Shulou(Shulou.com)06/01 Report--

Experimental environment:

CentOS 7

Httpd-2.4.6-40.el7.centos.x86_64

Need

Openssl,mod_ssl

Install (directly yum):

[root@localhost pki] # yum install httpd openssl mod_ssl-y

After installation, you can access the local computer and test the httpd server.

Mine is http://192.168.1.102/index.html.

Next modify / etc/httpd/conf.d/ssl.conf

Find it under

# General setup for the virtual host, inherited from global configuration

DocumentRoot "/ var/www/html"

ServerName www.example.com:443

Uncomment the above two lines and save them.

Just restart the httpd service.

You can access it using https://192.168.1.102/index.html.

Of course, the first visit prompts for untrusted certificates because no certificate is issued by CA.

The solution to the experimental environment is to create a private CA and issue a certificate to the httpd or choose to add trust to continue the access.

The steps for issuing the certificate are as follows:

(1) generate a private key

# (umask 077; openssl genrsa-out / etc/pki/CA/private/cakey.pem 4096)

(2) generate self-signed certificate

# openssl req-new-x509-key / etc/pki/CA/private/cakey.pem-out / etc/pki/CA/cacert.pem-days 365

-new: generate a new certificate signing request

-x509: generates a self-signed certificate designed to be used when creating a private CA

-key: the private file path used to generate the request

-out: the path to the generated request file; if the self-signed operation is performed, the signed certificate will be generated directly.

-days: the validity period of the certificate (in day)

(3) provide CA with the required directories and documents.

# mkdir-pv / etc/pki/CA/ {certs,crl,newcerts}

# touch / etc/pki/CA/ {serial,index.txt}

# echo 01 > / etc/pki/CA/serial

This host is a CA.

(4) the host using the certificate (httpd host) generates the private key

# mkdir / etc/httpd/ssl

# cd / etc/httpd/ssl

# (umask 077; openssl genrsa-out / etc/httpd/ssl/httpd.key 2048)

(5) generate a certificate signing request

# openssl req-new-key / etc/httpd/ssl/httpd.key-out / etc/httpd/ssl/httpd.csr-days 365

(6) sign the certificate on the CA host

# openssl ca-in / etc/httpd/ssl/httpd.csr-out / etc/pki/CA/certs/httpd.crt-days 365

Using configuration from / etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x2)

Validity

Not Before: Apr 10 15:45:54 2016 GMT

Not After: Apr 10 15:45:54 2017 GMT

Subject:

CountryName = CN

StateOrProvinceName = beijing

OrganizationName = ops

OrganizationalUnitName = ops

CommonName = ops.com

EmailAddress = admin@ops.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

08:A3:DD:98:D3:E0:42:58:5E:B7:24:43:6C:3D:B1:D8:02:34:16:46

X509v3 Authority Key Identifier:

Keyid:75:63:44:2C:46:80:2F:84:CE:EF:C6:F1:F2:E7:75:2E:EF:17:37:C2

Certificate is to be certified until Apr 10 15:45:54 2017 GMT (days)

Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entries

Data Base Updated

(7) View the information in the certificate:

# openssl x509-in / etc/pki/CA/certs/httpd.crt-noout-serial-subject

Note: due to the experimental environment, this certificate also needs to be imported into the browser.

Also pay attention to the local hosts file.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.