https
Hypertext Transfer Protocol Secure (HTTPS, also called HTTP over TLS, HTTP over SSL or HTTP Secure) is a protocol for secure transport over a network. On a computer network, HTTPS communicates via the Hypertext Transfer Protocol but uses SSL/TLS to encrypt the packets. The main purpose of HTTPS is to authenticate the web server and to protect the privacy and integrity of the data being exchanged. The protocol was first proposed by Netscape in 1994 and later spread across the Internet.
Configuration steps:
A. Request a digital certificate for the server
B. Configure httpd to support SSL and to use the certificate
C. Test access to the corresponding host over HTTPS
Build a private CA
Note: preferably build the private CA on a CentOS 7 host; otherwise the CA's signature digest is too weak and the browser reports an error. If you can only work on CentOS 6, edit /etc/pki/tls/openssl.cnf and change default_md = sha1 to sha256.
(umask 077;openssl genrsa -out private/cakey.pem 1024) ## genrsa accepts no -md option: the digest is chosen when a certificate is signed (openssl req / openssl ca), not when the key is generated
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
touch serial index.txt
echo 01 > serial
Configure httpd to support SSL and to use the certificate
httpd installed from the rpm package
For an httpd installed from rpm, the mod_ssl package is required; it can be installed directly as an rpm. After installing it, first request a certificate:
(umask 077;openssl genrsa -out http.key 2048)
openssl req -new -key http.key -out http.csr
Once generated, send the request to the CA server to have the certificate issued:
openssl ca -in /tmp/http.csr -out certs/http.crt -days 2000
After signing, transfer the certificate back to the httpd server.
Installing mod_ssl creates the configuration file /etc/httpd/conf.d/ssl.conf. Open it and configure:
...
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html" ## location of the web pages
#ServerName www.example.com:443
ServerName www.roger.com ## host name
...
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/conf/ssl/http.crt ## certificate location

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/conf/ssl/http.key ## private key location
...
When done, check the syntax of the configuration file:
[root:ssl]# httpd -t
Syntax OK
If there are no problems, restart the service and check the listening ports:
[root:ssl]# ss -ntal
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 :::80 :::*
LISTEN 0 3 ::1:53 :::*
LISTEN 0 3 172.16.253.113:53 *:*
LISTEN 0 3 127.0.0.1:53 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 *:22 *:*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 ::1:953 :::*
LISTEN 0 128 127.0.0.1:953 *:*
LISTEN 0 128 :::443 :::*
Test access to the corresponding host over HTTPS
Once you have confirmed that ports 80 and 443 are listening, test with the following command:
openssl s_client -connect 172.16.253.113:443 -CAfile cacert.pem
If no connection error is reported, output like the following appears:
CONNECTED(00000003)
depth=0 C = CN, ST = beijing, O = roger, OU = it, CN = www.roger.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = CN, ST = beijing, O = roger, OU = it, CN = www.roger.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = CN, ST = beijing, O = roger, OU = it, CN = www.roger.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=CN/ST=beijing/O=roger/OU=it/CN=www.roger.com
i:/C=CN/ST=beijing/L=beijing/O=roger/OU=it/CN=www.roger.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CN/ST=beijing/O=roger/OU=it/CN=www.roger.com
issuer=/C=CN/ST=beijing/L=beijing/O=roger/OU=it/CN=www.roger.com
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1510 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: B10E1BDF09128850EAED0EC8511345CE31F54A93F1CECA4301209D3370A69864
Session-ID-ctx:
Master-Key: B6B08AF09022A171F8EFDA07C3397785ABF61F5C8ADED40DFBC9F5011A79F76824476819EC33DB15AE4D9178E81CD383
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - fd 27 18 4c 72 68 f6 1b-2f 3f 18 1f 63 55 4a 13 .'.Lrh../?..cUJ.
0010 - 37 ec 3b ac 26 af 28 22-66 f7 12 42 af f4 10 fd 7.;.&.("f..B....
0020 - 17 b1 9b 85 55 28 d8 69-ca 0e f4 e6 1e fa 8a d9 ....U(.i........
0030 - 04 03 5d 08 d9 e2 50 ba-19 dd 6d 0b 1e bd 95 8b ..]...P...m.....
0040 - 80 24 d6 4b 49 3d a6 2f-41 e3 b0 4f 1a 6f 42 f3 .$.KI=./A..O.oB.
0050 - 0c a1 0b e0 bc 80 c6 77-0a 8c 5c 63 52 dd cf f3 .......w..\cR...
0060 - c8 c5 81 5a 6b 5e 0a 8a-73 53 5d 0b 2e 5a c5 38 ...Zk^..sS]..Z.8
0070 - 57 60 a7 5a b8 f4 4a d7-79 8e 6a ac 58 c6 db 00 W`.Z..J.y.j.X...
0080 - 3a a1 49 ef ad 45 c1 c9-1e 4d fc 81 cb 5b ae 37 :.I..E...M...[.7
0090 - 4a 54 e7 07 7a 82 d9 37-1f 59 1e 97 52 0d 80 5b JT..z..7.Y..R..[
00a0 - 7c 03 ac 5a a0 d6 18 a4-92 81 1b 7b dc 5f eb 61 |..Z.......{._.a
00b0 - 6a 41 eb 5c d9 11 c3 3e-33 de 0a e2 c6 7a 45 d6 jA.\...>3....zE.
Start Time: 1481643204
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
HTTPS is configured: the TLS 1.2 handshake completes and the server returns its certificate. Note that "Verify return code: 21 (unable to verify the first certificate)" in the output above means s_client could not find the issuer of the server certificate in the file passed with -CAfile; when the matching cacert.pem is supplied, the last line reads "Verify return code: 0 (ok)".
To access the site from a browser, import the root CA certificate into the browser; the https URL can then be opened.
When signing a certificate, the digest can be specified on the command line instead of editing the configuration file:
openssl ca -md sha512 -in /usr/local/apache2.4/conf/http.csr -out certs/http.crt -days 1200 ### sign the certificate
openssl req -sha224 -new -x509 -key private/cakey.pem -out cacert.pem -days 7000 ## self-signed CA certificate
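The three steps above (build a private CA, sign the server's certificate, check the result) and the digest options just shown, as one self-contained script. This is an added example, not the article's own commands: instead of the system /etc/pki/tls/openssl.cnf it writes a minimal openssl.cnf of its own into a temporary directory, the CA name, the host name www.example.test and all paths are constructed, and the final check uses openssl verify (which works offline) rather than s_client against a running httpd. The point of the check is the distinction the s_client output above blurs: a certificate signed by the CA passes ("OK"), while a name mismatch or the wrong CA file fails, which is what the verify return codes 20, 21 and 27 report.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a throwaway private CA
# with `openssl ca`, issues a server certificate, then verifies the chain.
# Assumed/constructed: temporary directory layout, CA and host names.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CADIR="$WORK/ca"
SRVDIR="$WORK/server"
HOST="www.example.test"

# Step A: CA directory layout (serial, index.txt, certs, newcerts) and a minimal
# openssl.cnf. default_md = sha256 is the setting the note above says to change;
# basicConstraints CA:TRUE marks the root as a CA, which openssl verify requires
# for an X.509v3 trust anchor.
build_ca() {
    mkdir -p "$CADIR/private" "$CADIR/certs" "$CADIR/newcerts"
    touch "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database        = $CADIR/index.txt
new_certs_dir   = $CADIR/newcerts
serial          = $CADIR/serial
certificate     = $CADIR/cacert.pem
private_key     = $CADIR/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = v3_server

[ policy_any ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
subjectAltName   = DNS:$HOST
EOF
    # CA key is created with umask 077 so only root can read it; 2048 bits.
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    # Self-signed root; -sha256 is the command-line form of default_md.
    openssl req -new -x509 -sha256 -days 3650 \
        -config "$CADIR/openssl.cnf" -extensions v3_ca \
        -key "$CADIR/private/cakey.pem" -subj "/O=Example Private CA/CN=Example Root" \
        -out "$CADIR/cacert.pem"
}

# Step B: the web server makes its key and CSR; the CA signs the CSR with
# `openssl ca`, writing the certificate under certs/ exactly as in the article.
issue_server_cert() {
    mkdir -p "$SRVDIR"
    (umask 077; openssl genrsa -out "$SRVDIR/http.key" 2048 2>/dev/null)
    openssl req -new -config "$CADIR/openssl.cnf" \
        -key "$SRVDIR/http.key" -subj "/O=Example/CN=$HOST" -out "$SRVDIR/http.csr"
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" -md sha256 \
        -in "$SRVDIR/http.csr" -out "$CADIR/certs/http.crt" -days 365 2>/dev/null
    cp "$CADIR/certs/http.crt" "$SRVDIR/http.crt"   # "transfer back" to the web server
}

# Step C: verify chain and host name the way a browser would.
# $1 = CA file, $2 = certificate to check, $3 = expected host name. Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

build_ca
issue_server_cert
verify_chain "$CADIR/cacert.pem" "$SRVDIR/http.crt" "$HOST"           # OK
verify_chain "$CADIR/cacert.pem" "$SRVDIR/http.crt" "other.example"   # FAIL: name mismatch
verify_chain "$SRVDIR/http.crt"  "$SRVDIR/http.crt" "$HOST"           # FAIL: issuer not in CA file
```

The last line reproduces the situation in the s_client output above: when the file given as the trust anchor does not contain the issuer of the server certificate, verification fails even though the TLS handshake itself would still succeed. For a real deployment, replace the constructed names and copy cacert.pem to the clients (or import it into the browser) as the article describes.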
Original article by 王更生; if you repost it, please cite the source: http://www.178linux.com/64409