Linux下ssl+http 实现 HTTPS 访问服务器设置
2013-07-17 23:43
507 查看
yum install httpd php
1.配置CA服务器
vim /etc/pki/tls/openssl.cnf
修改第45行,更改存放证书目录
dir = ../../CA
dir = /etc/CA
修改第178行,让服务器支持自签名
#basicConstraints=CA:FALSE
自签名的证书可以使用
basicConstraints=CA:TRUE
cd /etc/pki/CA
配置生成CA证书脚本 42行
vim /etc/pki/tls/misc/CA
CATOP=../../CA
CATOP=/etc/CA
运行脚本生成CA证书
/etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) 回车
Making CA certificate ...
Generating a 1024 bit RSA private key
.++++++
....................................................................................++++++
writing new private key to '/etc/CA/private/./cakey.pem'
Enter PEM pass phrase: 输入保护密码 111111
Verifying - Enter PEM pass phrase: 确认密码 111111
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:school
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:server11.com
Email Address []:chengfeng56@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/./cakey.pem:111111
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jul 17 01:20:16 2013 GMT
Not After : Jul 16 01:20:16 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = school
organizationalUnitName = it
commonName = server11.com
emailAddress = chengfeng56@126.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
37:A5:4E:79:72:DF:51:1A:EF:9D:43:D1:9C:2E:24:92:70:D3:FF:64
X509v3 Authority Key Identifier:
keyid:37:A5:4E:79:72:DF:51:1A:EF:9D:43:D1:9C:2E:24:92:70:D3:FF:64
Certificate is to be certified until Jul 16 01:20:16 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
配置web服务器 生成web自己的私钥
openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
........++++++++++++
......++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key: 111111
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 111111
(使用身份标识+公钥)生成证书请求
openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:111111
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:school
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:server11.com
Email Address []:chengfeng56@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
将证书请求发送给CA
CA服务器对证书请求进行数字签名
openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt
/etc/CA/private/cakey.pem ca私钥
/tmp/server.csr 证书请求
/etc/CA/cacert.pem ca证书
/tmp/server.crt 数字证书名字
/etc/httpd/conf.d web私钥
报错:
failed to update database
TXT_DB error number 2
解决:
cd /etc/CA 修改yes为no
vim index.txt.attr
unique_subject = yes
unique_subject = no
将签名后的数字证书颁发给web服务器
cp /tmp/server.crt /etc/httpd/conf.d/
配置web支持ssl实现https
yum install mod_ssl
vim /etc/httpd/conf.d/ssl.conf
修改112行 数字证书签名
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf.d/server.crt
修改119行 web私钥
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
启动 httpd 服务
service httpd restart
输入密码
验证安全可信度
把/etc/CA/private/cakey.pem 文件复制到ftp
下在后把此文件导入到浏览器
火狐 编辑 配置 高级 查看证书 导入 找到ca证书 选三个勾 ok
1.配置CA服务器
vim /etc/pki/tls/openssl.cnf
修改第45行,更改存放证书目录
dir = ../../CA
dir = /etc/CA
修改第178行,让服务器支持自签名
#basicConstraints=CA:FALSE
自签名的证书可以使用
basicConstraints=CA:TRUE
cd /etc/pki/CA
配置生成CA证书脚本 42行
vim /etc/pki/tls/misc/CA
CATOP=../../CA
CATOP=/etc/CA
运行脚本生成CA证书
/etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) 回车
Making CA certificate ...
Generating a 1024 bit RSA private key
.++++++
....................................................................................++++++
writing new private key to '/etc/CA/private/./cakey.pem'
Enter PEM pass phrase: 输入保护密码 111111
Verifying - Enter PEM pass phrase: 确认密码 111111
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:school
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:server11.com
Email Address []:chengfeng56@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/./cakey.pem:111111
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jul 17 01:20:16 2013 GMT
Not After : Jul 16 01:20:16 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = school
organizationalUnitName = it
commonName = server11.com
emailAddress = chengfeng56@126.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
37:A5:4E:79:72:DF:51:1A:EF:9D:43:D1:9C:2E:24:92:70:D3:FF:64
X509v3 Authority Key Identifier:
keyid:37:A5:4E:79:72:DF:51:1A:EF:9D:43:D1:9C:2E:24:92:70:D3:FF:64
Certificate is to be certified until Jul 16 01:20:16 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
配置web服务器 生成web自己的私钥
openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
........++++++++++++
......++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key: 111111
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 111111
(使用身份标识+公钥)生成证书请求
openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:111111
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:school
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:server11.com
Email Address []:chengfeng56@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
将证书请求发送给CA
CA服务器对证书请求进行数字签名
openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt
/etc/CA/private/cakey.pem ca私钥
/tmp/server.csr 证书请求
/etc/CA/cacert.pem ca证书
/tmp/server.crt 数字证书名字
/etc/httpd/conf.d web私钥
报错:
failed to update database
TXT_DB error number 2
解决:
cd /etc/CA 修改yes为no
vim index.txt.attr
unique_subject = yes
unique_subject = no
将签名后的数字证书颁发给web服务器
cp /tmp/server.crt /etc/httpd/conf.d/
配置web支持ssl实现https
yum install mod_ssl
vim /etc/httpd/conf.d/ssl.conf
修改112行 数字证书签名
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile /etc/httpd/conf.d/server.crt
修改119行 web私钥
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
启动 httpd 服务
service httpd restart
输入密码
验证安全可信度
把/etc/CA/private/cakey.pem 文件复制到ftp
下在后把此文件导入到浏览器
火狐 编辑 配置 高级 查看证书 导入 找到ca证书 选三个勾 ok
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Android中使用https(HTTP+SSL)访问服务器
- [转]C#、VB.NET使用HttpWebRequest访问https地址(SSL)的实现
- 轻松把玩HttpClient之配置ssl,采用设置信任自签名证书实现https
- linux Apache设置https访问以及加载mod_ssl.so模块
- Linux下SVN服务器同时支持Apache的http和https及svnserve独立服务器三种模式且使用相同的访问权限账号
- C#、VB.NET使用HttpWebRequest访问https地址(SSL)的实现方法
- HTTP协议的介绍,Web服务器配置,虚拟主机的配置,如何用SSL实现HTTPS。
- C#、VB.NET使用HttpWebRequest访问https地址(SSL)的实现方法
- 轻松把玩HttpClient之配置ssl,采用设置信任自签名证书实现https
- 三步实现通过域名访问tomcat的http和https服务器
- C#、VB.NET使用HttpWebRequest访问https地址(SSL)的实现
- Nginx实现ssl一级、二级域名证书部署并用https访问代理转发服务器
- C#、VB.NET使用HttpWebRequest访问https地址(SSL)的实现
- linux Apache设置https访问以及加载mod_ssl.so模块以及问题解决
- Linux实现https方式访问站点
- tomcat设置http自动跳转为https访问
- IIS中遇到无法预览的问题(HTTP 错误 401.3 - Unauthorized 由于 Web 服务器上此资源的访问控制列表(ACL)配置或加密设置,您无权查看此目录或页面。)
- windows下快速安装可以通过http和https访问的subversion服务器
- IIS中遇到无法预览的问题(HTTP 错误 401.3 - Unauthorized 由于 Web 服务器上此资源的访问控制列表(ACL)配置或加密设置,您无权查看此目录或页面。)
- linux 下设置 git 使用 http/https 代理