Configuration file locations
- /etc/httpd/conf/httpd.conf
 - /etc/httpd/conf.d/ssl.conf
 
Generate the key file
- [root@localhost ~]# openssl genrsa -out www.key 1024
 
Generating RSA private key, 1024 bit long modulus
.................................++++++
.........++++++
e is 65537 (0x10001)
 
 
Use the key to create the certificate signing request (CSR) file
- [root@localhost ~]# openssl req -new -key www.key -out www.csr
 
You are about to be asked to enter information that will be incorporated 
into your certificate request. 
What you are about to enter is what is called a Distinguished Name or a DN. 
There are quite a few fields but you can leave some blank 
For some fields there will be a default value, 
If you enter '.', the field will be left blank. 
----- 
Country Name (2 letter code) [GB]:TW 
State or Province Name (full name) [Berkshire]:Taipei 
Locality Name (eg, city) [Newbury]:Taipei 
Organization Name (eg, company) [My Company Ltd]:www 
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) []:www.ne226.kirnel.com 
Email Address []:webmaster@ne226.kirnel.com 
 
Please enter the following 'extra' attributes 
to be sent with your certificate request 
A challenge password []: 
An optional company name []: 
Use the key and the CSR to create the CRT file
- [root@localhost ~]# openssl x509 -req -days 365 -in www.csr -signkey www.key -out www.crt
 
Signature ok 
subject=/C=TW/ST=Taipei/L=Taipei/O=www/CN=www.ne226.kirnel.com/emailAddress=webmaster@ne226.kirnel.com 
Getting Private key 
Move the files to the appropriate locations
- [root@localhost ~]# cp www.crt /etc/pki/tls/certs/
 - [root@localhost ~]# cp www.key /etc/pki/tls/private/
 - [root@localhost ~]# cp www.csr /etc/pki/tls/private/
 
Edit the file /etc/httpd/conf.d/ssl.conf
#   Server Certificate:
 
# Point SSLCertificateFile at a PEM encoded certificate.  If 
# the certificate is encrypted, then you will be prompted for a 
# pass phrase.  Note that a kill -HUP will prompt again.  A new 
# certificate can be generated using the genkey(1) command. 
SSLCertificateFile /etc/pki/tls/certs/www.crt 
 
#   Server Private Key: 
#   If the key is not combined with the certificate, use this 
#   directive to point at the key file.  Keep in mind that if 
#   you've both a RSA and a DSA private key you can configure 
#   both in parallel (to also allow the use of DSA ciphers, etc.) 
SSLCertificateKeyFile /etc/pki/tls/private/www.key 
Restart
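
Before restarting, the installed pair can be checked with the script below, an added example that is not part of the original page. The function names, the script name `check.sh` and the thresholds (2048-bit minimum key size, 30 days of remaining validity) are assumptions; with that minimum, the 1024-bit key generated above is reported as too small, and a key copied with default permissions is reported as readable by other users.

```shell
#!/bin/sh
# Added example: checks for the key/certificate pair before restarting httpd.
# MIN_BITS and MIN_DAYS are assumed thresholds, not values from the page.
MIN_BITS=2048
MIN_DAYS=30

# Print the RSA modulus size (in bits) of a private key file.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the certificate carries the public half of the private key.
pair_matches() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -lL "$1" | cut -c5-10)" = "------" ]
}

# Run all checks, print each finding, return non-zero if any check failed.
check_tls_pair() {
    key=$1; crt=$2; rc=0
    bits=$(key_bits "$key")
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "FAIL: key is ${bits:-0} bits, minimum is $MIN_BITS"; rc=1
    fi
    if ! pair_matches "$key" "$crt"; then
        echo "FAIL: $crt was not issued for $key"; rc=1
    fi
    if ! key_is_private "$key"; then
        echo "FAIL: $key is accessible to group/others (chmod 600)"; rc=1
    fi
    if ! openssl x509 -in "$crt" -noout -checkend $((MIN_DAYS * 86400)) \
            >/dev/null 2>&1; then
        echo "FAIL: $crt is expired or expires within $MIN_DAYS days"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $key and $crt pass all checks"; fi
    return "$rc"
}

# Usage (check.sh is a hypothetical name for this script):
#   sh check.sh /etc/pki/tls/private/www.key /etc/pki/tls/certs/www.crt
if [ "$#" -eq 2 ]; then check_tls_pair "$1" "$2"; fi
```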
 
 