
About HTTPS

HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer. It is an HTTP channel built with security as its goal, in other words the secure version of HTTP: HTTP with an SSL layer added. The security of HTTPS therefore rests on SSL, and the details of how HTTPS encrypts traffic belong to SSL.

HTTPS was developed by Netscape and built into its browser; it handles compressing and decompressing data and transmitting it over the network. HTTP uses TCP port 80, whereas HTTPS uses TCP port 443.

HTTPS serves two main purposes: it establishes a secure channel so that data is protected in transit, and it confirms that the web site is genuine.

Before HTTPS can be enabled, the httpd packages must be installed first:

# rpm -hiv httpd-2.2.3-31.el5

# rpm -vhi distcache-1.4.5-14.1

# rpm -vhi mod_ssl-2.2.3-31.el5

1. Under /etc/httpd/ create a directory ssl, and under ssl create a directory private

# cd /etc/httpd

# mkdir -pv ./ssl/private

mkdir: created directory `ssl'

mkdir: created directory `ssl/private'

2. Use the tree command to view the directory tree of ssl

# tree ssl/

ssl

`-- private

1 directory, 0 files

3. SSL-based authentication relies on a CA to issue certificates that establish identity, because only the CA has the authority to issue certificates to other users. Before the CA can issue any certificate it must first sign a certificate for itself.

Next, configure the CA.

4. Generate the CA key file

   [root@station90 private]# openssl  genrsa 1024 >cakey.pem

Generating RSA private key, 1024 bit long modulus

.....++++++

..++++++

e is 65537 (0x10001)

5. Generate the request file for the CA; with -x509 the request is signed directly with the CA's own key, giving the self-signed CA certificate cacert.pem

[root@station90 CA]# openssl req -x509 -new -key cakey.pem -out cacert.pem -days 3600

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HENAN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:CA

Common Name (eg, your name or your server's hostname) []:windbbs.test.com

Email Address []:[email protected]

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

6. Change the permissions of cakey.pem to 600 for better security

[root@station90 private]# chmod 600 cakey.pem

For even better security you can also set the permissions of cacert.pem to 600, but then the file's group must be changed to apache, otherwise HTTPS will not run.

7. Check the permissions of cacert.pem

[root@station90 CA]# ll

total 12

-rw------- 1 root root  688 Mar  7 22:35 cacert.pem

drwx------ 2 root root 4096 Mar  7 22:39 private

[root@station90 CA]# ll ./private

-rw------- 1 root root 887 Mar  7 21:54 cakey.pem

8. Create the newcerts directory and the index.txt and serial files

# mkdir newcerts

# touch index.txt

and give the serial file an initial value, because the CA needs a serial number when it signs certificates later:

# vim serial

and set its initial value to 00

9. Edit the file /etc/pki/tls/openssl.cnf

 [ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept

certs           = $dir/certs            # Where the issued certs are kept

crl_dir         = $dir/crl              # Where the issued crl are kept

database        = $dir/index.txt        # database index file.

#unique_subject = no                    # Set to 'no' to allow creation of

                                        # several ctificates with same subject.

new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate

serial          = $dir/serial           # The current serial number

crlnumber       = $dir/crlnumber        # the current crl number

10. Generate the server key file; this must be done from the directory we created, /etc/httpd/ssl

[root@station90 ssl]# pwd

/etc/httpd/ssl

[root@station90 ssl]# openssl genrsa 1024 > private/windbbs.test.com.key

Generating RSA private key, 1024 bit long modulus

............++++++

............................++++++

e is 65537 (0x10001)

11. Generate the certificate request file to submit to the CA

[root@station90 ssl]# openssl  req  -new -key private/windbbs.test.com.key  -out windbbs.test.com.csr 

State or Province Name (full name) [Berkshire]:HENAN

Locality Name (eg, city) [Newbury]:ZZ

Organization Name (eg, company) [My Company Ltd]:ZZU

Common Name (eg, your name or your server's hostname) []:windbbs.test.com

Email Address []:[email protected]

12. Have the CA sign the request, producing the certificate file

[root@station90 ssl]# openssl ca -in ./private/windbbs.test.com.csr -out windbbs.test.com.crt -days 3600

13. Next, edit /etc/httpd/conf.d/ssl.conf so that it points to the certificate location; because we placed the certificate and key under /etc/httpd/ssl, the file must be modified

# vim /etc/httpd/conf.d/ssl.conf

Change the two lines SSLCertificateFile and SSLCertificateKeyFile to:

SSLCertificateFile /etc/httpd/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

14. Restart Apache

[root@station90 ssl]# service httpd restart

15. After the restart, verify from a client machine; if it does not work, go back and check the steps above.
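As an added example (not code from the original post), here is the whole procedure from steps 4 to 12 as a shell script run against a throwaway directory, followed by the checks a practitioner would run before step 15: the server certificate verifies against the CA certificate, the certificate and key moduli match, and the key file is mode 600. It assumes openssl is on the PATH; the paths under $WORK, the 2048-bit key size, sha256 and the starting serial 01 are my choices, not the post's.

```shell
#!/bin/sh
# Constructed example: a throwaway CA and one server certificate under $WORK,
# mirroring steps 4-12. Nothing under /etc is touched; CADIR and SSLDIR stand in
# for the post's /etc/pki/CA and /etc/httpd/ssl.
set -e
WORK="${WORK:-$(mktemp -d)}"; CADIR="$WORK/CA"; SSLDIR="$WORK/httpd-ssl"; CNF="$WORK/openssl.cnf"
CN="windbbs.test.com"   # hostname used in the post
write_ca_config() {     # minimal config carrying the [ CA_default ] keys from step 9
  cat > "$CNF" <<EOF
[ ca ]
default_ca     = CA_default
[ CA_default ]
dir            = $CADIR
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
serial         = \$dir/serial
default_md     = sha256
default_days   = 3600
policy         = policy_cn       # subject fields absent from the policy are dropped by openssl ca
[ policy_cn ]
commonName     = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}
build_ca() {            # steps 4-8: CA key, self-signed CA cert, index and serial files
  mkdir -p "$CADIR/private" "$CADIR/newcerts"
  openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null
  chmod 600 "$CADIR/private/cakey.pem"          # step 6
  openssl req -x509 -new -key "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" \
    -days 3600 -subj "/C=CN/ST=HENAN/L=ZZ/O=ZZU/OU=CA/CN=Test CA" -config "$CNF"
  : > "$CADIR/index.txt"; echo 01 > "$CADIR/serial"   # the post starts the serial at 00
}
issue_server_cert() {   # steps 10-12: server key, CSR, certificate signed by the CA
  mkdir -p "$SSLDIR/private"
  openssl genrsa -out "$SSLDIR/private/$CN.key" 2048 2>/dev/null
  chmod 600 "$SSLDIR/private/$CN.key"
  openssl req -new -key "$SSLDIR/private/$CN.key" -out "$SSLDIR/$CN.csr" \
    -subj "/C=CN/ST=HENAN/L=ZZ/O=ZZU/CN=$CN" -config "$CNF"
  openssl ca -batch -notext -config "$CNF" -in "$SSLDIR/$CN.csr" -out "$SSLDIR/$CN.crt" 2>/dev/null
}
verify_setup() {        # the checks behind step 15: chain, key/cert match, key mode
  openssl verify -CAfile "$CADIR/cacert.pem" "$SSLDIR/$CN.crt" | grep -q ': OK$' || return 1
  [ "$(openssl x509 -noout -modulus -in "$SSLDIR/$CN.crt")" = \
    "$(openssl rsa -noout -modulus -in "$SSLDIR/private/$CN.key" 2>/dev/null)" ] || return 1
  [ -n "$(find "$SSLDIR/private/$CN.key" -perm 600)" ]
}
write_ca_config; build_ca; issue_server_cert; verify_setup && echo "chain and key checks: OK"
```

If any check fails the script exits non-zero, which is the point at which to re-examine the step that produced the offending file rather than restarting httpd.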

This article was reposted from freehat08's 51CTO blog, original link: http://blog.51cto.com/freehat/284336; to republish it, please contact the original author.