通過yum來安裝mod_ssl
[root@controller ~]# yum install -y mod_ssl //在線安裝mod_ssl
已加載插件:fastestmirror
centos | 3.6 kB 00:00:00
iaas | 2.9 kB 00:00:00
Loading mirror speeds from cached hostfile
正在解決依賴關係
--> 正在檢查事務
---> 軟件包 mod_ssl.x86_64.1.2.4.6-40.el7.centos.4 將被 安裝
--> 解決依賴關係完成
依賴關係解決
========================================================================================================================================
Package 架構 版本 源 大小
========================================================================================================================================
正在安裝:
mod_ssl x86_64 1:2.4.6-40.el7.centos.4 iaas 104 k
事務概要
========================================================================================================================================
安裝 1 軟件包
總下載量:104 k
安裝大小:224 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安裝 : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64 1/1
驗證中 : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64 1/1
已安裝:
mod_ssl.x86_64 1:2.4.6-40.el7.centos.4
完畢!
HTTP 服務器上配置mod_ssl
1.建立服務器密鑰
[root@controller ~]# cd /etc/pki/tls/certs/ //進入HTTP服務器配置文件所在目錄
[root@controller ~]# make server.key //建立服務器密鑰
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
................++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase: //在這裏輸入口令
Verifying - Enter pass phrase: //確認口令,再次輸入
[root@controller ~]# openssl rsa -in server.key -out server.key //從密鑰中刪除密碼(以避免系統啓動後被詢問口令)
Enter pass phrase for server.key: //輸入口令
writing RSA key
2.建立服務器公鑰
[root@controller ~]# make server.csr //建立服務器密鑰
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN //輸入國名
State or Province Name (full name) [Berkshire]:Xinjiang //輸入省名
Locality Name (eg, city) [Newbury]:Shihezi //輸入城市名
Organization Name (eg, company) [My Company Ltd]:www.msdn.com //輸入組織名(任意)
Organizational Unit Name (eg, section) []: //不輸入,直接回車
Common Name (eg, your name or your server‘s hostname) []:www.msdn.com ← 輸入通稱(任意)
Email Address []:[email protected] //輸入電子郵箱地址
Please enter the following ’extra' attributes
to be sent with your certificate request
A challenge password []: //不輸入,直接回車
An optional company name []: //不輸入,直接回車
3.建立服務器證書
[root@controller ~]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365 //建立服務器證書
Signature ok
subject=/C=CN/ST=Xinjiang/L=Shihezi/O=www.51cto.com/emailAddress=[email protected]
Getting Private key
Enter pass phrase for server.key:
140645233670048:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
[root@controller ~]# chmod 400 server.* //修改權限爲400
4.設置SSL
[root@controller ~]# vi /etc/httpd/conf.d/ssl.conf //修改SSL的設置文件
#DocumentRoot "/var/www/html" //找到這一行,將行首的“#”去掉
Ⅴ
DocumentRoot "/var/www/html" //變爲此狀態
5.重新啓動HTTP服務,讓SSL生效
[root@controller]# systemctl restart httpd.service //重新啓動HTTP服務器
本地配置文件/etc/httpd/conf.d/ssl_saturn.conf:
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>