Linux HTTPS SSL certificate example

Apache must be installed on Linux first (yum install httpd)

1. Check for and install SSL (the package name is mod_ssl)

 

[root@localhost ~]# rpm -qi motd_ssl
package motd_ssl is not installed

[root@localhost yum.repos.d]# yum install mod_ssl
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-31.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================
 Package    Arch    Version           Repository    Size
=============================================================
Installing:
 mod_ssl    i386    1:2.2.3-31.el5    file          88 k

Transaction Summary
=============================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 88 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : mod_ssl 1/1

Installed:
mod_ssl.i386 1:2.2.3-31.el5

Complete!

2. Manually create the key and certificate

[root@localhost yum.repos.d]# cd /etc/pki/tls/certs/
[root@localhost certs]# pwd
/etc/pki/tls/certs

[root@localhost certs]# make auth.key (create an SSL private key named auth)
umask 77 ; /usr/bin/openssl genrsa -des3 1024 > auth.key
Generating RSA private key, 1024 bit long modulus
.....................................++++++
............................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

[root@localhost certs]# make auth.crt (create a certificate named auth)
umask 77 ; /usr/bin/openssl req -new -key auth.key -x509 -days 365 -out auth.crt -set_serial 0
Enter pass phrase for auth.key: (enter the private key passphrase set above)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN (country)
State or Province Name (full name) [Berkshire]:liaoning (state or province)
Locality Name (eg, city) [Newbury]:dalian (city)
Organization Name (eg, company) [My Company Ltd]:IBM (organization name)
Organizational Unit Name (eg, section) []:IBM (full name)
Common Name (eg, your name or your servers hostname) []:WWW.IBM.COM (common name)
Email Address []: (e-mail)

3. Edit the configuration file

[root@localhost certs]# cp auth.key /etc/pki/tls/private/ (copy the private key into place)
[root@localhost certs]# vi /etc/httpd/conf.d/ssl.conf

Change lines 112 and 119:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt ====> SSLCertificateFile /etc/pki/tls/certs/auth.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key ====> SSLCertificateKeyFile /etc/pki/tls/private/auth.key

4. Restart the Apache service

[root@localhost certs]# service httpd restart
停止httpd: [失败]
启动httpd:Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server localhost.localdomain:443 (RSA)
Enter pass phrase: (enter the private key passphrase)

OK: Pass Phrase Dialog successful. [确定]

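[root@localhost certs]# netstat -tunal |grep 443
tcp 0 0 :::443 :::* LISTEN

(The server is listening on local port 443 for connections from any remote address and port, which shows that it started successfully.)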

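5. Visit and test the web page (https://172.18.4.88)

1. Add a security exception and view the certificate (the certificate issuer now shows as IBM)
2. Open the test page; the default page displays normally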

 

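Note: with the certificate configured this way, the next time the Apache service starts automatically at boot it will prompt you for the passphrase, and will otherwise stay stuck at the service start-up screen. So once the experiment is finished, it is best to change ssl.conf back to its original default localhost entries.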
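
Before pointing ssl.conf at a new certificate and key as in step 3, it helps to confirm that the two files belong together, since httpd will not start with a mismatched pair. The script below is an added example, not part of the original post: the function names, the MIN_BITS threshold and the throwaway demo files are assumptions of this example, and the demo uses constructed unencrypted 2048-bit keys rather than the post's auth.key and auth.crt.

```shell
#!/bin/sh
# Added example: pre-flight check of a certificate/key pair for ssl.conf.
MIN_BITS=2048   # threshold chosen for this example, not from the page

# Print "Modulus=<hex>" for a certificate (x509) or private key (rsa).
# PASSIN is an optional openssl -passin source for an encrypted key.
modulus() {  # usage: modulus x509|rsa FILE [PASSIN]
    if [ "$1" = rsa ]; then
        openssl rsa -noout -modulus -in "$2" -passin "${3:-pass:}" 2>/dev/null
    else
        openssl x509 -noout -modulus -in "$2" 2>/dev/null
    fi
}

# Succeeds only if the certificate was issued for this private key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY [PASSIN]
    c=$(modulus x509 "$1") && k=$(modulus rsa "$2" "$3") && [ "$c" = "$k" ]
}

# RSA key size in bits, from the modulus length (4 bits per hex digit).
rsa_bits() {  # usage: rsa_bits CERT
    m=$(modulus x509 "$1") || return 1
    m=${m#Modulus=}
    echo $(( ${#m} * 4 ))
}

# Returns 0 = usable, 1 = key mismatch, 2 = key too short, 3 = expired.
check_pair() {  # usage: check_pair CERT KEY [PASSIN]
    cert_matches_key "$1" "$2" "$3" || { echo "MISMATCH: $1 / $2"; return 1; }
    bits=$(rsa_bits "$1")
    [ "$bits" -ge "$MIN_BITS" ] || { echo "WEAK: $bits-bit RSA key"; return 2; }
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null ||
        { echo "EXPIRED: $1"; return 3; }
    echo "OK: $bits-bit RSA, key matches certificate, not expired"
}

# Constructed demo data: throwaway unencrypted keys and a self-signed
# certificate in a temp directory (not the page's auth.key / auth.crt).
make_demo() {  # usage: make_demo DIR
    openssl genrsa -out "$1/demo.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/demo.key" -days 365 -out "$1/demo.crt" \
        -subj "/C=CN/O=Example/CN=www.example.test" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_demo "$demo_dir"
check_pair "$demo_dir/demo.crt" "$demo_dir/demo.key"
check_pair "$demo_dir/demo.crt" "$demo_dir/other.key" || echo "(wrong key rejected)"
```

For the passphrase-protected auth.key from step 2, pass an openssl pass-phrase source such as stdin as the third argument; the key generated there is 1024-bit, which this check reports as WEAK.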

Reposted from: https://www.cnblogs.com/nolie/archive/2013/03/08/2950004.html
