apache1.3.27+mod_ssl+ Custom SSL Certificate

Absolute blue screen [Ihweb] (Huanghuatong) <ihweb@cnfug.org>

Apache 1.3.27+mod_ssl+ Custom SSL Certificate in my first article I introduced the use of FreeBSD ports to install easy, can more users use the OS FreeBSD or want to download their own original code to compile the installation. The following is the process by which the author compiles and installs the Apache 1.3.27+mod_ssl step by step under the FreeBSD 4.8 stable platform.

1, download the required installation package

FBSD# pwd
/tmp/install
FBSD# fetch http://httpd.apache.org/dist/httpd/apache_1.3.27.tar.gz
FBSD# fetch ftp://ftp.modssl.org/source/mod_ssl-2.8.14-1.3.27.tar.gz
FBSD# fetch ftp://ftp.openssl.org/source/openssl-0.9.7a.tar.gz
FBSD# ls –lA
-rw-r--r-- 1 root wheel 2306052 10 4 2002 apache_1.3.27.tar.gz
-rw-r--r-- 1 root wheel 754179 3 21 22:21 mod_ssl-2.8.14-1.3.27.tar.gz
-rw-r--r-- 1 root wheel 2776582 2 19 22:12 openssl-0.9.7a.tar.gz

2. Installation OpenSSL

OpenSSL is a necessary package for mod_ssl

FBSD# tar zxvf openssl-0.9.7a.tar.gz
FBSD# cd openssl-0.9.7a
FBSD# ./config（请看清楚，不是一般的configure 他自己的是config）
FBSD# makeWhen make is successful, the OpenSSL is installed.

3. Configure the Mod_ssl into Apache

fbsd# pwd
/tmp/install
fbsd# Tar zxvf mod_ssl-2.8.14-1.3.27.tar.gz
fbsd# Tar zxvf apache_1.3.27.tar.gz
fbsd# Ls–la
Drwxr-xr-x 8 1078 1078 7 13:09 apache_1.3.27
-rw-r--r--1 root Wheel 2306052 4 2002 apache_1.3.27.tar.gz
Drwxr-xr-x root Wheel 7 13:06 mod_ssl-2.8.14-1.3.27
-rw-r--r--1 root Wheel 754179 3 22:21 mod_ssl-2.8.14-1.3.27.tar.gz
Drwxr-xr-x Root Wheel 1024 7 13:05 openssl-0.9.7a
-rw-r--r--1 root Wheel 2776582 2 22:12 openssl-0.9.7a.tar.gz
fbsd# CD Mod_ssl-2. 8.14-1.3.27
fbsd#./configure--with-apache=. /apache_1.3.27--with-ssl=. /openssl-0.9.7a--prefix=/usr/local/apache
Configuring mod_ssl/2.8.14 for apache/1.3.27
+ Apache Location:. /apache_1.3.27 (Version 1.3.27)
+ OpenSSL Location:. /openssl-0.9.7a
+ Auxiliary Patch tool:./etc/patch/patch (local)
..........
Now proceed with the following commands:
$ cd ... /apache_1.3.27
$ make
$ make Certificate
$ make Install
fbsd#When you see the above things, Mod_ssl has been added to the Apache source code, according to the hint should be directly to the apache_1.3.27 to compile the following can be used Apache, but I found that the compiled Apache does not have Dynamic module loading (DSO) function, then, your apache1.3.27 only have static Web features (of course, you can also use Perl to write CGI program to achieve dynamic Web pages) in fact, DSO has a lot of benefits, such as you can install PHP ... Wait

4. Compile and install Apache 1.3.27

Just mentioned why we do not follow the instructions, it is because we want to compile the Apache 1.3.27 into DSO mode. If you simply want to compile the static mode, make it directly in the Apache 1.3.27 directory.

Here is the Apache 1.3.27 compiled into DSO mode.

FBSD# ./configure --prefix=/usr/local --enable-module=so --enable-module=ssl（--enable-module=ssl 这个很重要，就是要加如mod_ssl 模块）
…
…
FBSD# make
….
To this end, Apache 1.3.27+mod_ssl has been compiled and the following is the build CA certificate.

fbsd# Make Certificate
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, all Rights Reserved.
Generating test certificate signed by Snake oil CA [test]
Warning:do not to real-life/production systems
______________________________________________________________________
Step 0:decide the signature algorithm used for certificate
The generated X.509 CA certificate can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature algorithm ((r) SA or (D) SA) [R]:R(select Encryption method)
______________________________________________________________________
Step 1:generating RSA Private key (1024 bit) [Server.key]
4493119 semi-random bytes Loaded
Generating RSA private key, 1024 bit long modulus
.. ++++++
...........................................................................++++++
E is 65537 (0x10001)
______________________________________________________________________
Step 2:generating X.509 Certificate signing request [SERVER.CSR]
are about to is asked to enter information that would be incorporated
into your certificate request.
What you are about to enter the What is called a distinguished Name or a DN.
There are quite a few fields but you can leave some
For some fields there would be a default value,
If you enter '. ', the field would be left blank.
-----
1. Country Name (2 letter code) [XY]:CN
2. State or province Name (full name) [Snake Desert]:Guang Dong
3. Locality Name (eg, city) [Snake Town]:Guang Zhou
4. Organization Name (eg, company) [Snake Oil, LTD]:kingisme.com Xbsd Studio
5. Organizational unit Name (eg, section) [Webserver team]:cnfug.org
6. Common Name (eg, FQDN) [Www.snakeoil.dom]:www.cnfug.org
7. Email address (eg, name@fqdn) [Www@snakeoil.dom]:ihweb@cnfug.org
8. Certificate validity (days) [365]:365
______________________________________________________________________
Step 3:generating X.509 certificate signed by Snake oil CA [SERVER.CRT]
Certificate Version (1 or 3) [3]:3
Signature OK
Subject=/c=cn/st=guang Dong/l=guang zhou/o=kingisme.com Xbsd studio/ou=cnfug.org/cn=www.cnfug.org/emailaddress= ihweb@cnfug.org
Getting CA Private Key
Verify:matching Certificate & Key Modulus
Verify:matching Certificate Signature
.. /CONF/SSL.CRT/SERVER.CRT:/c=xy/st=snake desert/l=snake town/o=snake Oil, ltd/ou=certificate Authority/CN=Snake oil CA /emailaddress=ca@snakeoil.dom
Error 1 Depth lookup:certificate has expired
Ok
______________________________________________________________________
Step 4:enrypting RSA private key with a pass phrase for security [Server.key]
The contents of the Server.key file (the generated private key) has to IS
Kept secret. So we strongly recommend you to encrypt the Server.key file
With a triple-des cipher and a pass Phrase.
Encrypt the private key now? [y/n]:N
Warning, you ' re using a unencrypted RSA private key.
Please notice this fact and does this on your own risk.
______________________________________________________________________
Result:server Certification Files
o Conf/ssl.key/server.key
The pem-encoded RSA private key file which you configure
With the ' sslcertificatekeyfile ' Directive (automatically) done
When you install via Apaci). KEEP this FILE private!
o CONF/SSL.CRT/SERVER.CRT
The pem-encoded X.509 certificate file which you configure
With the ' sslcertificatefile ' Directive (automatically) done
When you install via Apaci).
o CONF/SSL.CSR/SERVER.CSR
The pem-encoded X.509 certificate signing request file which
You can send to a official certificate authority (CA) in order
To request a real server certificate (signed by this CA instead
Our demonstration-only Snake oil CA) which later can replace
The Conf/ssl.crt/server.crt file.
Warning:do not to real-life/production systems
fbsd#