Generate the server.key file. The latest version of openssl is used here.
[root@svnsubv ~]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..................................................................................+++
e is 65537 (0x10001)
[root@svnsubv ~]#
[root@svnsubv ~]# ls -l server.key
-rw------- 1 root root 1679 Jun 22 15:36 server.key
[root@svnsubv ~]#
[root@svnsubv ~]# openssl req -new -key server.key -out certreq.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Lenovo
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:申请的域名
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@svnsubv ~]#
[root@svnsubv ~]# ls -l certreq.csr
-rw------- 1 root root 997 Jun 22 15:39 certreq.csr
[root@svnsubv ~]#
After the key is generated, two files come into play:
certreq.cer: this is the certificate file, the main file that is provided.
certreq.csr: this is the file I send to the provider so that they can generate certreq.cer.
Edit the /etc/hosts file so that the local IP is registered against the requested domain name.
Reference: http://www.itrus.cn/html/fuwuyuzhichi/fuwuqizhengshuanzhuangpeizhizhinan/435.html
Copy certreq.cer and name the copies server.crt and ca.crt, then place them in the server's /etc/httpd/extra directory (any other directory also works, but the configuration below must then be adjusted to match). Upload server.key to /etc/httpd/extra as well.
Next, edit httpd.conf, i.e. the Apache configuration.
Add the following line:
LoadModule ssl_module modules/mod_ssl.so
Note that if Apache was built with the --enable-ssl=static option, SSL support was compiled in statically and this line is not needed.
Add the following line (or uncomment it if it is already present):
Include conf/extra/httpd_ssl.conf
Edit the httpd_ssl.conf file and make sure it contains the following:
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLCertificateFile /etc/httpd/extra/server.crt
SSLCertificateKeyFile /etc/httpd/extra/server.key
SSLCertificateChainFile /etc/httpd/extra/ca.crt
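The key and CSR generation above, together with the installation of server.crt, server.key and ca.crt for the three SSLCertificate* directives, as an added shell example (not part of the original post). It assumes openssl 1.1.1 or newer; the host name svn.example.com, the scratch directory and the "stand-in CA" that signs the CSR are constructed placeholders for the provider's real CA so that everything runs offline. It produces the key and CSR non-interactively with the same DN fields as the session above, checks the CSR before it would be sent off, and then checks what the httpd_ssl.conf directives point at: key file permissions, certificate/key match, that ca.crt actually validates server.crt (it has to hold the issuing CA's chain certificates, so a second copy of the server certificate will not pass), remaining validity, and the host name.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumes openssl 1.1.1 or newer. The host name, directory and "stand-in CA" below are
# constructed placeholders for the provider's real CA, so everything runs offline.

# DER-encoded public key taken from a private key, a CSR or a certificate.
pubkey_der() {  # $1 = key|csr|crt, $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout -outform DER ;;
        csr) openssl req -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        crt) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    esac
}

# SHA-256 of that public key, so key, CSR and certificate can be compared for consistency.
pubkey_fp() {
    pubkey_der "$1" "$2" | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Non-interactive equivalent of the "openssl genrsa" / "openssl req -new" session above,
# with the same DN fields plus a subjectAltName (modern clients ignore the CN alone).
make_key_and_csr() {  # $1 = output dir, $2 = server FQDN
    (   # subshell so the restrictive umask does not leak into the caller
        umask 077                       # private key: owner read/write only
        openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
        openssl req -new -key "$1/server.key" -out "$1/certreq.csr" \
            -subj "/C=CN/ST=BJ/L=BJ/O=Lenovo/OU=IT/CN=$2" \
            -addext "subjectAltName=DNS:$2"
    )
}

# Checks to run on certreq.csr before sending it to the provider.
check_csr() {  # $1 = dir, $2 = expected FQDN
    openssl req -in "$1/certreq.csr" -noout -verify >/dev/null 2>&1 \
        || { echo "FAIL: CSR self-signature does not verify"; return 1; }
    [ "$(pubkey_fp csr "$1/certreq.csr")" = "$(pubkey_fp key "$1/server.key")" ] \
        || { echo "FAIL: CSR public key does not match server.key"; return 1; }
    openssl req -in "$1/certreq.csr" -noout -subject | grep -q "CN *= *$2" \
        || { echo "FAIL: CSR CN is not $2"; return 1; }
}

# Constructed stand-in for the provider: a throwaway root CA signs the CSR. With a real
# provider, the returned certreq.cer takes the place of server.crt and the CA's chain
# certificate(s) take the place of ca.crt.
demo_sign_with_stand_in_ca() {  # $1 = dir holding certreq.csr
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/demo-ca.key" -out "$1/ca.crt" \
        -subj "/CN=Demo stand-in CA" -days 365 2>/dev/null &&
    openssl x509 -req -in "$1/certreq.csr" -CA "$1/ca.crt" -CAkey "$1/demo-ca.key" \
        -CAcreateserial -out "$1/server.crt" -days 365 2>/dev/null
}

# Pre-deployment check of the files named by SSLCertificateFile, SSLCertificateKeyFile
# and SSLCertificateChainFile. Prints every problem found; returns 0 only if all pass.
check_tls_files() {  # $1 = server.crt, $2 = server.key, $3 = ca.crt (issuer chain), $4 = FQDN
    rc=0
    case "$(ls -l "$2" | cut -c5-10)" in
        *[rwx]*) echo "FAIL: $2 is readable by group or others"; rc=1 ;;
    esac
    [ "$(pubkey_fp crt "$1")" = "$(pubkey_fp key "$2")" ] \
        || { echo "FAIL: $1 does not match $2"; rc=1; }
    # ca.crt must hold the issuing CA chain; a second copy of the server certificate
    # does not satisfy this check unless that certificate is self-signed.
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 \
        || { echo "FAIL: $1 does not chain to $3"; rc=1; }
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: $1 expires within 30 days"; rc=1; }
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$4|CN ?= ?$4" \
        || { echo "FAIL: $1 was not issued for $4"; rc=1; }
    return $rc
}

# Demo: run the whole sequence in a scratch directory that is removed afterwards.
demo() {
    host="svn.example.com"          # constructed FQDN standing in for the requested domain
    dir=$(mktemp -d) || return 1
    make_key_and_csr "$dir" "$host" && check_csr "$dir" "$host" &&
    demo_sign_with_stand_in_ca "$dir" &&
    check_tls_files "$dir/server.crt" "$dir/server.key" "$dir/ca.crt" "$host"
    status=$?
    rm -rf "$dir"
    return $status
}

command -v openssl >/dev/null 2>&1 && demo && echo "all checks passed"
```

Run the file directly to execute the demo. To check a real installation, call check_tls_files with the three paths from httpd_ssl.conf and the site's domain name; a non-zero exit status and the printed FAIL lines tell you what to fix before restarting Apache.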
Finally, set up the automatic redirect from http to https by editing the httpd-vhosts.conf file.
# Plain-http virtual host: every request is redirected to the https:// version of the same URL
<VirtualHost *:80>
RewriteEngine On
# Only redirect when the request did not already arrive on port 443
RewriteCond %{SERVER_PORT} !^443$
# [R] issues an external (302) redirect, [L] stops further rewrite processing
RewriteRule ^(.*)?$ https://%{SERVER_NAME}$1 [L,R]
# Disabled alternative that rebuilds the target from REQUEST_URI
# RewriteBase /
# RewriteCond %{SERVER_PORT} 443
# RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</VirtualHost>
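The same redirect without mod_rewrite, as an added configuration example (not from the original post). The RewriteRule above uses the bare [R] flag, which sends a temporary 302 redirect, and the SERVER_PORT condition is redundant inside a *:80 host; a Redirect permanent directive from mod_alias sends a 301 and needs no conditions. The :443 host repeats the certificate paths from httpd_ssl.conf and adds an HSTS header (requires mod_headers; the host name svn.example.com and the max-age value are assumptions) so that browsers which have seen it go straight to https on later visits and never issue the plain-http request at all.

```apache
<VirtualHost *:80>
    ServerName svn.example.com
    # 301 redirect of every path to the same path over https
    Redirect permanent / https://svn.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName svn.example.com
    SSLEngine on
    SSLCertificateFile      /etc/httpd/extra/server.crt
    SSLCertificateKeyFile   /etc/httpd/extra/server.key
    SSLCertificateChainFile /etc/httpd/extra/ca.crt
    # HSTS: start with a short max-age while testing, then raise it to a year
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

Check the result with apachectl configtest before restarting, and confirm with curl -I http://svn.example.com/ that the response is a 301 whose Location header points at the https URL.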