Apache配置SSL实现https访问

本次坏境：CA和apache为同一台主机

创新互联公司技术团队十余年来致力于为客户提供成都网站建设、网站制作、品牌网站设计、成都全网营销、搜索引擎SEO优化等服务。经过多年发展，公司拥有经验丰富的技术团队，先后服务、推广了成百上千家网站，包括各类中小企业、企事单位、高校等机构单位。

先使本机作为CA服务端：

[root@localhost~]#yum -y install openssl openssl-devel

[root@localhost~]#vi /etc/pki/tls/openssl.cnf

[ CA_default ]

dir = ../../CA

改为：

[ CA_default ]

dir= /etc/pki/CA

为了减少不必要的重复操作，可以预先定义[ req_distinguished_name ]下面的一些内容，自定义即可，具体的就不多说了

:wq

[root@localhost~]#cd /etc/pki/CA 

[root@localhost CA]# mkdir certs newcerts crl

[root@localhost CA]# touch index.txt

[root@localhost CA]# echo 00 > serial

[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)  ##生成自签密钥

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3657  ##生成自签证书

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [HaiDian]:

Organization Name (eg, company) [TEXT]:

Organizational Unit Name (eg, section) [DEV]:

Common Name (eg, your name or your server's hostname) []:ca.text.com

Email Address []:text@text.com

由于openssl.cnf里面定义了部分内容，上面一直敲回车，直到Common Name (eg, your name or your server's hostname) []:  （此为CA服务名称，可自定义）

最后一个邮箱也可自定义

都敲完后，我们的CA服务端就完成了，继续往下做

Apache动态编译安装：

[root@localhost CA]# tar -xf httpd-2.2.9.tar -C /usr/local/src/

[root@localhost CA]#cd /usr/local/src/httpd-2.2.9/

[root@localhost httpd-2.2.9]# ./configure --prefix=/usr/local/apache2 --sysconfdir=/etc/httpd --with-z=/usr/local/zlib/ --with-included-apr --enable-so --enable-mods-shared=most

[root@localhost httpd-2.2.9]#make;make install

Apache配置ssl：

[root@localhost CA]# rpm -qa |grep mod_ssl

[root@localhost CA]# yum -y install mod_ssl ##如没有mod_ssl直接使用yum安装即可

[root@localhost CA]# rpm -ql mod_ssl  ##查看mod_ssl生成的配置文件位置

[root@localhost CA]# cd /etc/httpd

[root@localhost httpd]# mkdir ssl

[root@localhost httpd]# cd ssl

[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 2048)  ##生成密钥

[root@localhost ssl]#openssl req -new -key httpd.key -out httpd.csr  ##生成证书签署请求

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [HaiDian]:

Organization Name (eg, company) [TEXT]:

Organizational Unit Name (eg, section) [DEV]:

## 上面五条一定要和CA服务器设置一致，本次实验都是在一台主机上，所以直接敲回车即可

Common Name (eg, your name or your server's hostname) []:text.bj.com  ##一定要是客户端访问的地址，而不是上面CA设置的地址

Email Address []:httpd@text.com  ##自定义

[root@localhost ssl]#openssl ca -in httpd.csr -out httpd.crt -days 3657  ## ca签署命令，敲两次y和回车即可（由于都在一台机器上，直接签署就可以了，如果在不同机器上，把http的证书签署请求文件拷贝到CA服务端签署后拷贝回来就可以了）

[root@localhost ssl]#vi /etc/httpd/conf.d/ssl.conf

默认443端口不变

查看下面两句是否存在，不存在加上

AddType application/x-x509-ca-cert .crt

AddType application/x-pkcs7-crl .crl

改为：

 ##web服务器或web虚拟主机IP地址

添加下面两句

ServerName text.bj.com  ##上面定义的地址

DocumentRoot "/var/www/html"  ##网站目录位置，如设置的虚拟主机，此位置需和apache配置文件里虚拟主机定义的位置一致

SSLEngine on  ##确保开启

SSLCertificateFile /etc/httpd/ssl/httpd.crt  ## 证书存放位置

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key  ##密钥存放位置

:wq

[root@localhost ssl]#echo text.bj.com > /var/www/html/index.html

[root@localhost ssl]#/etc/init.d/httpd start

[root@localhost ssl]#netstat –tnlp  ##查看443端口是否开启

访问https://text.bj.com  

提示“该网站的安全证书不受信任”

解决：

拷贝/etc/pki/CA/cacert.pem到客户端上安装即可（winPC后缀改为.crt后双击安装）

当前文章：Apache配置SSL实现https访问
网站地址：http://bjjierui.cn/article/ggppdo.html