https搭建(openssl)(未成)
http://www.openssl.org/source/openssl-1.0.1.tar.gz
http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
# tar zxf openssl-1.0.1.tar.gz
# cd openssl-1.0.1
# ./config
# make && make install
制作证书
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
#./new-root-ca.sh (生成根证书)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (输入一个密码)
Verifying - Enter pass phrase for ca.key: (再输入一次密码)
......
Self-sign the root CA... (签署根证书)
Enter pass phrase for ca.key: (输入刚刚设置的密码)
........
........ (下面开始签署)
Country Name (2 letter code) [MY]:aa
State or Province Name (full name) [Perak]:aa
Locality Name (eg, city) [Sitiawan]:aa
Organization Name (eg, company) [My Directory Sdn Bhd]:aa
Organizational Unit Name (eg, section) [Certification Services Division]:aa
Common Name (eg, MD Root CA) []:aa
Email Address []:aa@126.com
这样就生成了ca.key和ca.crt两个文件,下面还要为我们的服务器生成一个证书:
# ./new-server-cert.sh server (这个证书的名字是server)
......
......
Country Name (2 letter code) [MY]:aa
State or Province Name (full name) [Perak]:aa
Locality Name (eg, city) [Sitiawan]:aa
Organization Name (eg, company) [My Directory Sdn Bhd]:aa
Organizational Unit Name (eg, section) [Secure Web Server]:aa
Common Name (eg, www.domain.com) []:localhost
Email Address []:aa@126.com
这样就生成了server.csr和server.key这两个文件。
还需要签署一下才能使用的:
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (输入上面设置的根证书密码)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'aa'
stateOrProvinceName :PRINTABLE:'aa'
localityName :PRINTABLE:'aa'
organizationName :PRINTABLE:'aa'
organizationalUnitName:PRINTABLE:'aa'
commonName :PRINTABLE:'localhost'
emailAddress :IA5STRING:'aa@126.com'
Certificate is to be certified until Jan 19 21:59:46 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
根据Apache的配置文件extra / httpd-ssl.conf 里面的设置,将证书放在适当的位置。默认是在conf目录下
# mv server.key /usr/local/apache/conf/
# mv server.crt /usr/local/apache/conf/
注:aa为随意写的
重新编译apache(添加enable-ssl参数)
# cd /usr/src/httpd-2.2.4
# ./configure --prefix=/usr/local/apache --enable-so --enable-mods-shared=all --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --enable-ssl
# make && make install
# ls /usr/local/apache/modules (看有没有mod_ssl.so)
# vi /usr/local/apache/conf/httpd.conf
LoadModules ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
:wq
# setenforce 0
# chcon -c -v -R -u system_u -r object_r -t textrel_shlib_t /usr/local/apache/modules/mod_ssl.so
# setenforce 1
# service httpd restart (需要执行2次)
# netstat -ntpl | grep 443
注:https的网站目录在/usr/local/apache/conf/extra/httpd-ssl.conf中指定
本文转自linux博客51CTO博客,原文链接http://blog.51cto.com/yangzhiming/862905如需转载请自行联系原作者
yangzhimingg
