[root@node1 ~]# mkdir /etc/pki/CA
[root@node1 ~]# cd /etc/pki/CA
[root@node1 CA]# pwd
[root@node1 CA]#
[root@node1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
genrsa: Can't open "private/cakey.pem" for writing, No such file or directory
[root@node1 CA]# mkdir -p /etc/pki/CA/private
[root@node1 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)
[root@node1 CA]# ls
[root@node1 CA]# ll private/
total 4
-rw------- 1 root root 1675 Dec 26 20:06 cakey.pem
[root@node1 CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----END PUBLIC KEY-----
[root@node1 CA]#
[root@node1 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime
Common Name (eg, your name or your server's hostname) []:www.dianjijixu.com
Email Address []:2@233.com
[root@node1 CA]# ls
cacert.pem private
[root@node1 CA]# mkdir certs newcerts crl
[root@node1 CA]# touch index.txt && echo 01 >serial
[root@node1 CA]# ls
cacert.pem certs crl index.txt newcerts private serial
[root@node1 CA]# cat serial
[root@node1 CA]# mkdir -p /usr/local/apache/conf/ssl
[root@node1 CA]# cd /usr/local/apache/conf/ssl
[root@node1 ssl]# ls
[root@node1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)
[root@node1 ssl]# ls
[root@node1 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime
Common Name (eg, your name or your server's hostname) []:www.dianjijixu.com
Email Address []:2@233.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 ssl]#
[root@node1 ssl]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Not Before: Dec 26 12:14:38 2022 GMT
Not After : Dec 26 12:14:38 2023 GMT
countryName = CN
stateOrProvinceName = HB
organizationName = runtime
organizationalUnitName = runtime
commonName = www.dianjijixu.com
emailAddress = 2@233.com
X509v3 extensions:
X509v3 Basic Constraints:
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:
Certificate is to be certified until Dec 26 12:14:38 2023 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 ssl]#
[root@node1 ~]# cd /usr/local/apache/conf/
[root@node1 conf]# vim httpd.conf
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule ssl_module modules/mod_ssl.so    // 删除行首的 #（取消注释）
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
# Virtual hosts
Include conf/extra/httpd-vhosts.conf    // 删除行首的 #（取消注释）
[root@node1 ssl]# cd ..
[root@node1 conf]# vim extra/httpd-vhosts.conf
[root@node1 conf]# tail -17 extra/httpd-vhosts.conf
#DocumentRoot "/usr/local/apache/htdocs/www.dianjijixu.com"
ServerName www.dianjijixu.com
ErrorLog "logs/www.dianjijixu.com-error_log"
CustomLog "logs/www.dianjijixu.com-access_log" common
DocumentRoot "/usr/local/apache/htdocs/www.dianjijixu.com"
ServerName www.dianjijixu.com
ErrorLog "logs/www.dianjijixu.com-error_log"
CustomLog "logs/www.dianjijixu.com-access_log" common
创建目录、移动文件、重新启动服务
[root@node1 conf]# mkdir -p /usr/local/apache/htdocs/{www.dianjijixu.com,blog.dianjijixu.com}
[root@node1 conf]# ls /usr/local/apache/htdocs
blog.dianjijixu.com index.html www.dianjijixu.com
[root@node1 conf]#
[root@node1 conf]# mv /var/www/html/blog/* /usr/local/apache/htdocs/blog.dianjijixu.com/
[root@node1 conf]# mv /var/www/html/www/* /usr/local/apache/htdocs/www.dianjijixu.com/
[root@node1 conf]# apachectl stop
[root@node1 conf]# apachectl start
[root@node1 conf]#
修改 httpd.conf 文件
[root@node1 conf]# vim httpd.conf
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf    // 删除行首的 #（取消注释）
#LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so    // 删除行首的 #（取消注释）
#LoadModule socache_dbm_module modules/mod_socache_dbm.so
[root@node1 conf]# vim extra/httpd-ssl.conf
# General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/www.dianjijixu.com"
ServerName www.dianjijixu.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/www.dianjijixu.com_error_log"
TransferLog "/usr/local/apache/logs/www.dianjijixu.com_access_log"
# SSL Engine Switch:
SSLCertificateFile "/usr/local/apache/conf/ssl/httpd.crt"
#SSLCertificateFile "/usr/local/apache/conf/server-dsa.crt"
#SSLCertificateFile "/usr/local/apache/conf/server-ecc.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/ssl/httpd.key"
#SSLCertificateKeyFile "/usr/local/apache/conf/server-dsa.key"
#SSLCertificateKeyFile "/usr/local/apache/conf/server-ecc.key"
[root@node1 conf]# apachectl stop
[root@node1 conf]# apachectl start
[root@node1 conf]# ss -antl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:443 *:*
LISTEN 0 128 *:8080 *:*
LISTEN 0 128 *:80 *:*
[root@node1 conf]#