Configuration record of apache + openssl in linux
I recently studied the Apache-SSL configuration on Linux and am writing this configuration down carefully. Please excuse a new user posting a blog.
Software Environment
Apache Httpd 2.2.29 (http://httpd.apache.org)
OpenSSL 1.0.1h (http://www.openssl.org/source)
SSL-Tools (http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz)
1. OpenSSL
# tar zxvf openssl-1.0.1h.tar.gz
# cd openssl-1.0.1h
# ./config
# make
# make install
This installs the new OpenSSL into the /usr/local/ssl directory, alongside whatever version of OpenSSL the system already has. Do not uninstall the existing system OpenSSL: many applications depend on it and would fail to run normally (for example, the X window system becoming inaccessible).
2. Apache Httpd
# tar zxvf httpd-2.2.29.tar.gz
# cd httpd-2.2.29
# ./configure --prefix=/usr/local/apache/httpd --enable-ssl=static --with-ssl=/usr/local/ssl
# make
# make install
This step installs the httpd service into /usr/local/apache/httpd (the directory given by the --prefix parameter). --with-ssl points at the OpenSSL installation from the previous step, and --enable-ssl=static compiles mod_ssl statically into the httpd binary.
3. Create a certificate
We must generate the certificate used by SSL ourselves. For anyone not familiar with certificates there is a helper tool: http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz. The following describes how to generate a certificate with this tool:
# cp ssl.ca-0.1.tar.gz /usr/local/apache/httpd/conf
# cd /usr/local/apache/httpd/conf
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
# ./new-root-ca.sh (generate the root certificate)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...
... ++
E is 65537 (0x10001)
Enter pass phrase for ca.key: 12345 (enter a password)
Verifying - Enter pass phrase for ca.key: 12345 (enter the password again)
......
Self-sign the root CA... (sign the root certificate)
Enter pass phrase for ca.key: 12345 (enter the password you just set)
........
...... (Signing starts below)
Country Name (2 letter code) [MY]: CN
State or Province Name (full name) [Perak]: SD // whatever you like
Locality Name (eg, city) [Sitiawan]: QD // whatever you like
Organization Name (eg, company) [My Directory Sdn Bhd]: GX // whatever you like
Organizational Unit Name (eg, section) [Certification Services Division]: GX // whatever you like
Common Name (eg, MD Root CA) []: gaoxin.com // whatever you like
Email Address []: 12345@163.com // whatever you like
This produces the files ca.key and ca.crt. Next, generate a certificate request for our server:
# ./new-server-cert.sh server (the certificate name is "server")
......
......
Country Name (2 letter code) [MY]: CN
State or Province Name (full name) [Perak]: SD
Locality Name (eg, city) [Sitiawan]: QD
Organization Name (eg, company) [My Directory Sdn Bhd]: GX
Organizational Unit Name (eg, section) [Secure Web Server]: GX
Common Name (eg, www.domain.com) []: gaoxiaoit.com (must be different from the preceding one; otherwise, an error is returned)
Email Address []: 123456@163.com
This produces the two files server.csr and server.key.
The request must be signed by the CA before it can be used:
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: 12345 (enter the root certificate password set above)
Check that the request matches the signature
Signature OK
The Subject's Distinguished Name is as follows
CountryName: PRINTABLE: 'cn'
StateOrProvinceName: PRINTABLE: 'gansu'
LocalityName: PRINTABLE: 'lanzhou'
OrganizationName: PRINTABLE: 'lzu'
OrganizationalUnitName: PRINTABLE: 'lzu'
CommonName: PRINTABLE: 'localhost'
EmailAddress: IA5STRING: 'sunyanmeng@gmail.com'
Certificate is to be certified until Jan 19 21:59:46 2011 GMT (365 days)
Sign the certificate? [Y/n]: y
1 out of 1 certificate requests certified, commit? [Y/n] y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
Configure conf/extra/httpd-ssl.conf
In conf/httpd.conf, find the line "#Include conf/extra/httpd-ssl.conf" and remove the comment marker.
Then, following the SSLCertificateFile and SSLCertificateKeyFile settings in httpd-ssl.conf, put the certificate and key in the appropriate place:
# cd ..
# mkdir ssl.key
# mv ssl.ca-0.1/server.key ssl.key
# mkdir ssl.crt
# mv ssl.ca-0.1/server.crt ssl.crt
Then you can start it!
# cd /usr/local/apache/httpd
Note that "apachectl startssl" is no longer supported since Apache 2.2; a plain "start" is all that is needed.
# ./bin/apachectl start
4. Test the HTTP service
Open the address in the browser: https://127.0.0.1
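The helper scripts in section 3 hide what is actually happening, and section 4 only checks the result in a browser. The script below is an added example, not part of the original post and not code from the ssl.ca-0.1 tool: it performs the same three steps with plain openssl commands (root CA, server key plus request, CA-signed server certificate), then runs the checks worth doing before pointing httpd-ssl.conf at the files: the chain verifies against the CA, and the private key in ssl.key really belongs to the certificate in ssl.crt (the usual reason httpd refuses to start after the files are moved). The last function is the shell equivalent of section 4's browser test. The scratch directory, subject names and www.example.com hostname are constructed sample values; no server is contacted unless you call check_https_endpoint yourself.

```shell
#!/bin/sh
# Added example: manual equivalent of new-root-ca.sh / new-server-cert.sh /
# sign-server-cert.sh plus sanity checks. All paths and names are assumptions;
# work happens in a scratch directory, not in the Apache conf directory.
WORK="${WORK:-$(mktemp -d)}"

# Constructed sample subjects. The server CN deliberately differs from the
# root CA CN, as the post warns it must.
CA_SUBJ="/C=CN/ST=SD/L=QD/O=GX/OU=GX/CN=example-root-ca"
SRV_SUBJ="/C=CN/ST=SD/L=QD/O=GX/OU=GX/CN=www.example.com"

make_pki() {
  # Extension files: the root is marked as a CA; the server certificate is
  # not, and carries a subjectAltName, which modern browsers require.
  cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
  # Root CA key + self-signed certificate (10 years). 2048-bit RSA instead of
  # the 1024-bit key shown in the post; -nodes leaves the key unencrypted so
  # the example runs unattended (a real CA key should have a pass phrase).
  openssl req -new -newkey rsa:2048 -nodes -subj "$CA_SUBJ" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 \
      -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null || return 1
  # Server key + certificate signing request (what new-server-cert.sh makes).
  openssl req -new -newkey rsa:2048 -nodes -subj "$SRV_SUBJ" \
      -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null || return 1
  # Sign the request with the CA for 365 days (what sign-server-cert.sh does).
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 365 -extfile "$WORK/server.ext" \
      -out "$WORK/server.crt" 2>/dev/null || return 1
}

# Check 1: the server certificate chains to our root CA (the same check as the
# "CA verifying: server.crt <-> CA cert ... OK" lines in the post). The output
# is grepped because OpenSSL 1.0.x returns exit status 0 even on failure.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" 2>&1 | grep -q ': OK$'
}

# Check 2: does private key $1 belong to certificate $2? The RSA modulus must
# be identical in both. Prints "match" or "MISMATCH" (also on unreadable input).
key_matches_cert() {
  key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
  crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
  if [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]; then
    echo match
  else
    echo MISMATCH
  fi
}

# Check 3: section 4 of the post from the shell. Usage:
#   check_https_endpoint 127.0.0.1 443 /usr/local/apache/httpd/conf/ssl.crt/ca.crt
# Returns 0 only if the server's certificate verifies against the given CA file.
check_https_endpoint() {
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

make_pki && verify_chain && echo "chain OK"
key_matches_cert "$WORK/server.key" "$WORK/server.crt"   # match
key_matches_cert "$WORK/ca.key" "$WORK/server.crt"       # MISMATCH: wrong key
```

The key/certificate check is the one to run whenever "cannot start" errors appear after copying files into ssl.key and ssl.crt; the chain check is what the browser in section 4 performs implicitly, and it only passes there if the browser has been told to trust ca.crt.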