HTTPS service configuration based on OpenSSL

2025-01-19 Update From: SLTechnology News&Howtos

1. Install mod_ssl.

2. Create a CA on another machine:

cd /etc/pki/CA

(umask 077; openssl genrsa -out private/cakey.pem 2048)

3. Because of umask 077, the generated key file has permission 600.

4. vim ../tls/openssl.cnf

5. Find the [req_distinguished_name] section.

6. Change the default country name countryName_default to CN.

7. Change the default province name stateOrProvinceName_default to Hebei.

8. Change the city name localityName_default to Zhengzhou.

9. Change the organization name 0.organizationName_default to MageEdu.

10. Set the department name: organizationalUnitName_default = Tech

11. Generate the self-signed certificate: openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655

12. Set the hostname to ca.mageedu.com.

13. From the CA directory, run vim ../tls/openssl.cnf

14. In the editor, find dir and set it: dir = /etc/pki/CA

15. In the CA directory, run mkdir certs crl newcerts

16. touch index.txt

17. echo 01 > serial

18. Go back to the web server:

19. cd /etc/httpd/httpd/

20. mkdir ssl; cd ssl

21. (umask 077; openssl genrsa 1024 > httpd.key)

22. openssl req -new -key httpd.key -out httpd.csr

23. The information entered here must be consistent with the information on the CA.

24. Hostname: this must be the name of the virtual host that will use the certificate, as defined in vim /etc/httpd/conf.d/v...

25. Send the certificate request to the CA. From the ssl directory: scp httpd.csr 192.168.9.250:/tmp

26. On the 9.250 server, sign the request: openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650

27. cd /etc/pki/CA; cat serial now shows 02.

28. Go back to the web server and use scp to fetch the certificate from 9.250:

scp 192.168.9.250:/tmp/httpd.crt ./

29. On 9.250, delete the leftover files under /tmp: rm httpd.c*

30. Configure the server side: cd /etc/httpd/conf.d, edit ssl.conf with vim, and keep a backup copy with cp ssl.conf ssl.conf.org

31. In the file, set the hostname: ServerName hello.magedu.com

32. Set DocumentRoot "/www/magedu.com"

33. Set SSLCertificateFile /etc/httpd/ssl/httpd.crt (the certificate file issued by the CA).

34. Set SSLCertificateKeyFile /etc/httpd/ssl/httpd.key (the private key file), then save.

35. Run httpd -t to check the configuration, then restart httpd.

36. Since there is no formal CA authorization, modify the hosts file on the local machine so that it can resolve hello.magedu.com.

37. Enter https://hello.magedu.com in the browser's address bar.

38. If the browser reports that the certificate is not trusted, go back to 9.250 and download /etc/pki/CA/cacert.pem to the physical host.

39. Rename cacert.pem to cacert.crt. It can then be installed and imported into the browser. Put it in the trusted certification authorities store.

40. Remember that only one SSL host can be set up per IP address.
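
A check worth running between fetching httpd.crt (step 28) and restarting httpd (step 35), added here as an example that is not part of the original article: it confirms that the certificate verifies against the CA certificate, that it matches the private key, and that it covers the ServerName. The function names check_cert and make_demo_pki are hypothetical, and the demo builds throwaway 2048-bit keys with openssl x509 -req in place of openssl ca so that it runs without the /etc/pki/CA layout.

```shell
#!/bin/sh
# Added example: function names are hypothetical; every key and cert is throwaway demo data.

# Build a constructed CA and server certificate in directory $1 for hostname $2.
# Assumption: "openssl x509 -req" stands in for "openssl ca" (no /etc/pki/CA needed).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/httpd.key" -out "$1/httpd.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/httpd.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
    -CAcreateserial -days 1 -out "$1/httpd.crt" 2>/dev/null
}

# check_cert CERT KEY CACERT HOSTNAME
# Returns 0 if all checks pass, 1 = chain failure, 2 = key mismatch, 3 = name mismatch.
check_cert() {
  cert=$1 key=$2 ca=$3 host=$4
  # 1. The signed certificate must verify against the CA certificate.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: $cert does not verify against $ca"; return 1; }
  # 2. The public key in the certificate must be the one derived from the private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: $key is not the private key for $cert"; return 2; }
  # 3. The certificate must be valid for the ServerName the virtual host uses.
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" ||
    { echo "FAIL: $cert is not valid for $host"; return 3; }
  echo "OK: $cert chains to $ca, matches $key, covers $host"
}

# Demo run on constructed data, using the ServerName from step 31.
demo=$(mktemp -d)
make_demo_pki "$demo" hello.magedu.com
check_cert "$demo/httpd.crt" "$demo/httpd.key" "$demo/cacert.pem" hello.magedu.com
rm -rf "$demo"
```

On the web server itself, the same function can be called as check_cert /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key cacert.pem hello.magedu.com, with cacert.pem copied over from the CA host.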
