8、openssl实现私有CA：
	配置文件：/etc/pki/tls/openssl.cnf

		39 ####################################################################
		40 [ CA_default ]
		41 
		42 dir             = /etc/pki/CA           # CA工作目录
		43 certs           = $dir/certs            # 证书目录
		44 crl_dir         = $dir/crl              # 吊销列表
		45 database        = $dir/index.txt        # 索引文件数据库
		46 #unique_subject = no                    # 
		47                                         # 
		48 new_certs_dir   = $dir/newcerts         # 刚签署的证书放置目录
		49 
		50 certificate     = $dir/cacert.pem       # CA自签署证书放置目录
		51 serial          = $dir/serial           # 证书序列号，下一个证书的序列号
		52 crlnumber       = $dir/crlnumber        # 吊销证书序列号
		53                                         # 
		54 crl             = $dir/crl.pem          # 当前正在使用吊销列表文件
		55 private_key     = $dir/private/cakey.pem# CA的私钥

		56 RANDFILE        = $dir/private/.rand    # 随机数文件

	1、认证中心的身份生成一对密钥
		cd /etc/pki/CA
		方法一：
			生成私钥：openssl genrsa -out private/cakey.pem 2048
			修改私钥权限为600或400：chmod 600 private/cakey.pem
		方法二：
			(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
		提取公钥（在私钥的基础上提取公钥）：openssl rsa -in private/cakey.pem -pubout	#非必要步骤


	2、认证中心的身份生成自签署的证书
		生成证书：openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
		查看生成的证书：openssl x509 -text -in cacert.pem

				  openssl req –new -x509 -key /etc/pki/CA/private/cakey.pem  -days 7300 -out /etc/pki/CA/cacert.pem


	3、生成文件：
		touch index.txt serial crlnumber
		echo 01 > serial
	4、客户应用程序申请证书
		生成私钥：（umask 077；openssl genrsa -out httpd.key 2048）	#将私钥保存至使用此证书的应用服务的配置文件目录下
		申请：openssl req -new -key httpd.key -out httpd.csr
		客户将申请发给认证中心：scp httpd.csr 192.168.1.101:/tmp/

		认证中心签署证书：openssl ca -in httpd.csr -out httpd.crt -days 365
		查看证书：openssl x509 -in certs/httpd.crt -noout -serial -subject
		将证书发给客户：scp httpd.crt 192.168.1.105:/etc/httpd/ssl

	5、认证中心吊销证书
		openssl ca -revoke /tmp/httpd.crt


	1、yum install mod_ssl
	2、配置
		SSLEngine on|off 				#SSL引擎操作开关
		SSLCertificateFile “/usr/local/apache2/conf/ssl.crt/server.crt”    		#指定服务器证书位置
		SSLCertificateKeyFile “/usr/local/apache2/conf/ssl.key/server.key” 		#服务器私钥文件
	3、配置文件
		36 <VirtualHost *:443>
		37         DocumentRoot "/var/www/html"
		38         ServerName www.xuejinwei.cc
		39         SSLEngine on
		40         SSLCertificateFile "/etc/httpd/ssl/httpd.crt"
		41         SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"
		42 </VirtualHost>
	4、跳转https
		36 <VirtualHost *:80>
		37         DocumentRoot "/var/www/html"
		38         ServerName www.xuejinwei.cc
		39         RewriteEngine on
		40         RewriteCond %{SERVER_PORT} !^443$
		41         RewriteRule ^(.*)?$ https://%{SERVER_NAME}/$1 [L,R]
		42 </VirtualHost>

		如果只针对某个目录
			RewriteEngine on
			RewriteBase /yourfolder
			RewriteCond %{SERVER_PORT} !^443$
			#RewriteRule ^(.*)?$ https://%{SERVER_NAME}/$1 [L,R]
			RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]