HTTPS setup (openssl) (not completed)
# tar zxf openssl-1.0.1.tar.gz
# cd openssl-1.0.1
# ./config
# make && make install
Create the certificates
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
# ./new-root-ca.sh (generate the root certificate)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (enter a passphrase)
Verifying - Enter pass phrase for ca.key: (enter the passphrase again)
......
Self-sign the root CA... (sign the root certificate)
Enter pass phrase for ca.key: (enter the passphrase just set)
........
........ (signing begins below)
Country Name (2 letter code) [MY]:aa
State or Province Name (full name) [Perak]:aa
Locality Name (eg, city) [Sitiawan]:aa
Organization Name (eg, company) [My Directory Sdn Bhd]:aa
Organizational Unit Name (eg, section) [Certification Services Division]:aa
Common Name (eg, MD Root CA) []:aa
Email Address []:aa@126.com
This generates two files, ca.key and ca.crt. Next, generate a certificate for our server:
# ./new-server-cert.sh server (the certificate is named server)
......
......
Country Name (2 letter code) [MY]:aa
State or Province Name (full name) [Perak]:aa
Locality Name (eg, city) [Sitiawan]:aa
Organization Name (eg, company) [My Directory Sdn Bhd]:aa
Organizational Unit Name (eg, section) [Secure Web Server]:aa
Common Name (eg, ) []:localhost
Email Address []:aa@126.com
This generates two files, server.csr and server.key. The request still has to be signed before it can be used:
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (enter the root certificate passphrase set above)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'aa'
stateOrProvinceName :PRINTABLE:'aa'
localityName :PRINTABLE:'aa'
organizationName :PRINTABLE:'aa'
organizationalUnitName:PRINTABLE:'aa'
commonName :PRINTABLE:'localhost'
emailAddress :IA5STRING:'aa@126.com'
Certificate is to be certified until Jan 19 21:59:46 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
Place the certificate files in the appropriate location according to the settings in Apache's configuration file extra/httpd-ssl.conf. The default is the conf directory.
# mv server.key /usr/local/apache/conf/
# mv server.crt /usr/local/apache/conf/
Note: aa is an arbitrary value.
Recompile Apache (add the --enable-ssl parameter)
# cd /usr/src/httpd-2.2.4
# ./configure --prefix=/usr/local/apache --enable-so --enable-mods-shared=all --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --enable-ssl
# make && make install
# ls /usr/local/apache/modules (check whether mod_ssl.so is there)
# vi /usr/local/apache/conf/httpd.conf
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
:wq
# setenforce 0
# chcon -c -v -R -u system_u -r object_r -t textrel_shlib_t /usr/local/apache/modules/mod_ssl.so
# setenforce 1
# service httpd restart (needs to be run twice)
# netstat -ntpl | grep 443
Verification:
Note: the directory of the https site is specified in /usr/local/apache/conf/extra/httpd-ssl.conf
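A check that could fill in the verification step, written as an added example that is not part of the original post: it confirms that server.crt chains to ca.crt, that server.key is the private key for server.crt, and that neither certificate carries an RSA key below 2048 bits. The function names, the throwaway sample PKI and the 2048-bit minimum are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. All sample files are constructed.

# make_sample_pki DIR BITS: build a throwaway root CA and a CA-signed server
# certificate for CN=localhost, standing in for the ssl.ca-0.1 script output.
make_sample_pki() {
    dir=$1; bits=$2
    mkdir -p "$dir" || return 1
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=Sample Root CA" \
        -days 365 -out "$dir/ca.crt" 2>/dev/null &&
    openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -subj "/CN=localhost" \
        -out "$dir/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
        -out "$dir/server.crt" 2>/dev/null
}

# cert_key_bits CRT: print the public key size (in bits) of a certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_server_cert CA CRT KEY: return 0 only if CRT chains to CA, KEY is the
# private key for CRT, and both certificates use keys of at least 2048 bits.
check_server_cert() {
    ca=$1; crt=$2; key=$3; rc=0
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not chain to $ca"; rc=1; }
    [ "$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: $key is not the private key for $crt"; rc=1; }
    for c in "$ca" "$crt"; do
        bits=$(cert_key_bits "$c")
        [ "${bits:-0}" -ge 2048 ] ||
            { echo "FAIL: $c has a ${bits:-unknown}-bit key (minimum 2048)"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: $crt"
    return "$rc"
}
```

For the files produced above, the call would be check_server_cert ca.crt server.crt server.key, run before the two mv commands; the 1024-bit root key shown in the transcript is reported as too small.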
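This article is reposted from the linux blog on 51CTO Blog. Original link: http://blog.51cto.com/yangzhiming/862905. To repost it, please contact the original author yourself.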
yangzhimingg