Feel free to get in touch by email.
Category: System Operations
2013-02-18 14:56:53
Preparation
find / -name "CA.sh"
mkdir /usr/local/apache2/etc/ssl
cp /opt/openssl/misc/CA.sh /usr/local/apache2/etc/ssl
cd /usr/local/apache2/etc/ssl
Create the CA (root) certificate
./CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
...........++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase: ***   *set your own passphrase and write it down on paper; it is needed later
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:ss
Organization Name (eg, company) [Internet Widgits Pty Ltd]:gsdfds
Organizational Unit Name (eg, section) []:gsdfds
Common Name (eg, YOUR name) []:gsdfds
Email Address []:admin@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lgeduapachessl
An optional company name []:gzluogangedu
Using configuration from /opt/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:   *enter the PEM passphrase set above
Generate the server private key
openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............................++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: ***   *enter the passphrase you want to set and write it down; it is needed to start httpd
Generate the server certificate signing request (CSR)
openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:   *enter the server.key passphrase set above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:ss
Organization Name (eg, company) [Internet Widgits Pty Ltd]:gsdfds
Organizational Unit Name (eg, section) []:gsdfds
Common Name (eg, YOUR name) []:test.com   *the site's domain name
Email Address []:admin@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:********
An optional company name []:gsdfds
Sign the server certificate
cp server.csr newreq.pem
./CA.sh -sign
Using configuration from /opt/openssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:   *enter the PEM passphrase set above
Check that the request matches the signature
Signature ok
After the signature succeeds:
cp newcert.pem server.crt
Because the site has many users, client-side private keys are not used; both the client and the server side use the server certificate.
Gather all the generated certificates in one place
cp demoCA/cacert.pem cacert.pem
cp cacert.pem ca.crt   *make a copy of the CA certificate
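The whole procedure above, from the CA key through the signed server certificate, reproduced non-interactively as an added example. This is my script, not the CA.sh wrapper the article uses. It assumes openssl is in PATH and takes placeholder passphrases as arguments; it uses 2048-bit keys with AES-256 key encryption rather than the article's 1024-bit keys and 3DES, since 1024-bit RSA is below current minimums, and it ends with the openssl verify check and key-size check a practitioner would run before pointing httpd at the files.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of the CA.sh -newca / openssl req / CA.sh -sign steps.
# Assumptions: openssl is in PATH; $1 is a scratch directory; the passphrases are
# placeholders passed in as arguments (not the ones used in the article).
set -eu

# Build a throwaway CA and a server certificate signed by it.
# Usage: make_test_pki <dir> [ca-passphrase] [server-passphrase]
make_test_pki() (
    dir="$1"
    ca_pass="${2:-ca-passphrase-placeholder}"
    srv_pass="${3:-server-passphrase-placeholder}"
    mkdir -p "$dir"
    cd "$dir"

    # 1. CA private key, encrypted with a passphrase (what CA.sh -newca prompts for),
    #    and a self-signed CA certificate (demoCA/cacert.pem in the article).
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key cakey.pem -passin "pass:$ca_pass" \
        -subj "/C=CN/ST=GD/O=Example Org/CN=Example Test CA" -out cacert.pem

    # 2. Server private key (its passphrase is the one httpd asks for at startup)
    #    and a certificate signing request whose CN is the site's hostname.
    openssl genrsa -aes256 -passout "pass:$srv_pass" -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -passin "pass:$srv_pass" \
        -subj "/C=CN/ST=GD/O=Example Org/CN=test.com" -out server.csr

    # 3. Sign the CSR with the CA key (what CA.sh -sign does through openssl ca).
    openssl x509 -req -days 365 -in server.csr -CA cacert.pem -CAkey cakey.pem \
        -passin "pass:$ca_pass" -CAcreateserial -out server.crt 2>/dev/null

    # 4. Check the chain the way a client would before deploying the files.
    openssl verify -CAfile cacert.pem server.crt
)

# Report the RSA modulus size of a certificate's public key, to catch weak keys.
cert_key_bits() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Stand-alone run: build the PKI in a temporary directory and print the key size.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_test_pki "$work"
    echo "server key size: $(cert_key_bits "$work/server.crt") bits"
fi
```

Run it as `sh make_pki.sh --demo`; the last line of output from make_test_pki is `server.crt: OK`, which is the confirmation that the certificate chains to cacert.pem. The server key stays encrypted on disk, which is why httpd will prompt for its passphrase at startup exactly as the article describes.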
Edit httpd.conf and change the following places:
1. Change the access permissions of the / directory
AllowOverride none
Options Indexes FollowSymLinks
#Require all denied
2. Enable the httpd-ssl.conf configuration file
Include etc/extra/httpd-ssl.conf
3. Enable the SSL module
LoadModule ssl_module lib/modules/mod_ssl.so
Edit httpd-ssl.conf as follows:
Listen 443
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300
DocumentRoot "/data/test/ssl"
ServerName ssl.test.com:443
ServerAdmin admin@test.com
ErrorLog "/usr/local/apache2/adm/sslerror_log"
TransferLog "/usr/local/apache2/adm/sslaccess_log"
SSLEngine on   *enable SSL
SSLCertificateFile "/usr/local/apache2/etc/ssl/server.crt"   *the server certificate
SSLCertificateKeyFile "/usr/local/apache2/etc/ssl/server.key"   *the server certificate key
SSLCACertificatePath "/usr/local/apache2/etc/ssl"   *the certificate directory
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
BrowserMatch "MSIE [2-5]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog "/usr/local/apache2/adm/ssl_request_log" \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
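An added check, not from the article: mod_ssl hands the SSLCipherSuite string to the same OpenSSL library that ships the openssl binary, so `openssl ciphers -v` shows exactly which suites the string above enables on this host. The functions below expand a cipher string and list any suite with no server authentication (Au=None, the aNULL class the string excludes) or an MD5 MAC; an empty result means the exclusions took effect. They assume openssl is in PATH, and the strings passed in are just the article's value and a constructed invalid one.

```shell
#!/bin/sh
# Added example: expand an SSLCipherSuite string with the local OpenSSL and flag
# suites that the article's exclusions (!aNULL, !MD5) are meant to remove.
# Assumes openssl is in PATH.

# Print one line per enabled suite, in the "NAME  version Kx= Au= Enc= Mac=" form
# that openssl ciphers -v produces; prints nothing if OpenSSL rejects the string.
expand_cipher_suite() {
    openssl ciphers -v "$1" 2>/dev/null
}

# List suites in the string that are anonymous (no server authentication) or use
# an MD5 MAC; prints nothing when the string is clean.
weak_ciphers_in() {
    expand_cipher_suite "$1" | grep -E 'Au=None|Mac=MD5' || true
}

# Number of suites the string enables; 0 means it matched nothing or was rejected.
cipher_count() {
    expand_cipher_suite "$1" | grep -c . || true
}

# Stand-alone run: audit the article's cipher string.
if [ "${1:-}" = "--demo" ]; then
    suite='HIGH:MEDIUM:!aNULL:!MD5'
    echo "$suite enables $(cipher_count "$suite") suites"
    weak=$(weak_ciphers_in "$suite")
    if [ -n "$weak" ]; then echo "weak suites:"; echo "$weak"; else echo "no anonymous or MD5 suites"; fi
fi
```

Run this on the machine that will serve the site rather than on a workstation, since the enabled set depends on the OpenSSL build Apache is linked against.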
Start the httpd service
./apachectl -D SSL -k start   *enter the server.key passphrase
OK: Pass Phrase Dialog successful.
Check whether it started:
ps -ef | grep httpd
vi server.pass   *create the passphrase file
#!/usr/bin/sh
# print the server.key passphrase on stdout, which is what SSLPassPhraseDialog exec: reads
SSLPhrasePassword='yourpassword'
echo "$SSLPhrasePassword"
chmod 755 server.pass   *change the file permissions
vi /usr/local/apache2/etc/extra/httpd-ssl.conf   *edit httpd-ssl.conf
Find the line "SSLPassPhraseDialog builtin" and comment it out,
then add: SSLPassPhraseDialog exec:/usr/local/apache2/etc/ssl/server.pass
Restart Apache and test; it works normally.
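A fuller version of the server.pass helper, added here as my own example rather than the article's script. httpd invokes an exec: program with two arguments, "servername:port" and the key type (RSA, DSA or ECC), and reads the passphrase from its stdout; the helper below uses the first argument to answer only for the configured virtual host, and it is installed readable and executable by its owner alone (mode 0500), because the article's chmod 755 leaves the passphrase readable by every local account. The hostname and passphrase are placeholders.

```shell
#!/bin/sh
# Added example: a passphrase helper for SSLPassPhraseDialog exec:, written for this
# article rather than taken from it. httpd calls the program as
#   server.pass "servername:port" "RSA|DSA|ECC"
# and reads the passphrase from stdout. Hostname and passphrase below are placeholders.

# Write the helper at $1 so that it answers only for vhost $2 with passphrase $3.
# Runs in a subshell so the restrictive umask does not leak into the caller.
install_passphrase_helper() (
    helper="$1"; vhost="$2"; secret="$3"
    umask 077
    cat > "$helper" <<EOF
#!/bin/sh
# Called by httpd as: $helper "servername:port" "RSA|DSA|ECC"
case "\$1" in
    $vhost) printf '%s\n' '$secret' ;;
    *) echo "no passphrase configured for \$1" >&2; exit 1 ;;
esac
EOF
    chmod 0500 "$helper"   # owner read+execute only; the article used 755
)

# Invoke the helper the way httpd would and return the passphrase it produced.
ask_passphrase() {
    "$1" "$2" RSA
}

# Stand-alone run: install a helper in a temporary directory and exercise it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    install_passphrase_helper "$d/server.pass" 'ssl.test.com:443' 'placeholder-passphrase'
    ls -l "$d/server.pass"
    echo "answer for ssl.test.com:443: $(ask_passphrase "$d/server.pass" 'ssl.test.com:443')"
    ask_passphrase "$d/server.pass" 'other.test.com:443' || echo "refused other.test.com:443"
fi
```

The helper must be owned by the user that runs `apachectl start` (normally root, since httpd reads the key before dropping privileges), and the passphrase it prints has to match the one chosen when server.key was generated. Note that the key's encryption only protects a copy of server.key taken without server.pass; once both files sit side by side, the passphrase file has to be guarded as carefully as the key itself.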