1. Install the dedicated mod_ssl module
[root@contos7 ~]# yum install mod_ssl
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.4.6-80.el7.centos will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================================================================
 Package              Arch              Version                            Repository              Size
======================================================================================================================
Installing:
 mod_ssl              x86_64            1:2.4.6-80.el7.centos              base                    111 k

Transaction Summary
======================================================================================================================
Install  1 Package

Total download size: 111 k
Installed size: 224 k
Is this ok [y/d/N]: y
Downloading packages:
mod_ssl-2.4.6-80.el7.centos.x86_64.rpm                                      | 111 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:mod_ssl-2.4.6-80.el7.centos.x86_64                                            1/1
  Verifying  : 1:mod_ssl-2.4.6-80.el7.centos.x86_64                                            1/1

Installed:
  mod_ssl.x86_64 1:2.4.6-80.el7.centos

Complete!
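2. Request a CA certificate
To generate a certificate, first generate a private key for the server, then use that key to produce its certificate file: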
[root@contos7 ~]# cd /etc/pki/CA
[root@contos7 /etc/pki/CA]# (umask 066;openssl genrsa -out private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....++
.........................................................++
e is 65537 (0x10001)
[root@contos7 /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:ZhengZhou
Organization Name (eg, company) [Default Company Ltd]:Magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@contos7 /etc/pki/CA]# touch index.txt
[root@contos7 /etc/pki/CA]# echo 00 > serial
[root@contos7 /etc/pki/CA]# mkdir /etc/httpd/conf.d/ssl
[root@contos7 /etc/pki/CA]# cd /etc/httpd/conf.d/ssl/
[root@contos7 /etc/httpd/conf.d/ssl]# (umask 066;openssl genrsa -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
......++++++
.............++++++
e is 65537 (0x10001)
[root@contos7 /etc/httpd/conf.d/ssl]# openssl req -new -key httpd.key -out httpd.csr
[root@contos7 /etc/httpd/conf.d/ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
[root@contos7 /etc/httpd/conf.d/ssl]# cp /etc/pki/CA/cacert.pem .
3. Edit the .conf configuration file
Change the directives to the following three lines:
[root@contos7 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
4. Modify the configuration file
[root@contos7 ~]# vim /etc/httpd/conf.d/vhost.conf
<VirtualHost *:443>
    ServerName www.baidu.com
    DocumentRoot "/app/website1"
    CustomLog "logs/www.baidu.com_access_log" combined
    <Directory "/app/website1">
        Require all granted
    </Directory>
</VirtualHost>
5. Restart the service
[root@contos7 ~]# systemctl restart httpd
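
An added example, not part of the original page: a POSIX shell check to run before restarting httpd, confirming that httpd.key belongs to httpd.crt, that httpd.crt verifies against cacert.pem, and that the RSA key meets a minimum size. The function names and the 2048-bit threshold are assumptions of this example; the 1024-bit httpd.key generated in step 2 is reported as weak.

```shell
#!/bin/sh
# Added example: sanity-check the files referenced by ssl.conf before restarting httpd.
MIN_RSA_BITS=2048   # assumption of this example, not a value from the page

# Print the RSA modulus size of a private key, e.g. "1024".
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the private key ($1) and the certificate ($2) share a public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the certificate ($2) verifies against the CA file ($1).
# The output is parsed instead of trusting the exit status, because some
# older OpenSSL releases exit 0 even when verification fails.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run all three checks; args: private key, certificate, CA certificate.
check_tls_material() {
    rc=0
    bits=$(key_bits "$1")
    if [ "${bits:-0}" -lt "$MIN_RSA_BITS" ]; then
        echo "WEAK: $1 is ${bits:-unknown}-bit RSA, below $MIN_RSA_BITS"; rc=1
    fi
    key_matches_cert "$1" "$2" || { echo "MISMATCH: $1 is not the key for $2"; rc=1; }
    chain_ok "$3" "$2" || { echo "UNTRUSTED: $2 does not verify against $3"; rc=1; }
    return "$rc"
}

# Usage: sh check_tls.sh httpd.key httpd.crt cacert.pem
if [ "$#" -eq 3 ]; then
    check_tls_material "$@"
fi
```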