Environment: CentOS 5.7 + Apache 2.2.21
Purpose: a web server providing HTTPS
Related articles:
http://djxailc.blog.sohu.com/56732044.html
http://greatdeer007.blog.163.com/blog/static/163665174201051232022335/
http://www.sxszjzx.com/~t096/phparticle/article.php/845
Other: a word of explanation: there are far too many misleading articles online these days, and they need to be filtered, tried out in practice and tidied up before being published. Contact tonyty163@ttlsa.com with any problems.
Author: 滕云
I. Installing Apache 2.2.21 with SSL
1. Before installing Apache, check that OpenSSL is installed: yum list "*openssl*". If it is missing, install it with yum.
2. Installing Apache is documented widely online; the configure options below are the ones that matter for SSL (--enable-ssl in particular):

# cd /usr/local/src/tarbag
# wget http://labs.renren.com/apache-mirror//httpd/httpd-2.2.21.tar.gz
# tar xzvf httpd-2.2.21.tar.gz -C ../software
# cd ../software/httpd-2.2.21
# ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --enable-rewrite --enable-headers --with-mpm=worker --enable-expires --enable-suexec --with-suexec-docroot=/data/www --enable-mods-shared=all
# make && make install
# rm -rf /etc/init.d/httpd
# cp /usr/local/apache/bin/apachectl /etc/init.d/httpd
# sed -i '2c\#chkconfig: 35 85 15' /etc/init.d/httpd
# sed -i '3c\#description: apache' /etc/init.d/httpd
# chmod +x /etc/init.d/httpd
# chkconfig --add httpd
# chkconfig httpd on
# rm -rf /sbin/apachectl
# ln -s /usr/local/apache/bin/apachectl /sbin
II. Generating the certificate
1. Once Apache is installed, generate the certificate right away. Before generating it, create a directory to hold the certificate files:

# cd /usr/local/apache/conf
# mkdir ssl.key
# cd ssl.key/

2. The server certificate is generated in 3 steps.
step.1
First generate the server's private key (the key file):

# openssl genrsa -des3 -out server.key 1024
When it runs you are prompted for a passphrase; this passphrase encrypts the key file, and it is the same passphrase Apache asks for at startup (see step 4 of section III). The passphrase can be stripped from the key file again later if required. The output looks like this:

..........................++++++
....................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
step.2
Generate a Certificate Signing Request (CSR). The csr file is handed to a CA for signing, which yields the server's own certificate. Prompts appear on screen; enter the requested details one by one.

# openssl req -new -key server.key -out server.csr
You will see the following prompts; answer them as asked and the request file is produced (the values after the colons are the ones entered for this walkthrough):

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:FJ
Locality Name (eg, city) [Newbury]:FZ
Organization Name (eg, company) [My Company Ltd]:company
Organizational Unit Name (eg, section) []:company
Common Name (eg, your name or your server's hostname) []:ty
Email Address []:ty@company.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:company
An optional company name []:company
To issue a client certificate as well, run the same commands for the client to produce its key and csr file:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
That is not demonstrated here; interested readers can try it for themselves.
step.3
A CSR only becomes a certificate once a CA has signed it. The file can be sent to a CA such as VeriSign for verification, or you can sign it yourself with the server's own key, as is done here (the 365-day validity period is an arbitrary choice):

# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.cert
You will see the following; enter the passphrase and the certificate is complete:

Signature ok
subject=/C=CN/ST=FJ/L=FZ/O=poppace/OU=poppace/CN=ty/emailAddress=ty@poppace.com
Getting Private key
Enter pass phrase for server.key:
For safety, reduce the access permissions on the certificate files to the minimum:

# chmod 400 *
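The three steps above, plus the passphrase-removal command that step.1 refers to, as one non-interactive script. This is an added example, not code from the original post: it takes the target directory, passphrase and validity period as arguments (the passphrase is passed with -passout/-passin instead of being typed), uses the same DN values the post typed in, removes the passphrase with openssl rsa, and applies the chmod 400 from above. It generates a 2048-bit key rather than the post's 1024-bit one, since 1024-bit RSA is below current minimum key sizes. It also adds two checks the post does not show: that the certificate's public key really belongs to the private key (the usual cause of a "do not match" error when httpd starts), and, for use after section III, a look at the certificate the live server presents.

```shell
#!/bin/sh
# Added example (not from the original post): section II, steps 1-3, done
# non-interactively, plus passphrase removal and a key/cert consistency check.
# Assumptions: directory, passphrase and validity are arguments; 2048-bit key.

# make_selfsigned DIR PASSPHRASE DAYS
#   DIR/server.key         RSA key, des3-encrypted with PASSPHRASE (step.1)
#   DIR/server.csr         certificate request (step.2)
#   DIR/server.cert        self-signed certificate (step.3)
#   DIR/server.key.nopass  the same key with the passphrase removed, so that
#                          httpd can start without the pass phrase dialog
make_selfsigned() {
    dir=$1
    pass=$2
    days=$3
    # the DN typed in step.2 of the post
    subj='/C=CN/ST=FJ/L=FZ/O=company/OU=company/CN=ty/emailAddress=ty@company.com'
    mkdir -p "$dir"
    # step.1: private key, encrypted with the passphrase
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    # step.2: CSR, with the DN given on the command line instead of interactively
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "$subj" -out "$dir/server.csr"
    # step.3: sign the request with the server's own key (self-signed)
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -passin "pass:$pass" -out "$dir/server.cert"
    # passphrase removal: an unencrypted copy of the key
    openssl rsa -in "$dir/server.key" -passin "pass:$pass" \
        -out "$dir/server.key.nopass" 2>/dev/null
    # least privilege on every generated file, as in the post (chmod 400 *)
    chmod 400 "$dir"/server.*
}

# cert_matches_key CERT KEY: succeed only if the certificate's public key is
# the public half of KEY.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_subject CERT: print the subject DN (compare with the "subject=" line
# printed in step.3).
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# show_server_cert HOST PORT: after section III, fetch the certificate the
# running server presents and print its subject, issuer and validity period.
show_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Usage (the passphrase is a constructed example; pick your own):
#   make_selfsigned /usr/local/apache/conf/ssl.key 'change-me' 365
#   cert_matches_key /usr/local/apache/conf/ssl.key/server.cert \
#       /usr/local/apache/conf/ssl.key/server.key.nopass && echo "key and cert match"
#   show_server_cert 192.168.1.201 443     # once httpd is up (section III)
```

If you point SSLCertificateKeyFile at server.key.nopass to avoid the startup pass phrase dialog, the 400 permissions on that file are the only thing protecting the private key, so keep them.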
The certificate is done; Apache can now be configured.
III. Configuring Apache
1. In httpd.conf enable the vhosts and ssl configuration files:

# vi /usr/local/apache/conf/httpd.conf

Enable the vhosts configuration:
go to lines 447 and 459
and remove the comment marker in front of Include conf/extra/httpd-vhosts.conf and Include conf/extra/httpd-ssl.conf.
2. Configure the vhosts:

# vi /usr/local/apache/conf/extra/httpd-vhosts.conf

Pay particular attention to the 443 section; the relevant explanations can be found in httpd-ssl.conf.
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>
    DocumentRoot "/data/www/"
    ServerName 192.168.1.201
    <Directory /data/www/>
        Order allow,deny
        Allow from all
        Options -Indexes FollowSymLinks
        AllowOverride All
    </Directory>
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/data/www/"
    ServerName 192.168.1.201:443
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"
    SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /data/www/>
        Order allow,deny
        Allow from all
        Options -Indexes FollowSymLinks
        AllowOverride All
    </Directory>
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>
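The SSLCipherSuite line in the 443 vhost above is the stock mod_ssl value of its day, and it explicitly re-enables +LOW, +SSLv2, +EXP and +eNULL (eNULL means suites with no encryption at all) and puts RC4 first. The following is an added example, not from the original post: a small POSIX sh lint that reports any weak keyword an SSLCipherSuite directive leaves enabled (that is, not prefixed with ! or -), run over two constructed config excerpts, the post's directive and a hardened replacement built from directives that exist in Apache 2.2 (SSLProtocol, SSLHonorCipherOrder). The keyword list is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the original post). Lints SSLCipherSuite directives
# for weak keywords that are enabled rather than excluded.

# Constructed sample 1: the 443 vhost's cipher line exactly as in the post.
WEAK_CONF=$(cat <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
EOF
)

# Constructed sample 2: a hardened replacement for Apache 2.2 / mod_ssl:
# HIGH-strength suites only, no anonymous, null, export, low, RC4 or MD5
# suites, SSLv2/SSLv3 off, and the server's preference order enforced.
HARDENED_CONF=$(cat <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4
</VirtualHost>
EOF
)

# lint_ssl_ciphersuite FILE
# Prints each weak keyword that an SSLCipherSuite directive in FILE enables.
# Returns 0 when none is enabled, 1 otherwise.
lint_ssl_ciphersuite() {
    file=$1
    rc=0
    for kw in eNULL aNULL ADH EXP LOW SSLv2 RC4 MD5; do
        # A keyword counts as enabled when it follows the directive name, a
        # ':' separator or a '+' (i.e. is not preceded by '!' or '-') and is
        # followed by a separator, a '+' (as in RC4+RSA) or the end of line.
        pat="(^|[: +])[+]?${kw}([: +]|\$)"
        if grep -E '^[[:space:]]*SSLCipherSuite[[:space:]]' "$file" | grep -Eq "$pat"; then
            echo "weak cipher keyword enabled: $kw"
            rc=1
        fi
    done
    return $rc
}

# Usage: write each sample to a file and lint it, e.g.
#   printf '%s\n' "$WEAK_CONF" > weak.conf && lint_ssl_ciphersuite weak.conf
# or point it at the real file: lint_ssl_ciphersuite /usr/local/apache/conf/extra/httpd-vhosts.conf
```

On the post's directive the lint reports eNULL, EXP, LOW, SSLv2 and RC4 as enabled; on the hardened excerpt it reports nothing. The lint only reads SSLCipherSuite lines, so an SSLProtocol line that still allows SSLv2 has to be checked separately.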
3. Adjust the relevant settings in httpd-ssl.conf:

# vi /usr/local/apache/conf/extra/httpd-ssl.conf

Search for SSLCertificateFile
and change (line 99) SSLCertificateFile "/usr/local/apache/conf/server.crt"
to: SSLCertificateFile "/usr/local/apache/conf/ssl.key/server.cert"
Note: the file generated in this article is not a .crt, so take care to use .cert in the path that follows.
Search for SSLCertificateKeyFile
and change (line 107) SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
to: SSLCertificateKeyFile "/usr/local/apache/conf/ssl.key/server.key"
4. Restart Apache:

# service httpd start
Apache/2.2.21 mod_ssl/2.2.21 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
Now open https://192.168.1.201 in a browser.
If you see the page as in the screenshot below, it is all done.

[Screenshot: the https page]
Please credit the source when reposting: http://www.ttlsa.com/html/654.html