Procedure for configuring SSL under Apache 2.2
by snowqiang[at]gmail.com 2007-10-29
1. Install the Apache build that ships with OpenSSL.
2. In Apache's bin directory, create the following ssl directory structure:
└─ssl
    ├─newcerts
    ├─crl
    ├─certs
    └─private
Inside ssl, create an empty file index.txt and a file serial; put 01 in the serial file.
3. The openssl.cnf file:
VVVVVVVVVVVVVVVVVVVVVVVVV The openssl.cnf file follows VVVVVVVVVVVVVVVVV
#
# SSLeay example configuration file.
# This is mostly being used for generation of certificate requests.
#
RANDFILE = .rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = ssl
#certs = $dir/certs
#crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/privkey.pem
RANDFILE = $dir/privkey.rnd
#dir = ssl # Where everything is kept
#certs = $dir/certs # Where the issued certs are kept
#crl_dir = $dir/crl # Where the issued crl are kept
#database = $dir/index.txt # database index file.
#new_certs_dir = $dir/newcerts # default place for new certs.
#certificate = $dir/cacert.pem # The CA certificate
#serial = $dir/serial # The current serial number
#crl = $dir/crl.pem # The current CRL
#private_key = $dir/private/cakey.pem # The private key
#RANDFILE = $dir/private/private.rnd # private random number file
#x509_extensions = x509v3_extensions # The extensions to add to the cert
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # which md to use.
preserve = no # keep passed DN ordering
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
0.organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, your website's domain name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
[ x509v3_extensions ]
# under ASN.1, the 0 bit would be encoded as 80
nsCertType = 0x40
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
#nsCertSequence
#nsCertExt
#nsDataType
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ End of the openssl.cnf file ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
4. Generate the certificate files from the command line
a) Generate the CA private key; it will ask you for a passphrase
openssl genrsa -des3 -out ssl/ca.key 1024
b) Generate the CA certificate request; fill in the fields as prompted
openssl req -config openssl.cnf -new -key ssl/ca.key -out ssl/ca.csr
c) Generate the CA public cert
openssl x509 -days 3650 -req -signkey ssl/ca.key -in ssl/ca.csr -out ssl/ca.crt
d) Generate the server private key
openssl genrsa -out ssl/server.key 1024
e) Generate the server certificate request; fill in the same data as above
openssl req -config openssl.cnf -new -key ssl/server.key -out ssl/server.csr
f) Generate the server public cert, signed by the CA
openssl ca -config openssl.cnf -days 3650 -cert ssl/ca.crt -keyfile ssl/ca.key -in ssl/server.csr -out ssl/server.crt
Copy the generated ca.crt, server.crt and server.key into the ssl directory under Apache's conf directory.
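The script below is an added example, not part of the original page: it runs steps 2 to 4 unattended and then checks the result the way a client holding ca.crt would. It assumes the openssl command-line tool is on PATH and writes everything under a fresh temporary directory (WORK) rather than apache/bin; the names "Example Test CA" and "localhost" are constructed. It deliberately differs from the page's settings where current clients would otherwise reject the certificates: sha256 instead of md5, 2048-bit instead of 1024-bit keys, basicConstraints CA:TRUE on the CA certificate, and a subjectAltName on the server certificate. The CA key is left unencrypted so the script can run without a passphrase prompt; the page's -des3 form is the one to use when the key is kept for real.

```shell
#!/bin/sh
# Added example (not from the original page): automates steps 2-4 end to end
# and verifies the resulting chain. Assumes the openssl CLI is on PATH.
# Everything is written under a scratch directory instead of apache/bin.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # assumption: scratch location for the demo
SSL_DIR="$WORK/ssl"

# Step 2: directory layout, empty index.txt, and a serial file starting at 01.
make_ca_layout() {
  mkdir -p "$SSL_DIR/newcerts" "$SSL_DIR/crl" "$SSL_DIR/certs" "$SSL_DIR/private"
  : > "$SSL_DIR/index.txt"
  echo 01 > "$SSL_DIR/serial"
}

# Step 3: a trimmed openssl.cnf in the same shape as the page's. Differences:
# sha256 instead of md5, 2048-bit keys, and a server_ext section so the
# server cert carries a subjectAltName (browsers no longer accept a bare CN).
write_cnf() {
  cat > "$SSL_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir = $SSL_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
serial = \$dir/serial
private_key = \$dir/ca.key
default_days = 365
default_md = sha256
policy = policy_match
x509_extensions = server_ext

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = Common Name

[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
}

# Step 4 a-c: CA key and self-signed CA certificate. -subj replaces the
# interactive prompts. The extfile marks the certificate as a CA, which
# browsers expect on the issuer of a server certificate.
make_ca() {
  openssl genrsa -out "$SSL_DIR/ca.key" 2048
  openssl req -config "$SSL_DIR/openssl.cnf" -new -key "$SSL_DIR/ca.key" \
    -subj "/CN=Example Test CA" -out "$SSL_DIR/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$SSL_DIR/ca_ext.cnf"
  openssl x509 -days 3650 -req -signkey "$SSL_DIR/ca.key" -in "$SSL_DIR/ca.csr" \
    -extfile "$SSL_DIR/ca_ext.cnf" -out "$SSL_DIR/ca.crt"
}

# Step 4 d-f: server key, CSR, and the CA-signed server certificate.
# -batch answers the "Sign the certificate?" prompts; -notext drops the
# human-readable dump that openssl ca otherwise prepends to server.crt.
make_server_cert() {
  openssl genrsa -out "$SSL_DIR/server.key" 2048
  openssl req -config "$SSL_DIR/openssl.cnf" -new -key "$SSL_DIR/server.key" \
    -subj "/CN=localhost" -out "$SSL_DIR/server.csr"
  openssl ca -config "$SSL_DIR/openssl.cnf" -batch -notext -days 3650 \
    -cert "$SSL_DIR/ca.crt" -keyfile "$SSL_DIR/ca.key" \
    -in "$SSL_DIR/server.csr" -out "$SSL_DIR/server.crt"
}

# The check a client makes when it trusts ca.crt: does server.crt chain to it
# and is it usable as a TLS server certificate? Exit status 0 means OK.
verify_chain() {
  openssl verify -purpose sslserver -CAfile "$SSL_DIR/ca.crt" \
    "$SSL_DIR/server.crt" >/dev/null
}

make_ca_layout
write_cnf
make_ca
make_server_cert
verify_chain
echo "ca.crt, server.crt and server.key are in $SSL_DIR (copy them to conf/ssl for step 5)"
```

Run it with sh; afterwards only ca.crt, server.crt and server.key belong under Apache's conf/ssl, while ca.key stays with the CA material in ssl/. openssl ca also records the issued certificate in index.txt, writes a copy as newcerts/01.pem and advances serial to 02, which is why index.txt and serial have to exist before the first signing.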
5. Configure the httpd.conf file:
a) Enable: LoadModule ssl_module modules/mod_ssl.so
b) Add Listen 443
c) Add the following to httpd.conf
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile conf/ssl/server.crt
    SSLCertificateKeyFile conf/ssl/server.key
    SSLCertificateChainFile conf/ssl/ca.crt
</VirtualHost>
6. Start Apache.
It should work now; try https://127.0.0.1.