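Installing SSL (CentOS)

Introduction:

Install SSL on CentOS so that the site is accessed over HTTPS, improving security.

Installation environment and versions:

System environment: CentOS Linux release 7.5.1804 (Core)
SSL version: installed with yum

1. Installation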

[root@localhost ~]# yum -y install openssl openssl-devel mod_ssl

[root@localhost ~]# yum -y install openssl openssl-devel mod_ssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * updates: mirrors.bfsu.edu.cn
......                                                                                                                                                                                      35/35 

Installed:
  mod_ssl.x86_64 1:2.4.6-93.el7.centos                                                                                 openssl-devel.x86_64 1:1.0.2k-19.el7                                                                                

Dependency Installed:
  keyutils-libs-devel.x86_64 0:1.5.8-3.el7   krb5-devel.x86_64 0:1.15.1-46.el7   libcom_err-devel.x86_64 0:1.42.9-17.el7   libkadm5.x86_64 0:1.15.1-46.el7   libselinux-devel.x86_64 0:2.5-15.el7   libsepol-devel.x86_64 0:2.5-10.el7  
  libverto-devel.x86_64 0:0.2.5-4.el7        pcre-devel.x86_64 0:8.32-17.el7     zlib-devel.x86_64 0:1.2.7-18.el7         

Updated:
  openssl.x86_64 1:1.0.2k-19.el7                                                                                                                                                                                                            

Dependency Updated:
  e2fsprogs.x86_64 0:1.42.9-17.el7        e2fsprogs-libs.x86_64 0:1.42.9-17.el7    krb5-libs.x86_64 0:1.15.1-46.el7    libcom_err.x86_64 0:1.42.9-17.el7      libselinux.x86_64 0:2.5-15.el7    libselinux-python.x86_64 0:2.5-15.el7   
  libselinux-utils.x86_64 0:2.5-15.el7    libsepol.x86_64 0:2.5-10.el7             libss.x86_64 0:1.42.9-17.el7        openssl-libs.x86_64 1:1.0.2k-19.el7    zlib.x86_64 0:1.2.7-18.el7       

Complete!
[root@localhost ~]# 

2. Configuration

Configuration file directory: /etc/httpd/conf.d/

[root@localhost ~]# ll /etc/httpd/conf.d/
total 28
-rw-r--r--. 1 root root 2926 Apr  2 09:13 autoindex.conf
-rw-r--r--. 1 root root  366 Apr  2 09:14 README
-rw-r--r--. 1 root root 9443 Nov 27  2019 ssl.conf
-rw-r--r--. 1 root root 1252 Nov 27  2019 userdir.conf
-rw-r--r--. 1 root root  824 Nov 27  2019 welcome.conf

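Edit the configuration file: vi /etc/httpd/conf.d/ssl.conf

Document root (line 59 of ssl.conf): #DocumentRoot "/var/www/html"

Domain name bound to the CA certificate (line 60): #ServerName www.example.com:443

Supported protocol versions (line 75): SSLProtocol all -SSLv2 -SSLv3 (for WeChat Mini Programs, use SSLProtocol -all +TLSv1.2). The first form still leaves TLS 1.0 and TLS 1.1 enabled; the second permits TLS 1.2 only.

Copy your existing CA-issued certificate to the corresponding directory, then update the configuration: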

    #   Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate.  If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase.  Note that a kill -HUP will prompt again.  A new
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt

    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

3. Verification

In a browser, enter: https://ip
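
Loading the page in a browser confirms that HTTPS answers, but not which protocol versions the SSLProtocol line from section 2 leaves enabled. The shell functions below are an added example, not part of the original post: they evaluate an SSLProtocol argument list under a simplified model of mod_ssl's parsing and flag a config that still accepts SSLv3, TLS 1.0 or TLS 1.1. The function names and the assumed expansion of `all` are this example's own.

```shell
# Added example. Assumption: "all" expands to the protocols below
# (httpd 2.4.6 built against OpenSSL 1.0.2k, the versions installed above).
ALL_PROTOS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# effective_protocols TOKEN... -> prints the protocols left enabled.
# Simplified model, left to right: bare name replaces the set, +name adds, -name removes.
effective_protocols() {
    cur=""
    for tok in "$@"; do
        case "$tok" in
            +*) op=add; name=${tok#+} ;;
            -*) op=del; name=${tok#-} ;;
            *)  op=set; name=$tok ;;
        esac
        if [ "$name" = all ]; then members=$ALL_PROTOS; else members=$name; fi
        case "$op" in
            set) cur=$members ;;
            add) cur="$cur $members" ;;
            del) keep=""
                 for p in $cur; do
                     case " $members " in *" $p "*) ;; *) keep="$keep $p" ;; esac
                 done
                 cur=$keep ;;
        esac
    done
    out=""   # emit in canonical order, dropping duplicates and unknown names
    for p in $ALL_PROTOS; do
        case " $cur " in *" $p "*) out="${out:+$out }$p" ;; esac
    done
    echo "$out"
}

# audit_ssl_conf FILE -> "OK <protos>", "WEAK <protos>" (status 1) or "MISSING" (status 2).
# Uses the last uncommented SSLProtocol line; WEAK = SSLv3, TLSv1 or TLSv1.1 accepted.
audit_ssl_conf() {
    line=$(grep -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1)
    [ -n "$line" ] || { echo "MISSING"; return 2; }
    protos=$(effective_protocols ${line#*SSLProtocol})   # unquoted on purpose: word-split
    case " $protos " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) echo "WEAK $protos"; return 1 ;;
        *) echo "OK $protos" ;;
    esac
}

# Constructed sample input: the two SSLProtocol settings mentioned in the post.
demo=$(mktemp)
printf '%s\n' '#SSLProtocol -all' 'SSLProtocol all -SSLv2 -SSLv3' > "$demo"
audit_ssl_conf "$demo" || true   # WEAK TLSv1 TLSv1.1 TLSv1.2
printf '%s\n' 'SSLProtocol -all +TLSv1.2' > "$demo"
audit_ssl_conf "$demo"           # OK TLSv1.2
rm -f "$demo"
```

On the server itself, run `audit_ssl_conf /etc/httpd/conf.d/ssl.conf` after editing and before restarting httpd.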
