httpd service (continued)

Configuring encrypted HTTPS

  • Before configuring, httpd must be installed from source (if you have not done this, see the previous post, "httpd service")

  • Notes:
    root@localhost is the server
    root@super is the client (it acts as the CA)

  • Procedure:

**//Generate a key pair**
[root@super ~]# cd /etc/pki/CA
[root@super CA]# ls
certs  crl  newcerts  private
[root@super CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.............+++
................+++
e is 65537 (0x10001)
[root@96 CA]# openssl rsa -in private/cakey.pem -pubout
…output omitted

**//Generate the self-signed CA certificate**
[root@super CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:shiyan
Organization Name (eg, company) [Default Company Ltd]:zhao.example.com
Organizational Unit Name (eg, section) []:zhao.example.com
Common Name (eg, your name or your server's hostname) []:zhao.example.com
Email Address []:123@0.com

**//Read out the certificate contents**
[root@super CA]# openssl x509 -text -in cacert.pem
…output omitted
[root@super CA]# mkdir certs newcerts crl
[root@super CA]# touch index.txt && echo 01 > serial

**//Generate the server key**
[root@localhost ~]# cd /etc/httpd38  && mkdir ssl && cd ssl
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.....................+++
................+++
e is 65537 (0x10001)

**//Generate the server's certificate signing request (CSR)**
[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
**//The fields below must be kept consistent with those entered when the CA certificate was created**
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:shiyan
Organization Name (eg, company) [Default Company Ltd]:zhao.example.com
Organizational Unit Name (eg, section) []:zhao.example.com
Common Name (eg, your name or your server's hostname) []:zhao.example.com
Email Address []:123@0.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                    **//Do not set a password here, just press Enter**
An optional company name []:

**//The server sends the CSR file to the CA**
[root@localhost ssl]# scp httpd.csr root@192.168.xxx.xxx:/root     **//client IP**
httpd.csr                                                            100% 1082    21.2KB/s   00:00
[root@super ~]# ls
httpd.csr

**//Sign the certificate request submitted by the server**
[root@super ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
[root@super ~]# ls
httpd.crt     httpd.csr

**//The CA sends the signed certificate httpd.crt back to the server**
[root@super ~]# scp httpd.crt root@192.168.206.129:/root/      **//server IP**
[root@localhost ~]# ls
httpd.crt
[root@localhost ~]# mv httpd.crt /etc/httpd24/ssl/
[root@localhost ~]# cd /etc/httpd24/ssl/
[root@localhost ssl]# ls
httpd.crt  httpd.csr  httpd.key
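The CA and signing steps above, reproduced as a self-contained script. This is an added example, not the post's own commands: it runs in a temporary directory with its own minimal openssl.cnf instead of /etc/pki/CA and the system config, gives the CA certificate a distinct CN (assumed here as "zhao.example.com CA") so the issued server certificate cannot be mistaken for a self-signed one, adds a subjectAltName (browsers match the hostname against the SAN, not the CN), and finishes with the two checks worth running before copying files to the server: that httpd.crt verifies against cacert.pem, and that its public key belongs to httpd.key. The policy_match section is the reason the post insists on entering the same country, state and organization on both machines.

```shell
#!/bin/sh
# Added example (not from the original post): CA -> CSR -> signed certificate in a
# throwaway directory with its own openssl.cnf, followed by the checks the post
# omits. DN values follow the post; the config file, the "CA" suffix on the CA's
# CN and the subjectAltName extension are assumptions made for this example.
set -eu

make_ca_and_sign() {
    work=$(mktemp -d)
    cd "$work"
    # Same layout the post creates under /etc/pki/CA: index.txt is the database of
    # issued certificates, serial holds the next serial number, newcerts gets copies.
    mkdir -p ca/private ca/newcerts ssl
    : > ca/index.txt
    echo 01 > ca/serial

    cat > ca.cnf <<'EOF'
[ ca ]
default_ca     = demo_ca

[ demo_ca ]
dir            = ./ca
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/cacert.pem
private_key    = $dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_match
unique_subject = no

# Same rule as the stock openssl.cnf: the CSR's C, ST and O must match the CA's.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

# Values from the post; used as-is for the server CSR, CN overridden for the CA.
[ req_dn ]
C  = CN
ST = hubei
L  = shiyan
O  = zhao.example.com
OU = zhao.example.com
CN = zhao.example.com

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Extensions for the issued server certificate.
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:zhao.example.com
EOF

    # CA side (root@super in the post): key pair and self-signed CA certificate.
    (umask 077; openssl genrsa -out ca/private/cakey.pem 2048 2>/dev/null)
    openssl req -new -x509 -config ca.cnf -key ca/private/cakey.pem \
        -subj "/C=CN/ST=hubei/L=shiyan/O=zhao.example.com/CN=zhao.example.com CA" \
        -days 365 -out ca/cacert.pem 2>/dev/null

    # Server side (root@localhost): key pair and CSR, then the CA signs the CSR.
    (umask 077; openssl genrsa -out ssl/httpd.key 2048 2>/dev/null)
    openssl req -new -config ca.cnf -key ssl/httpd.key -out ssl/httpd.csr 2>/dev/null
    openssl ca -batch -config ca.cnf -extensions v3_server -days 365 -notext \
        -in ssl/httpd.csr -out ssl/httpd.crt 2>/dev/null

    # Check 1: the issued certificate chains to the CA certificate.
    openssl verify -CAfile ca/cacert.pem ssl/httpd.crt >/dev/null
    # Check 2: the certificate's public key is the one derived from httpd.key.
    crt_pub=$(openssl x509 -noout -pubkey -in ssl/httpd.crt | openssl dgst -sha256)
    key_pub=$(openssl pkey -pubout -in ssl/httpd.key | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ]
    printf '%s\n' "$work"
}

# Usage: dir=$(make_ca_and_sign) && ls "$dir/ssl"
```

If either check fails the function exits non-zero before printing the directory, which is the behaviour you want in a deployment script: a certificate that does not verify, or that does not match the key, should never reach SSLCertificateFile.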

**//SSL configuration**
**//Configure the virtual host**
[root@localhost ~]# vim /etc/httpd38/extra/httpd-ssl.conf
//In last-line mode search for: /DocumentRoot
Change it to the following:
DocumentRoot "/usr/local/apache/htdocs/aaa"
ServerName   zhao.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/zhao.example.com-error_log"
TransferLog "/usr/local/apache/logs/zhao.example.com-access_log"

//In last-line mode search for: /SSLCertificateFile
Change SSLCertificateFile "/etc/httpd38/server.crt" to SSLCertificateFile "/etc/httpd38/ssl/httpd.crt"

//In last-line mode search for: /SSLCertificateKeyFile
Change SSLCertificateKeyFile "/etc/httpd38/server.key" to SSLCertificateKeyFile "/etc/httpd38/ssl/httpd.key"

**//After configuring, check the configuration file for syntax errors:**
[root@localhost ~]# apachectl -t
Syntax OK
[root@localhost ~]# vim   /etc/httpd38/httpd.conf
Include /etc/httpd24/extra/httpd-ssl.conf    **//Uncomment this line**
LoadModule ssl_module modules/mod_ssl.so   **//Uncomment this line**

[root@localhost ~]# vim   /etc/httpd38/extra/httpd-ssl.conf
**//In last-line mode search for: /SSLSessionCache and comment that line out**
#SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
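The edits above, gathered into one 443 virtual host as an added example (not the post's own configuration). Paths, names and log files are the ones used in the post, written consistently under the /etc/httpd38 prefix; the SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder lines are additions, and so is the second LoadModule: the shmcb SSLSessionCache the post comments out only fails when mod_socache_shmcb is not loaded, so loading that module keeps session resumption working instead of disabling it (assumption: the module was built with your httpd).

```apache
# /etc/httpd38/httpd.conf - module and include lines (uncomment or add)
LoadModule ssl_module           modules/mod_ssl.so
# Provides the "shmcb" session cache; without it SSLSessionCache errors at startup
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include /etc/httpd38/extra/httpd-ssl.conf

# /etc/httpd38/extra/httpd-ssl.conf - the parts that matter
Listen 443
SSLSessionCache        "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

<VirtualHost _default_:443>
    DocumentRoot "/usr/local/apache/htdocs/aaa"
    ServerName   zhao.example.com:443
    ServerAdmin  you@example.com
    ErrorLog     "/usr/local/apache/logs/zhao.example.com-error_log"
    TransferLog  "/usr/local/apache/logs/zhao.example.com-access_log"

    SSLEngine on
    # Certificate signed by the private CA and the key generated under ssl/
    SSLCertificateFile    "/etc/httpd38/ssl/httpd.crt"
    SSLCertificateKeyFile "/etc/httpd38/ssl/httpd.key"

    # Added hardening: no SSLv3 / TLS 1.0 / TLS 1.1, no anonymous or MD5 suites
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
</VirtualHost>
```

Run `apachectl -t` after saving, exactly as the post does; the check also confirms that both certificate paths exist and that the key file is readable by the user httpd starts as.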

[root@localhost ~]# cd  /usr/local/apache/htdocs/
[root@localhost htdocs]# mkdir  aaa
[root@localhost htdocs]# ls
aaa    index.html
[root@localhost htdocs]# cd  aaa/
[root@localhost aaa]# echo  "I am a spider  man"  > index.html
[root@localhost httpd24]# apachectl -t
Syntax OK
**//Restart the service**
[root@localhost httpd24]# apachectl restart
//Check whether the HTTPS port (443) is listening
[root@localhost httpd24]# ss -antl
State       Recv-Q Send-Q      Local Address:Port                     Peer Address:Port
LISTEN      0      50                      *:139                                 *:*
LISTEN      0      128                     *:111                                 *:*
LISTEN      0      128                     *:22                                  *:*
LISTEN      0      100             127.0.0.1:25                                  *:*
LISTEN      0      50                      *:445                                 *:*
LISTEN      0      128                    :::80                                 :::*
LISTEN      0      100                   ::1:25                                 :::*
LISTEN      0      128                    :::443                                :::*

**//The following steps are done on the Windows desktop**
1. Click "My Computer" on the desktop
2. Navigate to: C:\Windows\System32\drivers\etc\
3. Drag the hosts file in that folder onto the desktop and double-click it to open it in Notepad
4. On the last line of the hosts file add your IP and your domain name (the domain name is the ServerName you set above)
192.168.206.129   zhao.example.com
5. Save and close the file, then drag it back to its original location
6. Refresh "My Computer"
