Thursday, October 29, 2009

Setting up Apache with SSL on CentOS

Configuration file locations
  • /etc/httpd/conf/httpd.conf
  • /etc/httpd/conf.d/ssl.conf
Generate the key file
  • [root@localhost ~]# openssl genrsa -out www.key 1024
    Generating RSA private key, 1024 bit long modulus
    .................................++++++
    .........++++++
    e is 65537 (0x10001)
Create the certificate request (CSR) from the key
  • [root@localhost ~]# openssl req -new -key www.key -out www.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:TW
    State or Province Name (full name) [Berkshire]:Taipei
    Locality Name (eg, city) [Newbury]:Taipei
    Organization Name (eg, company) [My Company Ltd]:www
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:www.ne226.kirnel.com
    Email Address []:webmaster@ne226.kirnel.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
Create the CRT file from the key and the CSR
  • [root@localhost ~]# openssl x509 -req -days 365 -in www.csr -signkey www.key -out www.crt
    Signature ok
    subject=/C=TW/ST=Taipei/L=Taipei/O=www/CN=www.ne226.kirnel.com/emailAddress=webmaster@ne226.kirnel.com
    Getting Private key
Move the files into place
  • [root@localhost ~]# cp www.crt /etc/pki/tls/certs/
  • [root@localhost ~]# cp www.key /etc/pki/tls/private/
  • [root@localhost ~]# cp www.csr /etc/pki/tls/private/
Edit /etc/httpd/conf.d/ssl.conf
  • #   Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate.  If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase.  Note that a kill -HUP will prompt again.  A new
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/pki/tls/certs/www.crt

    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/pki/tls/private/www.key
Restart
  • #service httpd restart
Test
  • https://www.ne226.kirnel.com
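The steps above (key, CSR, self-signed certificate, copy into /etc/pki/tls, edit ssl.conf, restart) as one script. This is an added example, not code from the original post. It keeps the post's three-command flow but departs from it where a practitioner would today: a 2048-bit key instead of 1024-bit (1024-bit RSA is no longer considered adequate), SHA-256 for the signature, a subjectAltName entry (browsers check the SAN, not just the CN), a private key that is never world-readable, and a key/certificate match check plus `httpd -t` before the restart so a bad file cannot take the site down. The hostname, working directory and the variable names are assumptions; the install paths are the ones the post uses. A self-signed certificate will still produce a browser warning at the test URL, because no browser trusts it; that is expected and is not a configuration error.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumes: openssl on PATH. HOST and WORKDIR are hypothetical defaults.
set -eu

HOST="${HOST:-www.example.test}"          # constructed hostname, not the post's
WORKDIR="${WORKDIR:-$(mktemp -d)}"         # build here, install separately
KEY="$WORKDIR/www.key"
CSR="$WORKDIR/www.csr"
CRT="$WORKDIR/www.crt"

# Step 1: private key. umask 077 makes genrsa create the file as 0600,
# so there is no window in which the key is readable by other users.
make_key() {
  (umask 077; openssl genrsa -out "$KEY" 2048 2>/dev/null)
}

# Step 2: CSR. -subj answers the interactive DN prompts non-interactively;
# the values mirror the post's except for the hostname.
make_csr() {
  openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/C=TW/ST=Taipei/L=Taipei/O=www/CN=$HOST"
}

# Step 3: self-signed certificate, one year, SHA-256, with a SAN extension.
# x509 -req only copies extensions it is told about, hence -extfile.
make_cert() {
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORKDIR/san.ext"
  openssl x509 -req -days 365 -sha256 -in "$CSR" -signkey "$KEY" \
    -extfile "$WORKDIR/san.ext" -out "$CRT" 2>/dev/null
}

# Check: the certificate's public key must belong to the private key.
# Comparing modulus digests catches a mismatched pair before httpd does.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$CRT" 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check: the hostname clients will connect to is present as a SAN.
cert_has_san() {
  openssl x509 -noout -text -in "$CRT" 2>/dev/null | grep -q "DNS:$HOST"
}

# Check: the key file is owner-only (0600 or 0400). GNU stat first, BSD stat as fallback.
key_is_private() {
  mode=$(stat -c '%a' "$KEY" 2>/dev/null || stat -f '%Lp' "$KEY")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Build and verify everything without touching the system. Returns non-zero
# on the first failed step, which is what a caller should act on.
build_all() {
  make_key && make_csr && make_cert \
    && key_matches_cert && cert_has_san && key_is_private
}

# Install into the paths the post uses, then restart. Run as root. The CSR is
# not secret, so it goes next to the certificate rather than into private/.
# httpd -t validates ssl.conf before the restart; a typo then fails here
# instead of leaving the server down.
install_and_restart() {
  install -m 644 "$CRT" /etc/pki/tls/certs/www.crt
  install -m 644 "$CSR" /etc/pki/tls/certs/www.csr
  install -m 600 "$KEY" /etc/pki/tls/private/www.key
  httpd -t && service httpd restart
}

# Usage: HOST=www.ne226.kirnel.com sh make-cert.sh build   (then, as root, install)
case "${1:-}" in
  build)   build_all && echo "certificate built and verified in $WORKDIR" ;;
  install) build_all && install_and_restart ;;
esac
```

Point SSLCertificateFile and SSLCertificateKeyFile at the two installed paths exactly as in the ssl.conf excerpt above; the only difference from the post is the permission on www.key, which this script sets to 0600 so that nothing but root (and httpd at startup, which runs as root before dropping privileges) can read it.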
