创建 CA 目录（说明：本文在同一台主机 node1 上同时充当 CA 和 Web 服务器，仅适合实验环境；生产环境中 CA 私钥应存放在独立、最好离线的主机上，只把签好的证书复制到 Web 服务器）
[root@node1 ~]# mkdir /etc/pki/CA
[root@node1 ~]# cd /etc/pki/CA
[root@node1 CA]# pwd
/etc/pki/CA
[root@node1 CA]#
CA 生成一对密钥（需先创建 private/ 子目录，否则如下所示 genrsa 会报错；用子 shell 加 umask 077 的写法使 cakey.pem 在创建的瞬间即为 0600 权限，后面的 ll 输出可以验证这一点，不要事后再 chmod）
[root@node1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
genrsa: Can't open "private/cakey.pem" for writing, No such file or directory
[root@node1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
genrsa: Can't open "private/cakey.pem" for writing, No such file or directory
[root@node1 CA]# mkdir -p /etc/pki/CA/private
[root@node1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..........................................+++++
.................................................+++++
e is 65537 (0x010001)
[root@node1 CA]# ls
private
[root@node1 CA]# ll private/
total 4
-rw------- 1 root root 1675 Dec 26 20:06 cakey.pem
[root@node1 CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAue+ul0JSXudpEv3b1Uab
7/o6pudQheeyqKM9g+bNS4Y3dCwI90KWqz1HtCjgRk7ws5hdplj5r8h+3c5r8Bq5
kcrhuBOezG/5RUXNZSwH/HQH4+OCskhwD+/v/tvsMcyv5mxGVe8nUCHjTlIEXMvW
pEmWpfiRoH4o257ZtTMNhupSq14SsS4CRjv8EJxzQ0+EOqka7JcAZvczo75mnOVr
ue+lLd0l0fJDC6rGOOSiZ7THQYEJXY6BHzCMsJA1gjafOhEpmDB7zOcDW+x5CwWt
z18aX8x3cHG2TOtNpexz+KxabfTIjOTq/NjO2UdpuqCafW62j1UcI78PnAb3f9eq
jQIDAQAB
-----END PUBLIC KEY-----
[root@node1 CA]#
生成自签署 CA 证书（注意：1) 这里填写的 DN 与后面服务器 CSR 的 DN 完全相同，签出的服务器证书会出现 issuer 与 subject 相同的情况，建议 CA 的 Common Name 改用类似 "runtime Root CA" 的名称以示区分；2) CA 证书 -days 365 与服务器证书同为 365 天，服务器证书不应晚于 CA 证书过期，实验环境之外 CA 证书通常给更长的有效期，如 -days 3650；3) 必须把 cacert.pem 导入客户端的信任库，浏览器才会信任由它签发的证书，本文未展示这一步）
[root@node1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime
Common Name (eg, your name or your server's hostname) []:www.dianjijixu.com
Email Address []:2@233.com
[root@node1 CA]# ls
cacert.pem private
[root@node1 CA]# mkdir certs newcerts crl
[root@node1 CA]# touch index.txt && echo 01 >serial
[root@node1 CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@node1 CA]# cat serial
01
[root@node1 CA]# mkdir -p /usr/local/apache/conf/ssl
[root@node1 CA]# cd /usr/local/apache/conf/ssl
[root@node1 ssl]# ls
[root@node1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....................................................................+++++
.............................+++++
e is 65537 (0x010001)
[root@node1 ssl]# ls
httpd.key
[root@node1 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime
Common Name (eg, your name or your server's hostname) []:www.dianjijixu.com
Email Address []:2@233.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 ssl]#
说明：`openssl req -new` 只生成 CSR，上面输出的 "Ignoring -days" 表示此处的 -days 被忽略，证书有效期由下一步 `openssl ca -days` 决定；challenge password 留空即可，它只是 CSR 中的一个属性，不是私钥口令，也不保护 httpd.key。
[root@node1 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 26 12:14:38 2022 GMT
Not After : Dec 26 12:14:38 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = runtime
organizationalUnitName = runtime
commonName = www.dianjijixu.com
emailAddress = 2@233.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
BB:C4:DD:0D:F7:E5:02:72:A6:E5:22:12:89:D2:C6:55:B8:D3:6E:8D
X509v3 Authority Key Identifier:
keyid:D6:65:E6:E7:52:9E:FB:B1:84:21:4A:5D:81:4E:00:51:6F:F4:9E:93
Certificate is to be certified until Dec 26 12:14:38 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 ssl]#
注意：上面的 Certificate Details 中没有 X509v3 Subject Alternative Name。现代浏览器（Chrome 58 及之后版本等）校验主机名时只看 SAN 而不看 Common Name，即使导入了 cacert.pem 仍会提示证书与域名不匹配。签发时应通过 -extfile 加上 SAN，例如：
printf 'subjectAltName=DNS:www.dianjijixu.com\n' > san.cnf
openssl ca -in httpd.csr -out httpd.crt -days 365 -extfile san.cnf
取消注释（注意：下面行尾的 "//删除#" 是本文的标注，不是 httpd.conf 的注释语法；只删除行首的 #，不要把 // 及后面的文字写进配置文件，否则 httpd 启动时会报语法错误。改完可用 apachectl -t 检查配置）
[root@node1 ~]# cd /usr/local/apache/conf/
[root@node1 conf]# vim httpd.conf
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so //删除#
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
# Virtual hosts
Include conf/extra/httpd-vhosts.conf //删除#
修改文件 httpd-vhosts.conf（下面 tail 输出中两段配置的 ServerName 都是 www.dianjijixu.com，且第一段的 DocumentRoot 被注释掉，疑为粘贴错误；blog.dianjijixu.com 应有自己独立的 ServerName 和 DocumentRoot，否则两个站点会落到同一个 vhost）
[root@node1 ssl]# cd ..
