HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer: an HTTP channel designed with security as its goal, or simply the secure version of HTTP. It is HTTP with an SSL layer added underneath; the security of HTTPS rests entirely on SSL, so the details of how the traffic is encrypted belong to SSL rather than to HTTP itself.

SSL was developed by Netscape and shipped built into its browser; it encrypts application data before it goes onto the network and decrypts what comes back. HTTP uses TCP port 80, while HTTPS uses TCP port 443.

HTTPS serves two main purposes: it establishes a secure channel that protects the data in transit, and it lets the client confirm the identity of the website it is talking to.

Before HTTPS can be enabled, the httpd package must be installed, together with mod_ssl (the Apache SSL module) and its dependency distcache:

# rpm -ivh httpd-2.2.3-31.el5
# rpm -ivh distcache-1.4.5-14.1
# rpm -ivh mod_ssl-2.2.3-31.el5

1 Under /etc/httpd/ create the directory ssl and, inside it, the directory private. The server's private key will go in private; the request and certificate go in ssl itself.

# cd /etc/httpd
# mkdir -pv ./ssl/private
mkdir: created directory `ssl'
mkdir: created directory `ssl/private'

2 Check the layout with tree:

# tree ssl/
ssl
`-- private

1 directory, 0 files

3 SSL authentication relies on a CA: certificates issued by the CA establish the identity of their holders, because only the CA is trusted to issue certificates to others. Before it can issue anything, the CA must first sign a certificate for itself. The next steps set that CA up. On CentOS 5 the CA directory that openssl.cnf points at is /etc/pki/CA, and that is where the prompts below are: private is /etc/pki/CA/private and CA is /etc/pki/CA. Keep the CA there, separate from the server's own files in /etc/httpd/ssl.

 

4 Generate the CA's private key

[root@station90 private]# openssl genrsa 1024 > cakey.pem
Generating RSA private key, 1024 bit long modulus
.....++++++
..++++++
e is 65537 (0x10001)

A 1024-bit RSA key was the tutorial's choice; today use 2048 bits or more. Note that a plain > redirection creates the file with the default umask, so the key is world-readable until the chmod in step 6; running the command under umask 077 closes that window.

 

 

5 Generate the CA's self-signed certificate

The -x509 option makes openssl req output a self-signed certificate instead of a certificate request; this is the self-signature described in step 3. The key from step 4 lives in private/ under the CA directory, so that is the path to give (the option is -days with a plain hyphen):

[root@station90 CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3600
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:windbbs.test.com
Email Address []:windbbs@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Prefer a Common Name that identifies the CA itself rather than the web server; this walkthrough reuses windbbs.test.com for both, which gives the CA and server certificates the same subject. The country, state and organization entered here must be repeated exactly when the server request is made in step 11, because the default policy_match section of openssl.cnf requires those fields to match the CA's.

6 Change the permissions of cakey.pem to 600 so that only root can read the CA's private key

[root@station90 private]# chmod 600 cakey.pem

cacert.pem is the CA's public certificate and needs no such protection; it is the private keys (cakey.pem here, and the server key from step 10) that must stay at 600. httpd reads its certificate and key as root when it starts, so root-owned files with mode 600 work without changing their group to apache.

 

7 Check the permissions of cacert.pem and of the key

[root@station90 CA]# ll
total 12
-rw------- 1 root root  688 Mar  7 22:35 cacert.pem
drwx------ 2 root root 4096 Mar  7 22:39 private
[root@station90 CA]# ll ./private
-rw------- 1 root root 887 Mar  7 21:54 cakey.pem

 

8 Create the newcerts directory and the index.txt and serial files in the CA directory

# mkdir newcerts
# touch index.txt

index.txt is the CA's database of issued certificates and starts out empty. serial must be given an initial value, because openssl ca reads the next serial number from it when it signs the server request in step 12 and increments it afterwards:

# vim serial

Set its contents to 00. The value is read as hexadecimal and must have an even number of digits.

 

9 Check the CA paths in /etc/pki/tls/openssl.cnf (the file is openssl.cnf, not openssl.conf)

The [ CA_default ] section tells openssl ca where the CA certificate, serial file, database and newly issued certificates live. On CentOS 5 the shipped values already point at /etc/pki/CA, which is why the files in steps 4 to 8 were created there (the private_key entry further down the same section is $dir/private/cakey.pem, matching step 4). If you keep the CA somewhere else, change dir accordingly.

[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number

10 Generate the server's private key. This is done in the directory created in step 1, /etc/httpd/ssl, not in the CA directory:

[root@station90 ssl]# pwd
/etc/httpd/ssl
[root@station90 ssl]# openssl genrsa 1024 > private/windbbs.test.com.key
Generating RSA private key, 1024 bit long modulus
............++++++
............................++++++
e is 65537 (0x10001)

As with the CA key in step 4, 1024 bits is weak by today's standards, and this file should also be set to mode 600 as in step 6.

 

11 Generate the server's certificate signing request (CSR)

This is the request the CA will sign; it is written to /etc/httpd/ssl/windbbs.test.com.csr. The Common Name must be the hostname clients will use for the site, and the country, state and organization must match what the CA entered in step 5, because the default policy in openssl.cnf requires those fields to match:

[root@station90 ssl]# openssl req -new -key private/windbbs.test.com.key -out windbbs.test.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:windbbs.test.com
Email Address []:windbbs@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

 

 

 

12 Have the CA sign the server request

The request was written to /etc/httpd/ssl/windbbs.test.com.csr in step 11 (not under private/), so from /etc/httpd/ssl:

[root@station90 ssl]# openssl ca -in windbbs.test.com.csr -out windbbs.test.com.crt -days 3600

openssl ca takes the CA key, certificate, serial number and database from the [ CA_default ] paths of step 9, displays the certificate it is about to issue and asks for confirmation twice (sign, then commit); answer y to both. Besides writing windbbs.test.com.crt, it records the certificate in /etc/pki/CA/index.txt and keeps a copy in /etc/pki/CA/newcerts/ named after its serial number.

 

13 Point /etc/httpd/conf.d/ssl.conf at the certificate and key. Because they live under /etc/httpd/ssl, edit the file:

# vim /etc/httpd/conf.d/ssl.conf

and change the two directives SSLCertificateFile and SSLCertificateKeyFile to the files produced in steps 12 and 10:

SSLCertificateFile /etc/httpd/ssl/windbbs.test.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/private/windbbs.test.com.key

The paths must name the files that were actually generated; if a path is wrong, or the certificate and key do not belong together, httpd refuses to start.

 

 

14 Restart Apache

[root@station90 ssl]# service httpd restart

15 After the restart, test from a client machine. Browse to https://windbbs.test.com/ (the hostname must be the Common Name given in step 11, so the client has to resolve that name to this server). The browser will warn that the issuer is unknown until cacert.pem from step 5 is imported into its trust store; after that the connection should verify cleanly. If it does not work, go back over the steps, in particular the paths in step 13.
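The whole procedure, steps 1 through 15, as an added shell example; this is not part of the original page and not the author's own commands. It builds the CA and the server certificate non-interactively under a temporary directory so it can be run unprivileged, then performs the checks a practitioner wants before touching ssl.conf: that the certificate chains to the CA and that the key really belongs to the certificate. The hostname windbbs.test.com and the DN fields C=CN, ST=HENAN, L=ZZ, O=ZZU are the page's. Everything else is an assumption of this example: 2048-bit keys and SHA-256 instead of the 1024-bit keys and defaults of the time, a CA Common Name of "windbbs.test.com CA" so the CA and server subjects differ, OU=Web for the server, a subjectAltName for the hostname, and the minimal openssl.cnf the script writes for itself in place of /etc/pki/tls/openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the original page: the CA and server-certificate
# procedure above, run non-interactively under a throwaway directory.
# Assumed (not on the page): 2048-bit keys, sha256, a CA Common Name distinct
# from the server's, OU=Web for the server, and the minimal openssl.cnf below.
set -eu

# Minimal CA configuration with the same [ CA_default ] keys the page shows,
# plus extension sections that mark a CA certificate and a TLS server
# certificate. $1 = CA directory.
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
policy          = policy_match
x509_extensions = server_cert

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
localityName            = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ ca_cert ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:windbbs.test.com
EOF
}

# Steps 1-9: CA layout, CA key (mode 0600 from creation), self-signed CA cert.
make_ca() {  # $1 = CA directory
    mkdir -p "$1/private" "$1/newcerts"
    touch "$1/index.txt"
    echo 01 > "$1/serial"          # must be an even number of hex digits
    write_ca_config "$1"
    ( umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null )
    openssl req -x509 -new -config "$1/openssl.cnf" -extensions ca_cert \
        -key "$1/private/cakey.pem" -out "$1/cacert.pem" -days 3650 \
        -subj "/C=CN/ST=HENAN/L=ZZ/O=ZZU/OU=CA/CN=windbbs.test.com CA"
}

# Steps 10-12: server key, CSR, and a certificate signed by the CA.
make_server_cert() {  # $1 = CA directory, $2 = server ssl directory
    mkdir -p "$2/private"
    ( umask 077; openssl genrsa -out "$2/private/windbbs.test.com.key" 2048 2>/dev/null )
    openssl req -new -config "$1/openssl.cnf" \
        -key "$2/private/windbbs.test.com.key" -out "$2/windbbs.test.com.csr" \
        -subj "/C=CN/ST=HENAN/L=ZZ/O=ZZU/OU=Web/CN=windbbs.test.com"
    openssl ca -batch -notext -config "$1/openssl.cnf" -extensions server_cert \
        -in "$2/windbbs.test.com.csr" -out "$2/windbbs.test.com.crt" -days 3600 2>/dev/null
}

# Checks before editing ssl.conf: cert chains to the CA; key belongs to cert.
verify_chain() {  # $1 = CA cert, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null
}
key_matches_cert() {  # $1 = private key, $2 = certificate; same RSA modulus?
    [ "$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)" = \
      "$(openssl x509 -noout -modulus -in "$2")" ]
}

# Step 15, from a client once httpd has restarted: the handshake must verify
# against the CA certificate. $1 = hostname, $2 = CA cert.
check_live_server() {
    echo | openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" 2>/dev/null \
        | grep -q "Verify return code: 0 (ok)"
}

WORK=$(mktemp -d)
make_ca "$WORK/CA"
make_server_cert "$WORK/CA" "$WORK/ssl"
verify_chain "$WORK/CA/cacert.pem" "$WORK/ssl/windbbs.test.com.crt" && echo "chain OK"
key_matches_cert "$WORK/ssl/private/windbbs.test.com.key" "$WORK/ssl/windbbs.test.com.crt" \
    && echo "key matches cert"
```

Run it with sh; it prints "chain OK" and "key matches cert". To use the result for real, move the CA directory to /etc/pki/CA and the ssl directory to /etc/httpd/ssl, point SSLCertificateFile and SSLCertificateKeyFile at ssl/windbbs.test.com.crt and ssl/private/windbbs.test.com.key, restart httpd, and then run check_live_server windbbs.test.com /etc/pki/CA/cacert.pem from a client that resolves the name to the server. The key-modulus comparison is the quickest way to diagnose the "certificate and key do not match" failure that stops httpd from starting after step 13.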