/ 中存储网

Linux如何使用Apache服务器支持https(ssl)

2014-03-05 12:12:01 来源:kejihao

软件环境

debian 5.0

Apache Httpd 2.0.63 (http://httpd.apache.org )

OpenSSL 0.9.81 (http://www.openssl.org/source )

SSL-Tools (http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz )

安装步骤(所有操作使用root用户进行):

1. OpenSSL

#tar zxvf openssl-0.9.81.tar.gz

#cd openssl-0.9.81

#./config

#make

#make install

此举将安装最新的OpenSSL到/usr/local/ssl目录中,无需理会系统中已有版本的OpenSSL,也不要去卸载它,否则会导致很多的应用程序无法正常执行,例如X窗口无法进入等错误。

2. Apache Httpd

#tar zxvf httpd-2.0.63.tar.gz

#cd httpd-2.0.63

#./configure --prefix=/usr/local/apache/httpd --enable-ssl=static --with-ssl=/usr/local/ssl

#make

#make install

此步骤在/apache/httpd目录中安装httpd服务(通过参数--prefix指定),同时使用--with-ssl指定刚才所安装OpenSSL的路径,用于将mod_ssl静态的编译到httpd服务中。

3.制作证书

我们必须手工来生成SSL用到的证书,对证书不熟悉的人,有一个工具可以使用:http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz  。下面是如何通过这个工具来生成证书的过程:

#cp ssl.ca-0.1.tar.gz /usr/local/apache/httpd/conf

#cd /usr/local/apache/conf

#tar zxvf ssl.ca-0.1.tar.gz

#cd ssl.ca-0.1

#./new-root-ca.sh (生成根证书)

No Root CA key round. Generating one

Generating RSA private key, 1024 bit long modulus

...........................++++++

....++++++

e is 65537 (0x10001)

Enter pass phrase for ca.key: (输入一个密码)

Verifying - Enter pass phrase for ca.key: (再输入一次密码)

......

Self-sign the root CA... (签署根证书)

Enter pass phrase for ca.key: (输入刚刚设置的密码)

........

........ (下面开始签署)

Country Name (2 letter code) [MY]:CN

State or Province Name (full name) [Perak]:GanSu//随你喜欢

Locality Name (eg, city) [Sitiawan]:LanZhou//随你喜欢

Organization Name (eg, company) [My Directory Sdn Bhd]:lzu//随你喜欢

Organizational Unit Name (eg, section) [Certification Services Division]:lzu//随你喜欢

Common Name (eg, MD Root CA) []:dslab//随你喜欢

Email Address []:[email protected]//随你喜欢

这样就生成了ca.key和ca.crt两个文件,下面还要为我们的服务器生成一个证书:

# ./new-server-cert.sh server (这个证书的名字是server)

......

......

Country Name (2 letter code) [MY]:CN

State or Province Name (full name) [Perak]:GanSu

Locality Name (eg, city) [Sitiawan]: LanZhou

Organization Name (eg, company) [My Directory Sdn Bhd]:lzu

Organizational Unit Name (eg, section) [Secure Web Server]:lzu

Common Name (eg, www.domain.com) []:localhost

Email Address []:[email protected]

这样就生成了server.csr和server.key这两个文件。

还需要签署一下才能使用的:

# ./sign-server-cert.sh server

CA signing: server.csr -> server.crt:

Using configuration from ca.config

Enter pass phrase for ./ca.key: (输入上面设置的根证书密码)

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName :PRINTABLE:'CN'

stateOrProvinceName :PRINTABLE:'GanSu'

localityName :PRINTABLE:'LanZhou'

organizationName :PRINTABLE:'lzu'

organizationalUnitName:PRINTABLE:'lzu'

commonName :PRINTABLE:'localhost'

emailAddress  :IA5STRING:[email protected]'

Certificate is to be certified until Jan 19 21:59:46 2011 GMT (365 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

CA verifying: server.crt <-> CA cert

server.crt: OK

下面要按照ssl.conf里面的设置,将证书放在适当的位置。

# chmod 400 server.key

# cd ..

# mkdir ssl.key

# mv ssl.ca-0.1/server.key ssl.key

# mkdir ssl.crt

# mv ssl.ca-0.1/server.crt ssl.crt

然后就可以启动啦!

# cd /usr/local/apache

# ./bin/apachectl startssl

4. 测试HTTP服务

使用浏览器打开地址:https://127.0.0.1   完毕!!