Configuring an Apache service based on SSL VPN on CentOS 6 and creating the certificate for the service
 
 
yum -y install httpd*

Configuring HTTP SSL on Linux

Install mod_ssl

yum -y install mod_ssl

Start the HTTP service

service httpd start

Stop the firewall. Note that this turns off all iptables filtering on the host, not only the rule that blocks HTTPS.

service iptables stop

Change to the /etc/pki/tls/certs/ directory

cd /etc/pki/tls/certs/

Generate the certificate

make server.crt


umask 77 ; \
        /usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase: // enter the passphrase again
umask 77 ; \
        /usr/bin/openssl req -utf8 -new -key server.key -x509 -days 365 -out server.crt -set_serial 0
Enter pass phrase for server.key: // enter the passphrase for server.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn   // country name (2-letter code)
State or Province Name (full name) []:beijing // state or province (full name)
Locality Name (eg, city) [Default City]:tam // locality name
Organization Name (eg, company) [Default Company Ltd]:xm // organization name
Organizational Unit Name (eg, section) []:shit // organizational unit name
Common Name (eg, your name or your server's hostname) []:localhost // common name
Email Address []:123@qq.com // e-mail address

 

 

Configure ssl.conf: at line 77, uncomment the two commented lines shown in the screenshot and change them to the local IP.

vi /etc/httpd/conf.d/ssl.conf

Edit line 113. The paths must be correct; the second one, the key, is especially critical.

SSLCertificateFile /etc/pki/tls/certs/server.crt

SSLCertificateKeyFile /etc/pki/tls/certs/server.key

Save and quit after making the changes.

Restart the httpd service and enter the passphrase chosen when creating the certificate:

service httpd restart

If this error is reported:

SSLCertificateKeyFile: file '/etc/pki/tls/certs/server.key' does not exist or is empty

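the likely cause is that the key does not exist or is empty. Don't worry: delete the key and the crt, and they can be generated again.

cd /etc/pki/tls/certs/
rm server.key
rm server.crt
make server.crt    # regenerate, then verify again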

 

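OpenSSL verification

Once everything is set up, this step lets the HTTP server restart without asking for the passphrase each time. It rewrites server.key without encryption, so from then on the file's permissions are the only protection for the private key.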

openssl rsa -in server.key -out server.key

The service now restarts directly, with no passphrase prompt.
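
The checks behind the "does not exist or is empty" error and the passphrase-removal step, as an added shell example that is not part of the original article: it confirms that both files exist and are non-empty, that the key is not accessible to other users, whether the key is still passphrase-protected, and that the key matches the certificate. The function names are hypothetical, and openssl and GNU stat are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original page): checks to run on the key and
# certificate before "service httpd restart". Function names are hypothetical.

# True if the file exists and is non-empty; a failure here is the condition
# httpd reports as "does not exist or is empty".
file_present() { [ -s "$1" ]; }

# True if the PEM private key is passphrase-protected (traditional or PKCS#8).
key_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# True if group and other have no permission bits on the file.
key_private() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$(( 0$mode & 077 ))" -eq 0 ]
}

# True if the key's public half equals the public key in the certificate.
# $3 is an optional openssl -passin value; the default empty passphrase makes
# an encrypted key fail instead of prompting.
pair_matches() {
    k=$(openssl pkey -in "$1" -passin "${3:-pass:}" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

check_tls_pair() {
    for f in "$1" "$2"; do
        file_present "$f" || { echo "FAIL: $f does not exist or is empty"; return 1; }
    done
    key_private "$1" || echo "WARN: $1 is accessible to group or other"
    if key_encrypted "$1"; then
        echo "INFO: key is passphrase-protected; httpd will prompt on restart"
    else
        echo "INFO: key is unencrypted; file permissions are its only protection"
    fi
    pair_matches "$1" "$2" "$3" ||
        { echo "FAIL: key and certificate do not match (or passphrase not supplied)"; return 1; }
    echo "OK: $1 and $2 are usable together"
}

# Usage: sh check_tls_pair.sh /etc/pki/tls/certs/server.key /etc/pki/tls/certs/server.crt
if [ "$#" -ge 2 ]; then check_tls_pair "$@"; fi
```

For a key that still has its passphrase, pass an openssl -passin value such as file:/path/to/passfile as the third argument.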

 

 
