Chinaunix首页 | 论坛 | 博客
  • 博客访问: 511565
  • 博文数量: 53
  • 博客积分: 2265
  • 博客等级: 大尉
  • 技术积分: 574
  • 用 户 组: 普通用户
  • 注册时间: 2007-08-15 16:50
文章分类

全部博文(53)

文章存档

2019年(1)

2018年(2)

2016年(2)

2015年(1)

2014年(6)

2013年(5)

2012年(7)

2011年(16)

2010年(13)

分类: BSD

2011-11-29 11:41:05

 
由于安装了vpn,生成ca,key都很方便。直接用openssl生成的,参考以上链接。
以下生成的ca.crt ,server.key, server.crt 都放在/usr/local/share/examples/openvpn/easy-rsa/2.0/keys 里
 
 
  1. #cd /usr/local/share/examples/openvpn/easy-rsa/2.0/
  2. # . ./vars
  3. NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/share/examples/openvpn/easy-rsa/2.0/keys
# ./build-ca                 
 
# ./build-key-server server
 
# ./build-key-pkcs12 client

修改Apache 配置文件httpd.conf (OpenBSD的位置在: /var/www/conf/httpd.conf ),以下是其部分配置文件,红色字体为编辑后:
 
-------------------------------------------------------------------------------------
SSLCertificateFile    /usr/local/share/examples/openvpn/easy-rsa/2.0/keys/server.crt
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.
SSLCertificateKeyFile /usr/local/share/examples/openvpn/easy-rsa/2.0/keys/server.key
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath    /var/www/conf/ssl.crt
#SSLCACertificateFile    /var/www/conf/ssl.crt/ca-bundle.crt
SSLCACertificateFile    /usr/local/share/examples/openvpn/easy-rsa/2.0/keys/ca.crt
#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth  10

--------------------------------------------------------------------------------------
SSLVerifyClient require   启用客户端需要证书才可以访问。
 
Apache启动: #apachectl startssl
 
拷贝刚才生成的client.p12 到需要访问这Apache的服务器,点击client.p12即可倒入。
 
 
阅读(1953) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~