Build an https server using Linux + Apache + OpenSSL (two-way authentication)




This article sets up SSL (Secure Sockets Layer) certificate services with Linux + Apache + OpenSSL in order to provide secure HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) service, including two-way (client certificate) authentication.

Install SSL

1. Install OpenSSL

tar -zxvf openssl-0.9.8a.tar.gz

cd openssl-0.9.8a

./config

make

make install

OpenSSL is now installed in the /usr/local/ssl directory.

2. Install Apache

tar -zxvf httpd-2.0.55.tar.gz

cd httpd-2.0.55

./configure --prefix=/usr/local/apache --enable-ssl --enable-rewrite --enable-so --with-ssl=/usr/local/ssl

make

make install

Apache is now installed in the /usr/local/apache directory.

The above is the source installation; the simplest method is to install from RPM packages. Install the Apache RPM first and then the OpenSSL RPM, and OpenSSL is installed into the Apache directory automatically.

Certificates explained

An SSL certificate can be issued by yourself, or you can send a certificate request to a third-party CA (Certification Authority) and have the certificate issued there.

An SSL deployment involves the following certificates:

1. CA certificate, also called the root certificate or second-level certificate. For one-way HTTPS authentication the CA certificate is optional. Its purpose is to form a certificate chain so that the browser trusts the certificate. If a CA certificate is used, both the server certificate and the client certificate are signed with it. If the CA certificate is not installed in the browser, the browser treats the connection as untrusted by default.

2. Server certificate. Required. Generate the server private key, generate the certificate signing request (CSR) file from it, and then sign the server certificate with the CA certificate.

3. Client certificate. Optional. With a client certificate the HTTPS connection uses two-way authentication; without one it uses one-way authentication. It is generated in the same way as the server certificate.

All of the certificates below can be created by yourself. In commercial use you generate the server or client private key and the CSR yourself, and submit the CSR to a third-party institution, which issues the server certificate or client certificate signed by its CA certificate.

Generate certificates

Use the CA.sh tool provided by OpenSSL to sign the certificates. Keep the certificates in the /usr/local/apache2/conf/ssl.crt directory and copy the tool there:

cp /usr/share/ssl/misc/CA.sh /usr/local/apache2/conf/ssl.crt

1. CA certificate (root certificate / second-level certificate)

It is issued by a CA. It is required for two-way authentication and optional otherwise. With a CA certificate a certificate chain is formed so that the browser trusts your certificate: the CA certificate is used to sign the server and client certificates, and that is what earns the browser's trust.

Generate the CA certificate:

./CA.sh -newca

Press Enter to create a new CA, enter the passphrase that protects the CA private key, and fill in the certificate details:

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Guangdong

Locality Name (eg, city) []:Shenzhen

Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX

Organizational Unit Name (eg, section) []:XXX

Common Name (eg, your name) []:

Email Address []:

Using the host name as the Common Name is a good choice. This name must match the URL under which the browser visits your website; otherwise the user sees that the Common Name in your server certificate does not match the site name and will doubt the authenticity of your certificate. The Common Name of the server certificate and of the client certificate must differ from that of the CA.

Result: demoCA/private/cakey.pem is the private key of the CA certificate, and demoCA/cacert.pem is the CA certificate.

This creates a CA with the root certificate private key cakey.pem and the root certificate cacert.pem; cacert.pem can now be used to sign the server certificate or client certificates.

Rename the CA certificate and key:

cp demoCA/private/cakey.pem ca.key

cp demoCA/cacert.pem ca.crt

ca.key is the second-level certificate private key and ca.crt is the second-level certificate.

2. Server certificate

a) Generate the server private key

openssl genrsa -des3 -out server.key 1024

Enter the passphrase that encrypts the key. The key is generated with the 128-bit RSA algorithm and written to the file server.key.

b) Generate the server certificate signing request (CSR)

openssl req -new -key server.key -out server.csr

A CSR (Certificate Signing Request) is a request to have a certificate signed. Before applying for a certificate you must first create a CSR on the web server and submit it to the CA certification center; the CA can then issue an SSL server certificate to you. You can think of the CSR as the certificate you generated on your own server. The CSR prompts are as follows:

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:Guangdong

Locality Name (eg, city) []:Shenzhen

Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX

Organizational Unit Name (eg, section) []:XXX

Common Name (eg, your name) []:

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Enter the host name as the Common Name; it must differ from the CA's Common Name.

c) Generate the server certificate

If you do not sign with the CA certificate, use the following command:

openssl req -x509 -days 1024 -key server.key -in server.csr > server.crt

This uses the server key and the certificate request to generate the certificate server.crt. The -days parameter sets the validity period of the certificate in days. In commercial use the server certificate is issued by a third-party certification organization.

If you sign with the CA certificate, use the CA.sh tool provided by OpenSSL to generate the server certificate:

mv server.csr newreq.pem

./CA.sh -sign

mv newcert.pem server.crt

After signing, run the following command to inspect the contents of the server certificate:

openssl x509 -noout -text -in server.crt

Run the following command to verify the server certificate against the CA certificate:

openssl verify -CAfile ca.crt server.crt

3. Client certificate

The client certificate is optional. With a client certificate the HTTPS connection uses two-way authentication; without one it uses one-way authentication.

a) Generate the client private key

openssl genrsa -des3 -out client.key 1024

b) Generate the client certificate signing request

openssl req -new -key client.key -out client.csr

c) Generate the client certificate (signed with the CA certificate)

openssl ca -in client.csr -out client.crt

d) Convert the certificate to a format the browser can import

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx

4. Certificate list

With two-way authentication there are three private keys and three certificates: ca.key, ca.crt, server.key, server.crt, client.key and client.crt, plus client.pfx for the browser.

For one-way authentication with a CA certificate, the certificates and private keys are ca.key, ca.crt, server.key and server.crt.

For one-way authentication without a CA certificate, the certificate and private key are server.key and server.crt.
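As an added example (not code from the article and not OpenSSL's CA.sh), the following script performs the four steps above non-interactively with plain openssl commands and then runs the checks that belong after them: that the server and client certificates chain to ca.crt and not to an unrelated CA, that each is usable only for its intended TLS role (extendedKeyUsage serverAuth versus clientAuth, which a default CA.sh signing does not add), and that server.key really belongs to server.crt. The subjects, the host name www.example.test, the passphrase and the file layout under a temporary directory are constructed assumptions, and the keys are 2048 bits rather than the article's 1024.

```shell
#!/bin/sh
# Added example, not part of the original article: the certificate procedure of
# sections 1 to 4 (CA, server certificate, client certificate, PKCS#12 export)
# done non-interactively with plain openssl commands instead of CA.sh, followed
# by the verification checks an operator would run before deploying. All names,
# subjects and the passphrase are constructed placeholders.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
PASS="pass:example-passphrase"     # constructed passphrase for the -des3 keys

# Minimal req config: no prompts, and the CA gets explicit CA:TRUE constraints
# so that "openssl verify" (and mod_ssl) accept it as an issuer.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# 1. CA certificate: ca.key / ca.crt (what the article renames from demoCA/)
openssl genrsa -des3 -passout "$PASS" -out ca.key 2048 2>/dev/null
openssl req -new -x509 -days 1024 -config req.cnf -key ca.key -passin "$PASS" \
    -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Example/CN=Example Root CA" -out ca.crt

# Key, CSR and CA-signed certificate for one subject.
# $1 = file prefix (server or client), $2 = Common Name, $3 = extension file
issue_cert() {
    openssl genrsa -des3 -passout "$PASS" -out "$1.key" 2048 2>/dev/null
    openssl req -new -config req.cnf -key "$1.key" -passin "$PASS" \
        -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Example/CN=$2" -out "$1.csr"
    openssl x509 -req -days 365 -in "$1.csr" -CA ca.crt -CAkey ca.key \
        -passin "$PASS" -CAcreateserial -extfile "$3" -out "$1.crt" 2>/dev/null
}

# Leaf extensions: the server certificate is only good for TLS servers, the
# client certificate only for TLS clients, and neither may act as a CA.
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > server.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext

# 2. and 3. server and client certificates (Common Names differ from the CA's)
issue_cert server www.example.test server.ext
issue_cert client alice client.ext

# 3d. PKCS#12 bundle of client certificate and key for import into the browser
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
    -passin "$PASS" -passout "$PASS" -out client.pfx

# An unrelated CA, used only to show that verification is not a formality.
openssl req -new -x509 -nodes -days 1 -newkey rsa:2048 -config req.cnf \
    -keyout other.key -subj "/CN=Other CA" -out other.crt 2>/dev/null

# Checks. Each returns 0 on success and non-zero on failure.
# Does the certificate chain to the given CA file? (the article's openssl verify)
verify_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Is the certificate acceptable for the given purpose (sslserver / sslclient)?
verify_purpose() { openssl verify -purpose "$1" -CAfile ca.crt "$2" >/dev/null 2>&1; }
# Do the private key and the certificate carry the same RSA modulus?
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" -passin "$PASS")
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

verify_against_ca ca.crt server.crt && echo "server.crt chains to ca.crt"
verify_against_ca ca.crt client.crt && echo "client.crt chains to ca.crt"
verify_against_ca other.crt server.crt || echo "server.crt rejected under other.crt (expected)"
verify_purpose sslserver client.crt || echo "client.crt refused as a server certificate (expected)"
key_matches_cert server.key server.crt && echo "server.key matches server.crt"
```

The purpose checks are the same ones mod_ssl applies: a browser rejects a server certificate whose extendedKeyUsage lacks serverAuth, and the server rejects a client certificate that is not marked clientAuth, so testing both with `openssl verify -purpose` before deployment avoids a handshake failure that is hard to diagnose from the browser side.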

Configure the certificates

The standard Apache approach is to put the extended configuration of each function in its own conf file and include it from httpd.conf (for example, PHP-related configuration goes in php.conf and the SSL configuration in ssl.conf). The benefit is that the configuration is easy to manage and change, and httpd.conf stays easy to read.

1. Configure httpd.conf

Include conf/ssl.conf

2. Configure ssl.conf

The main items are the certificate paths and the authentication policy:

# HTTPS port (Apache accepts comments only on their own lines, not after a directive)
Listen 443

SSLRandomSeed startup builtin

SSLPassPhraseDialog builtin

SSLSessionCache dbm:logs/ssl_scache

SSLSessionCacheTimeout 300

SSLMutex default



# DirectoryIndex digitalidcenter.htm

ServerName 443

ErrorLog logs/443-error_log

CustomLog /usr/local/apache2/logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

LogLevel info

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# server certificate path
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt

# server certificate private key path
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key

# CA second-level certificate path (certificate chain)
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt

# client certificate directory (used only for two-way authentication)
SSLCACertificatePath /usr/local/apache2/conf/ssl.crt

# client certificate path (used only for two-way authentication)
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/client.crt

# require the client to present an SSL certificate
SSLVerifyClient require

SSLVerifyDepth 10

For more information about the mod_ssl configuration options, see the Apache mod_ssl documentation.

3. Start Apache

./apachectl startssl

You can modify the apachectl script so that Apache is launched with SSL enabled by the plain start command. The relevant part of the apachectl script is:

start|stop|restart|graceful)
    $HTTPD -k $ARGV
    ERROR=$?
    ;;
startssl|sslstart|start-SSL)
    $HTTPD -k start -DSSL
    ERROR=$?
    ;;

Change it to:

stop|graceful)
    $HTTPD -k $ARGV
    ERROR=$?
    ;;
restart)
    killall -9 httpd
    $HTTPD -k start -DSSL
    ;;
start|startssl|sslstart|start-SSL)
    $HTTPD -k start -DSSL
    ERROR=$?
    ;;


At startup you must enter the passphrase of server.key. You can instead store a decrypted copy of the server private key so that no passphrase is needed on restart:

openssl rsa -in server.key -out my-server.key

chmod 400 server.key

Then change the setting in ssl.conf:

# path of the decrypted server certificate private key
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/my-server.key
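As an added example, not part of the article or of Apache, here is a pre-flight lint for the ssl.conf fragment above and for the decrypted my-server.key step. Two of the points it catches are worth knowing when following the article: Apache does not allow a comment after a directive's arguments (a line such as `SSLEngine on # switch` hands `#` and `switch` to the directive, and httpd refuses to start), and for two-way authentication mod_ssl verifies the client certificate presented in the handshake against the CA certificates in SSLCACertificateFile or SSLCACertificatePath, so that file is expected to hold the issuing CA certificate (ca.crt) rather than the client certificate itself. The lint also checks that the key belongs to the certificate and that a decrypted key is readable only by its owner, since it is the unencrypted copy (my-server.key) that the `chmod 400` needs to cover. The ServerRoot under a temporary directory, the test certificates and the check functions are this example's own constructions; it assumes Linux coreutils (`stat -c`).

```shell
#!/bin/sh
# Added example, not part of the original article: a pre-flight lint for the
# ssl.conf fragment and the decrypted server key (my-server.key) described
# above. It builds a throw-away ServerRoot with constructed test certificates,
# writes one ssl.conf in the article's trailing-"# comment" style and one
# cleaned-up version, and checks both. The check functions are this example's
# own, not Apache's; file paths are relative to the ServerRoot as in the article.
set -e

ROOT="${ROOT:-$(mktemp -d)}"        # stands in for /usr/local/apache2
mkdir -p "$ROOT/conf/ssl.crt" "$ROOT/logs"
cd "$ROOT/conf/ssl.crt"

# Constructed test CA (CA:TRUE) and a non-CA server certificate (CA:FALSE).
cat > test.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf_ext]
basicConstraints = CA:FALSE
EOF
openssl req -new -x509 -nodes -days 1 -newkey rsa:2048 -config test.cnf \
    -keyout ca.key -out ca.crt 2>/dev/null
# server.key is passphrase-protected like the article's "genrsa -des3" key;
# my-server.key is the decrypted copy, readable by its owner only.
openssl req -new -x509 -days 1 -newkey rsa:2048 -passout pass:example \
    -config test.cnf -extensions leaf_ext -subj "/CN=www.example.test" \
    -keyout server.key -out server.crt 2>/dev/null
openssl rsa -in server.key -passin pass:example -out my-server.key 2>/dev/null
chmod 400 my-server.key
cd "$ROOT"

# ssl.conf as the article shows it: comments after the arguments, the
# encrypted key, and SSLCACertificateFile pointing at a leaf certificate.
cat > conf/ssl-bad.conf <<'EOF'
SSLEngine on
SSLCertificateFile conf/ssl.crt/server.crt # server certificate path
SSLCertificateKeyFile conf/ssl.crt/server.key # server certificate private key path
SSLCACertificateFile conf/ssl.crt/server.crt # client certificate path
SSLVerifyClient require
SSLVerifyDepth 10
EOF
# The same fragment cleaned up.
cat > conf/ssl-good.conf <<'EOF'
SSLEngine on
# server certificate and its decrypted private key
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.crt/my-server.key
# CA that issued the client certificates (two-way authentication)
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
EOF

# First argument of directive $2 in file $1 (empty if absent).
directive_arg() { awk -v d="$2" 'tolower($1)==tolower(d) {print $2; exit}' "$1"; }

# Lint one ssl.conf fragment: prints each finding, returns 1 if there was any.
lint_ssl_conf() {
    conf="$1"; bad=0
    # 1. Apache has no trailing comments: "SSLEngine on # x" passes "#" and "x" as arguments.
    if grep -nE '^[[:space:]]*[^#[:space:]][^#]*#' "$conf"; then
        echo "finding: trailing # comments above are passed to the directives as arguments"; bad=1
    fi
    # 2. every referenced certificate or key file must exist under ServerRoot
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile SSLCACertificateFile; do
        f=$(directive_arg "$conf" "$d")
        if [ -n "$f" ] && [ ! -f "$f" ]; then echo "finding: $d -> $f does not exist"; bad=1; fi
    done
    # 3. the key must belong to the certificate; a decrypted key must not be readable by others
    cert=$(directive_arg "$conf" SSLCertificateFile); key=$(directive_arg "$conf" SSLCertificateKeyFile)
    if [ -f "$cert" ] && [ -f "$key" ]; then
        if grep -q ENCRYPTED "$key"; then
            echo "finding: $key is passphrase-protected; httpd will prompt at every start"; bad=1
        else
            [ "$(openssl rsa -noout -modulus -in "$key")" = "$(openssl x509 -noout -modulus -in "$cert")" ] \
                || { echo "finding: $key does not belong to $cert"; bad=1; }
            case $(stat -c %a "$key") in 400|600) ;; *) echo "finding: $key must be mode 400 or 600"; bad=1;; esac
        fi
    fi
    # 4. two-way authentication needs a CA certificate to verify client certificates against
    vc=$(directive_arg "$conf" SSLVerifyClient); ca=$(directive_arg "$conf" SSLCACertificateFile)
    case "$vc" in
    require|optional)
        if [ -z "$ca" ] && [ -z "$(directive_arg "$conf" SSLCACertificatePath)" ]; then
            echo "finding: SSLVerifyClient $vc without SSLCACertificateFile or SSLCACertificatePath"; bad=1
        elif [ -f "$ca" ] && ! openssl x509 -noout -text -in "$ca" | grep -q 'CA:TRUE'; then
            echo "finding: SSLCACertificateFile $ca is not a CA certificate"; bad=1
        fi ;;
    esac
    return $bad
}

lint_ssl_conf conf/ssl-good.conf && echo "ssl-good.conf: no findings"
lint_ssl_conf conf/ssl-bad.conf  || echo "ssl-bad.conf: rejected"
```

Run against a real ServerRoot by setting ROOT and pointing `lint_ssl_conf` at the live conf/ssl.conf; the only Apache-specific parsing it does is taking the first argument of each directive, which is all that the file-path and SSLVerifyClient checks need.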


