#------------------------------------------------------------------------------------------------------
#1.建立 vim ssl.conf 設定檔
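[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
# Extensions below are copied into the self-signed certificate by `req -x509`.
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Abow Inc.
OU = IT Department
emailAddress = abowspy@gmail.com
CN = www.abowspy.tw

[v3_req]
# Modern browsers match only the SAN list and ignore CN, so every host name
# or address used to reach the server must appear in [alt_names].
subjectAltName = @alt_names
# serverAuth EKU and a TLS-appropriate keyUsage: some client platforms reject
# TLS server certificates that lack them even when the cert is explicitly
# trusted. Harmless for clients that do not check.
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment

[alt_names]
DNS.1 = www.abowspy.tw
# An IP address must be an iPAddress SAN (IP.n), not a dNSName entry.
# A literal IP in a DNS.n entry is not matched by browsers/TLS libraries,
# so https://192.168.1.201 would still fail validation.
IP.1 = 192.168.1.201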
#設定檔的 [alt_names] 區段用來設定憑證的 subjectAltName (SAN),這部分相當重要:現代瀏覽器 (例如 Chrome 58 以後) 只比對 SAN 而不看 CN,如果沒有設定的話,憑證會被視為無效憑證。
#這部分你要設定幾組名稱都可以,基本上沒有什麼上限。因為自簽憑證主要目的是用來開發測試之用,建議可以把可能會用到的本機域名 (localhost) 或是區域網路的 IP 地址都加上去,以便後續進行遠端連線測試;注意域名要用 DNS.n 設定,IP 地址則必須用 IP.n 設定 (例如 IP.1 = 192.168.1.201),放在 DNS.n 裡的 IP 不會被比對。
#------------------------------------------------------------------------------------------------------
#2.透過 OpenSSL 命令產生出自簽憑證與相對應的私密金鑰,建立用domain名稱當作檔案名稱
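# Generate the self-signed certificate and its private key, named after the
# domain. The subshell umask makes the key file 0600 from the moment it is
# created; older OpenSSL releases otherwise honour the shell's default umask
# (typically 0644), leaving a world-readable key in the working directory
# until step 3 copies it. -nodes leaves the key unencrypted so the web server
# can read it unattended.
# NOTE(review): 3650 days is generous even for a dev cert; some client
# platforms reject TLS server certificates valid for more than 825 days —
# confirm against the devices you test with.
(umask 077 && openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout www.abowspy.tw.key -out www.abowspy.tw.crt -config ssl.conf)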
*** Nginx設定 ***
#------------------------------------------------------------------------------------------------------
#3.建立存放憑證的資料夾,並且把憑證copy過去,並且key給0600權限
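# Create the certificate directory and install the files with their final
# mode set at creation time. cp followed by chmod leaves a window in which
# the copied key can be world-readable; install(1) never does.
install -d -m 0755 /etc/nginx/ssl
install -m 0644 *.crt /etc/nginx/ssl/
install -m 0600 *.key /etc/nginx/ssl/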
#------------------------------------------------------------------------------------------------------
#4.設定nginx設定檔案 vim /etc/nginx/conf.d/default.conf
在原本listen 80;底下加入這幾行
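listen 443 ssl;
ssl_certificate /etc/nginx/ssl/www.abowspy.tw.crt;
ssl_certificate_key /etc/nginx/ssl/www.abowspy.tw.key;
# Without an explicit list, nginx builds older than 1.23.4 (common on
# yum-based distros) still offer TLS 1.0/1.1 by default. Restrict to
# current versions. (TLSv1.3 needs nginx >= 1.13.0; on builds whose
# OpenSSL lacks TLS 1.3 the token is accepted and ignored — confirm.)
ssl_protocols TLSv1.2 TLSv1.3;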
#------------------------------------------------------------------------------------------------------
#5.重新啟動 nginx
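# Validate the configuration first; a plain restart with a bad config takes
# the site down instead of leaving the running instance untouched.
nginx -t && systemctl restart nginx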
*** Apache設定 ***
#------------------------------------------------------------------------------------------------------
#1.要先確認mod_ssl有無安裝
# Install mod_ssl only if the package is not already present.
rpm -q mod_ssl >/dev/null 2>&1 || yum -y install mod_ssl
#------------------------------------------------------------------------------------------------------
#2.建立存放憑證的資料夾,並且把憑證copy過去,並且key給0600權限
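# Install the files with their final mode set at creation time. cp followed
# by chmod leaves a window in which the copied key can be world-readable;
# install(1) never does. /etc/pki/tls/private is already root-only on RHEL
# derivatives, so the key mode is defence in depth.
install -m 0644 *.crt /etc/pki/tls/certs/
install -m 0600 *.key /etc/pki/tls/private/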
#------------------------------------------------------------------------------------------------------
#3.編輯vim /etc/httpd/conf.d/vhosts.conf
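<VirtualHost *:80>
    ServerName www.abowspy.tw
    DocumentRoot /var/www/html/
    # NOTE(review): plain HTTP stays reachable here; add a Redirect to
    # https:// once the HTTPS vhost below is confirmed working.
</VirtualHost>
<VirtualHost *:443>
    ServerName www.abowspy.tw
    SSLEngine on
    # Disable the legacy protocol versions, not just SSLv3: TLS 1.0/1.1 are
    # deprecated. (-SSLv2 was dropped; SSLv2 is not offered by current
    # httpd/OpenSSL builds, so it was a no-op — confirm for your build.)
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # The original "HIGH:3DES" explicitly re-enabled the 64-bit-block 3DES
    # suites (SWEET32). Exclude them; "!3DES" also covers OpenSSL builds
    # that still rate 3DES as HIGH.
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!SEED:!IDEA
    # Prefer the server's ordering so a client cannot steer to a weaker suite.
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/pki/tls/certs/www.abowspy.tw.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.abowspy.tw.key
    DocumentRoot /var/www/html/
</VirtualHost>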
#------------------------------------------------------------------------------------------------------
#4.重新啟動 apache
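# Validate the configuration first; a plain restart with a bad vhost file
# takes the server down instead of leaving the running instance untouched.
apachectl configtest && systemctl restart httpd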
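# NOTE(review): this directive sat outside any <VirtualHost>, and no step on
# this page creates example-ca.crt; mod_ssl refuses to start when a configured
# certificate file does not exist. A self-signed certificate has no chain, so
# the directive is not needed for this setup. For a CA-issued certificate,
# append the intermediate(s) after the server cert in SSLCertificateFile
# (httpd >= 2.4.8, where SSLCertificateChainFile is deprecated) or place the
# line below inside the *:443 vhost:
# SSLCertificateChainFile /etc/pki/tls/certs/example-ca.crt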