Apache SSL server Configuration SSL detailed _linux

1. Install the necessary software
Reference
I am using the apahce2.0.61 version, which can be directly officially supplied by the binding OpenSSL Apache.
The filename is: Apache_2.0.61-win32-x86-openssl-0.9.7m.msi

Otherwise, a separate installation of Windows under the OpenSSL more trouble, either find a third-party compilation results, or compile their own

2. Generate Server Certificate
Reference
Installed in the bin directory there is a Openssl.exe file to generate certificates and keys.
1. The private key file used by the build server Server.key
Enter conf directory, execute command line
OpenSSL genrsa-out Server.key 1024

A document indicates that the private key file is generated using OpenSSL genrsa-des3-out Server.key 1024, so that the generated private key file requires a password.
Apache failed to start, error prompt: Init:sslpassphrasedialog builtin is isn't supported on Win32 (key file ...)
The reason is that Apache under window does not support encrypted private key files.

2. Generate unsigned SERVER.CSR
Enter conf directory, execute command line
OpenSSL req-new-key server.key-out server.csr-config openssl.cnf
Prompt to enter a series of parameters,
......
Country Name (2 letter code) [AU]:
State or province Name (full name) [Some-state]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet widgits Pty LTD]:
Organizational unit Name (eg, section) []:
Common name (eg, YOUR name) []:
Email Address []:
.....
Note: Common name must be consistent with server name in httpd.conf, otherwise Apache will not start
When you start Apache, the error message is: RSA server certificate commonname (CN) ' Koda ' does not match server name!?

3). Signing Server certificate file Server.crt
Enter conf directory, execute command line
OpenSSL x509-req-days 365-in server.csr-signkey server.key-out server.crt

The above signed certificate is only for testing purposes, when the real run, the CSR should be sent to a CA to return the real book. Some documents on the Web the process of generating a certificate file is cumbersome because
They set up a CA center certificate of their own and then sign SERVER.CSR.

Use OpenSSL x509-noout-text-in server.crt to view the contents of the certificate. The certificate actually contains the public Key.

3. Configure httpd.conf.
Reference
The ssl.conf file in the Conf directory is about SSL configuration and is part of the httpd.conf.
A 443 virtual host configuration entry was found, as follows:
<virtualhost _default_:443>
Sslengine on
Sslcertificatefile CONF/SSL.CRT/SERVER.CRT
Sslcertificatekeyfile Conf/ssl.key/server.key
#SSLCertificateChainFile CONF/SSL.CRT/CA.CRT//temporarily not enabled
#......
DocumentRoot "C:/programs/apache2/htdocs"
ServerName www.my.com:443
</VirtualHost>
1. See sslcertificatefile,sslcertificatekeyfile Two configuration items, so you should create two subdirectories under Conf ssl.crt, Ssl.key, and then the signed certificate file (. crt) and private key file (. Key ) in the appropriate directory
2. See Documentroot,servername configuration items, servername modified to any you want the domain name, note: The previous generation. The common name entered in the CSR must be consistent with the ServerName item here.
When you start Apache, accessing https://www.my.com will access the contents of the C:/programs/apache2/htdocs directory.
But if you want to keep access to other directories that are still HTTP, then you should put
<virtualhost _default_:443> also changed to <virtualhost www.my.com:443>
At this point, even if the servername is arbitrary, the system is still operating normally, only Apache log prompts "does not match server name"
3). Remove Comment Line
LoadModule Ssl_module modules/mod_ssl.so

Note that the ssl.conf configuration is in the label <ifdefine ssl>, so in order for the Ifdefine command to be valid, the-D SSL parameter is added when running Apache.

Reference
Apache-d ssl-k Start