HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer: HTTP with security as its goal, or simply the secure version of HTTP. It is HTTP carried inside an SSL layer (today TLS), so the security of HTTPS is the security of SSL, and the details of how HTTPS encrypts traffic are the details of SSL.
SSL was developed by Netscape and built into its browser; it encrypts data before it is sent over the network and decrypts it on the receiving side. HTTP uses TCP port 80, while HTTPS uses TCP port 443.
HTTPS serves two main purposes: it establishes a secure channel that protects the data in transit, and it lets the client confirm the authenticity of the web site through the server's certificate.
Before the HTTPS service can be enabled, the HTTP server package must be installed, together with mod_ssl (the SSL module for Apache) and distcache, which mod_ssl depends on:
# rpm -hiv httpd-2.2.3-31.el5
# rpm -vhi distcache-1.4.5-14.1
# rpm -vhi mod_ssl-2.2.3-31.el5
1 Under /etc/httpd, create a directory named ssl, and inside it a directory named private:
# cd /etc/httpd
# mkdir -pv ./ssl/private
mkdir: created directory `ssl'
mkdir: created directory `ssl/private'
2 Use the tree command to view the directory tree under ssl:
# tree ssl/
ssl
`-- private
1 directory, 0 files
3 SSL-based authentication needs a CA to issue certificates that vouch for identity, because only a CA is entitled to issue certificates to other parties. Before the CA can issue anything it must first create its own self-signed certificate, so the next step is to set up the CA. On RHEL/CentOS 5 the CA directory is /etc/pki/CA (the dir value in /etc/pki/tls/openssl.cnf, see step 9), so the CA's key, certificate and bookkeeping files in steps 4 to 8 are created under /etc/pki/CA, not under /etc/httpd/ssl.
4 Generate the CA's private key, in /etc/pki/CA/private:
[root@station90 private]# openssl genrsa 1024 > cakey.pem
Generating RSA private key, 1024 bit long modulus
.....++++++
..++++++
e is 65537 (0x10001)
(1024-bit RSA was common when this was written but is too short today; use at least 2048 bits.)
5 Generate the CA's self-signed certificate. The -x509 option makes openssl req output a certificate instead of a request, signed with the key from step 4 (which step 7 shows sitting in private/):
[root@station90 CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 3600
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:windbbs.test.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Give the CA a Common Name of its own rather than the server's hostname as entered above, so that the CA certificate and the server certificate it issues in step 12 do not carry the same subject.
6 Change the permissions of cakey.pem to 600, so that only root can read the CA's private key:
[root@station90 private]# chmod 600 cakey.pem
cacert.pem can be restricted to 600 as well. httpd reads its certificate and key files as root while starting up, before it drops privileges to the apache user, so root-owned files with mode 600 work and no apache group ownership is needed.
7 Check the permissions of cacert.pem and cakey.pem:
[root@station90 CA]# ll
total 12
-rw------- 1 root root 688 Mar 7 22:35 cacert.pem
drwx------ 2 root root 4096 Mar 7 22:39 private
[root@station90 CA]# ll ./private
-rw------- 1 root root 887 Mar 7 21:54 cakey.pem
8 Create the newcerts directory and the index.txt and serial files:
# mkdir newcerts
# touch index.txt
serial needs an initial value, because openssl ca reads the next serial number from it when it signs certificates later:
# vim serial
and set its contents to 00.
9 Edit /etc/pki/tls/openssl.cnf so that the [ CA_default ] section matches the directory in which the CA files from steps 4 to 8 were created. The stock RHEL/CentOS 5 values, which point at /etc/pki/CA, are:
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
10 Generate the server's key. This is done from the directory created in step 1, /etc/httpd/ssl:
[root@station90 ssl]# pwd
/etc/httpd/ssl
[root@station90 ssl]# openssl genrsa 1024 > private/windbbs.test.com.key
Generating RSA private key, 1024 bit long modulus
............++++++
............................++++++
e is 65537 (0x10001)
11 Generate a certificate signing request (CSR) for the server key. The prompts are the same as in step 5 (only the answers are shown here); the Common Name must be the hostname clients will use to reach the server, windbbs.test.com:
[root@station90 ssl]# openssl req -new -key private/windbbs.test.com.key -out windbbs.test.com.csr
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Common Name (eg, your name or your server's hostname) []:windbbs.test.com
Email Address []:[email protected]
12 Have the CA sign the server's request, producing the server certificate. The CSR was written to /etc/httpd/ssl in step 11, so:
[root@station90 ssl]# openssl ca -in ./windbbs.test.com.csr -out windbbs.test.com.crt -days 3600
openssl ca asks for confirmation before signing and before committing; it records the new certificate in index.txt and keeps a copy under newcerts/, named after the serial number from step 8.
13 Next, edit /etc/httpd/conf.d/ssl.conf to tell Apache where the certificate and key are. Since we placed them under /etc/httpd/ssl, the file must be changed:
# vim /etc/httpd/conf.d/ssl.conf
Change the two lines SSLCertificateFile
SSLCertificateKeyFile
to
SSLCertificateFile /etc/httpd/ssl/windbbs.test.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/private/windbbs.test.com.key
so that the paths match the files created in steps 10 and 12.
14 Restart Apache:
[root@station90 ssl]# service httpd restart
15 After the restart, verify from a client machine; if it does not work, go back over the steps above. A browser will warn that the issuer is unknown until cacert.pem from step 5 is imported into its trust store, since the certificate was issued by our own CA and not by a publicly trusted one.
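The whole procedure above, steps 4 to 13, collapsed into one script, as an added example that is not code from the original post. It keeps the post's structure (a CA with cakey.pem, cacert.pem, index.txt, serial and newcerts; a server key, CSR and CA-signed certificate) but uses 2048-bit keys, SHA-256 and a subjectAltName, which the commands above do not, and marks the CA certificate CA:TRUE explicitly. The directory names, the CA's Common Name "ZZU Test CA" and the minimal openssl.cnf written inline are assumptions; the script builds everything in a temporary directory so it runs without root and without touching /etc/pki/CA or /etc/httpd/ssl. The check functions at the end are the ones worth running before the restart in step 14: a key that does not belong to the certificate, or a key httpd cannot read, is what makes it refuse to start.

```shell
#!/bin/sh
# Added example, not code from the original post: build a private CA,
# have it issue a server certificate, and run the checks a practitioner
# does before pointing httpd at the files. Directory names are
# assumptions: the post keeps the CA under /etc/pki/CA and the server
# files under /etc/httpd/ssl; this script uses a throwaway directory.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/CA"            # stands in for /etc/pki/CA
SRV_DIR="$WORK/ssl"          # stands in for /etc/httpd/ssl
HOST="windbbs.test.com"      # server name used in the post
CA_CN="ZZU Test CA"          # assumed; must differ from the server CN

setup_ca() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" "$SRV_DIR/private"
    chmod 700 "$CA_DIR/private" "$SRV_DIR/private"
    : > "$CA_DIR/index.txt"      # database of issued certificates
    echo 01 > "$CA_DIR/serial"   # next serial number for "openssl ca"
    # Minimal stand-in for the [ CA_default ] block of openssl.cnf
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca          = CA_default
[ CA_default ]
dir                 = $CA_DIR
new_certs_dir       = \$dir/newcerts
database            = \$dir/index.txt
serial              = \$dir/serial
certificate         = \$dir/cacert.pem
private_key         = \$dir/private/cakey.pem
default_md          = sha256
default_days        = 365
policy              = policy_any
[ policy_any ]
countryName         = optional
stateOrProvinceName = optional
localityName        = optional
organizationName    = optional
commonName          = supplied
[ req ]
distinguished_name  = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints    = critical, CA:TRUE
keyUsage            = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints    = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = DNS:$HOST
EOF
    # umask 077 makes the key 0600 from the start, with no window in
    # which it is readable by others (the post chmods it afterwards).
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    # Self-signed CA certificate, explicitly marked CA:TRUE
    openssl req -x509 -new -sha256 -days 3650 -config "$CA_DIR/openssl.cnf" \
        -extensions v3_ca -key "$CA_DIR/private/cakey.pem" \
        -subj "/C=CN/ST=HENAN/L=ZZ/O=ZZU/CN=$CA_CN" -out "$CA_DIR/cacert.pem"
}

issue_server_cert() {
    (umask 077; openssl genrsa -out "$SRV_DIR/private/$HOST.key" 2048 2>/dev/null)
    # CSR for the server; its CN is the name clients connect to
    openssl req -new -sha256 -config "$CA_DIR/openssl.cnf" \
        -key "$SRV_DIR/private/$HOST.key" \
        -subj "/C=CN/ST=HENAN/L=ZZ/O=ZZU/CN=$HOST" -out "$SRV_DIR/$HOST.csr"
    # The CA signs it. Extensions come from the CA's config, not from
    # the CSR, so a requester cannot smuggle in CA:TRUE.
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -days 365 \
        -extensions server_ext -in "$SRV_DIR/$HOST.csr" \
        -out "$SRV_DIR/$HOST.crt" 2>/dev/null
}

# Checks worth running before "service httpd restart":
verify_chain() {        # does the server certificate chain to our CA?
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$SRV_DIR/$HOST.crt" >/dev/null
}
key_matches_cert() {    # SSLCertificateFile and SSLCertificateKeyFile belong together?
    [ "$(openssl x509 -in "$SRV_DIR/$HOST.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$SRV_DIR/private/$HOST.key" -pubout)" ]
}
cert_has_san() {        # browsers match the name against SAN, not CN
    openssl x509 -in "$SRV_DIR/$HOST.crt" -noout -text | grep -q "DNS:$HOST"
}
key_is_private() {      # mode 0600, as in step 6 of the post
    [ "$(ls -l "$SRV_DIR/private/$HOST.key" | cut -c1-10)" = "-rw-------" ]
}

setup_ca
issue_server_cert
verify_chain && key_matches_cert && cert_has_san && key_is_private \
    && echo "CA and server certificate ready under $WORK"
```

Once the real files are in place under /etc/httpd/ssl and httpd has been restarted, the same chain check against the running server is openssl s_client -connect windbbs.test.com:443 -CAfile /etc/pki/CA/cacert.pem, which should end with Verify return code: 0 (ok); any other code means the client is not seeing a certificate issued by the CA whose cacert.pem you passed.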
This article was reposted from freehat08's 51CTO blog; the original is at http://blog.51cto.com/freehat/284336. Contact the original author for permission to republish.