I. Installation
1. Install OpenSSL (http://www.openssl.org)
./config
make
su
make install
2. Install mod_ssl
Apache 2 ships with mod_ssl, so you only need to pass two options to Apache's configure script:
--enable-ssl=static --with-ssl=/usr/local/ssl
Explanation:
This guide links mod_ssl statically into httpd. If you build it as a shared module instead, httpd.conf must load it with a LoadModule line before any SSL* directive; otherwise Apache refuses to start with an "Invalid command 'SSLEngine'" error.
By default OpenSSL installs under /usr/local/ssl, so Apache's configure must be told where to find it (--with-ssl=/usr/local/ssl): mod_ssl is compiled against the header files and libraries that OpenSSL provides.
II. Configuration
With Apache 1.3 + mod_ssl the build had an extra step,
$ make certificate
which generated the certificate used by SSL.
Apache 2 no longer has this step, so you have to generate the certificates yourself. If you are not familiar with certificate generation, there is a set of helper scripts you can use: http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
Note that these scripts are old and default to 1024-bit RSA keys (see the output below). 1024-bit RSA is no longer considered adequate, so for anything beyond a test setup use keys of at least 2048 bits and SHA-256 signatures.
# cd /usr/local/apache2/conf
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
# ./new-root-ca.sh          (generate the root CA certificate)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...
...++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (enter a passphrase)
Verifying - Enter pass phrase for ca.key: (enter the passphrase again)
......
Self-sign the root CA... (sign the root certificate)
Enter pass phrase for ca.key: (enter the passphrase you just set)
........
...... (the signing prompts follow)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:Jiangsu
Locality Name (eg, city) [Sitiawan]:Nanjing
Organization Name (eg, company) [My Directory Sdn Bhd]:wiscom System Co., Ltd
Organizational Unit Name (eg, section) [Certification Services Division]:acstar
Common Name (eg, MD Root CA) []:wiscom ca
Email Address []:acmail@wiscom.com.cn
This produces ca.key and ca.crt. Next, generate a certificate for the server:
# ./new-server-cert.sh server          (the certificate name is "server")
......
......
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:Jiangsu
Locality Name (eg, city) [Sitiawan]:Nanjing
Organization Name (eg, company) [My Directory Sdn Bhd]:wiscom System Co., Ltd
Organizational Unit Name (eg, section) [Secure Web Server]:acstar
Common Name (eg, www.domain.com) []:acmail.wiscom.com.cn
Email Address []:acmail@wiscom.com.cn
This produces server.csr and server.key.
The request has to be signed by the CA before the certificate can be used:
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (enter the root CA passphrase set above)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Jiangsu'
localityName          :PRINTABLE:'Nanjing'
organizationName      :PRINTABLE:'wiscom System Co., Ltd'
organizationalUnitName:PRINTABLE:'acstar'
commonName            :PRINTABLE:'acmail.wiscom.com.cn'
emailAddress          :IA5STRING:'acmail@wiscom.com.cn'
Certificate is to be certified until Jul 16 12:55:34 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
(If an error occurs here, delete the ssl.ca-0.1 directory, extract the tarball again and start over from the beginning.)
Now move the certificate and key into the directories that the default ssl.conf points at (conf/ssl.crt/server.crt and conf/ssl.key/server.key), or edit SSLCertificateFile and SSLCertificateKeyFile in ssl.conf to match. The key must be readable by root only: Apache reads it as root at startup, and anyone who can read it can impersonate the server.
# chmod 400 server.key
# cd ..
# mkdir ssl.key
# mv ssl.ca-0.1/server.key ssl.key
# mkdir ssl.crt
# mv ssl.ca-0.1/server.crt ssl.crt
Then Apache can be started:
# cd /usr/local/apache2
# ./bin/apachectl startssl
(apachectl startssl exists in Apache 2.0 only; from 2.2 on the option is gone, and a plain apachectl start serves SSL as long as ssl.conf is included and SSLEngine is on.)
If you see this warning:
httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
edit httpd.conf, find the ServerName line and remove the leading # so that it takes effect; set it to the host name the certificate was issued for.
A minimal SSL virtual host for ssl.conf (the paths are placeholders; substitute your own):
<VirtualHost 172.18.116.42:443>
DocumentRoot /etc/httpd/htdocs
ServerName secure.somewhere.com
SSLEngine on
SSLCertificateFile /usr/local/ssl/crt/your_domain_com.crt
SSLCertificateKeyFile /usr/local/ssl/private.key
SSLCertificateChainFile /usr/local/ssl/crt/geotrust_ca_bundle.crt
</VirtualHost>
The intermediate-CA bundle that a commercial CA gives you goes in SSLCertificateChainFile (in Apache 2.4.8 and later, append it to the file named by SSLCertificateFile instead). SSLCACertificateFile, which some CA install guides use for the bundle, is the set of CAs trusted to issue client certificates and only matters when SSLVerifyClient is enabled.
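The whole of section II done with plain openssl(1) commands instead of the ssl.ca scripts, followed by the checks worth running before pointing ssl.conf at the files (chain validation, SAN, expiry, and that the certificate actually matches the key). This is an added example, not code from the original page or from the ssl.ca package; the working directory, the subject names, the host name acmail.example.com and the passphrase are made-up values, and it assumes openssl 1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the original page or the ssl.ca scripts): the same
# three steps as new-root-ca.sh / new-server-cert.sh / sign-server-cert.sh done
# with plain openssl(1), using 2048/4096-bit keys and SHA-256 instead of the
# scripts' 1024-bit defaults. Requires openssl 1.1.x or later on PATH.
# Everything below (directory, subjects, host name, passphrase) is made up.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-demo-ca-passphrase}"      # demo value only; never hard-code a real one
SERVER_FQDN="${SERVER_FQDN:-acmail.example.com}"

# The extensions that ca.config supplied implicitly in ssl.ca, spelled out.
write_config() {
    cat > "$WORKDIR/ca.cnf" <<EOF
[ req ]
distinguished_name = ca_dn
prompt = no
[ ca_dn ]
C  = CN
ST = Jiangsu
L  = Nanjing
O  = Example Co
OU = Certification Services
CN = Example Root CA
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints     = CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth
subjectAltName       = DNS:$SERVER_FQDN
EOF
}

# Step 1 (new-root-ca.sh): passphrase-protected CA key and self-signed CA cert.
make_root_ca() {
    write_config
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORKDIR/ca.key" 4096 2>/dev/null
    chmod 400 "$WORKDIR/ca.key"
    openssl req -x509 -new -sha256 -days 3650 \
        -key "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -config "$WORKDIR/ca.cnf" -extensions v3_ca \
        -out "$WORKDIR/ca.crt"
}

# Step 2 (new-server-cert.sh): server key and CSR. The key is left unencrypted,
# like the tutorial's server.key, so Apache can start unattended; mode 400 is
# what protects it.
make_server_csr() {
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    chmod 400 "$WORKDIR/server.key"
    openssl req -new -sha256 -key "$WORKDIR/server.key" \
        -subj "/C=CN/ST=Jiangsu/L=Nanjing/O=Example Co/OU=Secure Web Server/CN=$SERVER_FQDN" \
        -out "$WORKDIR/server.csr"
}

# Step 3 (sign-server-cert.sh): the CA signs the CSR and adds the server
# extensions. Modern clients match the host against the SAN, not the CN.
sign_server_cert() {
    openssl x509 -req -sha256 -days 365 \
        -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial \
        -extfile "$WORKDIR/ca.cnf" -extensions v3_server \
        -out "$WORKDIR/server.crt"
}

# The "CA verifying: server.crt <-> CA cert" step, plus SAN and expiry:
# exit 0 only if the chain validates, the SAN carries the expected host name
# and the certificate is not expiring within the next day.
verify_server_cert() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server.crt" >/dev/null &&
    openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -q "DNS:$SERVER_FQDN" &&
    openssl x509 -in "$WORKDIR/server.crt" -noout -checkend 86400 >/dev/null
}

# Before editing ssl.conf: the certificate and the key must share a modulus,
# otherwise Apache refuses to start with a "key values mismatch" error.
cert_matches_key() {
    [ "$(openssl x509 -in "$WORKDIR/server.crt" -noout -modulus)" = \
      "$(openssl rsa  -in "$WORKDIR/server.key" -noout -modulus)" ]
}

make_root_ca
make_server_csr
sign_server_cert
verify_server_cert && cert_matches_key && echo "server.crt: OK ($WORKDIR)"
```

Run it as-is and it leaves ca.crt, server.key and server.crt in a temporary directory (printed at the end); set WORKDIR, SERVER_FQDN and CA_PASS to override the demo values. The CA key is encrypted because it is only touched at signing time, while the server key is not, because Apache has to read it unattended at startup; that asymmetry is why the chmod 400 on server.key matters so much.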
III. References:
http://www.geocerts.com/install/apache_2
http://www.digicert.com/ssl-certificate-installation-apache.htm
http://man.ddvip.com/linux/debian/apache2/debian-apache2-7.html
http://www.pkphp.com/2008/06/05/apache2-mod_ssl-php5-%E5%AE%8C%E5%85%A8%E5%AE%89%E8%A3%85%E5%AE%9E%E5%BD%95/
http://www.nurdletech.com/https.html
IV. Reference Configuration:
NameVirtualHost *:80
NameVirtualHost *:443
Listen 443
<VirtualHost *:80>
ServerAdmin webmaster@mydomain.com
DocumentRoot /srv/www/htdocs/mydomain
ServerName www.mydomain.com
ServerAlias mydomain.com
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@mydomain.com
DocumentRoot /srv/www/htdocs/mydomain-secure
ServerName mail.mydomain.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl.crt/mydomain.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/mydomain.key
</VirtualHost>
<Directory /srv/www/htdocs/mydomain-secure>
SSLRequireSSL
</Directory>
<VirtualHost *:80>
ServerAdmin webmaster@mydomain.com
DocumentRoot /srv/www/htdocs/mydomain
ServerName mail.mydomain.com
RedirectMatch permanent (/.*) https://mail.mydomain.com$1
</VirtualHost>
Two things to check in a configuration like this: the DocumentRoot of the :443 host and the path in the <Directory> block that carries SSLRequireSSL must match exactly (paths are case-sensitive, and a <Directory> block naming a path that does not exist simply never matches, so the SSLRequireSSL would not apply), and the plain-HTTP host for mail.mydomain.com must redirect everything to HTTPS so that nothing under it is ever served in the clear.