一:CA服务器的搭建
[root@zzu ~]# yum install openssl*
[root@zzu ~]# cd /etc/pki/
[root@zzu pki]# vim tls/openssl.cnf
45 dir = /etc/pki/CA
88 countryName = optional
89 stateOrProvinceName = optional
90 organizationName = optional
136 countryName_default = CN 一些默认选项
141 stateOrProvinceName_default = beijing 一些默认选项
144 localityName_default = beijing一些默认选项
[root@zzu pki]# cd CA
[root@zzu CA]# mkdir certs newcerts crl 创建3个目录和两个文件
[root@zzu CA]# touch index.txt serial
[root@zzu CA]# echo "01">serial 根索引文件
[root@zzu CA]#openssl genrsa 1024 >private/cakey.pem 创建ca的私钥文件
[root@zzu CA]# chmod 600 private/cakey.pem 改变私钥的权限
[root@zzu CA]#openssl req -new -key private/cakey.pem -days 3650 -x509 -out cacert.pem 为ca产生一份证书
二.为www服务器颁发证书
[root@zzu ~]# cd /etc/httpd/
[[root@zzu httpd]# mkdir certs
[root@zzu httpd]# cd certs/
[root@zzu certs]#openssl genrsa 1024 > httpd.key 产生服务器的私钥
[root@zzu certs]# openssl req -new -key httpd.key -out httpd.csr产生服务器的请求文件
[root@zzu certs]# openssl ca -in httpd.csr -out httpd.cert 产生服务器的证书文件
[root@zzu certs]#cp /etc/pki/CA/cacert.pem ./ 拷贝ca的证书文件
[root@zzu certs]#chmod 600 *
[root@zzu certs]#yum install mod_ssl*改变文件的权限增加安全性
[root@zzu certs]#vim /etc/httpd/conf.d/ssl.conf 捆绑证书文件和钥匙文件
112 SSLCertificateFile /etc/httpd/certs/httpd.cert
119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key
128 SSLCertificateChainFile /etc/httpd/certs/cacert.pem
192.168.1.200 www.abc.com
[root@zzu certs]# netstat -tupln |grep httpd
tcp 0 0 :::80 :::* LISTEN 5544/httpd
tcp 0 0 :::443 :::* LISTEN 5544/httpd
关闭原来的80端口
[root@zzu certs]# vim /etc/httpd/conf/httpd.conf
134 #Listen 80 注释掉该行
[root@zzu certs]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@zzu certs]# netstat -tupln|grep httpd
tcp 0 0 :::443 :::* LISTEN 5483/httpd
这样www.abc.com 就只能够使用https进行访问啦
补充:
一:为www.abc.com 颁发证书192.168.1.200的主机
[root@zzu certs]#vim /etc/httpd/conf.d/ssl.conf
nameVirtualHost 192.168.1.200:443
DocumentRoot "/var/www/html"
ServerName www.abc.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/certs/httpd.cert
SSLCertificateKeyFile /etc/httpd/certs/httpd.key
SSLCertificateChainFile /etc/pki/CA/cacert.pem
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
二:为 tec.abc.com 颁发证书192.168.1.100的主机
[root@zzu certs]#vim /etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/tec"
ServerName tec.abc.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/certs/httpd1.cert
SSLCertificateKeyFile /etc/httpd/certs/httpd1.key
SSLCertificateChainFile /etc/pki/CA/cacert.pem
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
欢迎加入郑州阳仔的网络工程师自由交流群--132444800(请注明自己的身份,就说是51cto的博友)