https是以安全为目标的http通道,在http下加入了SSL层,https的安全基础是ssl,因此加密的详细内容就需要ssl。
下面简介在https2.2下设置https服务的步骤
1.创建私有CA:
使用openssl命令,详细介绍:http://blog.51cto.com/papapa213/2096589
1)创建CA的私钥:
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
2)生成自签证书:
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3653
之后需要在交互界面填写相应信息,国家、地区、城市、单位等,生成的证书为加密后数据
3)完善CA所需目录及文本文件结构:
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
2.创建https站点:
1)为httpd服务器生成密钥并生成证书请求
openssl genrsa -out /etc/httpd/ssl/httpd.key 2048 openssl req -new -key /etc/httpd/ssl/httpd.key -out httpd.csr -days 3653
2)在CA上签发证书:
openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 3653
3)将CA上签发的证书传送到httpd服务器:
cp /etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
4)删除证书请求文件
rm -f /etc/httpd/ssl/httpd.csr
5)在httpd服务器上配置ssl支持
①安装mod_ssl模块:
yum -y install mod_ssl
②修改/etc/httpd/conf.d/ssl.conf配置文件中的内容
<VirtualHost 192.168.109.2:443> .... DocumentRoot "/myvhost/https" ServerName .... SSLCertificateFile /etc/httpd/ssl/httpd.crt SSLCertificateKeyFile /etc/httpd/ssl/httpd.key ...
③添加新的网页:
echo "https" > /mychost/https/index.html
此时访问https://192.168.109.2
