pem 2048 ) 生成私钥
vim ../tls/openssl.conf 编辑常用信息
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655 生成自签证书
vim ../tls/openssl.conf
dir = /etc/pki/CA
mkdir certs crl newcerts
touch index.txt
echo 01 >serial
httpd服务器端:
cd /etc/httpd
mkdir ssl
cd ssl
(umask 077;openssl genrsa 1024 > httpd.key)
openssl req -new -key httpd.key -out httpd.csr 创建一个证书签署请求
scp httpd.csr 192.168.1.51:/tmp 把证书填好以后发送给CA服务器
CA服务器:签署
openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 365
cd /etc/pki/CA
cat index.txt
cat serial
http服务器:把签订好的证书复制到本地
scp 192.168.1.51:/tmp/httpd.crt ./
最后删掉CA服务器tmp里的证书
cd /etc/httpd/conf.d
cp ssl.conf ssl.conf.bak
vim ssl.conf
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
<VirtualHost 192.168.1.50:443>
ServerName b.com
DocumentRoot "/www/b.com"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_accgess_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 不支持SSLv2
SSLCertificateFile /etc/httpd/ssl/httpd.crt 证书保存位置
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key 私钥文件位置
检查语法 重启服务
https:www.b.com
把CA服务器里/etc/pki/CA/cacert.pem复制PC端让PC端认可此证书颁发机构
改成cacert.crt 双击导入浏览器
本文出自 “运维成长路” 博客,谢绝转载!
原文地址:http://coolcl.blog.51cto.com/4514424/1826641