安装ssl
[root@server_1 ~]# yum install mod_ssl -y
创建key
[root@server_1 ~]# cd /etc/pki/tls/certs/
[root@server_1 certs]# make test.crt
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > test.key
Generating RSA private key, 2048 bit long modulus
............+++
.......................................................................................+++
e is 65537 (0x10001)
Enter pass phrase: //输入密码
Verifying - Enter pass phrase: //确认密码
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key test.key -x509 -days 365 -out test.crt -set_serial 0
Enter pass phrase for test.key: //与上述密码相同
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //国家代码
State or Province Name (full name) []:shanxi //省份
Locality Name (eg, city) [Default City]:xian //城市
Organization Name (eg, company) [Default Company Ltd]:openlab //公司名
Organizational Unit Name (eg, section) []:tech //部门
Common Name (eg, your name or your server's hostname) []:www.test.com //域名
Email Address []:openlab@163.com //邮箱
编辑配置文件
[root@server_1 ~]# vim /etc/httpd/conf.d/vhost.conf
修改如下内容
<VirtualHost 192.168.19.102>
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /etc/pki/tls/certs/test.crt
SSLCertificateKeyFile /etc/pki/tls/certs/test.key
DocumentRoot /www/100
ServerName 192.168.19.102
ServerAdmin root@localhost
</VirtualHost>
[root@test_1 certs]# echo this is https test > /www/100/index.html
配置防火墙
[root@server_1 certs]# firewall-cmd --add-port=443/tcp --per
[root@server_1 certs]# systemctl restart firewalld
[root@server_1 certs]# systemctl restart httpd
**Enter SSL pass phrase for 192.168.19.102:443 (RSA) : ****
这里重启httpd时需要输入之前配置好的RSA密钥
客户端测试
Firefox访问 https://192.168.19.102
会提示此链接不安全,继续访问的话可以看到内容
this is https test
curl --insure https://192.168.19.102
this is https test