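Introduction:
Install SSL on CentOS so the site is served over HTTPS, improving security.
Installation environment and versions:
System: CentOS Linux release 7.5.1804 (Core)
SSL version: installed with yum
1. Installation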
[root@localhost ~]# yum -y install openssl openssl-devel mod_ssl
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.bfsu.edu.cn
...... 35/35
Installed:
mod_ssl.x86_64 1:2.4.6-93.el7.centos openssl-devel.x86_64 1:1.0.2k-19.el7
Dependency Installed:
keyutils-libs-devel.x86_64 0:1.5.8-3.el7 krb5-devel.x86_64 0:1.15.1-46.el7 libcom_err-devel.x86_64 0:1.42.9-17.el7 libkadm5.x86_64 0:1.15.1-46.el7 libselinux-devel.x86_64 0:2.5-15.el7 libsepol-devel.x86_64 0:2.5-10.el7
libverto-devel.x86_64 0:0.2.5-4.el7 pcre-devel.x86_64 0:8.32-17.el7 zlib-devel.x86_64 0:1.2.7-18.el7
Updated:
openssl.x86_64 1:1.0.2k-19.el7
Dependency Updated:
e2fsprogs.x86_64 0:1.42.9-17.el7 e2fsprogs-libs.x86_64 0:1.42.9-17.el7 krb5-libs.x86_64 0:1.15.1-46.el7 libcom_err.x86_64 0:1.42.9-17.el7 libselinux.x86_64 0:2.5-15.el7 libselinux-python.x86_64 0:2.5-15.el7
libselinux-utils.x86_64 0:2.5-15.el7 libsepol.x86_64 0:2.5-10.el7 libss.x86_64 0:1.42.9-17.el7 openssl-libs.x86_64 1:1.0.2k-19.el7 zlib.x86_64 0:1.2.7-18.el7
Complete!
[root@localhost ~]#
2. Configuration
Configuration directory: /etc/httpd/conf.d/
[root@localhost ~]# ll /etc/httpd/conf.d/
total 28
-rw-r--r--. 1 root root 2926 Apr 2 09:13 autoindex.conf
-rw-r--r--. 1 root root 366 Apr 2 09:14 README
-rw-r--r--. 1 root root 9443 Nov 27 2019 ssl.conf
-rw-r--r--. 1 root root 1252 Nov 27 2019 userdir.conf
-rw-r--r--. 1 root root 824 Nov 27 2019 welcome.conf
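Edit the configuration file: vi /etc/httpd/conf.d/ssl.conf
Document root (line 59): #DocumentRoot "/var/www/html"
Domain bound to the CA certificate (line 60): #ServerName www.example.com:443
Protocol versions (line 75): SSLProtocol all -SSLv2 -SSLv3 (for WeChat mini programs, use SSLProtocol -all +TLSv1.2)
Copy the existing CA-issued certificate to the corresponding directory and update the configuration: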
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
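A quick offline check of the edited ssl.conf, as an added example that is not part of the original page: it works out which protocol versions an SSLProtocol line leaves enabled (all -SSLv2 -SSLv3 still allows TLSv1 and TLSv1.1) and flags certificate paths that still point at the localhost.* files. The function names and the www.example.com.crt/.key paths are hypothetical, and the two sample files are constructed.

```shell
# Added example (not from the original page): offline audit of a mod_ssl ssl.conf.
# Assumptions: one SSLProtocol directive is in effect (the last uncommented one),
# and "all" expands to SSLv3 TLSv1 TLSv1.1 TLSv1.2 (httpd 2.4.6 with OpenSSL 1.0.2).
effective_protocols() {
    awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2", known, " ") }
    tolower($1) == "sslprotocol" {
        for (i = 1; i <= n; i++) on[i] = 0
        for (f = 2; f <= NF; f++) {
            tok = tolower($f); sign = ""
            if (tok ~ /^[+-]/) { sign = substr(tok, 1, 1); tok = substr(tok, 2) }
            for (i = 1; i <= n; i++) {
                hit = (tok == "all" || tok == tolower(known[i]))
                if (sign == "") on[i] = hit          # bare token replaces the set
                else if (hit) on[i] = (sign == "+")  # +/- adjusts the set
            }
        }
    }
    END { for (i = 1; i <= n; i++) if (on[i]) out = out (out == "" ? "" : " ") known[i]
          print out }' "$1"
}

# Return 0 when the file passes, 1 otherwise; findings go to stdout.
audit_ssl_conf() {
    rc=0
    protos=$(effective_protocols "$1")
    [ -n "$protos" ] || { echo "WARN: no protocol enabled by an active SSLProtocol"; rc=1; }
    for p in $protos; do
        case $p in SSLv3|TLSv1|TLSv1.1) echo "LEGACY: $p is enabled"; rc=1 ;; esac
    done
    # localhost.crt / localhost.key are the paths shown in the ssl.conf excerpt above.
    if grep -Eq '^[[:space:]]*SSLCertificate(Key)?File[[:space:]]+/etc/pki/tls/(certs|private)/localhost\.' "$1"; then
        echo "WARN: certificate or key still points at the localhost.* files"; rc=1
    fi
    return "$rc"
}

# Constructed sample configs: the settings shown on the page, then a changed version.
write_samples() {
    printf '%s\n' 'SSLProtocol all -SSLv2 -SSLv3' 'SSLCertificateFile /etc/pki/tls/certs/localhost.crt' \
        'SSLCertificateKeyFile /etc/pki/tls/private/localhost.key' > "$1/default.conf"
    printf '%s\n' 'SSLProtocol -all +TLSv1.2' 'SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt' \
        'SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key' > "$1/tls12.conf"
}

d=$(mktemp -d) && write_samples "$d"
audit_ssl_conf "$d/default.conf" || echo "=> default.conf needs changes"
audit_ssl_conf "$d/tls12.conf" && echo "=> tls12.conf passes"
```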
3. Verification
In a browser, enter: https://ip