# Generate private key
openssl genrsa -out ca.key 2048
# Generate CSR
openssl req -new -key ca.key -out ca.csr
# Generate self-signed certificate
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Copy the files to the correct locations
cp ca.crt /etc/pki/tls/certs
cp ca.key /etc/pki/tls/private/ca.key
cp ca.csr /etc/pki/tls/private/ca.csr
Original version: this creates CA certificate (?)
yum install mod_ssl
mkdir -p /etc/httpd/ssl/ && cd /etc/httpd/ssl/
openssl req -x509 -nodes -days $((20*365)) -newkey rsa:2048 -keyout /etc/httpd/ssl/server.key -out /etc/httpd/ssl/server.crt
Generating a 2048 bit RSA private key
..........................................+++
...........................................................+++
writing new private key to '/etc/httpd/ssl/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:xx
State or Province Name (full name) []:City
Locality Name (eg, city) [Default City]:City
Organization Name (eg, company) [Default Company Ltd]:XYZ, Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:domain.name.org
Email Address []:my@emajl.com

The most important thing is to specify the "Common Name" as the fully qualified hostname (resolvable by DNS) or, at least, the IP address.
then add to:
vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/ssl/server.key

To make SELinux happy, restore context:
restorecon -RvF /etc/httpd/ssl
Finally,
service httpd restart

and check your success:
https://www.ssllabs.com/ssltest/
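
A check to run before the restart, as an added example that is not part of the original post: current browsers match the host name against the certificate's subjectAltName rather than the Common Name, so this sketch sets both from a config file, then verifies the name and that key and certificate belong together. The function names, the 365-day default and the scratch directory are assumptions; `-checkhost` needs OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# make_selfsigned HOST DIR [DAYS]: write DIR/server.key and DIR/server.crt
make_selfsigned() {
    host=$1; dir=$2; days=${3:-365}
    cnf=$(mktemp) || return 1
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 so the private key is never group- or world-readable
    ( umask 077
      openssl req -x509 -nodes -days "$days" -newkey rsa:2048 -config "$cnf" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
    rc=$?
    rm -f "$cnf"
    return $rc
}

# cert_covers_host CERT HOST: succeed only if CERT is valid for HOST
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo in a scratch directory, using the host name from the sample DN above
demo=$(mktemp -d)
make_selfsigned domain.name.org "$demo" &&
    cert_covers_host "$demo/server.crt" domain.name.org &&
    key_matches_cert "$demo/server.key" "$demo/server.crt" &&
    echo "certificate OK for domain.name.org"
rm -rf "$demo"
```

On the server itself, point the two check functions at /etc/httpd/ssl/server.crt and /etc/httpd/ssl/server.key; a mismatched pair makes httpd refuse to start.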