为Apache配置SSL密钥

2019独角兽企业重金招聘Python工程师标准>>>

 生成server.key文件。这里主要是使用最新版本的openssl。

[root@svnsubv ~]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........................+++
..................................................................................+++
e is 65537 (0x10001)
[root@svnsubv ~]# 

[root@svnsubv ~]# ls -l server.key
-rw------- 1 root root 1679 Jun 22 15:36 server.key
[root@svnsubv ~]# 

[root@svnsubv ~]# openssl req -new -key server.key -out certreq.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Lenovo
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:申请的域名
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@svnsubv ~]# 

[root@svnsubv ~]# ls -l certreq.csr
-rw------- 1 root root 997 Jun 22 15:39 certreq.csr
[root@svnsubv ~]# 

密钥生成后，有两个文件提供出来：

certreq.cer 这是认证文件，是提供给的主要文件。

certreq.csr 这是我发送给的提供商用来生成certreq.cer的文件。

 

修改/etc/hosts文件，要注册本地ip和申请的域名。

 

参考这里：http://www.itrus.cn/html/fuwuyuzhichi/fuwuqizhengshuanzhuangpeizhizhinan/435.html

将certreq.cer复制并命名为server.crt和ca.crt。放到服务器端/etc/httpd/extra目录下（其他目录也可，但在之后的配置时需要相应修改）。同时将server.key也上传到/etc/httpd/extra中。

 

接下来修改httpd.conf，即apache的配置。

增加如下内容：

LoadModule ssl_module modules/mod_ssl.so 

这里要注意，如果apache安装时使用了--enable-ssl=static参数，这表示ssl功能已经在编译安装时内置，这时则不需要这一行。

 

增加如下行（或去掉已有的注释）

Include conf/extra/httpd_ssl.conf

 

修改httpd_ssl.conf文件。保证如下内容：

SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLCertificateFile /etc/httpd/extra/server.crt
SSLCertificateKeyFile /etc/httpd/extra/server.key
SSLCertificateChainFile /etc/httpd/extra/ca.crt

 

最后做http自动强制转为https的设置。修改httpd-vhosts.conf文件。

<VirtualHost *:80>
 RewriteEngine On
 RewriteCond %{SERVER_PORT} !^443$
 RewriteRule ^(.*)?$ https://%{SERVER_NAME}$1 [L,R]
# RewriteBase /
# RewriteCond %{SERVER_PORT} 443
# RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</VirtualHost>

转载于:https://my.oschina.net/shawnplaying/blog/699309