Apache bidirectional HTTPS SSL authentication configuration

Source: Internet
Author: User

Attention:

If OpenSSL reports an error saying it cannot find the openssl.cnf file, you can download one online and then use -config openssl.cnf to specify the location of this configuration file, or put the file in the location named in the error message.

1. Generate the key for the root certificate. 1024 is the RSA key length in bits; it must be a power of 2, and 1024 is generally enough.

openssl genrsa -out ca.key 1024

2. Generate a CSR (certificate signing request) using the root certificate key that you just generated. You will be asked to fill in information about the request.

openssl req -new -key ca.key -out ca.csr

There are two entries to note: the Common Name (the certificate authority's name) and the challenge password (remember it).

3. Use the CSR and key just generated to create our root certificate. The -days parameter specifies the number of days the certificate is valid.

openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

Generate the server certificate in the same way.

1. First generate the key

openssl genrsa -out server.key 1024

2. Then use the key to generate a CSR. In this step the Common Name must be the site's domain name.

openssl req -new -key server.key -out server.csr

3. Generate the server certificate

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Issue the client certificate. The .p12 file generated in the last step is the one to install on the client.

1. Generate the client key

openssl genrsa -out client.key 1024

2. Use the key to generate a CSR. In this step the Common Name must not be the site's domain name: this is the client's certificate, and if it is the same as the server certificate, validation will fail.

openssl req -new -key client.key -out client.csr

3. Generate the client certificate, signed with the root certificate that was generated first.

openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt

4. Build the certificate file for installation on the client. This step asks for an export password, which must be entered when the certificate is installed on the client.

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Now for the Apache configuration.

The first step is to load the SSL module in the Apache configuration file.

LoadModule ssl_module modules/mod_ssl.so

Then load the SSL configuration file as well. If you do not have this configuration file, you can download one online.

Include conf/extra/httpd-ssl.conf

Then edit the httpd-ssl.conf file, find the following directives, and change their values to match the paths on your own system.

DocumentRoot "E:\VertrigoServ\www"

# Change localhost to the site's domain name

ServerName localhost:443

ErrorLog "E:/vertrigoserv/apache/logs/error.log"

TransferLog "E:/vertrigoserv/apache/logs/access.log"

SSLEngine on

# The files below are the ones we just generated with OpenSSL; change the paths to your own

SSLCertificateFile "E:/vertrigoserv/apache/conf/server.crt"

SSLCertificateKeyFile "E:/vertrigoserv/apache/conf/server.key"

SSLCACertificateFile "E:/vertrigoserv/apache/conf/ca.crt"
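
The directives above tell Apache which CA to trust for client certificates, but none of them asks the client for one; mod_ssl's default is SSLVerifyClient none. The block below is an added example, not part of the original page: the resulting virtual host with client verification enforced and logged, using the paths from this page (the ssl_client.log file name is an assumption).

```apache
# Added example, not the page's own configuration.
# Paths and certificate file names are the ones used on this page;
# ssl_client.log is an assumed log file name.
<VirtualHost _default_:443>
    DocumentRoot "E:/VertrigoServ/www"
    ServerName localhost:443

    SSLEngine on
    SSLCertificateFile    "E:/vertrigoserv/apache/conf/server.crt"
    SSLCertificateKeyFile "E:/vertrigoserv/apache/conf/server.key"

    # Trust anchor for client certificates: only certificates that
    # chain to ca.crt pass verification.
    SSLCACertificateFile  "E:/vertrigoserv/apache/conf/ca.crt"

    # Without this directive mod_ssl never requests a client certificate
    # and the site stays one-way (server-only) TLS.
    SSLVerifyClient require

    # client.crt is signed directly by ca.crt, so a depth of 1 is enough
    # and keeps longer chains from being accepted.
    SSLVerifyDepth 1

    # Record who authenticated: the verification result and the subject DN
    # of the client certificate for every request.
    CustomLog "E:/vertrigoserv/apache/logs/ssl_client.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_S_DN}x\" \"%r\" %>s"
</VirtualHost>
```

With this in place, a request from a browser that has not imported client.p12 is rejected instead of served, and each accepted request is logged with the certificate subject.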

Restart Apache when finished.
