(1-1) 了解系統版本現況
#openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
# uname -a
Linux localhost.localdomain 3.19.8 #1 SMP Fri Jan 8 12:41:11 CST 2016 i686 i686 i386 GNU/Linux
(1-2)建立設定檔目錄
#mkdir /etc/httpd/ssl
#cd /etc/httpd/ssl
(2-1)編輯設定檔
# vi ssl.conf
(2-2)顯示設定檔
# cat ssl.conf
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req
[dn]
C = TW
ST = Taiwan
L = Kinmen.
O = Tree Inc.
OU = IT Department
emailAddress = treehrt@insecta.idv.tw
CN = localhost
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
DNS.3 = 163.25.20.1
(3)建立ssl金鑰server.key及ssl自簽憑證server.crt
# openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.conf
Generating a 2048 bit RSA private key
........................................................+++
............................+++
writing new private key to 'server.key'
-----
# ls -l
總計 12
-rw-r--r-- 1 root root 1424 6月 4 20:35 server.crt
-rw-r--r-- 1 root root 1704 6月 4 20:35 server.key
-rw-r--r-- 1 root root 345 6月 4 20:34 ssl.conf
(4-1)裝ca-certificates
# yum install ca-certificates
Updated:
ca-certificates.noarch 0:2014.2.1-1.5.fc19
Complete!
(4-2)# update-ca-trust force-enable
(4-3)# cp server.crt /etc/pki/ca-trust/source/anchors/
(4-4)# update-ca-trust extract
(5)安裝mod_ssl模組
# yum install mod_ssl
:
Installed:
mod_ssl.i686 1:2.4.10-1.fc19
Complete!
(6-1)# ls /etc/httpd/conf.d/ssl.conf -l
-rw-r--r-- 1 root root 9426 7月 31 2014 /etc/httpd/conf.d/ssl.conf
(6-2)# vi /etc/httpd/conf.d/ssl.conf
:
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName insecta.idv.tw:443
:
SSLProtocol all -SSLv2 -SSLv3
:
SSLCertificateFile /etc/httpd/ssl/server.crt
:
SSLCertificateKeyFile /etc/httpd/ssl/server.key
(7)# ls -l /etc/httpd/ssl/
總計 12
-rw-r--r-- 1 root root 1424 6月 4 20:35 server.crt
-rw-r--r-- 1 root root 1704 6月 4 20:35 server.key
-rw-r--r-- 1 root root 345 6月 4 20:34 ssl.conf
(8)# vi /usr/local/apache2/conf/httpd.conf
:
Include conf/extra/httpd-ssl.conf
:
:
LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so
:
(9)# vi /usr/local/apache2/conf/extra/httpd-ssl.conf
:
SSLCertificateFile "/etc/httpd/ssl/server.crt":
SSLCertificateKeyFile "/etc/httpd/ssl/server.key"
:
(10)重啟httpd
/usr/local/apache2/bin/apachectl restart
(11)用firefox連https://insecta.idv.tw 成功,截圖如下:
REF0:http://blog.davidou.org/archives/1206
REF1:https://www.opencli.com/linux/rhel-centos-7-install-apache-mod_ssl