1.安装专门的mod_ssl模块
[root@contos7 ~]# yum install mod_ssl Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile Resolving Dependencies --> Running transaction check ---> Package mod_ssl.x86_64 1:2.4.6-80.el7.centos will be installed --> Finished Dependency Resolution Dependencies Resolved ====================================================================================================================== Package Arch Version Repository Size ====================================================================================================================== Installing: mod_ssl x86_64 1:2.4.6-80.el7.centos base 111 k Transaction Summary ====================================================================================================================== Install 1 Package Total download size: 111 k Installed size: 224 k Is this ok [y/d/N]: y Downloading packages: mod_ssl-2.4.6-80.el7.centos.x86_64.rpm | 111 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : 1:mod_ssl-2.4.6-80.el7.centos.x86_64 1/1 Verifying : 1:mod_ssl-2.4.6-80.el7.centos.x86_64 1/1 Installed: mod_ssl.x86_64 1:2.4.6-80.el7.centos Complete!
2.申请CA证书
要生成证书就需要为服务端生成私钥,并用它来为其提供证书文件;
[root@contos7 ~]# cd /etc/pki/CA [root@contos7 /etc/pki/CA]# (umask 066;openssl genrsa -out private/cakey.pem 4096) Generating RSA private key, 4096 bit long modulus .....++ .........................................................++ e is 65537 (0x10001) [root@contos7 /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HeNan Locality Name (eg, city) [Default City]:ZhengZhou Organization Name (eg, company) [Default Company Ltd]:Magedu Organizational Unit Name (eg, section) []:opt Common Name (eg, your name or your server's hostname) []: Email Address []: [root@contos7 /etc/pki/CA]# touch index.txt [root@contos7 /etc/pki/CA]# echo 00 > serial [root@contos7 /etc/pki/CA]# mkdir /etc/httpd/conf.d/ssl [root@contos7 /etc/pki/CA]# cd /etc/httpd/conf.d/ssl/ [root@contos7 /etc/httpd/conf.d/ssl]# (umask 066;openssl genrsa -out httpd.key 1024) Generating RSA private key, 1024 bit long modulus ......++++++ .............++++++ e is 65537 (0x10001) [root@contos7 /etc/httpd/conf.d/ssl]# openssl req -new -key httpd.key -out httpd.csr [root@contos7 /etc/httpd/conf.d/ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365 [root@contos7 /etc/httpd/conf.d/ssl]# cp /etc/pki/CA/cacert.pem .
3.编辑.conf配置文件
将代码修改为下列三行
[root@contos7 ~]# vim /etc/httpd/conf.d/ssl.conf SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
4.修改配置文件
[root@contos7 ~]# vim /etc/httpd/conf.d/vhost.conf
<VirtualHost *:443>
ServerName www.baidu.com
DocumentRoot "/app/website1"
CustomLog "logs/www.baidu.com_access_log" combined
<Directory "/app/website1">
Require all granted
</Directory>
</VirtualHost>
~
4.重新启动服务
[root@contos7 ~]# systemctl restart httpd