10.3. Enabling HTTPS in httpd
10.3.1. Install the mod_ssl module
[root@102 html]# yum -y install mod_ssl
10.3.2. Set up a CA server
This step can be skipped if a CA server already exists. The commands below are run from inside the CA directory, /etc/pki/CA.
[root@102 CA]# cat /etc/pki/tls/openssl.cnf |grep '$dir'
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
serial = $dir/tsaserial # The current serial number (mandatory)
signer_cert = $dir/tsacert.pem # The TSA signing certificate
certs = $dir/cacert.pem # Certificate chain to include in reply
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
[root@102 CA]# touch index.txt
[root@102 CA]# echo 01 > serial
[root@102 CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
...........................................................+++
e is 65537 (0x10001)
[root@102 CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:linuxpanda.tech
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:*.linuxpanda.tech
Email Address []:
10.3.3. Request a certificate for the httpd service
[root@102 CA]# cd /etc/httpd/
[root@102 httpd]# ls
conf conf.d conf.modules.d logs modules run
[root@102 httpd]# mkdir ssl
[root@102 httpd]# cd ssl/
[root@102 ssl]# ls
[root@102 ssl]# (umask 066; openssl genrsa -out www.linuxpanda.tech.key 1024)
Generating RSA private key, 1024 bit long modulus
.................++++++
.....++++++
e is 65537 (0x10001)
[root@102 ssl]# ll
total 4
-rw-------. 1 root root 887 Jan 27 18:02 www.linuxpanda.tech.key
[root@102 ssl]# openssl req -new -key www.linuxpanda.tech.key -out www.linuxpanda.tech.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:linuxpanda.tech
Organizational Unit Name (eg, section) []:linuxpanda.tech
Common Name (eg, your name or your server's hostname) []:*.linuxpanda.tech
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@102 ssl]# openssl ca -in www.linuxpanda.tech.csr -out /etc/pki/CA/certs/www.linuxapnda.tech.crt -days 700
[root@102 ssl]# cp /etc/pki/CA/certs/www.linuxapnda.tech.crt .
[root@102 ssl]# cp /etc/pki/CA/cacert.pem .
10.3.4. Modify the httpd configuration file
[root@102 ssl]# vim /etc/httpd/conf.d/ssl.conf
# Change the following 3 lines to point at the corresponding files
SSLCertificateFile /etc/httpd/ssl/www.linuxapnda.tech.crt
SSLCertificateKeyFile /etc/httpd/ssl/www.linuxpanda.tech.key
SSLCertificateChainFile /etc/httpd/ssl/cacert.pem
10.3.5. Test
[root@102 ssl]# curl https://www.linuxpanda.tech --cacert /etc/httpd/ssl/cacert.pem
To test from a browser, copy the CA certificate file to the client host, rename it with a .crt extension, then double-click it and install it into the Trusted Root Certification Authorities store.
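The whole procedure above (CA directory setup, key and CSR generation, signing with openssl ca, and the chain and hostname check that curl --cacert performs) as one added example; this is not code from the original page. It builds everything in a temporary directory with a minimal openssl config instead of editing /etc/pki/tls/openssl.cnf, and every path, name and DN in it is constructed. It assumes only that the openssl CLI is installed. It departs from the page in two deliberate ways: the server key is 2048 bits rather than 1024, and the server certificate carries a subjectAltName, because modern browsers ignore the CN (including the page's wildcard CN) and reject certificates without one.

```shell
#!/bin/sh
# Added example, not from the original page: the page's CA -> CSR -> signed server
# certificate flow, rebuilt in a scratch directory and verified offline.
# Assumes the openssl CLI is installed; every path, name and DN below is constructed.
set -eu

# Lay out the CA directory the page's openssl.cnf lines refer to ($dir/certs,
# $dir/serial, ...) under a scratch dir, with a minimal config of our own.
setup_ca_dir() {
    ca_dir="$1"
    mkdir -p "$ca_dir/private" "$ca_dir/certs" "$ca_dir/newcerts"
    : > "$ca_dir/index.txt"      # openssl ca's database (the page's touch index.txt)
    echo 01 > "$ca_dir/serial"   # first serial number (the page's echo 01 > serial)
    cat > "$ca_dir/ca.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $ca_dir
certs         = \$dir/certs
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 700
policy        = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
commonName = supplied
[ req ]
default_md = sha256
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.linuxpanda.tech, DNS:linuxpanda.tech
EOF
}

# Self-signed CA certificate (the page's openssl req -x509), with CA:TRUE marked critical.
make_ca() {
    ca_dir="$1"
    (umask 066; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -x509 -new -config "$ca_dir/ca.cnf" -key "$ca_dir/private/cakey.pem" \
        -out "$ca_dir/cacert.pem" -days 3650 -extensions ca_ext \
        -subj "/C=CN/ST=beijing/L=beijing/O=linuxpanda.tech/CN=linuxpanda.tech lab CA" 2>/dev/null
}

# Server key + CSR + signing (the page's genrsa / req -new / openssl ca), but with a
# 2048-bit key and a subjectAltName; browsers ignore the CN, so the SAN is what matters.
issue_server_cert() {
    ca_dir="$1"; out_dir="$2"; name="$3"
    mkdir -p "$out_dir"
    (umask 066; openssl genrsa -out "$out_dir/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$ca_dir/ca.cnf" -key "$out_dir/$name.key" \
        -out "$out_dir/$name.csr" -subj "/C=CN/ST=beijing/L=beijing/O=linuxpanda.tech/CN=$name" 2>/dev/null
    openssl ca -batch -notext -config "$ca_dir/ca.cnf" -extensions server_ext \
        -in "$out_dir/$name.csr" -out "$out_dir/$name.crt" -days 700 >/dev/null 2>&1
    cp "$ca_dir/cacert.pem" "$out_dir/cacert.pem"   # the file curl --cacert and the chain directive use
}

# Does the certificate chain to cacert.pem and cover this hostname? (What curl --cacert checks.)
hostname_matches() {   # args: out_dir name host
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Checks an operator would run before copying the files into /etc/httpd/ssl.
verify_chain() {
    out_dir="$1"; name="$2"
    openssl verify -CAfile "$out_dir/cacert.pem" "$out_dir/$name.crt" >/dev/null
    hostname_matches "$out_dir" "$name" "$name"
    # refuse a 1024-bit key like the one the page generates; 2048 is the floor
    openssl rsa -in "$out_dir/$name.key" -noout -text 2>/dev/null | grep -q '2048 bit'
}

# Run the whole flow in a fresh temp dir; prints the directory holding key, crt and cacert.pem.
run_demo() {
    work=$(mktemp -d)
    setup_ca_dir "$work/ca"
    make_ca "$work/ca"
    issue_server_cert "$work/ca" "$work/httpd-ssl" www.linuxpanda.tech
    verify_chain "$work/httpd-ssl" www.linuxpanda.tech
    echo "$work/httpd-ssl"
}

echo "server key, certificate and CA file written to: $(run_demo)"
```

Copy the three files from the printed directory into /etc/httpd/ssl and point the ssl.conf directives at them as in 10.3.4. On httpd 2.4.8 and later SSLCertificateChainFile is deprecated; the CA certificate can instead be appended to the file named by SSLCertificateFile.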