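HTTPS is an HTTP channel built with security as its goal: it adds an SSL layer under HTTP. SSL is the security foundation of HTTPS, so the details of the encryption are handled by SSL.
The steps for setting up an HTTPS service under httpd 2.2 are outlined below.
1. Create a private CA:
Use the openssl command; a detailed introduction is at https://blog.51cto.com/papapa213/2096589
1) Create the CA's private key: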
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
2) Generate the self-signed certificate:
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3653
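You then fill in the requested information at the interactive prompts (country, region, city, organization, and so on). The generated certificate is encrypted data.
3) Complete the directory and text-file structure the CA requires: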
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
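2. Create the HTTPS site:
1) Generate a key for the httpd server and create a certificate request:
mkdir -p /etc/httpd/ssl
(umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 3653
2) Sign the certificate on the CA: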
openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 3653
3) Transfer the certificate issued by the CA to the httpd server:
cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
4) Delete the certificate request file:
rm -f /etc/httpd/ssl/httpd.csr
5) Configure SSL support on the httpd server:
① Install the mod_ssl module:
yum -y install mod_ssl
② Modify the contents of the /etc/httpd/conf.d/ssl.conf configuration file:
<VirtualHost 192.168.109.2:443>
....
DocumentRoot "/myvhost/https"
ServerName ....
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
...
</VirtualHost>
③ Add a new web page:
mkdir -p /myvhost/https
echo "https" > /myvhost/https/index.html
Now visit https://192.168.109.2
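Before restarting httpd it is worth confirming that the issued certificate chains to the private CA, that it matches the server key, and that the key is not readable by other users. The script below is an added example, not part of the original post: the function names check_server_cert and make_demo_pki are hypothetical, and the demo signs with `openssl x509 -req` instead of the `openssl ca` step above so that it runs in a temporary directory without the /etc/pki/CA layout.

```bash
#!/bin/bash
# Added example (not from the original post): sanity checks for a CA-issued httpd certificate.

# check_server_cert CA_CERT SERVER_CERT SERVER_KEY
# Returns 0 if all checks pass, 1 = chain failure, 2 = key mismatch, 3 = key exposed.
check_server_cert() {
    local ca=$1 crt=$2 key=$3 cert_pub key_pub
    # 1) The certificate must chain to the private CA. Match on the "OK" line because
    #    some older OpenSSL releases exit 0 from "verify" even when verification fails.
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $crt does not verify against $ca"; return 1; }
    # 2) SSLCertificateFile and SSLCertificateKeyFile must hold the same public key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key is not the private key for $crt"; return 2; }
    # 3) The private key must carry no group/other permission bits (umask 077 at creation).
    case $(ls -lL "$key") in
        -???------*) ;;
        *) echo "FAIL: $key is accessible to group/other"; return 3 ;;
    esac
    echo "OK: chain, key match and key permissions verified"
}

# make_demo_pki DIR
# Builds a constructed throwaway CA and a server key/CSR/certificate inside DIR.
make_demo_pki() {
    local d=$1
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
          -subj "/CN=Constructed Demo CA" -days 1 &&
      openssl req -new -newkey rsa:2048 -nodes -keyout "$d/httpd.key" \
          -out "$d/httpd.csr" -subj "/CN=192.168.109.2" &&
      openssl x509 -req -in "$d/httpd.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
          -CAcreateserial -out "$d/httpd.crt" -days 1
    ) >/dev/null 2>&1
}

# Demo on constructed data; nothing under /etc is touched.
demo=$(mktemp -d) && make_demo_pki "$demo" &&
    check_server_cert "$demo/ca.crt" "$demo/httpd.crt" "$demo/httpd.key"
rm -rf "$demo"
```

On the server built above, the equivalent call is check_server_cert /etc/pki/CA/cacert.pem /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key.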