
Apache configures SSL to realize https access

2025-04-01 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Environment for this walkthrough: the CA and Apache are on the same host.

First, set up the local machine as the CA server:

[root@localhost ~]# yum -y install openssl openssl-devel

[root@localhost ~]# vi /etc/pki/tls/openssl.cnf

[CA_default]

dir = ../../CA

Change to:

[CA_default]

dir = /etc/pki/CA

To avoid retyping the same values later, you can preset defaults for the fields under [req_distinguished_name]; the details are not covered here.

:wq

[root@localhost ~]# cd /etc/pki/CA

[root@localhost CA]# mkdir certs newcerts crl

[root@localhost CA]# touch index.txt

[root@localhost CA]# echo 00 > serial

[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048) ## generate the CA private key

[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3657 ## generate the self-signed CA certificate

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [HaiDian]:

Organization Name (eg, company) [TEXT]:

Organizational Unit Name (eg, section) [DEV]:

Common Name (eg, your name or your server's hostname) []: ca.text.com

Email Address []: text@text.com

Because some of the values are already defined in openssl.cnf, press Enter through the prompts until you reach Common Name (eg, your name or your server's hostname) []: (this is the name of the CA service and can be customized).

The email address at the end can also be customized.

Once these prompts are answered, the CA server is ready, and we can move on.

Compile and install Apache with dynamic module support:

[root@localhost CA]# tar -xf httpd-2.2.9.tar -C /usr/local/src/

[root@localhost CA]# cd /usr/local/src/httpd-2.2.9/

[root@localhost httpd-2.2.9]# ./configure --prefix=/usr/local/apache2 --sysconfdir=/etc/httpd --with-z=/usr/local/zlib/ --with-included-apr --enable-so --enable-mods-shared=most

[root@localhost httpd-2.2.9]# make && make install

Configure SSL for Apache:

[root@localhost CA]# rpm -qa | grep mod_ssl

[root@localhost CA]# yum -y install mod_ssl ## if mod_ssl is not installed, install it directly with yum

[root@localhost CA]# rpm -ql mod_ssl ## view the location of the configuration file installed by mod_ssl

[root@localhost CA]# cd /etc/httpd

[root@localhost httpd]# mkdir ssl

[root@localhost httpd]# cd ssl

[root@localhost ssl]# (umask 077; openssl genrsa -out httpd.key 2048) ## generate the server private key

[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr ## generate a certificate signing request

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [BJ]:

Locality Name (eg, city) [HaiDian]:

Organization Name (eg, company) [TEXT]:

Organizational Unit Name (eg, section) [DEV]:

## The five fields above must match the settings of the CA server. In this exercise everything is on the same host, so you can simply press Enter.

Common Name (eg, your name or your server's hostname) []: text.bj.com ## must be the address the client uses to reach the site, not the name set for the CA above

Email Address []: httpd@text.com ## custom

[root@localhost ssl]# openssl ca -in httpd.csr -out httpd.crt -days 3657 ## sign the request with the CA; answer y twice and press Enter (since everything is on the same machine, just sign directly. If they are on different machines, copy the httpd certificate signing request file to the CA server, sign it there, and then copy the certificate back)

[root@localhost ssl]# vi /etc/httpd/conf.d/ssl.conf

The default port 443 remains unchanged.

Check whether the following two lines exist; add them if they do not:

AddType application/x-x509-ca-cert .crt

AddType application/x-pkcs7-crl .crl

Change to:

# # IP address of web server or web virtual host

Add the following two lines:

ServerName text.bj.com ## the address defined above

DocumentRoot "/var/www/html" ## website directory; if a virtual host is configured, this must be the same as the location defined for that virtual host in the Apache configuration file

SSLEngine on ## make sure it is enabled

SSLCertificateFile /etc/httpd/ssl/httpd.crt ## certificate location

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key ## key location

:wq

[root@localhost ssl]# echo text.bj.com > /var/www/html/index.html

[root@localhost ssl]# /etc/init.d/httpd start

[root@localhost ssl]# netstat -tnlp ## check whether port 443 is open

Visit https://text.bj.com

The browser warns that "the security certificate of this site is not trusted".

To resolve this:

Copy /etc/pki/CA/cacert.pem to the client and install it (on a Windows PC, change the file extension to .crt and then double-click it to install)
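
Before starting httpd, it is worth confirming three things about the signed certificate: it chains to the CA, it belongs to the configured private key, and it is valid for the hostname clients will use. The script below is an added example, not part of the original article. Its function names are hypothetical, and it builds a throwaway CA in a temporary directory with `openssl x509 -req` instead of the `openssl ca` setup above, so it does not touch /etc/pki.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a certificate signed by a private CA.
# Function names and the throwaway demo PKI are constructed for illustration.

# Succeeds only if SERVER_CERT chains to CA_CERT.
chains_to_ca() {            # usage: chains_to_ca CA_CERT SERVER_CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds only if the private key and the certificate hold the same public key.
key_matches_cert() {        # usage: key_matches_cert KEY CERT
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_cert" ]
}

# Succeeds only if the certificate is valid for the name clients will type.
cert_matches_host() {       # usage: cert_matches_host CERT HOSTNAME
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match'
}

# Build a throwaway CA and server certificate in DIR (constructed sample data).
make_demo_pki() {           # usage: make_demo_pki DIR
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/cakey.pem" \
        -out "$1/cacert.pem" -days 30 -subj "/CN=ca.text.com" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/httpd.key" \
        -out "$1/httpd.csr" -subj "/CN=text.bj.com" 2>/dev/null &&
    openssl x509 -req -in "$1/httpd.csr" -CA "$1/cacert.pem" \
        -CAkey "$1/cakey.pem" -CAcreateserial -out "$1/httpd.crt" \
        -days 30 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null   # unrelated key
}

# Demo run against the constructed files.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
chains_to_ca "$demo_dir/cacert.pem" "$demo_dir/httpd.crt" && echo "chain: ok"
key_matches_cert "$demo_dir/httpd.key" "$demo_dir/httpd.crt" && echo "key: ok"
key_matches_cert "$demo_dir/other.key" "$demo_dir/httpd.crt" || echo "other key: mismatch"
cert_matches_host "$demo_dir/httpd.crt" text.bj.com && echo "host: ok"
cert_matches_host "$demo_dir/httpd.crt" ca.text.com || echo "CA name: no match"
rm -rf "$demo_dir"
```

To check the files from this walkthrough, call the three check functions with /etc/pki/CA/cacert.pem, /etc/httpd/ssl/httpd.crt, /etc/httpd/ssl/httpd.key and text.bj.com.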
