启用ssl
(1)下载ssl.ca-0.1.tar.gz(适合新手使用)到/etc/httpd(Apache2.2.4安装时指定的配置文件目录)
#tar zxvf ssl.ca-0.1.tar.gz
#cd ssl.ca-0.1
生成根证书
#./new-root-ca.sh
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...............................++++++
.......++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (此处要输入一个密码,至少四位)
Verifying - Enter pass phrase for ca.key: (重复以上密码)
Self-sign the root CA...
Enter pass phrase for ca.key: (刚刚输过的密码)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:HeNan
Locality Name (eg, city) [Sitiawan]:Zhengzhou
Organization Name (eg, company) [My Directory Sdn Bhd]:Benet Ltd
Organizational Unit Name (eg, section) [Certification Services Division]:Marion
Common Name (eg, MD Root CA) []:Benet CA
Email Address []:
knightma@yeah.net
如此可以生成ca.key和ca.crt两个文件;其中的省份、公司等内容可以按照你自己的相法来设定。
接下来要为服务器生成一个证书:
# ./new-server-cert.sh server (这个证书的名字是server)
No server.key round. Generating one
Generating RSA private key, 1024 bit long modulus
....++++++
.............++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:HeNan
Locality Name (eg, city) [Sitiawan]:Zhengzhou
Organization Name (eg, company) [My Directory Sdn Bhd]:Benet Ltd
Organizational Unit Name (eg, section) [Secure Web Server]:Marion
Common Name (eg,
www.domain.com) []:localhost
Email Address []:
knightma@yeah.net
You may now run ./sign-server-cert.sh to get it signed
执行结束后生成了server.csr和server.key这两个文件。但它们还需要签署一下才能使用。
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'HeNan'
localityName :PRINTABLE:'Zhengzhou'
organizationName :PRINTABLE:'Benet Ltd'
organizationalUnitName:PRINTABLE:'Marion'
commonName :PRINTABLE:'localhost'
emailAddress :IA5STRING:'
knightma@yeah.net'
Certificate is to be certified until Nov 21 11:58:38 2007 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
(2)接下来要按照/etc/httpd/extra/httpd-ssl.conf里面的设置,将证书放在适当的位置。
#cp ./server.key /etc/httpd
#cp ./server.crt /etc/httpd
#cd ..
#chmod 400 server.key
(3)编辑/etc/httpd/httpd.conf
找到如下一句,将前面的注释#去掉
#Include /etc/httpd/extra/httpd-ssl.conf
而后重启apache即可
#killall -9 httpd
#/usr/local/apache/bin/apachectl start
(4)查看监听端口,确认里面有:443端口
#netstat -tnl
(5)
https://localhost