Common problem analysis of Apache configuration HTTPS protocol

Source: Internet
Author: User
Tags: openssl, x509

To configure HTTPS in Apache:

1. Install Apache and note which OpenSSL version the build ships with. In this example Apache is installed in the C:/apache directory.

2. Generate the server certificate

1) Open a DOS command prompt and change to the Apache/bin directory.

2) On Windows, point OpenSSL at its configuration file first by setting the OPENSSL_CONF environment variable:

    set OPENSSL_CONF=...\conf\openssl.cnf

Make sure openssl.cnf exists at that path before running any OpenSSL command; otherwise OpenSSL prints the warning: Warning: can't open config file: /usr/local/ssl/openssl.cnf.
Note also that Windows treats the .cnf extension as a shortcut file type by default and hides the extension in Explorer, so the file may appear simply as "openssl".

3) Generate the private key file:

    openssl genrsa 1024 > server.key

Description: this runs the RSA key generator with the key length given on the command line (1024 bits here) and writes the key to server.key; > redirects the command output into that file.

This form produces a private key file without a passphrase. The OpenSSL bundled with Apache can also encrypt the key with a passphrase by adding the -des3 parameter:

    openssl genrsa -des3 1024 > server.key

With this command you are prompted to enter and confirm the passphrase while the key is generated. On Windows, however, an encrypted key makes Apache fail to start with the error: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file ...).
The reason is that Apache on Windows cannot prompt for the passphrase at startup, so it does not support encrypted private key files there.
Note: the default RSA key length in the generated certificate is 1024 bits, and the length is normally a power of two. A length of 4096 or more is recommended.

4) Generate the certificate request file:

    openssl req -new -key server.key > server.csr

Description: this uses the key from step 3 to generate the certificate signing request server.csr. The command prompts for a series of fields, which must be entered one by one.

Enter the fields as prompted (the value after each colon is the sample input, followed by its meaning in parentheses):

Country Name (2 letter code) [AU]:CN   (ISO country code; exactly two characters)
State or Province Name (full name) [Some-State]:zj   (province)
Locality Name (eg, city) []:hz   (city)
Organization Name (eg, company) []:Sw_tech   (organization name)
Organizational Unit Name (eg, section) []:sw_tech   (department or unit name)
Common Name (eg, YOUR name) []:kedou.com   (the domain name the certificate is issued for)
Email Address []:admin@admin.com   (administrator mailbox)

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:   (challenge password; may be left empty)
An optional company name []:

Note: the Common Name must match the ServerName in httpd.conf, otherwise Apache will not start. The error message at startup is: RSA server certificate CommonName (CN) 'Kedou' does not match server name!?

5) Sign the server certificate file:

    openssl req -x509 -days 365 -key server.key -in server.csr > server.crt

Description: this uses the key from step 3 and the request from step 4 to generate the certificate server.crt. The -days parameter is the validity period of the certificate in days, and -x509 tells OpenSSL to output an X.509 certificate instead of a certificate request.

A certificate signed this way is suitable only for testing. For real use, the CSR should be sent to a CA, which returns the genuine certificate. Some documents on the web make certificate generation look cumbersome because they first set up their own CA and then use it to sign server.csr.

Use openssl x509 -noout -text -in server.crt to view the contents of the certificate. Note that the certificate contains only the public key; the private key stays in server.key.
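The following script is an added example and not part of the original article: it runs steps 3 to 5 end to end with a 4096-bit key, supplies the request fields with -subj instead of answering the prompts, and then performs the two checks that matter before starting Apache: that the certificate CN equals the intended ServerName (the mismatch Apache reports as "does not match server name") and that server.key really belongs to server.crt. The subject values and the ServerName kedou.com are the sample values from the article; the working directory, function names and the use of openssl x509 -req -signkey (equivalent to the article's req -x509 form) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): key, CSR and self-signed
# certificate for a test Apache HTTPS setup, plus the pre-start checks.
# Assumptions: the openssl CLI is on PATH; files go to WORKDIR (a temp dir by
# default); kedou.com and the subject fields are the article's sample values.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_BITS=4096   # the article recommends 4096 or more over the 1024 default

# Step 3: unencrypted RSA private key. Apache on Win32 cannot prompt for a
# passphrase, so no -des3/-aes256 here; restrict the file's permissions instead.
gen_key() {
    openssl genrsa -out "$WORKDIR/server.key" "$KEY_BITS" 2>/dev/null
}

# Step 4: certificate request with the subject given on the command line
# instead of the interactive prompts. CN must equal Apache's ServerName.
gen_csr() {
    cn="$1"
    openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "/C=CN/ST=zj/L=hz/O=Sw_tech/OU=sw_tech/CN=$cn/emailAddress=admin@admin.com"
}

# Step 5: self-sign the request for 365 days (testing only; for production the
# CSR goes to a CA and the returned certificate is used instead).
self_sign() {
    openssl x509 -req -days 365 -in "$WORKDIR/server.csr" \
        -signkey "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
}

# Extract the CN from the certificate subject, e.g. "kedou.com".
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$WORKDIR/server.crt" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# RSA modulus size of the certificate's public key, in bits.
cert_key_bits() {
    openssl x509 -noout -text -in "$WORKDIR/server.crt" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Compare the certificate CN with the ServerName from httpd.conf; this is the
# check that fails with "does not match server name" when Apache starts.
cn_matches_servername() {
    [ "$(cert_cn)" = "$1" ]
}

# Verify that key and certificate share the same RSA modulus, i.e. the key
# file really is the private half of the certificate's public key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORKDIR/server.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$WORKDIR/server.crt")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run the whole procedure for one ServerName.
build_test_cert() {
    gen_key && gen_csr "$1" && self_sign
}

build_test_cert kedou.com
echo "certificate CN: $(cert_cn)   key size: $(cert_key_bits) bits   files in $WORKDIR"
cn_matches_servername kedou.com && echo "CN matches ServerName kedou.com"
key_matches_cert && echo "server.key matches server.crt"
```

On Windows the same openssl commands are typed in the Apache/bin prompt with the paths adjusted; the checks are worth running there too, since a CN that differs from ServerName (for example www.kedou.com against kedou.com) or a key copied from a different certificate both surface only as an Apache startup failure.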


3. Configure httpd.conf

Open httpd.conf and remove the comment character (#) from these two lines:

    Include conf/extra/httpd-ssl.conf
    LoadModule ssl_module modules/mod_ssl.so

Open httpd-ssl.conf and modify the following:

    <VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile ../bin/server.crt
    SSLCertificateKeyFile ../bin/server.key
    #SSLCertificateChainFile ../bin/ca.crt
    # (temporarily not enabled)
    #......
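The fragment above shows only the certificate directives. The block below is an added example, not the article's own configuration, of a complete virtual host for the certificate generated in section 2; it assumes Apache 2.4 with ServerRoot C:/apache and the files in C:/apache/bin (paths are relative to ServerRoot), and adds the protocol and cipher settings a practitioner would set alongside the certificate.

```apache
# Added example (not from the original article). Assumes Apache 2.4,
# ServerRoot C:/apache, server.crt and server.key in C:/apache/bin,
# and ServerName kedou.com, which must equal the certificate CN.
Listen 443
<VirtualHost _default_:443>
    ServerName kedou.com:443
    DocumentRoot "C:/apache/htdocs"

    SSLEngine on
    # Unencrypted key: Apache on Windows cannot prompt for a passphrase,
    # so protect this file with filesystem permissions instead.
    SSLCertificateFile    "bin/server.crt"
    SSLCertificateKeyFile "bin/server.key"
    # Enable once a CA-issued certificate with an intermediate chain is used:
    #SSLCertificateChainFile "bin/ca.crt"

    # Weak default would be "SSLProtocol all"; drop SSLv3 and TLS 1.0/1.1.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
</VirtualHost>
```

Apache reads a relative SSLCertificateFile path from ServerRoot, so "bin/server.crt" resolves to C:/apache/bin/server.crt. From Apache 2.4.8 onward the intermediate certificates can simply be appended to the file named by SSLCertificateFile, and SSLCertificateChainFile is deprecated; it is kept here commented out to mirror the article's fragment.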
