yum install httpd php
1. Configure the CA server

vim /etc/pki/tls/openssl.cnf

Edit line 45 to change the directory where certificates are stored.
Before:
dir = ../../CA
After:
dir = /etc/CA

Edit line 178 so that the server supports self-signing.
Before:
#basicConstraints=CA:FALSE
After (self-signed certificates can now be used):
basicConstraints=CA:TRUE

cd /etc/pki/CA

Configure the script that generates the CA certificate (line 42):

vim /etc/pki/tls/misc/CA

Before:
CATOP=../../CA
After:
CATOP=/etc/CA

Run the script to generate the CA certificate:

/etc/pki/tls/misc/CA -newca

CA certificate filename (or enter to create)    (press Enter)
Making CA certificate ...
Generating a 1024 bit RSA private key
.++++++
....................................................................................++++++
writing new private key to '/etc/CA/private/./cakey.pem'
Enter PEM pass phrase:    (enter the protecting passphrase: 111111)
Verifying - Enter PEM pass phrase:    (confirm the passphrase: 111111)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:school
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:server11.com
Email Address []:chengfeng56@126.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/./cakey.pem:111111
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jul 17 01:20:16 2013 GMT
            Not After : Jul 16 01:20:16 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = school
            organizationalUnitName    = it
            commonName                = server11.com
            emailAddress              = chengfeng56@126.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                37:A5:4E:79:72:DF:51:1A:EF:9D:43:D1:9C:2E:24:92:70:D3:FF:64
            X509v3 Authority Key Identifier:
                keyid:37:A5:4E:79:72:DF:51:1A:EF:9D:43:D1:9C:2E:24:92:70:D3:FF:64

Certificate is to be certified until Jul 16 01:20:16 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Configure the web server

Generate the web server's own private key:

openssl genrsa -des3 -out /etc/httpd/conf.d/server.key

Generating RSA private key, 512 bit long modulus
........++++++++++++
......++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key: 111111
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 111111

Generate the certificate request (identity information + public key):

openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr

Enter pass phrase for /etc/httpd/conf.d/server.key:111111
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:school
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:server11.com
Email Address []:chengfeng56@126.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Send the certificate request to the CA.

The CA server digitally signs the certificate request:

openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt

/etc/CA/private/cakey.pem    CA private key
/tmp/server.csr              certificate request
/etc/CA/cacert.pem           CA certificate
/tmp/server.crt              name of the signed digital certificate
/etc/httpd/conf.d            location of the web server's private key

Error:
failed to update database
TXT_DB error number 2

Fix: in /etc/CA, change yes to no in index.txt.attr:

cd /etc/CA
vim index.txt.attr

Before:
unique_subject = yes
After:
unique_subject = no

Issue the signed digital certificate to the web server:

cp /tmp/server.crt /etc/httpd/conf.d/

Configure the web server to support SSL so that it serves HTTPS

yum install mod_ssl
vim /etc/httpd/conf.d/ssl.conf

Edit line 112 (the signed digital certificate).
Before:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
After:
SSLCertificateFile /etc/httpd/conf.d/server.crt

Edit line 119 (the web server's private key).
Before:
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
After:
SSLCertificateKeyFile /etc/httpd/conf.d/server.key

Start the httpd service and enter the passphrase when prompted:

service httpd restart

Verify that the site is trusted

Copy the file /etc/CA/private/cakey.pem to the FTP directory, then import this file into the browser: Firefox, Edit, Preferences, Advanced, View Certificates, Import, locate the CA certificate, tick all three checkboxes, OK.
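
A post-deployment check for the files this procedure produces, as an added example that is not part of the original page. It assumes the openssl command-line tool is installed; the function names and the PASSIN variable are hypothetical. It confirms that the file handed to browsers is a certificate (here /etc/CA/cacert.pem) with no private key in it, that server.crt verifies against the CA, that server.key belongs to server.crt, and that the key file is not accessible to group or other.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): checks for the files this setup produces.

# Classify a PEM file by its header. A private key anywhere in the file wins,
# so a combined certificate+key bundle is still reported as private-key.
pem_kind() {
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then echo private-key
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo certificate
    elif grep -q -e '-----BEGIN .*CERTIFICATE REQUEST-----' "$1"; then echo csr
    else echo unknown
    fi
}

# A file handed to browsers must be a certificate with no private key in it.
safe_to_publish() { [ "$(pem_kind "$1")" = certificate ]; }

# True when server certificate $2 verifies against CA certificate $1. The output
# is matched instead of the exit status, which some older OpenSSL releases
# leave at 0 even when verification fails.
signed_by_ca() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }

# True when private key $1 and certificate $2 carry the same public key.
# PASSIN (hypothetical variable of this example) is an optional openssl
# -passin source, e.g. file:/path, for a passphrase-protected key.
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" ${PASSIN:+-passin "$PASSIN"} -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when the key file grants nothing to group or other (e.g. mode 600).
key_perms_ok() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# Run all checks: args are CA certificate, server certificate, server key.
# Prints one line per failed check and returns non-zero if any check failed.
check_deployment() {
    local rc=0
    safe_to_publish "$1"       || { echo "FAIL: $1 is not a bare certificate"; rc=1; }
    signed_by_ca "$1" "$2"     || { echo "FAIL: $2 does not verify against $1"; rc=1; }
    key_matches_cert "$3" "$2" || { echo "FAIL: $3 does not match $2"; rc=1; }
    key_perms_ok "$3"          || { echo "FAIL: $3 is accessible to group/other"; rc=1; }
    return "$rc"
}
# With this page's paths:
# check_deployment /etc/CA/cacert.pem /etc/httpd/conf.d/server.crt /etc/httpd/conf.d/server.key
```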