Skip to main content

 路由器设置 > 路由器问答 >

linux下https如何搭建

2012-05-09 14:45 浏览:

一:CA服务器的搭建

[root@zzu ~]# yum install openssl*

[root@zzu ~]# cd /etc/pki/

[root@zzu pki]# vim tls/openssl.cnf

45 dir             = /etc/pki/CA

88 countryName                 = optional 
89 stateOrProvinceName     = optional 
90 organizationName          = optional

136 countryName_default             = CN  一些默认选项

141 stateOrProvinceName_default     = beijing 一些默认选项

144 localityName_default            = beijing一些默认选项

[root@zzu pki]# cd CA 
[root@zzu CA]# mkdir certs newcerts crl   创建3个目录和两个文件

[root@zzu CA]# touch index.txt serial

[root@zzu CA]# echo "01">serial 根索引文件

[root@zzu CA]#openssl genrsa 1024 >private/cakey.pem 创建ca的私钥文件

[root@zzu CA]# chmod 600 private/cakey.pem 改变私钥的权限

[root@zzu CA]#openssl req -new -key private/cakey.pem -days 3650 -x509 -out cacert.pem 为ca产生一份证书

二.为www服务器颁发证书

[root@zzu ~]# cd /etc/httpd/

[[root@zzu httpd]# mkdir certs

[root@zzu httpd]# cd certs/ 
[root@zzu certs]#openssl genrsa 1024 > httpd.key 产生服务器的私钥

[root@zzu certs]# openssl req -new -key httpd.key -out httpd.csr产生服务器的请求文件

[root@zzu certs]# openssl ca -in httpd.csr -out httpd.cert 产生服务器的证书文件

[root@zzu certs]#cp /etc/pki/CA/cacert.pem ./ 拷贝ca的证书文件

[root@zzu certs]#chmod 600 *

[root@zzu certs]#yum install mod_ssl*改变文件的权限增加安全性

[root@zzu certs]#vim /etc/httpd/conf.d/ssl.conf  捆绑证书文件和钥匙文件

112 SSLCertificateFile /etc/httpd/certs/httpd.cert

119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key

128 SSLCertificateChainFile /etc/httpd/certs/cacert.pem

image

image

image

image

image

192.168.1.200 www.abc.com

image

[root@zzu certs]# netstat -tupln |grep httpd 
tcp        0      0 :::80                       :::*                        LISTEN      5544/httpd          
tcp        0      0 :::443                      :::*                        LISTEN      5544/httpd    

image     

关闭原来的80端口

[root@zzu certs]# vim /etc/httpd/conf/httpd.conf

134 #Listen 80 注释掉该行

[root@zzu certs]# service httpd restart 
Stopping httpd:                                            [  OK  ] 
Starting httpd:                                            [  OK  ]

[root@zzu certs]# netstat -tupln|grep httpd 
tcp        0      0 :::443                      :::*                        LISTEN      5483/httpd

image

image

这样www.abc.com 就只能够使用https进行访问啦

补充:

一:为www.abc.com 颁发证书192.168.1.200的主机

[root@zzu certs]#vim /etc/httpd/conf.d/ssl.conf

nameVirtualHost 192.168.1.200:443

<VirtualHost 192.168.1.200:443> 
DocumentRoot "/var/www/html" 
ServerName www.abc.com:443 
ErrorLog logs/ssl_error_log 
TransferLog logs/ssl_access_log 
LogLevel warn 
SSLEngine on 
SSLProtocol all -SSLv2 
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW 
SSLCertificateFile /etc/httpd/certs/httpd.cert 
SSLCertificateKeyFile /etc/httpd/certs/httpd.key 
SSLCertificateChainFile /etc/pki/CA/cacert.pem 
<Files ~ "\.(cgi|shtml|phtml|php3?)$"> 
    SSLOptions +StdEnvVars 
</Files> 
<Directory "/var/www/cgi-bin"> 
    SSLOptions +StdEnvVars 
</Directory> 
SetEnvIf User-Agent ".*MSIE.*" \ 
  nokeepalive ssl-unclean-shutdown \ 
  downgrade-1.0 force-response-1.0 
CustomLog logs/ssl_request_log \ 
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" 
</VirtualHost>

二:为 tec.abc.com 颁发证书192.168.1.100的主机

[root@zzu certs]#vim /etc/httpd/conf.d/ssl.conf

<VirtualHost 192.168.1.100:443> 
DocumentRoot "/var/www/tec" 
ServerName tec.abc.com:443 
ErrorLog logs/ssl_error_log 
TransferLog logs/ssl_access_log 
LogLevel warn 
SSLEngine on 
SSLProtocol all -SSLv2 
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW 
SSLCertificateFile /etc/httpd/certs/httpd1.cert 
SSLCertificateKeyFile /etc/httpd/certs/httpd1.key 
SSLCertificateChainFile /etc/pki/CA/cacert.pem 
<Files ~ "\.(cgi|shtml|phtml|php3?)$"> 
    SSLOptions +StdEnvVars 
</Files> 
<Directory "/var/www/cgi-bin"> 
    SSLOptions +StdEnvVars 
</Directory> 
SetEnvIf User-Agent ".*MSIE.*" \ 
         nokeepalive ssl-unclean-shutdown \ 
         downgrade-1.0 force-response-1.0 
CustomLog logs/ssl_request_log \ 
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" 
</VirtualHost>。