日期:2014-05-17  浏览次数:20648 次

rhel5.5_Apache配置openssl支持https服务

《rhel5.5_Apache配置openssl支持https服务》

1:切换到openssl证书目录:
# cd /etc/pki/tls/certs

2:创建私钥:
# make server.key
umask 77 ; \
??? /usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase:? 123456
Verifying - Enter pass phrase:? 123456

3:重写私钥,清除密码,让httpd启动时不必输入密码?
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: 123456
writing RSA key

4:证书签发请求(Certificate Signing Request) (CSR)
# make server.csr
umask 77 ; \
??? /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ’.’, the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:fujian
Locality Name (eg, city) [Newbury]:xiamen
Organization Name (eg, company) [My Company Ltd]:xmu
Organizational Unit Name (eg, section) []:eda
Common Name (eg, your name or your server’s hostname) []:192.168.1.105???? (注: 此处应与httpd.conf中的ServerName一致, 否则提示证书错误)
Email Address []:clough@eda.com
Please enter the following ’extra’ attributes
to be sent with your certificate request
A challenge password []:cliff
An optional company name []:xmu

5:给自己创建CA并签名
# openssl x509 -in server.csr -req -signkey server.key -days 365 -out server.crt
Signature ok
subject=/C=cn/ST=fujian/L=xiamen/O=lexie/OU=lexie/CN=192.168.1.105/emailAddress=clough@sohu.com
Getting Private key

6:调整/etc/httpd/conf.d/ssl.conf正确引用上面创建的证书。
# vi /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/certs/server.key

7: 启动服务
# service httpd restart