linux下https的搭建总结

来源:岁月联盟 编辑:exp 时间:2012-05-05

一:CA服务器的搭建[root@zzu ~]# yum install openssl*[root@zzu ~]# cd /etc/pki/[root@zzu pki]# vim tls/openssl.cnf45 dir             = /etc/pki/CA88 countryName                 = optional 89 stateOrProvinceName     = optional 90 organizationName          = optional136 countryName_default             = CN  一些默认选项141 stateOrProvinceName_default     = beijing 一些默认选项144 localityName_default            = beijing一些默认选项[root@zzu pki]# cd CA [root@zzu CA]# mkdir certs newcerts crl   创建3个目录和两个文件[root@zzu CA]# touch index.txt serial  www.2cto.com  [root@zzu CA]# echo "01">serial 根索引文件[root@zzu CA]#openssl genrsa 1024 >private/cakey.pem 创建ca的私钥文件[root@zzu CA]# chmod 600 private/cakey.pem 改变私钥的权限[root@zzu CA]#openssl req -new -key private/cakey.pem -days 3650 -x509 -out cacert.pem 为ca产生一份证书二.为www服务器颁发证书[root@zzu ~]# cd /etc/httpd/[[root@zzu httpd]# mkdir certs[root@zzu httpd]# cd certs/ [root@zzu certs]#openssl genrsa 1024 > httpd.key 产生服务器的私钥[root@zzu certs]# openssl req -new -key httpd.key -out httpd.csr产生服务器的请求文件[root@zzu certs]# openssl ca -in httpd.csr -out httpd.cert 产生服务器的证书文件[root@zzu certs]#cp /etc/pki/CA/cacert.pem ./ 拷贝ca的证书文件[root@zzu certs]#chmod 600 *[root@zzu certs]#yum install mod_ssl*改变文件的权限增加安全性[root@zzu certs]#vim /etc/httpd/conf.d/ssl.conf  捆绑证书文件和钥匙文件112 SSLCertificateFile /etc/httpd/certs/httpd.cert  www.2cto.com  119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key128 SSLCertificateChainFile /etc/httpd/certs/cacert.pemimage imageimageimage
image
 192.168.1.200 www.abc.com
image
 [root@zzu certs]# netstat -tupln |grep httpd tcp        0      0 :::80                       :::*                        LISTEN      5544/httpd          tcp        0      0 :::443                      :::*                        LISTEN      5544/httpd         
image
 关闭原来的80端口[root@zzu certs]# vim /etc/httpd/conf/httpd.conf134 #Listen 80 注释掉该行[root@zzu certs]# service httpd restart Stopping httpd:                                            [  OK  ] Starting httpd:                                            [  OK  ][root@zzu certs]# netstat -tupln|grep httpd tcp        0      0 :::443                      :::*                        LISTEN      5483/httpdimage image这样www.abc.com 就只能够使用https进行访问啦 补充:一:为www.abc.com 颁发证书192.168.1.200的主机[root@zzu certs]#vim /etc/httpd/conf.d/ssl.confnameVirtualHost 192.168.1.200:443<VirtualHost 192.168.1.200:443> DocumentRoot "/var/www/html" ServerName www.abc.com:443 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn   www.2cto.com  SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/httpd/certs/httpd.cert SSLCertificateKeyFile /etc/httpd/certs/httpd.key SSLCertificateChainFile /etc/pki/CA/cacert.pem <Files ~ "/.(cgi|shtml|phtml|php3?)$">     SSLOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin">     SSLOptions +StdEnvVars </Directory> SetEnvIf User-Agent ".*MSIE.*" /          nokeepalive ssl-unclean-shutdown /          downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log /           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x /"%r/" %b" </VirtualHost> 二:为 tec.abc.com 颁发证书192.168.1.100的主机[root@zzu certs]#vim /etc/httpd/conf.d/ssl.conf<VirtualHost 192.168.1.100:443> DocumentRoot "/var/www/tec" ServerName tec.abc.com:443 ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/httpd/certs/httpd1.cert SSLCertificateKeyFile /etc/httpd/certs/httpd1.key SSLCertificateChainFile /etc/pki/CA/cacert.pem <Files ~ "/.(cgi|shtml|phtml|php3?)$">     SSLOptions +StdEnvVars </Files>   www.2cto.com  <Directory "/var/www/cgi-bin">     SSLOptions +StdEnvVars </Directory> SetEnvIf User-Agent ".*MSIE.*" /          nokeepalive ssl-unclean-shutdown /          downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log /           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x /"%r/" %b" </VirtualHost>   摘自 再别combridge 的BLOG