Linux https SSL证书实例

发布时间：2014-09-05 17:24:31作者：知识屋

前提：必须先在Linux下安装apache 服务 (yum install httpd)

1.查看并安装SSL （安装包的名字是mod_ssl）

[root@localhost ~]# rpm -qi motd_ssl
package motd_ssl is not installed

[root@localhost yum.repos.d]# yum install mod_ssl
Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-31.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================
Package Arch Version Repository Size
===========================================================
Installing:
mod_ssl i386 1:2.2.3-31.el5 file 88 k

Transaction Summary
================================================

Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 88 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : mod_ssl 1/1

Installed:
mod_ssl.i386 1:2.2.3-31.el5

Complete!

2.手动创建密钥和证书
[root@localhost yum.repos.d]# cd /etc/pki/tls/certs/
[root@localhost certs]# pwd
/etc/pki/tls/certs

[root@localhost certs]# make auth.key (创建一个名为auth的SSL私钥）
umask 77 ;
/usr/bin/openssl genrsa -des3 1024 > auth.key
Generating RSA private key, 1024 bit long modulus
.....................................++++++
............................++++++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:

[root@localhost certs]# make auth.crt (创建一个名为auth的证书）
umask 77 ;
/usr/bin/openssl req -new -key auth.key -x509 -days 365 -out auth.crt -set_serial 0
Enter pass phrase for auth.key: (输入刚才的私钥密码）
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN (国家）
State or Province Name (full name) [Berkshire]:liaoning （地区）
Locality Name (eg, city) [Newbury]:dalian (城市）
Organization Name (eg, company) [My Company Ltd]:IBM （组织机构名）
Organizational Unit Name (eg, section) []:IBM （全名）
Common Name (eg, your name or your servers hostname) []:WWW.IBM.COM （公共名称）
Email Address []: （邮箱）

3.修改配置文件 www.linuxidc.com
[root@localhost certs]# cp auth.key /etc/pki/tls/private/ （私钥导入）
[root@localhost certs]# vi /etc/httpd/conf.d/ssl.conf
修改112、 119行：

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
====》SSLCertificateFile /etc/pki/tls/certs/auth.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
====》SSLCertificateKeyFile /etc/pki/tls/private/auth.key
4.重启apache服务
[root@localhost certs]# service httpd restart
停止httpd: [失败]
启动httpd：Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.

In order to read them you have to provide the pass phrases.

Server localhost.localdomain:443 (RSA)
Enter pass phrase: (输入私钥密码）

OK: Pass Phrase Dialog successful.
[确定]

[root@localhost certs]# netstat -tunal |grep 443
tcp 0 0 :::443 :::* LISTEN

（监听外部所有端口到本机的443端口正常说明启动成功）

4.访问并测试网页（https:// 172.18.4.88)

1.增加安全例外，查看证书 (我们发现证书颁发机构已经变成了IBM）
2.打开测试页，默认网页正常显示

注意：如果有证书设置的话，下次开机自动启动APACHE服务时，会提示你输入密码。否则会一直停留在服务启动界面。所以试验完成后，最好将ssl.conf 修改成原来默认的localhost

以上

（免责声明：文章内容如涉及作品内容、版权和其它问题，请及时与我们联系，我们将在第一时间删除内容，文章内容仅供参考）