Category: LINUX

2006-03-01 15:45:26


Step 1: Download the required packages
 # mkdir -p /usr/local/src
 # cd /usr/local/src
Download the following files (the remaining steps assume they are in /usr/local/src):
  1) apache_1.3.27.tar.gz
  2) mod_ssl-2.8.12-1.3.27.tar.gz
  3) openssl-0.9.6i.tar.gz
Step 2: Set the paths
 # PATH=/usr/local/bin:$PATH:/usr/local/ssl:/usr/local/ssl/bin:/usr/ccs/bin
 # export PATH
 # LD_LIBRARY_PATH=/usr/local/ssl/lib
 # export LD_LIBRARY_PATH
 # echo $PATH
 # echo $LD_LIBRARY_PATH
Step 3: Install openssl first
 openssl is a package that mod_ssl requires.
 # cd /usr/local/src
 # gunzip openssl-0.9.6i.tar.gz
 # tar xvf openssl-0.9.6i.tar
 # cd openssl-0.9.6i
 # ./config
 # make
 # make install
 That completes the openssl installation.
Step 4: Configure mod_ssl into apache
 # cd ..
 # gunzip mod_ssl-2.8.12-1.3.27.tar.gz
 # tar xvf mod_ssl-2.8.12-1.3.27.tar
 # cd mod_ssl-2.8.12-1.3.27
 # ./configure --with-apache=../apache_1.3.27 --with-ssl=../openssl-0.9.6i --prefix=/usr/local/apache
...............................................................
Configuring mod_ssl/2.8.14 for Apache/1.3.27
+ Apache location: ../apache_1.3.27 (Version 1.3.27)
+ OpenSSL location: ../openssl-0.9.6i
+ Auxiliary patch tool: ./etc/patch/patch (local)
...
Now proceed with the following commands:
$ cd ../apache_1.3.27
$ make
$ make certificate
$ make install
...............................................................
    Once you see the output above, mod_ssl has been merged into the apache source tree. Going by the hint, you could simply change into apache_1.3.27, build, and start using apache. But I found that an apache built this way has no dynamic module loading (DSO) support, so your apache 1.3.27 can only serve static pages (you could, of course, still write CGI programs in perl for dynamic content). DSO has many advantages, for example it lets you add PHP and so on.
Step 5: Install and compile Apache 1.3.27
# gunzip apache_1.3.27.tar.gz
# tar xvf apache_1.3.27.tar
# cd apache_1.3.27
# ./configure --prefix=/usr/local/apache --enable-module=so \
  --enable-rule=SHARED_CORE --enable-module=ssl
# cd /usr/local/src/apache_1.3.27/src/modules/ssl
# vi Makefile
Comment out lines 238-240 (the rule that regenerates ssl_expr_scan.c with flex) so that they read:
line 238: #ssl_expr_scan.c: ssl_expr_scan.l ssl_expr_parse.h
line 239: #       flex -Pssl_expr_yy -s -B ssl_expr_scan.l
line 240: #       sed -e '/$$Header:/d' ssl_expr_scan.c && rm -f lex.ssl_expr_yy.c
# make            ; note: this step may fail; if it does, check the paths and the Makefile edit above
# make install
# make certificate TYPE=custom
which displays:
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
Generating custom certificate signed by own CA [CUSTOM]
__________________________________________________________________
STEP 0): Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:
__________________________________________________________________
STEP 1): Generating RSA private key for CA (1024 bit) [ca.key]
1840740 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...........................................++++++
.............................++++++
e is 65537 (0x10001)
__________________________________________________________________
STEP 2): Generating X.509 certificate signing request for CA [ca.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:
2. State or Province Name   (full name)     [Snake Desert]:
3. Locality Name            (eg, city)      [Snake Town]:
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:
5. Organizational Unit Name (eg, section)   [Certificate Authority]:
6. Common Name              (eg, CA name)   [Snake Oil CA]:
7. Email Address            (eg, ) [ca@snakeoil.dom]:
8. Certificate Validity     (days)          [365]:
__________________________________________________________________
STEP 3): Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]:1
Signature ok
subject=/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil
Getting Private key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/ca.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil
error 18 at 0 depth lookup:self signed certificate
OK
__________________________________________________________________
STEP 4): Generating RSA private key for SERVER (1024 bit) [server.key]
1840740 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.................++++++
......++++++
e is 65537 (0x10001)
______________________________________________________________________
STEP 5): Generating X.509 certificate signing request for SERVER [server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:
2. State or Province Name   (full name)     [Snake Desert]:
3. Locality Name            (eg, city)      [Snake Town]:
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:
5. Organizational Unit Name (eg, section)   [Webserver Team]:
6. Common Name              (eg, FQDN)      []:
7. Email Address            (eg, ) [www@snakeoil.dom]:
8. Certificate Validity     (days)          [365]:
______________________________________________________________________
STEP 6): Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Webserver Team/

Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK
______________________________________________________________________
STEP 7): Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: y
read RSA key
writing RSA key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Fine, you're using an encrypted private key.
______________________________________________________________________
STEP 8): Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: y
read RSA key
writing RSA key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Fine, you're using an encrypted RSA private key.
______________________________________________________________________
RESULT: CA and Server Certification Files
o  conf/ssl.key/ca.key
   The PEM-encoded RSA private key file of the CA which you can
   use to sign other servers or clients. KEEP THIS FILE PRIVATE!
o  conf/ssl.crt/ca.crt
   The PEM-encoded X.509 certificate file of the CA which you use to
   sign other servers or clients. When you sign clients with it (for
   SSL client authentication) you can configure this file with the
   'SSLCACertificateFile' directive.
o  conf/ssl.key/server.key
   The PEM-encoded RSA private key file of the server which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!
o  conf/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file of the server which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).
o  conf/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request of the server file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our own CA) which later can replace the conf/ssl.crt/server.crt
   file.
Congratulations that you establish your server with real certificates.
.................................................................
At this point the CA certificate has been generated; now install apache 1.3.27:
# make install
Step 6: Preparations before starting
# cp -r /usr/local/src/apache_1.3.27/conf/ssl.* /usr/local/apache/conf
# vi /usr/local/apache/conf/httpd.conf
Change the following lines (uncomment the first two and fill in your own values):
 #ServerAdmin
 #ServerName
 DocumentRoot "/usr/local/apache/htdocs"
You might also want to comment out some of the LoadModule and AddModule lines.
Insert:
 LoadModule ssl_module libexec/libssl.so
 AddModule mod_ssl.c
If you do not configure these module lines yourself, the install step will have done it for you.
Step 7: Start and test
# /usr/local/apache/bin/apachectl stop
# /usr/local/apache/bin/apachectl startssl
You will be prompted for the RSA pass phrase; the output is:
 Server unix5:443 (RSA)
 Enter pass phrase:
 Ok: Pass Phrase Dialog successful.
 /usr/local/apache/bin/apachectl startssl: httpd started
Enter the address in IE
(using your APACHE server's IP)
and you will see the following:
1) a prompt asking whether you want to view the page over a secure connection
2) the certificate is received
3) choose "Yes"
4) choose the language; pick "en"
5) you will see the page explaining SSL.
About custom SSL certificates
/usr/local/src/mod_ssl-2.8.14-1.3.27/pkg.contrib/sign.sh is what you need to sign a certificate and produce server.crt; for everything else, see the official Openssl website.
Summary
Although this article was done on the Solaris 9 platform, it basically applies to Linux, Solaris and so on. This kind of installation is really not hard: read more documentation, especially the docs shipped with mod_ssl itself, because mod_ssl-2.8.14-1.3.27 is built for Apache 1.3.27 and the mod_ssl.org code team has certainly tested it, so just follow the prompts carefully while installing!
I hope everyone completes their own apache+mod_ssl successfully.
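As an added example (not code from the original post, mkcert.sh or sign.sh), here is a plain-openssl equivalent of what "make certificate TYPE=custom" and pkg.contrib/sign.sh do: a private CA, a server key and CSR, a CA-signed server.crt, and the two checks mkcert.sh prints as "Verify:" (certificate and key modulus match, certificate chains to ca.crt). It assumes the openssl CLI is on PATH; the 2048-bit key size, validity and subject names are this example's own choices (the 1024-bit keys used in 2006 are no longer considered adequate).

```shell
#!/bin/sh
# Added example, not code from the original post. Recreates the mkcert.sh
# TYPE=custom flow with plain openssl commands. Assumes: openssl CLI on PATH;
# key size, validity and subject names are this example's own choices.
set -e

# Build a private CA and a server certificate signed by it.
#   $1 = output directory, $2 = server FQDN used as the Common Name
make_custom_certs() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # CA private key + self-signed CA certificate (ca.key / ca.crt)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 365 \
        -subj "/C=XY/O=Example Org/OU=Certificate Authority/CN=Example Root CA"
    # Server private key + certificate signing request (server.key / server.csr)
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=XY/O=Example Org/OU=Webserver Team/CN=$cn"
    # Sign the CSR with the CA; this is the job pkg.contrib/sign.sh does (server.crt)
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 365 2>/dev/null
}

# The two checks mkcert.sh prints as "Verify:": the certificate's public key
# must match the private key, and the certificate must chain to ca.crt.
# Returns 0 when both hold, 1 otherwise.
verify_custom_certs() {
    dir="$1"
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1
}

# Usage: generate into a temp dir, then verify (mirrors "make certificate TYPE=custom").
OUT="$(mktemp -d)"
make_custom_certs "$OUT" www.example.test
verify_custom_certs "$OUT" && echo "certificates in $OUT verified OK"
```

The generated files map onto the mod_ssl directives from the RESULT block above: ca.crt to SSLCACertificateFile, server.key to SSLCertificateKeyFile and server.crt to SSLCertificateFile.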