樹心幽徑

20190603 Installing a self-signed SSL certificate for httpd on Fedora Linux
2019/06/03,12:12

(1-1) Check the current system versions

# openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

# uname -a

Linux localhost.localdomain 3.19.8 #1 SMP Fri Jan 8 12:41:11 CST 2016 i686 i686 i386 GNU/Linux

(1-2) Create the configuration directory

# mkdir /etc/httpd/ssl

# cd /etc/httpd/ssl

(2-1) Edit the configuration file

# vi ssl.conf

(2-2) Display the configuration file

# cat ssl.conf
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Kinmen.
O = Tree Inc.
OU = IT Department
emailAddress = treehrt@insecta.idv.tw
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
DNS.3 = 163.25.20.1

 

(3) Create the SSL key server.key and the self-signed SSL certificate server.crt

# openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.conf
Generating a 2048 bit RSA private key
........................................................+++
............................+++
writing new private key to 'server.key'
-----

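# ls -l
總計 12
-rw-r--r-- 1 root root 1424  6月  4 20:35 server.crt
-rw-r--r-- 1 root root 1704  6月  4 20:35 server.key
-rw-r--r-- 1 root root  345  6月  4 20:34 ssl.conf

Note: server.key is created with mode 0644 (-rw-r--r--), and because of -nodes it is not encrypted, so the private key is readable by every local user; it should be readable by root only.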

(4-1) Install ca-certificates

# yum install ca-certificates

Updated:
  ca-certificates.noarch 0:2014.2.1-1.5.fc19

Complete!

(4-2)# update-ca-trust force-enable

(4-3)# cp server.crt /etc/pki/ca-trust/source/anchors/


(4-4)# update-ca-trust extract

 

(5) Install the mod_ssl module

# yum install mod_ssl

 :

Installed:
  mod_ssl.i686 1:2.4.10-1.fc19                                                 

Complete!

(6-1)# ls  /etc/httpd/conf.d/ssl.conf -l
-rw-r--r-- 1 root root 9426  7月 31  2014 /etc/httpd/conf.d/ssl.conf

(6-2)# vi /etc/httpd/conf.d/ssl.conf

:

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName insecta.idv.tw:443
                            
:

SSLProtocol all -SSLv2 -SSLv3

:

SSLCertificateFile /etc/httpd/ssl/server.crt
:

SSLCertificateKeyFile /etc/httpd/ssl/server.key
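
Added example, not part of the original post: a Python check that lints the [alt_names] section from step (2-2) against the ServerName from step (6-2), flagging an IP address filed under DNS.n (OpenSSL expects IP.n for addresses) and a ServerName that no SAN entry covers. The function names and SAMPLE_CONF are constructed for illustration, and the config is assumed to start with a section header so that configparser can parse it.

```python
import configparser
import ipaddress

# Constructed sample: the SAN sections of the ssl.conf listed in step (2-2).
SAMPLE_CONF = """
[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
DNS.3 = 163.25.20.1
"""

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def matches(pattern, host):
    """Match a SAN dNSName; '*' stands for exactly one leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def lint_san(conf_text, server_name, section="alt_names"):
    """Return findings for the SAN section of an openssl req config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'DNS.1' / 'IP.1' as written
    cp.read_string(conf_text)
    findings, dns, ips = [], [], []
    for key, value in cp[section].items():
        kind = key.split(".")[0].upper()
        if kind == "DNS" and is_ip(value):
            findings.append(f"{key}: {value} is an IP literal, use IP.n")
        elif kind == "DNS":
            dns.append(value)
        elif kind == "IP":
            ips.append(value)
    host = server_name.rsplit(":", 1)[0]  # drop ':443' from ServerName
    covered = host in ips if is_ip(host) else any(matches(d, host) for d in dns)
    if not covered:
        findings.append(f"ServerName {host} is not covered by any SAN entry")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_san(SAMPLE_CONF, "insecta.idv.tw:443")))
```

With the values from this page it reports both findings: DNS.3 holds an IP literal, and insecta.idv.tw matches neither *.localhost nor localhost.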


(7)# ls -l /etc/httpd/ssl/
總計 12
-rw-r--r-- 1 root root 1424  6月  4 20:35 server.crt
-rw-r--r-- 1 root root 1704  6月  4 20:35 server.key
-rw-r--r-- 1 root root  345  6月  4 20:34 ssl.conf

 

(8)# vi /usr/local/apache2/conf/httpd.conf

:

Include conf/extra/httpd-ssl.conf

:

:
LoadModule ssl_module /usr/lib/httpd/modules/mod_ssl.so
:

 

(9)# vi /usr/local/apache2/conf/extra/httpd-ssl.conf

:

SSLCertificateFile "/etc/httpd/ssl/server.crt"
:

SSLCertificateKeyFile "/etc/httpd/ssl/server.key"

:

(10) Restart httpd

/usr/local/apache2/bin/apachectl restart


(11) Connecting to https://insecta.idv.tw with Firefox succeeded; screenshot below:

[screenshot]

 

REF0:http://blog.davidou.org/archives/1206

REF1:https://www.opencli.com/linux/rhel-centos-7-install-apache-mod_ssl

 