Category: System Operations

2013-02-18 14:56:53

Preparation

CA.sh is the small wrapper around "openssl ca" that ships in OpenSSL's misc directory. It works relative to the current directory (it creates and uses ./demoCA), so copy it into the directory that will hold the certificates and run everything from there:

find / -name "CA.sh"

mkdir -p /usr/local/apache2/etc/ssl

cp /opt/openssl/misc/CA.sh /usr/local/apache2/etc/ssl

cd /usr/local/apache2/etc/ssl


Create the CA certificate

./CA.sh -newca

CA certificate filename (or enter to create)
   <- press Enter to create a new CA

Making CA certificate ...

Generating a 1024 bit RSA private key
......++++++
...........++++++
writing new private key to './demoCA/private/./cakey.pem'

Enter PEM pass phrase: ***   <- choose the CA pass phrase yourself and write it down on paper; you will need it again
Verifying - Enter PEM pass phrase:

-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:ss
Organization Name (eg, company) [Internet Widgits Pty Ltd]:gsdfds
Organizational Unit Name (eg, section) []:gsdfds
Common Name (eg, YOUR name) []:gsdfds
Email Address []:admin@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lgeduapachessl
An optional company name []:gzluogangedu

Using configuration from /opt/openssl/openssl.cnf

Enter pass phrase for ./demoCA/private/./cakey.pem:   <- enter the PEM pass phrase set above (CA.sh now self-signs the CA certificate with it)

Two things to know before running this for real: CA.sh takes the key size from default_bits in openssl.cnf, and 1024-bit RSA has been below the accepted minimum for years, so set default_bits = 2048 (or larger) before -newca. The "challenge password" is a legacy CSR attribute that nothing in this setup ever checks; it can be left blank.


Generate the server private key

openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus
............................++++++
......++++++
e is 65537 (0x10001)

Enter pass phrase for server.key: ***   <- choose a pass phrase for the key and write it down; httpd asks for it at startup

The same size caveat applies here: use 2048 (openssl genrsa -des3 -out server.key 2048) rather than 1024, since browsers reject certificates with 1024-bit keys.


Generate the server certificate request

openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:   <- enter the pass phrase set for server.key above

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:ss
Organization Name (eg, company) [Internet Widgits Pty Ltd]:gsdfds
Organizational Unit Name (eg, section) []:gsdfds
Common Name (eg, YOUR name) []:test.com   <- the site's host name
Email Address []:admin@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:********
An optional company name []:gsdfds

The Common Name must be the exact host name browsers will type. The virtual host below is ServerName ssl.test.com, so a certificate for test.com would produce a name-mismatch warning. Current browsers also ignore the CN entirely and require the name in a subjectAltName extension, which "openssl req" with the stock openssl.cnf does not add; the example script further down shows how to include one.


Sign the server certificate

cp server.csr newreq.pem
./CA.sh -sign

Using configuration from /opt/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:   <- enter the CA's PEM pass phrase
Check that the request matches the signature
Signature ok

CA.sh -sign reads newreq.pem, prints the certificate details and asks "Sign the certificate? [y/n]" and then "commit? [y/n]"; answer y to both. The signed certificate is written to newcert.pem and a copy is recorded under demoCA/newcerts/ (the serial is tracked in demoCA/serial and demoCA/index.txt, which is why the CA directory must be kept intact).

After signing succeeds:

cp newcert.pem server.crt

Because the site has many users, no client private keys are issued: client-certificate authentication is not used (SSLVerifyClient stays off), and the server certificate alone authenticates the connection on both ends. What clients do need is the CA certificate, so that the browser can validate server.crt; that is the ca.crt copied below.

Collect all the generated certificates in one place:

cp demoCA/cacert.pem cacert.pem
cp cacert.pem ca.crt   <- a copy of the CA certificate, the file to distribute to clients

A quick check before touching httpd: "openssl verify -CAfile ca.crt server.crt" should print "server.crt: OK".
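The whole sequence from "Preparation" to "Collect all the generated certificates", redone as one script with plain openssl(1) commands so it can be rerun unattended and checked. This is an added example, not the post's CA.sh session: it assumes an OpenSSL 1.1.1 or newer binary on PATH, writes into a scratch directory, uses 3072/2048-bit keys instead of 1024, signs with SHA-256, and puts the host name into a subjectAltName, which CA.sh -sign does not do with the stock openssl.cnf. The directory, file names and DN values are placeholders. Keys are written without a pass phrase so that the script runs non-interactively; on a real CA host protect cakey.pem with file permissions or add -des3/-aes256 as the post does.

```shell
#!/bin/sh
# Added example: private CA + CA-signed server certificate with plain openssl commands.
# Assumes: openssl 1.1.1+ on PATH. All paths and DN values are placeholders.
set -eu

# Create the CA key and self-signed CA certificate (what ./CA.sh -newca does),
# with explicit CA extensions so the result does not depend on openssl.cnf.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    cat >"$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = CN
ST = GD
O = Example Private CA
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -sha256 -days 1825 -nodes -newkey rsa:3072 \
        -config "$dir/ca.cnf" -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" \
        >/dev/null 2>&1
    chmod 600 "$dir/cakey.pem"
}

# Server key, CSR and CA-signed certificate (the genrsa / req -new / CA.sh -sign steps).
# $2 is the host name browsers will use; it goes into the CN *and* a subjectAltName.
make_server_cert() {
    dir=$1 host=$2
    cat >"$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = CN
ST = GD
O = gsdfds
CN = $host
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl genrsa -out "$dir/server.key" 2048 >/dev/null 2>&1
    chmod 600 "$dir/server.key"
    openssl req -new -config "$dir/server.cnf" -key "$dir/server.key" \
        -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 398 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server.cnf" -extensions server_ext \
        -out "$dir/server.crt" >/dev/null 2>&1
}

# Checks worth running before copying anything to httpd:
# 1) server.crt chains to the CA, 2) server.key really belongs to server.crt.
verify_chain() {
    dir=$1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/server.crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# 3) the name clients connect to is present as a DNS subjectAltName.
cert_has_san() {
    dir=$1 name=$2
    openssl x509 -in "$dir/server.crt" -noout -text | grep -E -q "DNS:$name"'(,|$)'
}

# Stand-alone demo: everything goes into a fresh scratch directory.
WORK=$(mktemp -d)
make_ca "$WORK"
make_server_cert "$WORK" ssl.test.com
if verify_chain "$WORK" && cert_has_san "$WORK" ssl.test.com; then
    echo "CA, server certificate and key are consistent; files are in $WORK"
else
    echo "certificate checks failed" >&2
    exit 1
fi
```

The files the script leaves behind map one-to-one onto the post's: cacert.pem is ca.crt, server.key and server.crt are the ones httpd points at. The two checks in verify_chain catch the mistakes that otherwise only show up as a browser error at 2 a.m.: signing the wrong CSR, or copying a key that does not match the certificate.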


Modify httpd.conf; change the following places as shown:

1. Change the access permissions of the "/" directory (the <Directory /> block):

AllowOverride none
Options Indexes FollowSymLinks
#Require all denied

Note: commenting out "Require all denied" on <Directory /> removes the default deny for the whole filesystem, and "Indexes" on "/" allows directory listings anywhere httpd can read. The safer pattern is to leave the "/" block as shipped and add "Require all granted" only inside a <Directory "/data/test/ssl"> block for the DocumentRoot.

2. Enable the httpd-ssl.conf configuration file:

Include etc/extra/httpd-ssl.conf

3. Enable the ssl module:

LoadModule ssl_module lib/modules/mod_ssl.so

On httpd 2.4 the shipped httpd-ssl.conf also uses "SSLSessionCache shmcb:", which needs "LoadModule socache_shmcb_module lib/modules/mod_socache_shmcb.so" enabled as well, otherwise startup fails with "session cache not supported".


Modify httpd-ssl.conf as follows (Apache accepts "#" comments only on their own line, so the explanations are placed above the directives):

Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300

DocumentRoot "/data/test/ssl"
ServerName ssl.test.com:443
ServerAdmin admin@test.com
ErrorLog "/usr/local/apache2/adm/sslerror_log"
TransferLog "/usr/local/apache2/adm/sslaccess_log"
# turn SSL on for this virtual host
SSLEngine on
# the server certificate
SSLCertificateFile "/usr/local/apache2/etc/ssl/server.crt"
# the server certificate's private key
SSLCertificateKeyFile "/usr/local/apache2/etc/ssl/server.key"
# directory of CA certificates
SSLCACertificatePath "/usr/local/apache2/etc/ssl"

# these two lines sit in the shipped file's <FilesMatch> (cgi/shtml/php) and
# <Directory cgi-bin> blocks respectively; keep them where they are
SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "/usr/local/apache2/adm/ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Two caveats. SSLCACertificatePath is only consulted for client-certificate verification (SSLVerifyClient), which this setup does not enable, and it expects hash-named files produced by c_rehash, so the line does nothing here and can be dropped. "HIGH:MEDIUM:!aNULL:!MD5" with no SSLProtocol line admits RC4 and 3DES and whatever protocol versions the build allows by default; the tightened fragment below fixes both.
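A tightened version of the directives above, added here as an example and not taken from the post's file: it drops the MEDIUM ciphers, disables SSLv3/TLS 1.0/1.1, lets the server choose the cipher, turns off TLS compression, grants access only to the DocumentRoot instead of opening "/", and omits SSLCACertificatePath since no client certificates are verified. The tokens are valid for httpd 2.4.3 or newer built against OpenSSL 1.0.2 or newer; the SSLSessionCache line assumes mod_socache_shmcb is loaded and that /usr/local/apache2/logs exists (both paths are the post's layout).

```apache
# --- global section (outside <VirtualHost>) ---
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

# No SSLv3 / TLS 1.0 / TLS 1.1; no RC4, 3DES, MD5 or anonymous suites;
# the server's preference order wins, and TLS compression (CRIME) is off.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLCompression off

<VirtualHost _default_:443>
    DocumentRoot "/data/test/ssl"
    ServerName ssl.test.com:443
    ServerAdmin admin@test.com
    ErrorLog "/usr/local/apache2/adm/sslerror_log"
    TransferLog "/usr/local/apache2/adm/sslaccess_log"

    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/etc/ssl/server.crt"
    SSLCertificateKeyFile "/usr/local/apache2/etc/ssl/server.key"
    # No client-certificate authentication, so no SSLCACertificatePath.
    # If SSLVerifyClient is ever enabled, run c_rehash on the directory first.

    # Grant access to the site only, leaving the shipped "Require all denied"
    # on <Directory /> in httpd.conf untouched.
    <Directory "/data/test/ssl">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    CustomLog "/usr/local/apache2/adm/ssl_request_log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
```

Run "apachectl configtest" after editing; an unknown SSLProtocol token (for example on an httpd older than the versions named above) shows up there rather than at the next restart.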


Start the httpd service

./apachectl -D SSL -k start   <- enter the pass phrase for server.key when prompted

OK: Pass Phrase Dialog successful.

Check that it started: ps -ef | grep httpd

"-D SSL" only matters when the Include of httpd-ssl.conf is wrapped in <IfDefine SSL>; with the unconditional Include added above, a plain "./apachectl -k start" behaves the same. Running "./apachectl configtest" first catches configuration errors without touching the running server.

Configure an automatic pass phrase answer, so that Apache starts without prompting for the SSL pass phrase

cd /usr/local/apache2/etc/ssl

vi server.pass   <- create the pass phrase script:
    #!/usr/bin/sh
    SSLPhrasePassword='yourpassword'
    echo "$SSLPhrasePassword"

chmod 755 server.pass   <- make it executable

vi /usr/local/apache2/etc/extra/httpd-ssl.conf   <- edit httpd-ssl.conf:
find the line "SSLPassPhraseDialog builtin" and comment it out, then add
SSLPassPhraseDialog exec:/usr/local/apache2/etc/ssl/server.pass

Restart Apache; the test is OK.

How this works: at startup mod_ssl runs the program with two arguments, "servername:port" and the key type (RSA, DSA or ECC), and takes the pass phrase from the program's standard output. Three caveats. Mode 755 leaves the pass phrase readable by every local user; httpd runs the helper as root while reading the keys, so "chown root server.pass; chmod 700 server.pass" is enough. A pass phrase stored on the same host as the key only protects against server.key being copied off on its own; it gives no protection against root on the server. For that reason many deployments simply strip the pass phrase ("openssl rsa -in server.key -out server.key") and rely on a 600, root-owned key file, which is the same level of protection with fewer moving parts.
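A sturdier version of server.pass, added here as an example (not the post's script): instead of hard-coding one password, it looks the pass phrase up in a per-host file under a directory of root-only files, refuses any file that is group- or world-readable, and answers based on the "servername:port" argument mod_ssl passes, so one helper serves several virtual hosts. PASSDIR is a placeholder path; the file name is the ServerName without the port.

```shell
#!/bin/sh
# Added example: SSLPassPhraseDialog exec: helper for mod_ssl.
# mod_ssl invokes it as:  server.pass servername:port RSA|DSA|ECC
# and reads the pass phrase from stdout.  PASSDIR is a placeholder path.
set -eu

PASSDIR=${PASSDIR:-/usr/local/apache2/etc/ssl/passphrases}

# Print the pass phrase stored in "$1/$2", but only if the file exists,
# is readable by its owner alone, and is not empty.
# Return codes: 1 no such file, 2 permissions too open, 3 empty file.
lookup_passphrase() {
    dir=$1 host=$2
    f="$dir/$host"
    [ -f "$f" ] || return 1
    # characters 5-10 of "ls -ld" output are the group and other permission bits
    others=$(ls -ld "$f" | cut -c5-10)
    [ "$others" = "------" ] || return 2
    pass=$(head -n 1 "$f")
    [ -n "$pass" ] || return 3
    printf '%s\n' "$pass"
}

# When invoked by mod_ssl (with arguments), answer for the host named in $1,
# dropping the ":port" part.  A non-zero exit makes httpd refuse to start,
# which is the right failure mode for a missing or world-readable file.
if [ $# -ge 1 ]; then
    lookup_passphrase "$PASSDIR" "${1%%:*}"
fi
```

To provision a host: "printf '%s\n' 'the pass phrase' > $PASSDIR/ssl.test.com; chown root:root $PASSDIR/ssl.test.com; chmod 600 $PASSDIR/ssl.test.com", and keep the helper itself root-owned with mode 700. The manual check is the same call mod_ssl makes: "sh server.pass ssl.test.com:443 RSA" should print the pass phrase and nothing else.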













