apache2.2+openssl0.9总结
系统版本:CentOS release 5.5 (Final)
软件: httpd-2.2.22.tar.gz ,openssl-0.9.8e.tar.gz
1.首先用ssh上传到centos虚拟机器中
[root@cacti ~]# tar -zxvf httpd-2.2.22.tar.gz
[root@cacti ~]# tar -zxvf openssl-0.9.8e.tar.gz
[root@cacti ~]# tar -zxvf httpd-2.2.22.tar.gz
[root@cacti ~]# tar -zxvf openssl-0.9.8e.tar.gz
2.首先安装openssl
[root@cacti openssl-0.9.8e]# ./config --prefix=/usr/local/ssl //配置路径为/usr/local/ssl目录下
[root@cacti openssl-0.9.8e]# make&&make install//安装openssl
[root@cacti openssl-0.9.8e]# make&&make install//安装openssl
3.安装apache2.2
[root@cacti httpd-2.2.22]#./configure --prefix=/usr/local/apache --enable-so --enable-ssl --with-ssl=/usr/local/ssl //如果需要加别的参数也是可以的可以用./configure --help查看其它参数。
[root@cacti httpd-2.2.22]#make&&make install//安装apache
4.[root@cacti ~]# cd /usr/local/apache/conf/
[root@cacti ~]#vi httpd.conf
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf//把这个井号去掉,默认路径也可以修改
Include conf/extra/httpd-ssl.conf//把这个井号去掉,默认路径也可以修改
5.[root@cacti extra]# cd extra进入extra目录找到httpd.ssl.conf
[root@cacti extra]# cp httpd.ssl.conf httpd.ssl.conf.backup//备份一份
[root@cacti extra]# cat httpd.ssl.conf|grep -v "#" >httpd.ssl.conf//把井号去掉便于查找。
[root@cacti extra]# vi httpd.ssl.conf//打开httpd.ssl.conf文件。
DocumentRoot "/usr/local/apache/htdocs"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/usr/local/apache/conf/server.cert"//这里可以修改默认路径和后缀名。
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
6.[root@cacti conf]#cd /usr/local/apache/conf//进入conf路径生成密匙
[root@cacti conf]#openssl genrsa -des3 -out server.key 1024//生成服务器私钥:运行openssl命令,生成1024、2048位长的私钥server.key文件。如果您需要对 server.key 添加保护密码,请使用 -des3 扩展命令。Windows环境下不支持加密格式私钥,Linux环境下使用加密格式私钥时,每次重启Apache都需要您输入该私钥密码(例:openssl genrsa -des3 -out server.key 2048)。
Generating RSA private key, 1024 bit long modulus
....................++++++
.................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key://输入密码
Verifying - Enter pass phrase for server.key:
....................++++++
.................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key://输入密码
Verifying - Enter pass phrase for server.key:
[root@cacti conf]#openssl req -new -key server.key -out server.crt//生成服务器证书请求,并按要求填些相关证书信息:
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn //您所在国家的ISO标准代号,中国为CN
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn //您所在国家的ISO标准代号,中国为CN
State or Province Name (full name) [Berkshire]:zj浙江//您单位所在地省/自治区/直辖市
Locality Name (eg, city) [Newbury]: //您单位所在地的市/县/区 hz杭州
Organization Name (eg, company) [My Company Ltd]:hz公司名字hz
Organizational Unit Name (eg, section) []: //部门名称 hz组织单位名称
Common Name (eg, your name or your server's hostname) []:通用名,例如: www.xxx.com。此项必须与您访问提供SSL服务的服务器时所应用的域名完全匹配。
zhh主机名
Email Address []:enjoygoodboy@163.com邮箱地址//您的邮件地址,不必后缀可以输入,直接回车跳过
Locality Name (eg, city) [Newbury]: //您单位所在地的市/县/区 hz杭州
Organization Name (eg, company) [My Company Ltd]:hz公司名字hz
Organizational Unit Name (eg, section) []: //部门名称 hz组织单位名称
Common Name (eg, your name or your server's hostname) []:通用名,例如: www.xxx.com。此项必须与您访问提供SSL服务的服务器时所应用的域名完全匹配。
zhh主机名
Email Address []:enjoygoodboy@163.com邮箱地址//您的邮件地址,不必后缀可以输入,直接回车跳过
Please enter the following 'extra' attributes //以下信息不必输入,回车跳过直到命令执行完毕。
to be sent with your certificate request
A challenge password []:
An optional company name []:
to be sent with your certificate request
A challenge password []:
An optional company name []:
签名:
[root@cacti conf]# openssl x509 -req -days 700 -in server.crt -signkey server.key -out server.cert
Signature ok
subject=/C=cn/ST=zj/L=hz/O=hz/OU=hz/CN=zhh/emailAddress=enjoygoodboy@163.com
Getting Private key
Enter pass phrase for server.key:
[root@cacti conf]# ls //可以备份证书
extra keybackup mime.types server.cert server.key
httpd.conf magic original server.crt
[root@cacti conf]# openssl x509 -req -days 700 -in server.crt -signkey server.key -out server.cert
Signature ok
subject=/C=cn/ST=zj/L=hz/O=hz/OU=hz/CN=zhh/emailAddress=enjoygoodboy@163.com
Getting Private key
Enter pass phrase for server.key:
[root@cacti conf]# ls //可以备份证书
extra keybackup mime.types server.cert server.key
httpd.conf magic original server.crt
为了安装把以上生成3个文件chmod 400模式。
7.启动apache服务输入密码
[root@cacti ~]# /usr/local/apache/bin/apachectl start
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Apache/2.2.22 mod_ssl/2.2.22 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
[root@cacti ~]# /usr/local/apache/bin/apachectl start
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Apache/2.2.22 mod_ssl/2.2.22 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server
www.example.com:443 (RSA)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
You have mail in /var/spool/mail/root
Enter pass phrase:
OK: Pass Phrase Dialog successful.
