
Linux HTTPS SSL certificate example

Prerequisite: the Apache service must already be installed on Linux (yum install httpd)

1. Check for and install SSL support (the package is named mod_ssl)

[root@localhost ~]# rpm -qi mod_ssl
package mod_ssl is not installed

[root@localhost yum.repos.d]# yum install mod_ssl
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-31.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================================
Package Arch Version Repository Size
====================================================================================================================================
Installing:
mod_ssl i386 1:2.2.3-31.el5 file 88 k

Transaction Summary
====================================================================================================================================
Install 1 Package(s) 
Update 0 Package(s) 
Remove 0 Package(s) 

Total download size: 88 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : mod_ssl 1/1

Installed:
mod_ssl.i386 1:2.2.3-31.el5 

Complete!


2. Create the key and certificate manually
[root@localhost yum.repos.d]# cd /etc/pki/tls/certs/
[root@localhost certs]# pwd
/etc/pki/tls/certs

[root@localhost certs]# make auth.key (creates an SSL private key named auth)
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > auth.key
Generating RSA private key, 1024 bit long modulus
.....................................++++++
............................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

[root@localhost certs]# make auth.crt (creates a certificate named auth)
umask 77 ; \
/usr/bin/openssl req -new -key auth.key -x509 -days 365 -out auth.crt -set_serial 0
Enter pass phrase for auth.key: (enter the private key pass phrase you just set)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN (country)
State or Province Name (full name) [Berkshire]:liaoning (state or province)
Locality Name (eg, city) [Newbury]:dalian (city)
Organization Name (eg, company) [My Company Ltd]:IBM (organization name)
Organizational Unit Name (eg, section) []:IBM (full name)
Common Name (eg, your name or your server's hostname) []: (common name)
Email Address []: (email address)

3. Edit the configuration file
[root@localhost certs]# cp auth.key /etc/pki/tls/private/ (copy the private key into place)
[root@localhost certs]# vi /etc/httpd/conf.d/ssl.conf
Change lines 112 and 119 as follows:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
====> SSLCertificateFile /etc/pki/tls/certs/auth.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
====> SSLCertificateKeyFile /etc/pki/tls/private/auth.key

4. Restart the Apache service
[root@localhost certs]# service httpd restart
停止httpd: [失败]
启动httpd:Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server localhost.localdomain:443 (RSA)
Enter pass phrase: (enter the private key pass phrase)

OK: Pass Phrase Dialog successful.
[确定]

[root@localhost certs]# netstat -tunal |grep 443
tcp 0 0 :::443 :::* LISTEN

(httpd is listening on port 443 for all external addresses, which shows that it started successfully)

5. Open and test the page in a browser (https://172.18.4.88)

1. Add a security exception and inspect the certificate (the certificate's issuer has now become IBM)
2. Open the test page; the default page is displayed normally

Note: with this certificate configured, when the Apache service starts automatically at the next boot it prompts you for the pass phrase, and until one is entered it stays stuck at the service-start screen. So once the experiment is finished, it is best to change ssl.conf back to the original default localhost files.
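As an added example (not part of the original article), the following script performs steps 2 and 3 non-interactively and adds the checks an administrator would run before "service httpd restart": that the certificate and key belong together, that the key file is root-only, and that the Common Name is the host name clients will use (the article leaves it blank). It assumes the openssl CLI (1.1.1 or newer, for -addext) and uses a placeholder host name; the key is written unencrypted so httpd does not stop at the pass-phrase prompt the note above describes.

```shell
#!/bin/sh
# Added example, not from the original article. Non-interactive version
# of steps 2 and 3 plus the checks to run before "service httpd restart".
# Assumes the openssl CLI (1.1.1+ for -addext); host name and paths are
# placeholders. The key is left unencrypted but root-only (mode 600), so
# httpd does not block on a pass-phrase prompt at boot (see the note).

# gen_selfsigned NAME HOSTNAME OUTDIR [DAYS]: writes OUTDIR/NAME.key and
# OUTDIR/NAME.crt. Unlike "make auth.crt" above, CN and subjectAltName
# are set to HOSTNAME and the serial is random rather than -set_serial 0.
gen_selfsigned() {
    name=$1; host=$2; dir=$3; days=${4:-365}
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" -days "$days" \
        -subj "/C=CN/ST=liaoning/L=dalian/O=IBM/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1) || return 1
    chmod 600 "$dir/$name.key" && chmod 644 "$dir/$name.crt"
}

# key_matches_cert KEYFILE CRTFILE: succeeds only when both carry the same
# public key, i.e. SSLCertificateFile and SSLCertificateKeyFile belong
# together (httpd refuses to start when they do not).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private KEYFILE: succeeds when the key is not group/world
# readable, the state that "umask 77" in the article's make output gives.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") || return 1
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# cert_cn CRTFILE: prints the Common Name, which browsers compare with the
# host name in the URL (the article leaves this field blank).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
```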

That is all.