Use https to access apache services

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Experimental environment:

CentOS 7

httpd-2.4.6-40.el7.centos.x86_64

Required packages: openssl and mod_ssl

Install (directly with yum):

[root@localhost pki] # yum install httpd openssl mod_ssl -y

After installation, start httpd and confirm that plain HTTP works from the local machine.

In my setup that is http://192.168.1.102/index.html.

Next, edit /etc/httpd/conf.d/ssl.conf (installed by mod_ssl).

Find these two lines under

# General setup for the virtual host, inherited from global configuration

#DocumentRoot "/var/www/html"

#ServerName www.example.com:443

Uncomment both (and set ServerName to your own host name if it differs), then save.

Restart the httpd service (systemctl restart httpd).

You can now access https://192.168.1.102/index.html.

Of course, the first visit warns that the certificate is untrusted: mod_ssl ships with a self-signed certificate (the stock ssl.conf points SSLCertificateFile at /etc/pki/tls/certs/localhost.crt) that no CA the browser trusts has issued.

For an experimental environment there are two ways out: build a private CA, issue httpd a certificate from it and import the CA certificate into the browser, or simply add a security exception in the browser and continue.

The steps for issuing the certificate are as follows:

(1) Generate the CA private key

# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)

The umask inside the subshell makes the key file mode 0600 without changing the umask of your shell.

(2) Generate the self-signed CA certificate

# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365

-new: generate a new certificate signing request

-x509: output a self-signed certificate instead of a request; this is what you use when creating a private CA

-key: path of the private key used to sign the request

-out: path of the output file; with -x509 this is the signed certificate itself rather than a request

-days: validity period of the certificate in days (only honoured together with -x509)

(3) Create the directories and files the CA needs

# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}

# touch /etc/pki/CA/{serial,index.txt}

# echo 01 > /etc/pki/CA/serial

index.txt is the CA's database of issued certificates and must start out empty; serial holds the serial number the next certificate will receive. These paths match the CA_default section of /etc/pki/tls/openssl.cnf, which is why openssl ca below needs no -config option.

This host is now a CA. (In this article the CA and the httpd server are the same machine; if they are separate, copy the CSR to the CA host before step 6 and the signed certificate back afterwards.)

(4) On the host that will use the certificate (the httpd host), generate the server private key

# mkdir /etc/httpd/ssl

# cd /etc/httpd/ssl

# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

(5) Generate a certificate signing request

# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365

openssl req prompts for the subject fields; the Common Name must be the host name the browser will use (ops.com in the output below). The -days option is ignored here because -x509 is absent: the validity of the final certificate is set by the CA in step 6.

(6) Sign the request on the CA host

# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 10 15:45:54 2016 GMT
            Not After : Apr 10 15:45:54 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = ops
            organizationalUnitName    = ops
            commonName                = ops.com
            emailAddress              = admin@ops.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                08:A3:DD:98:D3:E0:42:58:5E:B7:24:43:6C:3D:B1:D8:02:34:16:46
            X509v3 Authority Key Identifier:
                keyid:75:63:44:2C:46:80:2F:84:CE:EF:C6:F1:F2:E7:75:2E:EF:17:37:C2
Certificate is to be certified until Apr 10 15:45:54 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The CA keeps its own copy of the new certificate as /etc/pki/CA/newcerts/01.pem and records the issue in index.txt; the serial file is advanced to 02.

(7) View the information in the certificate:

# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject

Finally, point httpd at the new key pair. In /etc/httpd/conf.d/ssl.conf set SSLCertificateFile to /etc/pki/CA/certs/httpd.crt and SSLCertificateKeyFile to /etc/httpd/ssl/httpd.key, then restart httpd.

Note: because this is an experimental environment with a private CA, the CA certificate (/etc/pki/CA/cacert.pem, not httpd.crt) must also be imported into the browser as a trusted root; otherwise the warning merely changes from "self-signed" to "unknown issuer".

Also pay attention to the local hosts file: the browser checks the name in the URL against the certificate, so map 192.168.1.102 to ops.com (the Common Name above) and browse to https://ops.com/ rather than to the IP address. Be aware that the certificate as signed above carries no subjectAltName, because the stock usr_cert section of openssl.cnf does not add one; Chrome (since version 58) and recent Apple clients ignore the Common Name and reject such a certificate, so for anything beyond this experiment add a subjectAltName with the host name (and the IP address, if you browse by IP) when signing.
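The whole procedure above, as an added example that is not part of the original article: a POSIX shell script that builds the private CA, issues the server certificate and verifies it. It keeps everything under a directory you choose and writes its own minimal openssl.cnf instead of using /etc/pki/CA and /etc/pki/tls/openssl.cnf, so it runs on any machine that has openssl. The host name ops.com and address 192.168.1.102 are the article's values; the section names inside the configuration, the demo_private_ca function and the file layout are this script's own choices. Unlike the article's openssl ca call it adds a subjectAltName to the server certificate.

```shell
#!/bin/sh
# Added example, not from the original article: the private-CA procedure as a
# self-contained script. Nothing here touches /etc/pki; the CA lives under the
# directory passed to init_ca. Host ops.com and IP 192.168.1.102 are the
# article's values; section and file names are this script's own assumptions.
set -eu

# Minimal CA configuration (this script's own; not the stock openssl.cnf).
write_ca_config() {
    local ca_dir=$1
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = ca_default

[ ca_default ]
dir             = $ca_dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_loose

[ policy_loose ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 1-3 of the article: CA key, self-signed CA certificate, CA database.
init_ca() {
    local ca_dir=$1
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"          # empty issued-certificate database
    echo 01 > "$ca_dir/serial"       # serial number of the first certificate
    write_ca_config "$ca_dir"
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 4096 2>/dev/null)
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" -extensions v3_ca \
        -key "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" \
        -days 3650 -subj "/C=CN/ST=beijing/O=ops/CN=ops private CA"
}

# Steps 4-6: server key, CSR, signing. No -days on "req -new": without -x509
# it is ignored; the CA fixes the validity when it signs.
issue_server_cert() {
    local ca_dir=$1 out_dir=$2 host=$3 ip=$4
    mkdir -p "$out_dir"
    (umask 077; openssl genrsa -out "$out_dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$ca_dir/openssl.cnf" -key "$out_dir/httpd.key" \
        -out "$out_dir/httpd.csr" -subj "/C=CN/ST=beijing/O=ops/OU=ops/CN=$host"
    # TLS-server extensions, including the SAN the stock usr_cert section lacks.
    cat > "$out_dir/server_ext.cnf" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host,IP:$ip
EOF
    openssl ca -batch -config "$ca_dir/openssl.cnf" -days 365 -notext \
        -extfile "$out_dir/server_ext.cnf" -extensions server_cert \
        -in "$out_dir/httpd.csr" -out "$out_dir/httpd.crt"
}

# Step 7 plus the check the article leaves to the browser: does the
# certificate chain to our CA, and does it carry the expected DNS name?
verify_server_cert() {
    local ca_dir=$1 crt=$2 host=$3
    openssl verify -CAfile "$ca_dir/cacert.pem" "$crt" >/dev/null
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host"
}

demo_private_ca() {
    local work; work=$(mktemp -d)
    init_ca "$work/CA"
    issue_server_cert "$work/CA" "$work/httpd-ssl" ops.com 192.168.1.102
    verify_server_cert "$work/CA" "$work/httpd-ssl/httpd.crt" ops.com
    openssl x509 -in "$work/httpd-ssl/httpd.crt" -noout -serial -subject
    echo "Import into the browser's trusted roots: $work/CA/cacert.pem"
    echo "Set in ssl.conf:  SSLCertificateFile $work/httpd-ssl/httpd.crt"
    echo "                  SSLCertificateKeyFile $work/httpd-ssl/httpd.key"
}

# Usage: sh private-ca.sh run
if [ "${1:-}" = "run" ]; then
    demo_private_ca
fi
```

Run it as sh private-ca.sh run; the last lines name the file to import into the browser and the two directives to set in ssl.conf. verify_server_cert is the check to run before touching httpd at all: if openssl verify does not report OK against cacert.pem, the browser will not trust the certificate either.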
