本文详细介绍了如何在Apache服务器上配置SSL证书,包括创建密码文件夹、生成CA及服务器的私钥与证书请求文件(CSR)、发行CA证书、设置证书有效期、配置httpd/ssl选项及重启Apache等步骤。
※[]里的内容自行修正
1.创建密码文件夹
# cd /etc/apache2
# mkdir ssl.crt
# mkdir ssl.key
# mkdir tmp
2.CA密码
# cd tmp
# openssl genrsa -rand /var/adm/messages -out ca.key 1024
※/.profileのPATH里面必须加上 /usr/sfw/bin
3.生成CSR(CA的署名)
# openssl req -new -key ca.key -out ca.csr
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:orgName
Organizational Unit Name (eg, section) []:unitName
Common Name (eg, YOUR name) []:userName
Email Address []:example@example.com
A challenge password []:
An optional company name []:
4.CA证明书发行
# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
5.服务器密码
# openssl genrsa -rand /var/adm/messages -out server.key 1024
6.生成CSR(服务器的署名)
# openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:orgName
Organizational Unit Name (eg, section) []:unitName
Common Name (eg, YOUR name) []:userName
Email Address []:example@example.com
A challenge password []:
An optional company name []:
7.证明书时效(1年)
# echo 01 > ca.srl
# openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAserial ca.srl -in server.csr -out server.crt
8.复制到/etc/apache2下面
# cp server.crt /etc/apache2/ssl.crt
# cp server.key /etc/apache2/ssl.key
9.httpd/ssl设定为TRUE
# svccfg -s apache2
svc:/network/http:apache2> setprop httpd/ssl = boolean: true
svc:/network/http:apache2> end
# svcadm refresh apache2
# svcprop -p httpd/ssl apache2
true
10.编辑ssl.conf
如果ssl.conf文件不存在,则如下复制
# cp /etc/apache2/ssl-std.conf /etc/apache2/ssl.conf
编辑/etc/apache2/ssl.conf
修改:
DocumentRoot "[DocumentRoot]"
<Directory "[DocumentRoot]">
# mkdir /var/run/apache2
# chmod -R 777 /var/run/apache2
11.重启apache2
# svcadm restart apache2
1.创建密码文件夹
# cd /etc/apache2
# mkdir ssl.crt
# mkdir ssl.key
# mkdir tmp
2.CA密码
# cd tmp
# openssl genrsa -rand /var/adm/messages -out ca.key 1024
※/.profileのPATH里面必须加上 /usr/sfw/bin
3.生成CSR(CA的署名)
# openssl req -new -key ca.key -out ca.csr
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:orgName
Organizational Unit Name (eg, section) []:unitName
Common Name (eg, YOUR name) []:userName
Email Address []:example@example.com
A challenge password []:
An optional company name []:
4.CA证明书发行
# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
5.服务器密码
# openssl genrsa -rand /var/adm/messages -out server.key 1024
6.生成CSR(服务器的署名)
# openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [US]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:orgName
Organizational Unit Name (eg, section) []:unitName
Common Name (eg, YOUR name) []:userName
Email Address []:example@example.com
A challenge password []:
An optional company name []:
7.证明书时效(1年)
# echo 01 > ca.srl
# openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAserial ca.srl -in server.csr -out server.crt
8.复制到/etc/apache2下面
# cp server.crt /etc/apache2/ssl.crt
# cp server.key /etc/apache2/ssl.key
9.httpd/ssl设定为TRUE
# svccfg -s apache2
svc:/network/http:apache2> setprop httpd/ssl = boolean: true
svc:/network/http:apache2> end
# svcadm refresh apache2
# svcprop -p httpd/ssl apache2
true
10.编辑ssl.conf
如果ssl.conf文件不存在,则如下复制
# cp /etc/apache2/ssl-std.conf /etc/apache2/ssl.conf
编辑/etc/apache2/ssl.conf
修改:
DocumentRoot "[DocumentRoot]"
<Directory "[DocumentRoot]">
# mkdir /var/run/apache2
# chmod -R 777 /var/run/apache2
11.重启apache2
# svcadm restart apache2
扫一扫
1100
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
