1、生成私鑰
生成rsa私鑰,des3算法,2048位強度。server.key是祕鑰文件名,需要提供一個至少4位的密碼。
[root@localhost ~]# openssl genrsa -des3 -out server.key 2048 Generating RSA private key, 2048 bit long modulus ........................................................+++ ...................................+++ e is 65537 (0x10001) Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key:
2、生成csr(證書籤名請求)
創建csr申請簽名請求文件,然後發送給證書頒發機構(費用高)、或者實現自簽名。
[root@localhost ~]# openssl req -new -key server.key -out server.csr Enter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:GuangDong Locality Name (eg, city) [Default City]:ShenZhen Organization Name (eg, company) [Default Company Ltd]:OPS Organizational Unit Name (eg, section) []:OPS Common Name (eg, your name or your server's hostname) []:www.test.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
3、刪除私鑰的密碼
[root@localhost ~]# ll total 16 -rw-r--r-- 1 root root 1013 Mar 5 15:17 server.csr -rw-r--r-- 1 root root 1751 Mar 5 15:13 server.key [root@localhost ~]# cp server.key server.key.org [root@localhost ~]# openssl rsa -in server.key.org -out server.key Enter pass phrase for server.key.org: writing RSA key
4、生成自簽名證書
[root@localhost ~]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt Signature ok subject=/C=CN/ST=GuangDong/L=ShenZhen/O=OPS/OU=OPS/CN=www.test.com Getting Private key
5、apache設置SSL證書,並且實現http強制跳轉到https
[root@localhost ~]# vi /etc/http/http.conf LoadModule ssl_module modules/mod_ssl.so LoadModule socache_shmcb_module modules/mod_socache_shmcb.so LoadModule rewrite_module modules/mod_rewrite.so ServerName www.test.com:80 <Directory "/opt/abc/xyz"> Options Indexes FollowSymLinks AllowOverride None Require all granted RewriteEngine on RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^(.*)?$ https://%{SERVER_NAME}/$1 [L,R] </Directory> Include /etc/httpd/extra/httpd-ssl.conf [root@localhost ~]# vi /etc/httpd/extra/httpd-ssl.conf <VirtualHost _default_:443> # General setup for the virtual host DocumentRoot "/opt/abc/xyz" ServerName www.test.com:443 ServerAdmin [email protected] ErrorLog "/usr/local/apache2.4.25/logs/error_log" TransferLog "/usr/local/apache2.4.25/logs/access_log" SSLEngine on SSLCertificateFile "/usr/local/apache/ssl/server.crt" SSLCertificateKeyFile "/usr/local/apache/ssl/server.key"
6、訪問測試
https://192.168.146.129