一:CA服务器的搭建
[root@ www.linuxidc.com ~]# yum install openssl*
[root@ www.linuxidc.com ~]# cd /etc/pki/
[root@ www.linuxidc.com pki]# vim tls/openssl.cnf
dir = /etc/pki/CA
countryName = optional
stateOrProvinceName = optional
organizationName = optional
countryName_default = CN 一些默认选项
stateOrProvinceName_default = beijing 一些默认选项
localityName_default = beijing一些默认选项
[root@ www.linuxidc.com pki]# cd CA
[root@ www.linuxidc.com CA]# mkdir certs newcerts crl 创建3个目录和两个文件
[root@ www.linuxidc.com CA]# touch index.txt serial
[root@ www.linuxidc.com CA]# echo "01">serial 根索引文件
[root@ www.linuxidc.com CA]#openssl genrsa 1024 >private/cakey.pem 创建ca的私钥文件
[root@ www.linuxidc.com CA]# chmod 600 private/cakey.pem 改变私钥的权限
[root@ www.linuxidc.com CA]#openssl req -new -key private/cakey.pem -days 3650 -x509 -out cacert.pem 为ca产生一份证书
二.为www服务器颁发证书
[root@ www.linuxidc.com ~]# cd /etc/httpd/
[[root@ www.linuxidc.com httpd]# mkdir certs
[root@ www.linuxidc.com httpd]# cd certs/
[root@ www.linuxidc.com certs]#openssl genrsa 1024 > httpd.key 产生服务器的私钥
[root@ www.linuxidc.com certs]# openssl req -new -key httpd.key -out httpd.csr产生服务器的请求文件
[root@ www.linuxidc.com certs]# openssl ca -in httpd.csr -out httpd.cert 产生服务器的证书文件
[root@ www.linuxidc.com certs]#cp /etc/pki/CA/cacert.pem ./ 拷贝ca的证书文件
[root@ www.linuxidc.com certs]#chmod 600 *
[root@ www.linuxidc.com certs]#yum install mod_ssl*改变文件的权限增加安全性
[root@ www.linuxidc.com certs]#vim /etc/httpd/conf.d/ssl.conf 捆绑证书文件和钥匙文件
SSLCertificateFile /etc/httpd/certs/httpd.cert
SSLCertificateKeyFile /etc/httpd/certs/httpd.key
SSLCertificateChainFile /etc/httpd/certs/cacert.pem
192.168.1.200 www.abc.com
[root@ www.linuxidc.com certs]# netstat -tupln |grep httpd
tcp 0 0 :::80 :::* LISTEN 5544/httpd
tcp 0 0 :::443 :::* LISTEN 5544/httpd
关闭原来的80端口
[root@ www.linuxidc.com certs]# vim /etc/httpd/conf/httpd.conf
134 #Listen 80 注释掉该行
[root@ www.linuxidc.com certs]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@ www.linuxidc.com certs]# netstat -tupln|grep httpd
tcp 0 0 :::443 :::* LISTEN 5483/httpd
这样www.abc.com 就只能够使用https进行访问啦
补充:
一:为www.abc.com 颁发证书192.168.1.200的主机
[root@zzu certs]#vim /etc/httpd/conf.d/ssl.conf
nameVirtualHost 192.168.1.200:443
<VirtualHost 192.168.1.200:443>
DocumentRoot "/var/www/html"
ServerName www.abc.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/certs/httpd.cert
SSLCertificateKeyFile /etc/httpd/certs/httpd.key
SSLCertificateChainFile /etc/pki/CA/cacert.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
二:为 tec.abc.com 颁发证书192.168.1.100的主机
[root@zzu certs]#vim /etc/httpd/conf.d/ssl.conf
<VirtualHost 192.168.1.100:443>
DocumentRoot "/var/www/tec"
ServerName tec.abc.com:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/certs/httpd1.cert
SSLCertificateKeyFile /etc/httpd/certs/httpd1.key
SSLCertificateChainFile /etc/pki/CA/cacert.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>