Upgrading keystone to an HTTPS service encrypted with a certificate
2021-04-12 13:26
Original article: https://blog.51cto.com/14308623/2475023
1. Create the server private key
2. Create the server public key
3. Create the server certificate
4. Configure SSL
5. Restart the HTTP service so that SSL takes effect
Local configuration file: /etc/httpd/conf.d/ssl_saturn.conf
[root@controller ~]# yum install -y mod_ssl //install mod_ssl online
已加载插件:fastestmirror
centos | 3.6 kB 00:00:00
iaas | 2.9 kB 00:00:00
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 mod_ssl.x86_64.1.2.4.6-40.el7.centos.4 将被 安装
--> 解决依赖关系完成
依赖关系解决
========================================================================================================================================
Package 架构 版本 源 大小
========================================================================================================================================
正在安装:
mod_ssl x86_64 1:2.4.6-40.el7.centos.4 iaas 104 k
事务概要
========================================================================================================================================
安装 1 软件包
总下载量:104 k
安装大小:224 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安装 : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64 1/1
验证中 : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64 1/1
已安装:
mod_ssl.x86_64 1:2.4.6-40.el7.centos.4
完毕!
Configure mod_ssl on the HTTP server
[root@controller ~]# cd /etc/pki/tls/certs/ //change to the TLS certificate directory used by the HTTP server
[root@controller ~]# make server.key //create the server private key
umask 77 ; /usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
................++++++
......++++++
e is 65537 (0x10001)
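Enter pass phrase: //enter the passphrase here
Verifying - Enter pass phrase: //confirm the passphrase by entering it again
[root@controller ~]# openssl rsa -in server.key -out server.key //remove the passphrase from the key (so that it is not requested when the system starts)
Enter pass phrase for server.key: //enter the passphrase
writing RSA key
[root@controller ~]# make server.csr //create the server public key as a certificate signing request (CSR)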
umask 77 ;
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN //enter the country code
State or Province Name (full name) [Berkshire]:Xinjiang //enter the province name
Locality Name (eg, city) [Newbury]:Shihezi //enter the city name
Organization Name (eg, company) [My Company Ltd]:www.msdn.com //enter the organization name (any value)
Organizational Unit Name (eg, section) []: //leave empty, just press Enter
Common Name (eg, your name or your server's hostname) []:www.msdn.com //enter the common name (any value)
Email Address []:zq@qq.com //enter the e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //leave empty, just press Enter
An optional company name []: //leave empty, just press Enter
[root@controller ~]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365 //create the server certificate (self-signed with server.key, valid for 365 days)
Signature ok
subject=/C=CN/ST=Xinjiang/L=Shihezi/O=www.51cto.com/emailAddress=xiandian@qq.com
Getting Private key
Enter pass phrase for server.key:
140645233670048:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
[root@controller ~]# chmod 400 server.* //set the permissions to 400
[root@controller ~]# vi /etc/httpd/conf.d/ssl.conf //edit the SSL configuration file
#DocumentRoot "/var/www/html" //find this line and remove the leading "#"
↓
DocumentRoot "/var/www/html" //so that it reads like this
[root@controller]# systemctl restart httpd.service //restart the HTTP server
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
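
An added example, not part of the original post: a shell check for the key and certificate pair produced by the steps above. It flags an RSA key shorter than 2048 bits (the make server.key run in the transcript generated a 1024-bit key), a certificate that does not belong to the key, a key file that group or others can access, and an expired certificate. The function names, the 2048-bit minimum and the www.example.test subject are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the RSA modulus size in bits of an unencrypted private key.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the certificate carries the public half of the key.
pair_matches() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if group and others have no access at all (for example mode 400).
owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one finding per line; print nothing and return 0 when the pair is clean.
# The 2048-bit minimum is this example's assumption.
audit_pair() {
    key=$1; cert=$2; rc=0
    bits=$(key_bits "$key")
    if [ "${bits:-0}" -lt 2048 ]; then echo "WEAK_KEY ${bits:-0}"; rc=1; fi
    pair_matches "$key" "$cert" || { echo "KEY_CERT_MISMATCH"; rc=1; }
    owner_only "$key" || { echo "KEY_READABLE_BY_OTHERS"; rc=1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "CERT_EXPIRED_OR_UNREADABLE"; rc=1; }
    return $rc
}

# Constructed sample input: a self-signed pair built without prompts.
# The subject CN www.example.test is a placeholder.
make_pair() {   # usage: make_pair <bits> <key-file> <cert-file>
    ( umask 077
      openssl genrsa -out "$2" "$1" 2>/dev/null &&
      openssl req -new -x509 -key "$2" -out "$3" -days 365 \
          -subj "/C=CN/CN=www.example.test" 2>/dev/null )
}
```

Running audit_pair server.key server.pem inside /etc/pki/tls/certs checks the files from the transcript; no output and exit status 0 mean none of the four findings applied.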
Article link: http://soscw.com/essay/74730.html