当前位置: > Linux服务器 > 环境配置 >

linux下apache+openssl配置记录

时间:2014-10-13 22:03来源:linux.it.net.cn 作者:it
最近在研究linux下的apache-ssl配置,写点个人小心得,新人发博,敬请见谅。 
 
软件环境 
 
Apache Httpd 2.2.29 (http://httpd.apache.org ) 
OpenSSL 1.0.1h (http://www.openssl.org/source ) 
SSL-Tools (http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz ) 
 
1. OpenSSL 
 
#tar zxvf openssl-1.0.1h.tar.gz 
#cd openssl-1.0.1h 
#./config 
#make 
#make install 
 
此举将安装最新的OpenSSL到/usr/local/ssl目录中,无需理会系统中已有版本的OpenSSL,也不要去卸载它,否则会导致很多的应用程序无法正常执行,例如X窗口无法进入等错误。 
 
2. Apache Httpd 
 
#tar zxvf httpd-2.2.29.tar.gz 
 
#cd httpd-2.2.29 
#./configure --prefix=/usr/local/apache/httpd --enable-ssl=static --with-ssl=/usr/local/ssl 
#make 
#make install 
 
此步骤在/apache/httpd目录中安装httpd服务(通过参数--prefix指定),同时使用--with-ssl指定刚才所安装OpenSSL的路径,用于将mod_ssl静态的编译到httpd服务中。 
 
3.制作证书 
 
我们必须手工来生成SSL用到的证书,对证书不熟悉的人,有一个工具可以使用:http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz 。下面是如何通过这个工具来生成证书的过程: 
 
#cp ssl.ca-0.1.tar.gz /usr/local/apache/httpd/conf 
#cd /usr/local/apache/conf 
#tar zxvf ssl.ca-0.1.tar.gz 
#cd ssl.ca-0.1 
#./new-root-ca.sh (生成根证书) 
No Root CA key round. Generating one 
Generating RSA private key, 1024 bit long modulus 
...........................++++++ 
....++++++ 
e is 65537 (0x10001) 
Enter pass phrase for ca.key:12345 (输入一个密码) 
Verifying - Enter pass phrase for ca.key: 12345(再输入一次密码) 
...... 
Self-sign the root CA... (签署根证书) 
Enter pass phrase for ca.key:12345 (输入刚刚设置的密码) 
........ 
........ (下面开始签署) 
Country Name (2 letter code) [MY]:CN 
State or Province Name (full name) [Perak]:SD //随你喜欢 
Locality Name (eg, city) [Sitiawan]:QD //随你喜欢 
Organization Name (eg, company) [My Directory Sdn Bhd]:GX //随你喜欢 
Organizational Unit Name (eg, section) [Certification Services Division]:GX //随你喜欢 
Common Name (eg, MD Root CA) []:gaoxin.com //随你喜欢 
Email Address []:12345@163.com//随你喜欢 
这样就生成了ca.key和ca.crt两个文件,下面还要为我们的服务器生成一个证书: 
# ./new-server-cert.sh server (这个证书的名字是server) 
...... 
...... 
Country Name (2 letter code) [MY]:CN 
State or Province Name (full name) [Perak]:SD 
Locality Name (eg, city) [Sitiawan]: QD 
Organization Name (eg, company) [My Directory Sdn Bhd]:GX 
Organizational Unit Name (eg, section) [Secure Web Server]:GX 
Common Name (eg, www.domain.com) []:gaoxiaoit.com (必须与上面的不同,否则报错)
Email Address []:123456@163.com 
这样就生成了server.csr和server.key这两个文件。 
还需要签署一下才能使用的: 
# ./sign-server-cert.sh server 
CA signing: server.csr -> server.crt: 
Using configuration from ca.config 
Enter pass phrase for ./ca.key:12345 (输入上面设置的根证书密码) 
Check that the request matches the signature 
Signature ok 
The Subject's Distinguished Name is as follows 
countryName:PRINTABLE:'CN' 
stateOrProvinceName:PRINTABLE:'GanSu' 
localityName:PRINTABLE:'LanZhou' 
organizationName:PRINTABLE:'lzu' 
organizationalUnitName:PRINTABLE:'lzu' 
commonName:PRINTABLE:'localhost' 
emailAddress :IA5STRING:'sunyanmeng@gmail.com' 
Certificate is to be certified until Jan 19 21:59:46 2011 GMT (365 days) 
Sign the certificate? [y/n]:y 
1 out of 1 certificate requests certified, commit? [y/n]y 
Write out database with 1 new entries 
Data Base Updated 
CA verifying: server.crt <-> CA cert 
server.crt: OK 
 
配置conf/extr/httpd-ssl.conf
 
找到#include conf/extra/httpd-ssl.confm去掉注释
下面要按照httpd-ssl.conf里面的设置,将证书放在适当的位置。 
 
# cd .. 
# mkdir ssl.key 
# mv ssl.ca-0.1/server.key ssl.key 
# mkdir ssl.crt 
# mv ssl.ca-0.1/server.crt ssl.crt 
然后就可以启动啦! 
# cd /usr/local/apache 
注意,apache2.2之后不支持startssl,所以只用start即可 
# ./bin/apachectl start 
 
4. 测试HTTP服务 
 
使用浏览器打开地址:https://127.0.0.1 完毕!!
(责任编辑:IT)
------分隔线----------------------------