[root@node1 conf]# vim extra/httpd-vhosts.conf
[root@node1 conf]# tail -17 extra/httpd-vhosts.conf
#DocumentRoot "/usr/local/apache/htdocs/www.dianjijixu.com"
ServerName www.dianjijixu.com
ErrorLog "logs/www.dianjijixu.com-error_log"
CustomLog "logs/www.dianjijixu.com-access_log" common
DocumentRoot "/usr/local/apache/htdocs/www.dianjijixu.com"
ServerName www.dianjijixu.com
ErrorLog "logs/www.dianjijixu.com-error_log"
CustomLog "logs/www.dianjijixu.com-access_log" common
[root@node1 conf]#
创建目录 移动文件 重新启动服务
[root@node1 conf]# mkdir -p /usr/local/apache/htdocs/{www.dianjijixu.com,blog.dianjijixu.com}
[root@node1 conf]# ls /usr/local/apache/htdocs
blog.dianjijixu.com index.html www.dianjijixu.com
[root@node1 conf]#
[root@node1 conf]# mv /var/www/html/blog/* /usr/local/apache/htdocs/blog.dianjijixu.com/
[root@node1 conf]# mv /var/www/html/www/* /usr/local/apache/htdocs/www.dianjijixu.com/
[root@node1 conf]# apachectl stop
[root@node1 conf]# apachectl start
[root@node1 conf]#
修改 httpd.conf 文件（同样只删除行首的 #，"//删除注释" 不要写进文件。mod_socache_shmcb 必须一并启用：默认的 httpd-ssl.conf 一般以 shmcb 作为 SSLSessionCache 的后端，缺少该模块时 httpd 会拒绝启动）
[root@node1 conf]# vim httpd.conf
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf //删除注释
#
#LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so //删除注释
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
修改 extra/httpd-ssl.conf 文件（httpd.key 是前面用 umask 077 生成的 0600、属主 root 的文件，httpd 以 root 身份启动时读取它即可，不要为了"方便"放宽权限；DocumentRoot 与日志路径要与前面 vhost 中的保持一致）
[root@node1 conf]# vim extra/httpd-ssl.conf
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/www.dianjijixu.com"
ServerName www.dianjijixu.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/www.dianjijixu.com_error_log"
TransferLog "/usr/local/apache/logs/www.dianjijixu.com_access_log"
# SSL Engine Switch:
SSLCertificateFile "/usr/local/apache/conf/ssl/httpd.crt"
#SSLCertificateFile "/usr/local/apache/conf/server-dsa.crt"
#SSLCertificateFile "/usr/local/apache/conf/server-ecc.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/ssl/httpd.key"
#SSLCertificateKeyFile "/usr/local/apache/conf/server-dsa.key"
#SSLCertificateKeyFile "/usr/local/apache/conf/server-ecc.key"
重启服务（建议先用 apachectl -t 检查配置再重启；重启后除了用 ss 确认 443 端口监听外，还应验证证书链能被本 CA 校验通过：openssl s_client -connect 127.0.0.1:443 -servername www.dianjijixu.com -CAfile /etc/pki/CA/cacert.pem，输出中的 Verify return code 应为 0 (ok)）
[root@node1 conf]# apachectl stop
[root@node1 conf]# apachectl start
[root@node1 conf]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 128 *:80 *:*
[root@node1 conf]#