You have mail in /var/spool/mail/root
8.测试
3. 备份私钥并提交证书请求
请将证书请求文件certreq.csr提交给天威诚信,并备份保存证书私钥文件server.key,等待证书的签发。服务器证书密钥对必须配对使用,私钥文件丢失将导致证书不可用。
安装服务器证书
请将证书请求文件certreq.csr提交给天威诚信,并备份保存证书私钥文件server.key,等待证书的签发。服务器证书密钥对必须配对使用,私钥文件丢失将导致证书不可用。
安装服务器证书
1. 获取服务器证书中级CA证书
为保障服务器证书在客户端的兼容性,服务器证书需要安装两张中级CA证书(不同品牌证书,可能只有一张中级证书)。
从邮件中获取中级CA证书:
将证书签发邮件中的从BEGIN到 END结束的两张中级CA证书内容(包括“-----BEGIN CERTIFICATE-----”和“-----END CERTIFICATE-----”)粘贴到同一个记事本等文本编辑器中,中间用回车换行分隔。修改文件扩展名,保存为intermediatebundle.crt文件(如果只有一张中级证书,则只需要保存并安装一张中级证书)。
为保障服务器证书在客户端的兼容性,服务器证书需要安装两张中级CA证书(不同品牌证书,可能只有一张中级证书)。
从邮件中获取中级CA证书:
将证书签发邮件中的从BEGIN到 END结束的两张中级CA证书内容(包括“-----BEGIN CERTIFICATE-----”和“-----END CERTIFICATE-----”)粘贴到同一个记事本等文本编辑器中,中间用回车换行分隔。修改文件扩展名,保存为intermediatebundle.crt文件(如果只有一张中级证书,则只需要保存并安装一张中级证书)。
2. 获取EV服务器证书
将证书签发邮件中的从BEGIN到 END结束的服务器证书内容(包括“-----BEGIN CERTIFICATE-----”和“-----END CERTIFICATE-----”) 粘贴到记事本等文本编辑器中,保存为server.crt文件
将证书签发邮件中的从BEGIN到 END结束的服务器证书内容(包括“-----BEGIN CERTIFICATE-----”和“-----END CERTIFICATE-----”) 粘贴到记事本等文本编辑器中,保存为server.crt文件
服务器证书的备份及恢复
在您成功的安装和配置了服务器证书之后,请务必依据下面的操作流程,备份好您的服务器证书,以防证书丢失给您带来不便。
1. 服务器证书的备份
备份服务器证书私钥文件server.key,服务器证书文件server.crt,以及服务器证书中级CA证书文件intermediatebundle.crt即可完成服务器证书的备份操作。
2. 服务器证书的恢复
请参照服务器证书配置部分,将服务器证书密钥文件恢复到您的服务器上,并修改配置文件,恢复服务器证书的应用。
备份服务器证书私钥文件server.key,服务器证书文件server.crt,以及服务器证书中级CA证书文件intermediatebundle.crt即可完成服务器证书的备份操作。
2. 服务器证书的恢复
请参照服务器证书配置部分,将服务器证书密钥文件恢复到您的服务器上,并修改配置文件,恢复服务器证书的应用。
本文转自zh888 51CTO博客,原文链接:http://blog.51cto.com/zh888/812877,如需转载请自行联系原作者
