I. Installation preparation
1. Installing OpenSSL
To enable SSL support in Apache, install OpenSSL first. The recommended package to download and install is openssl-0.9.8k.tar.gz.
Download OpenSSL: http://www.openssl.org/source/
tar -zxf openssl-0.9.8k.tar.gz    # unpack the installation package
cd openssl-0.9.8k    # enter the unpacked source directory
./config    # configure the build; the default configuration is recommended
make && make install    # compile and install
OpenSSL will be installed to /usr/local/ssl by default.
2. Installing Apache
./configure --prefix=/usr/local/apache --enable-so --enable-ssl --with-ssl=/usr/local/ssl --enable-mods-shared=all    # configure the build; compiling the modules dynamically is recommended
make && make install
The Apache modules are compiled dynamically so that they are easy to load and manage. Apache will be installed to /usr/local/apache.
II. Generating a certificate request file
1. Create a private key
Before you create a certificate request, you need to first generate the server certificate private key file.
cd /usr/local/ssl/bin    # enter the OpenSSL installation directory
openssl genrsa -out server.key 2048    # generate a 2048-bit private key file, server.key
To protect server.key with a password, add the -des3 option (example: openssl genrsa -des3 -out server.key 2048). Encrypted private keys are not supported in a Windows environment. In a Linux environment, using an encrypted private key means you must enter the private key password every time you restart Apache.
2. Generate a certificate request (CSR) file
openssl req -new -key server.key -out certreq.csr
The command prompts for the following fields:
Country Name: the ISO standard code for your country; for China, CN
State or Province Name: the province or municipality where your organization is located
Locality Name: the city or district where your organization is located
Organization Name: the legal name of your organization or company
Organizational Unit Name: the department
Common Name: the common name, for example www.itrus.com.cn. This must exactly match the domain name used to access the server that provides the SSL service.
Email Address: your e-mail address; do not enter anything, press Enter to skip
"extra" attributes: the remaining information does not have to be entered; press Enter to skip each prompt until the command completes.
3. Back up the private key and submit a certificate request
Submit the certificate request file certreq.csr to Tianwei Integrity, keep a backup of the certificate private key file server.key, and wait for the certificate to be issued. The server certificate and the private key form a matched pair, so losing the private key file makes the certificate unusable.
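The pairing requirement above can be checked before the request is submitted and again when the certificate arrives. The script below is an added example, not part of the original guide. It assumes an unencrypted RSA key and an openssl binary on the PATH; the function names are illustrative, and the keys and CSR used by demo are throwaway data constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: check that a private key and a CSR or certificate belong
# together, and that the CSR carries the intended key size and Common Name.

# Print the PEM public key held in a file. $1 = key|csr|crt, $2 = path.
pubkey_of() {
    case "$1" in
        key) openssl rsa  -in "$2" -pubout ;;        # unencrypted RSA key
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 2 ;;
    esac 2>/dev/null
}

# Status 0: same public key, 1: different keys, 2: a file could not be read.
same_key() {
    left=$(pubkey_of "$1" "$2") || return 2
    right=$(pubkey_of "$3" "$4") || return 2
    [ -n "$left" ] && [ "$left" = "$right" ]
}

# Print the RSA key size in bits of a private key file.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Print the Common Name requested in a CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Constructed sample input: two throwaway keys and one CSR.
demo() {
    dir=$(mktemp -d) || return 1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/certreq.csr" \
        -subj "/C=CN/O=Example Org/CN=www.example.test" 2>/dev/null
    echo "bits=$(key_bits "$dir/server.key") cn=$(csr_cn "$dir/certreq.csr")"
    same_key key "$dir/server.key" csr "$dir/certreq.csr" && echo "server.key matches the CSR"
    same_key key "$dir/other.key" csr "$dir/certreq.csr" || echo "other.key does NOT match the CSR"
    rm -rf "$dir"
}
demo
```

Once the certificate is issued, same_key key server.key crt server.crt performs the same comparison against the certificate.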
III. Installing the server certificate
1. Obtain the intermediate CA certificate for the server certificate
To obtain the intermediate CA certificate from the certificate issuance message:
Copy the contents of the intermediate CA certificate from the certificate issuance message, from beginning to end (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----), and paste them into a text editor such as Notepad. Change the file name extension and save the file as intermediate.crt.
Download the intermediate CA certificate: http://www.itrus.com.cn/verisignchina/Service/download/
2. Get the server certificate
Copy the server certificate contents from the certificate issuance message, from beginning to end (including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"), paste them into a text editor such as Notepad, and save the file as server.crt.
3. Configuration of Apache 2.0.63
Open the httpd.conf file in the conf directory under the Apache installation directory and find:
#LoadModule ssl_module modules/mod_ssl.so
Delete the comment symbol "#" at the beginning of the line.
Save and exit.
Open the ssl.conf file in the conf directory under the Apache installation directory and look for the following configuration statements:
SSLCertificateFile conf/ssl.crt/server.crt
  Place the server certificate at this path.
SSLCertificateKeyFile conf/ssl.key/server.key
  Place the server certificate private key at this path.
#SSLCertificateChainFile conf/ssl.crt/ca.crt
  Remove the "#" comment symbol from the beginning of the line and place the intermediate CA certificate intermediate.crt at this path.
Save, exit, and restart Apache. To restart:
Go to the bin directory under the Apache installation directory and run the following commands:
./apachectl -k stop
./apachectl startssl
4. Configuration of Apache 2.2.*
Open the httpd.conf file in the conf directory under the Apache installation directory and find:
#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-ssl.conf
Delete the comment symbol "#" at the beginning of each line.
Save and exit.
Open the httpd-ssl.conf file in the conf/extra directory under the Apache installation directory and look for the following configuration statements:
SSLCertificateFile conf/ssl.crt/server.crt
  Place the server certificate at this path.
SSLCertificateKeyFile conf/ssl.key/server.key
  Place the server certificate private key at this path.
#SSLCertificateChainFile conf/ssl.crt/ca.crt
  Remove the "#" comment symbol from the beginning of the line and place the intermediate CA certificate intermediate.crt at this path.
Save, exit, and restart Apache. To restart:
Go to the bin directory under the Apache installation directory and run the following commands:
./apachectl -k stop
./apachectl start    # Apache 2.2 no longer supports the startssl option; SSL is enabled by the Include line above
Access your site over HTTPS to test the installation and configuration of the site certificate.
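Before restarting Apache, the three certificate directives edited above can be audited with a short script. This is an added example, not part of the original guide: the function names are illustrative, the sample ServerRoot is a constructed temporary directory, relative paths are resolved against ServerRoot, and the owner-only permission check on the key file is an assumption of this example rather than a step from the guide.

```shell
#!/bin/sh
# Added example: audit the certificate directives in ssl.conf / httpd-ssl.conf.

# Print the value of an active (uncommented) directive. $1 = conf, $2 = name.
directive() {
    awk -v want="$2" 'tolower($1) == tolower(want) {
        gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Report problems; the return status is the number of problems found.
# $1 = ServerRoot (relative paths resolve against it), $2 = conf file.
audit() {
    problems=0
    for name in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        file=$(directive "$2" "$name")
        if [ -z "$file" ]; then
            echo "$name: not set (missing or still commented out)"
            problems=$((problems + 1)); continue
        fi
        case "$file" in /*) ;; *) file="$1/$file" ;; esac
        if [ ! -f "$file" ]; then
            echo "$name: $file does not exist"
            problems=$((problems + 1))
        elif [ "$name" = SSLCertificateKeyFile ] &&
             [ "$(ls -lLd "$file" | cut -c5-10)" != "------" ]; then
            # Assumption of this example: the key should be owner-only.
            echo "$name: $file is accessible to group/others (chmod 600)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample: a ServerRoot in which the chain line is still commented.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/conf/ssl.crt" "$root/conf/ssl.key" "$root/conf/extra"
    : > "$root/conf/ssl.crt/server.crt"
    : > "$root/conf/ssl.key/server.key"; chmod 644 "$root/conf/ssl.key/server.key"
    printf '%s\n' 'SSLCertificateFile conf/ssl.crt/server.crt' \
        'SSLCertificateKeyFile conf/ssl.key/server.key' \
        '#SSLCertificateChainFile conf/ssl.crt/ca.crt' \
        > "$root/conf/extra/httpd-ssl.conf"
    audit "$root" "$root/conf/extra/httpd-ssl.conf" || echo "problems: $?"
    rm -rf "$root"
}
demo
```

On a real server, call audit /usr/local/apache /usr/local/apache/conf/extra/httpd-ssl.conf (or conf/ssl.conf for Apache 2.0.63).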
IV. Backup and recovery of server certificates
After you have successfully installed and configured the server certificate, be sure to back it up according to the following procedure, so that losing the certificate does not cause you inconvenience.
1. Backup of the server certificate
To back up the server certificate, back up the server certificate private key file server.key, the server certificate file server.crt, and the intermediate CA certificate file intermediate.crt.
2. Recovery of server certificates
Following the server certificate configuration section, restore the server certificate key file to your server and modify the configuration file to put the server certificate back into use.