Centos 5下配置https服务器的方法

[root@centos5 ~]# yum -y install mod_ssl 在线安装mod_ssl
Loading "fastestmirror" plugin
Loading mirror speeds from cached hostfile
* base: centos.candishosting.com.cn
* updates: mirror.khlug.org
* addons: centos.candishosting.com.cn
* extras: centos.candishosting.com.cn
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.i386 1:2.2.3-11.el5_2.centos.4 set to be updated
--> Processing Dependency: libdistcache.so.1 for package: mod_ssl
--> Processing Dependency: libnal.so.1 for package: mod_ssl
--> Running transaction check
---> Package distcache.i386 0:1.4.5-14.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
mod_ssl i386 1:2.2.3-11.el5_2.centos.4 updates

85 k
Installing for dependencies:
distcache i386 1.4.5-14.1 base 119 k

Transaction Summary
=============================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 204 k
Downloading Packages:
(1/2): mod_ssl-2.2.3-11.e 100% |=========================| 85 kB 00:02
(2/2): distcache-1.4.5-14 100% |=========================| 119 kB 00:03
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: distcache ######################### [1/2]
Installing: mod_ssl ######################### [2/2]

Installed: mod_ssl.i386 1:2.2.3-11.el5_2.centos.4
Dependency Installed: distcache.i386 0:1.4.5-14.1
Complete!

[root@centos5 ~]# cd /etc/httpd/conf 进入HTTP服务器配置文件所在目录
[root@centos5 conf]# rm -rf ssl.*/server.* 删除默认或残留的服务器证书相关文件

[root@centos5 ~]# rpm -qa |grep openssl
openssl-0.9.8b-10.el5

[root@centos5 ~]# openssl genrsa -out www.yang.com.key 1024 建立服务器密钥
Generating RSA private key, 1024 bit long modulus
...........................................................++++++
.++++++
e is 65537 (0x10001)

[root@centos5 ~]# openssl req -new -key www.yang.com.key -out www.yang.com.csr 建立服务器公钥

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:OM 输入国名
State or Province Name (full name) [Berkshire]:fuzhou 输入省名
Locality Name (eg, city) [Newbury]:fou 输入城市名
Organization Name (eg, company) [My Company Ltd]:yang 输入组织名（任意）
Organizational Unit Name (eg, section) []:www 不输入，直接回车
Common Name (eg, your name or your server's hostname) []:www.yang.com 输入通称（任意）
Email Address []:admin@yang.com 输入电子邮箱地址

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 不输入，直接回车
An optional company name []: 不输入，直接回车

[root@centos5 ~]# ls -l
total 68
-rw------- 1 root root 986 Jan 31 23:54 anaconda-ks.cfg
drwxr-xr-x 2 root root 4096 Feb 1 02:17 Desktop
-rw-r--r-- 1 root root 0 Feb 1 03:06 Finished
-rw-r--r-- 1 root root 15078 Jan 31 23:54 install.log
-rw-r--r-- 1 root root 2876 Jan 31 23:53 install.log.syslog
-rw-r--r-- 1 root root 0 Feb 1 03:06 Package
-rw-r--r-- 1 root root 0 Feb 1 03:06 Processing
-rw-r--r-- 1 root root 0 Feb 1 03:06 Running
-rw-r--r-- 1 root root 684 Feb 1 04:54 www.yang.com.csr
-rw-r--r-- 1 root root 887 Feb 1 04:52 www.yang.com.key

[root@centos5 ~]# openssl x509 -req -days 365 -in www.yang.com.csr -signkey www.yang.com.key -out www.yang.com.crt 建立服务器证书

Signature ok
subject=/C=OM/ST=fuzhou /L=fou/O=yang/OU=www/CN=www.yang.com/emailAddress=admin@ yang.com
Getting Private key

[root@centos5 ~]# ll
total 72
-rw------- 1 root root 986 Jan 31 23:54 anaconda-ks.cfg
drwxr-xr-x 2 root root 4096 Feb 1 02:17 Desktop
-rw-r--r-- 1 root root 0 Feb 1 03:06 Finished
-rw-r--r-- 1 root root 15078 Jan 31 23:54 install.log
-rw-r--r-- 1 root root 2876 Jan 31 23:53 install.log.syslog
-rw-r--r-- 1 root root 0 Feb 1 03:06 Package
-rw-r--r-- 1 root root 0 Feb 1 03:06 Processing
-rw-r--r-- 1 root root 0 Feb 1 03:06 Running
-rw-r--r-- 1 root root 920 Feb 1 04:57 www.yang.com.crt
-rw-r--r-- 1 root root 684 Feb 1 04:54 www.yang.com.csr
-rw-r--r-- 1 root root 887 Feb 1 04:52 www.yang.com.key

[root@centos5 ~]# vi /etc/httpd/conf.d/ssl.conf 修改SSL的设置文件

# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443

[root@centos5 ~]# /etc/rc.d/init.d/httpd restart 重启服务
Stopping httpd: [ OK ]
Starting httpd: [ OK ]

[root@centos5 ~]# netstat -ntpl |grep 443
tcp 0 0 :::443 :::* LIST

EN 10317/httpd

注：本实验以http://www.centospub.com/make/ssl.html为指导

配置SSL虚拟主机

#vi /etc/httpd/conf/httpd.conf

NameVirtualHost 192.168.0.20:443

NameVirtualHost 192.168.0.20:80
<VirtualHost IP:192.168.0.20:443>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/html
ServerName www. yang.com

SSLEngine on
SSLCertificateFile /etc/httpd/conf/www.yang.com.crt
SSLCertificateKeyFile /etc/httpd/conf/www.yang.com.key

ErrorLog logs/dummy-www.yang.com-error_log
CustomLog logs/dummy-www.yang.com-access_log common
</VirtualHost>
<VirtualHost 192.168.0.20:443>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot /var/www/cgi-bin/openwebmail
ServerName mail.yang.com

SSLEngine on
SSLCertificateFile /etc/httpd/conf/www.yang.com.crt
SSLCertificateKeyFile /etc/httpd/conf/www.yang.com.key

ErrorLog logs/dummy-www.yang.com-error_log
CustomLog logs/dummy-www.yang.com-access_log common
</VirtualHost>

#vi /etc/httpd/conf.d/ssl.conf 添加下面的内容

SSLEngine on
SSLCertificateFile /etc/httpd/conf/www.yang.com.crt
SSLCertificateKeyFile /etc/httpd/conf/www.yang.com.key