Category: BSD

2011-11-29 11:41:05

 
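Because a VPN is already installed, generating the CA and keys is easy. For generating them directly with openssl, refer to the link above.
The ca.crt, server.key and server.crt generated below are all placed in /usr/local/share/examples/openvpn/easy-rsa/2.0/keys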
 
 
# cd /usr/local/share/examples/openvpn/easy-rsa/2.0/
# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /usr/local/share/examples/openvpn/easy-rsa/2.0/keys
# ./build-ca
# ./build-key-server server
# ./build-key-pkcs12 client

Edit the Apache configuration file httpd.conf (on OpenBSD it is located at /var/www/conf/httpd.conf). Part of that file is shown below; the text in red is what was edited:
 
-------------------------------------------------------------------------------------
SSLCertificateFile    /usr/local/share/examples/openvpn/easy-rsa/2.0/keys/server.crt
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.
SSLCertificateKeyFile /usr/local/share/examples/openvpn/easy-rsa/2.0/keys/server.key
#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath    /var/www/conf/ssl.crt
#SSLCACertificateFile    /var/www/conf/ssl.crt/ca-bundle.crt
SSLCACertificateFile    /usr/local/share/examples/openvpn/easy-rsa/2.0/keys/ca.crt
#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth  10

--------------------------------------------------------------------------------------
SSLVerifyClient require: clients must present a certificate before they are allowed access.
 
Start Apache: # apachectl startssl
 
Copy the client.p12 generated earlier to the server that needs to access this Apache instance, then click client.p12 to import it.
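A consistency check for the files named in the httpd.conf excerpt above, worth running before starting Apache. This is an added example, not part of the original post. It builds a throwaway key set with plain openssl (standing in for easy-rsa) so it runs anywhere; the function names, the temporary directory and the `demo` password are assumptions.

```shell
#!/bin/sh
# Added example. Constructed sample data: a throwaway CA, server and client
# certificate made with plain openssl, standing in for easy-rsa's keys/ directory.
make_demo_keys() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    for n in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
            -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null
        openssl x509 -req -in "$1/$n.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
            -CAcreateserial -days 1 -out "$1/$n.crt" 2>/dev/null
    done
    # Same subject name as the real client, but self-signed (not issued by the CA).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client" \
        -keyout "$1/rogue.key" -out "$1/rogue.crt" 2>/dev/null
    # Bundle for the client machine; "demo" is a constructed export password.
    openssl pkcs12 -export -inkey "$1/client.key" -in "$1/client.crt" \
        -certfile "$1/ca.crt" -out "$1/client.p12" -passout pass:demo
}

# Does private key $2 belong to certificate $1 (SSLCertificateKeyFile vs SSLCertificateFile)?
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Does certificate $2 chain to the CA in $1 (the file named by SSLCACertificateFile)?
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the client certificate inside PKCS#12 file $2 (password $3) chain to CA $1?
p12_issued_by() {
    openssl pkcs12 -in "$2" -nokeys -clcerts -passin "pass:$3" 2>/dev/null |
        openssl verify -CAfile "$1" >/dev/null 2>&1
}

d=$(mktemp -d) && make_demo_keys "$d"
key_matches "$d/server.crt" "$d/server.key" && echo "server.key matches server.crt"
for c in server client rogue; do
    if issued_by "$d/ca.crt" "$d/$c.crt"; then echo "$c.crt: chains to ca.crt"
    else echo "$c.crt: rejected"; fi
done
p12_issued_by "$d/ca.crt" "$d/client.p12" demo && echo "client.p12: chains to ca.crt"
rm -rf "$d"
```

Against the real setup, call the three functions with the paths under keys/ instead of the temporary directory. The chain check passes for any certificate the CA has issued, so when ca.crt is the OpenVPN CA, certificates it issued to VPN clients pass it too.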
 
 