Upgrading the keystone service to HTTPS with certificate encryption

Install mod_ssl with yum

[root@controller ~]# yum install -y mod_ssl   // install mod_ssl online
已加载插件:fastestmirror
centos | 3.6 kB 00:00:00
iaas | 2.9 kB 00:00:00
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 mod_ssl.x86_64.1.2.4.6-40.el7.centos.4 将被 安装
--> 解决依赖关系完成

依赖关系解决

========================================================================================================================================
 Package            架构            版本                               源            大小
========================================================================================================================================
正在安装:
 mod_ssl            x86_64          1:2.4.6-40.el7.centos.4            iaas          104 k

事务概要
========================================================================================================================================
安装 1 软件包

总下载量:104 k
安装大小:224 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 正在安装 : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64   1/1
 验证中   : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64   1/1

已安装:
 mod_ssl.x86_64 1:2.4.6-40.el7.centos.4

完毕!

Configuring mod_ssl on the HTTP server

1. Create the server private key

[root@controller ~]# cd /etc/pki/tls/certs/   // change to the directory where the HTTP server's key and certificate files are kept
[root@controller ~]# make server.key   // create the server private key
umask 77 ; /usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
................++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase:   // enter the passphrase here
Verifying - Enter pass phrase:   // confirm the passphrase by typing it again
[root@controller ~]# openssl rsa -in server.key -out server.key   // strip the passphrase from the key (so httpd is not prompted for it after a reboot)
Enter pass phrase for server.key:   // enter the passphrase
writing RSA key

2. Create the server public key (certificate signing request)

[root@controller ~]# make server.csr   // create the certificate signing request
umask 77 ; /usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN   // enter the country code
State or Province Name (full name) [Berkshire]:Xinjiang   // enter the province
Locality Name (eg, city) [Newbury]:Shihezi   // enter the city
Organization Name (eg, company) [My Company Ltd]:www.msdn.com   // enter the organization name (any value)
Organizational Unit Name (eg, section) []:   // leave blank, just press Enter
Common Name (eg, your name or your server's hostname) []:www.msdn.com   // enter the common name (any value)
Email Address []:zq@qq.com   // enter an e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   // leave blank, just press Enter
An optional company name []:   // leave blank, just press Enter

3. Create the server certificate

[root@controller ~]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365   // create a self-signed server certificate
Signature ok
subject=/C=CN/ST=Xinjiang/L=Shihezi/O=www.51cto.com/emailAddress=xiandian@qq.com
Getting Private key
Enter pass phrase for server.key:
140645233670048:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:
You must type in 4 to 8191 characters
Enter pass phrase for server.key:
[root@controller ~]# chmod 400 server.*   // restrict the permissions to 400

4. Configure SSL

[root@controller ~]# vi /etc/httpd/conf.d/ssl.conf   // edit the SSL configuration file
#DocumentRoot "/var/www/html"   // find this line and remove the leading "#"
DocumentRoot "/var/www/html"   // the line should now look like this

5. Restart the HTTP service so that SSL takes effect

[root@controller]# systemctl restart httpd.service   // restart the HTTP server

Local configuration file /etc/httpd/conf.d/ssl_saturn.conf:

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
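The five interactive steps above and the ssl_saturn.conf listing leave two things easy to get wrong: the passphrase prompts (the step-3 session shows the "result too small" error from pressing Enter at one), and the fact that the config points httpd at localhost.crt/localhost.key while the steps produced server.pem/server.key. The script below is an added example, not code from the original post: it reproduces the key, CSR and self-signed certificate steps without prompts, then runs the checks worth doing before the httpd restart (key/certificate match, key permissions, CN and expiry, and whether the SSLProtocol line still allows SSLv3). It assumes openssl and awk are installed; WORKDIR is a scratch directory constructed here rather than the post's /etc/pki/tls/certs, SAMPLE_CONF is a constructed copy of four directives from the listing, and the subject values are the ones the post typed in.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl and awk.
# WORKDIR is a scratch directory (constructed), not /etc/pki/tls/certs.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Key without a passphrase (the effect of the post's
# "openssl rsa -in server.key -out server.key" step), CSR from a fixed -subj
# instead of the questionnaire, self-signed certificate, owner-only permissions.
# 2048-bit rather than the post's 1024-bit, which current clients reject.
make_server_cert() {
    (
        cd "$WORKDIR" || exit 1
        umask 077
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -utf8 -new -key server.key -out server.csr \
            -subj "/C=CN/ST=Xinjiang/L=Shihezi/O=www.msdn.com/CN=www.msdn.com/emailAddress=zq@qq.com"
        openssl x509 -req -in server.csr -signkey server.key -days 365 \
            -out server.pem 2>/dev/null
        chmod 400 server.*
    )
}

# Check 1: the certificate really belongs to this private key. Comparing the
# DER-encoded public keys catches SSLCertificateFile and SSLCertificateKeyFile
# naming files from two different pairs (the post's config names localhost.*,
# the steps produced server.*).
key_matches_cert() {   # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the key is readable by its owner only (the post's chmod 400).
key_is_private() {   # $1 = key file
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# Check 3: the CN is the name clients connect to, and the certificate is not
# within 30 days (2592000 s) of expiry.
cert_cn() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
cert_valid_30d() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# Constructed copy of four directives from the post's ssl_saturn.conf;
# on a real host read /etc/httpd/conf.d/*.conf instead.
SAMPLE_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key'

# First value of a directive: conf_value SSLCertificateFile "$SAMPLE_CONF"
conf_value() {
    printf '%s\n' "$2" | awk -v d="$1" '$1 == d { print $2; exit }'
}

# Check 4: "all -SSLv2" still permits SSLv3. Succeed only when SSLv3 is
# switched off explicitly or the line starts from "-all" and adds versions.
conf_disables_sslv3() {   # $1 = config text
    proto=$(printf '%s\n' "$1" | awk '$1 == "SSLProtocol" { $1 = ""; print; exit }')
    case " $proto " in
        *" -SSLv3 "* | *" -all "*) return 0 ;;
    esac
    return 1
}
```

Run key_matches_cert against the two paths that SSLCertificateFile and SSLCertificateKeyFile actually name in the deployed config; on the post's setup that is how the localhost.* versus server.* mismatch would surface before httpd fails to start.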
