最近在研究linux下的apache-ssl配置,寫點個人小心得,新人發博,敬請見諒。
軟件環境
Apache Httpd 2.2.29 (http://httpd.apache.org )
OpenSSL 1.0.1h (http://www.openssl.org/source )
SSL-Tools (http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz )
1. OpenSSL
#tar zxvf openssl-1.0.1h.tar.gz
#cd openssl-1.0.1h
#./config
#make
#make install
此舉將安裝最新的OpenSSL到/usr/local/ssl目錄中,無需理會系統中已有版本的OpenSSL,也不要去卸載它,否則會導致很多的應用程序無法正常執行,例如X窗口無法進入等錯誤。
2. Apache Httpd
#tar zxvf httpd-2.2.29.tar.gz
#cd httpd-2.2.29
#./configure --prefix=/usr/local/apache/httpd --enable-ssl=static --with-ssl=/usr/local/ssl
#make
#make install
此步驟在/apache/httpd目錄中安裝httpd服務(通過參數--prefix指定),同時使用--with-ssl指定剛才所安裝OpenSSL的路徑,用於將mod_ssl靜態的編譯到httpd服務中。
3.制作證書
我們必須手工來生成SSL用到的證書,對證書不熟悉的人,有一個工具可以使用:http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz 。下面是如何通過這個工具來生成證書的過程:
#cp ssl.ca-0.1.tar.gz /usr/local/apache/httpd/conf
#cd /usr/local/apache/conf
#tar zxvf ssl.ca-0.1.tar.gz
#cd ssl.ca-0.1
#./new-root-ca.sh (生成根證書)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:12345 (輸入一個密碼)
Verifying - Enter pass phrase for ca.key: 12345(再輸入一次密碼)
......
Self-sign the root CA... (簽署根證書)
Enter pass phrase for ca.key:12345 (輸入剛剛設置的密碼)
........
........ (下面開始簽署)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:SD //隨你喜歡
Locality Name (eg, city) [Sitiawan]:QD //隨你喜歡
Organization Name (eg, company) [My Directory Sdn Bhd]:GX //隨你喜歡
Organizational Unit Name (eg, section) [Certification Services Division]:GX //隨你喜歡
Common Name (eg, MD Root CA) []:gaoxin.com //隨你喜歡
Email Address []:[email protected]//隨你喜歡
這樣就生成了ca.key和ca.crt兩個文件,下面還要為我們的服務器生成一個證書:
# ./new-server-cert.sh server (這個證書的名字是server)
......
......
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:SD
Locality Name (eg, city) [Sitiawan]: QD
Organization Name (eg, company) [My Directory Sdn Bhd]:GX
Organizational Unit Name (eg, section) [Secure Web Server]:GX
Common Name (eg, www.domain.com) []:gaoxiaoit.com (必須與上面的不同,否則報錯)
Email Address []:[email protected]
這樣就生成了server.csr和server.key這兩個文件。
還需要簽署一下才能使用的:
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:12345 (輸入上面設置的根證書密碼)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName:PRINTABLE:'CN'
stateOrProvinceName:PRINTABLE:'GanSu'
localityName:PRINTABLE:'LanZhou'
organizationName:PRINTABLE:'lzu'
organizationalUnitName:PRINTABLE:'lzu'
commonName:PRINTABLE:'localhost'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 19 21:59:46 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
配置conf/extr/httpd-ssl.conf
找到#include conf/extra/httpd-ssl.confm去掉注釋
下面要按照httpd-ssl.conf裡面的設置,將證書放在適當的位置。
# cd ..
# mkdir ssl.key
# mv ssl.ca-0.1/server.key ssl.key
# mkdir ssl.crt
# mv ssl.ca-0.1/server.crt ssl.crt
然後就可以啟動啦!
# cd /usr/local/apache
注意,apache2.2之後不支持startssl,所以只用start即可
# ./bin/apachectl start
4. 測試HTTP服務
使用浏覽器打開地址:https://127.0.0.1 完畢!!