Complete keystone certificate encrypted HTTPS service upgrade

By yum install mod_ssl

[root@controller ~]# yum install -y mod_ssl             //在线安装mod_ssl
已加载插件：fastestmirror
centos                                                                                                           | 3.6 kB  00:00:00     
iaas                                                                                                             | 2.9 kB  00:00:00     
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 mod_ssl.x86_64.1.2.4.6-40.el7.centos.4 将被 安装
--> 解决依赖关系完成

依赖关系解决

========================================================================================================================================
 Package                      架构                        版本                                          源                         大小
========================================================================================================================================
正在安装:
 mod_ssl                      x86_64                      1:2.4.6-40.el7.centos.4                       iaas                      104 k

事务概要
========================================================================================================================================
安装  1 软件包

总下载量：104 k
安装大小：224 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64                                                                              1/1 
  验证中      : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64                                                                              1/1 

已安装:
  mod_ssl.x86_64 1:2.4.6-40.el7.centos.4                                                                                                

完毕！

Mod_ssl on the HTTP server configuration

1. Establish server key

[root@controller ~]#  cd /etc/pki/tls/certs/　   //进入HTTP服务器配置文件所在目录
[root@controller ~]#  make server.key　      //建立服务器密钥
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
................++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase:　                         //在这里输入口令
Verifying - Enter pass phrase:　             //确认口令，再次输入
[root@controller ~]#  openssl rsa -in server.key -out server.key　       //从密钥中删除密码（以避免系统启动后被询问口令）
Enter pass phrase for server.key:　          //输入口令
writing RSA key

2. Establish server's public key

[root@controller ~]#  make server.csr　      //建立服务器密钥
umask 77 ; \

/usr/bin/openssl req -utf8 -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN　           //输入国名

State or Province Name (full name) [Berkshire]:Xinjiang     //输入省名

Locality Name (eg, city) [Newbury]:Shihezi　             //输入城市名

Organization Name (eg, company) [My Company Ltd]:www.msdn.com　      //输入组织名（任意）

Organizational Unit Name (eg, section) []:　 //不输入，直接回车

Common Name (eg, your name or your server‘s hostname) []:www.msdn.com　 ← 输入通称（任意）

Email Address []:[email protected] 　            //输入电子邮箱地址

Please enter the following ’extra' attributes

to be sent with your certificate request

A challenge password []:　               //不输入，直接回车

An optional company name []: 　          //不输入，直接回车

3. Establish server certificate

[root@controller ~]#  openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365　               //建立服务器证书
Signature ok
subject=/C=CN/ST=Xinjiang/L=Shihezi/O=www.51cto.com/[email protected]
Getting Private key
Enter pass phrase for server.key:
140645233670048:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
[root@controller ~]#  chmod 400 server.*        //修改权限为400

4. Set SSL

[root@controller ~]#  vi /etc/httpd/conf.d/ssl.conf　    //修改SSL的设置文件
#DocumentRoot "/var/www/html"　      //找到这一行，将行首的“#”去掉
Ⅴ
DocumentRoot "/var/www/html"　       //变为此状态

5. Restart the HTTP service for SSL to take effect

[root@controller]#  systemctl restart httpd.service　    //重新启动HTTP服务器

Local profiles /etc/httpd/conf.d/ssl_saturn.conf:

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>