1、httpd上生成证书
# mkdir /etc/httpd/ssl
# cd /etc/httpd/ssl
# (umask 077;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
..........................................++++++
..............++++++
e is 65537 (0x10001)
[root@kvm ssl]# openssl req -new -key httpd.key -out httpd.csr -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:JLC
Organizational Unit Name (eg, section) []:JSB
Common Name (eg, your name or your server's hostname) []:
Email Address []:admin@bjwf.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
2、自建CA
# cd /etc/pki/CA
# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................+++
......+++
e is 65537 (0x10001)
[root@kvm CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:JLC
Organizational Unit Name (eg, section) []:JSB
Common Name (eg, your name or your server's hostname) []:ca.bjwf.com
Email Address []:ca@bjwf.com
# touch index.txt serial #准备文件
# echo 01 > serial
# openssl ca -in httpd.csr -out httpd.crt -days 365 #CA签署证书
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 23 08:06:22 2016 GMT
Not After : Jun 23 08:06:22 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = JLC
organizationalUnitName = JSB
commonName =
emailAddress = admin@bjwf.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
83:60:A6:B7:E5:EF:E1:50:A6:69:E2:BD:3A:60:50:AF:A6:36:1B:39
X509v3 Authority Key Identifier:
keyid:B2:5F:33:01:B3:1A:B5:B9:2B:0F:C0:A5:37:48:AE:FD:3E:49:09:5F
Certificate is to be certified until Jun 23 08:06:22 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
3、配置https
# yum -y install mod_ssl
# cd /etc/httpd/conf.d
# vim ssl.conf
<VirtualHost 192.168.130.250:443>
...
DocumentRoot "/var/www/html/a.com"
ServerName a.com:443
...
SSLCertificateFile /etc/httpd/ssl/httpd.crt #指明服务器证书的位置
...
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key #指明服务器密钥的位置
...
</VirtualHost>
# httpd -t
Syntax OK
# service httpd restart #查看https服务端口是否监听