Introduction to the steps to deploy the SSL protocol under Apache

Source: Internet
Author: User
Tags modulus openssl csr certificate ssl certificate cipher suite

HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is an HTTP channel built for security; simply put, it is the secure version of HTTP. An SSL layer is added beneath HTTP, and SSL is the security foundation of HTTPS, so the details of the encryption are handled by SSL.
Personal websites with SSL certificates have become more popular abroad in recent years, especially since Google indexes sites that use SSL certificates favourably, so more and more sites have started to use HTTPS. Domestic search engines are not as friendly to SSL, however, and using SSL slows page loading somewhat.
In any case, paying more attention to security is not a bad thing.
So how is SSL configured in Apache? Let's take it step by step.


I. Use OpenSSL to generate a certificate request
Generate an RSA private key (2048-bit)

openssl genrsa -out teddysun.pem 2048

Generating RSA private key, 2048 bit long modulus
.........................+++
................................................................+++
e is 65537 (0x10001)
Generate a CSR (certificate signing request)

openssl req -new -key teddysun.pem -out teddysun.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  // country code
State or Province Name (full name) []:shanghai  // province
Locality Name (eg, city) [Default City]:shanghai  // city
Organization Name (eg, company) [Default Company Ltd]:teddysun  // organization or company name
Organizational Unit Name (eg, section) []:  // left blank
Common Name (eg, your name or your server's hostname) []:*.teddysun.com  // this demo uses a wildcard domain; normally it is the name with the www prefix
Email Address []:admin@teddysun.com  // e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  // left blank
An optional company name []:  // left blank
View the generated files

ll *.pem *.csr

-rw-r--r-- 1 root root 1058 14:30 teddysun.csr
-rw-r--r-- 1 root root 1675 14:25 teddysun.pem
Download these two files to your local machine and open teddysun.csr with Notepad; its entire content is the certificate request.

II. Issuing the certificate

If you need a certificate that is trusted by default, you have to pay for one. For example,
https://www.namecheap.com/security/ssl-certificates/comodo/positivessl.aspx
costs just 9 dollars/year.
With the CSR file generated in step one you can apply for a certificate; the process is skipped here, as there are plenty of illustrated tutorials online.

Alternatively, a certificate can be self-signed, but then the root certificate has to be installed before use, otherwise the certificate will not be trusted.
Let's walk through the self-signed certificate steps.

Generate root certificate RSA private key (2048-bit)

openssl genrsa -out ca.pem 2048

Generating RSA private key, 2048 bit long modulus
...............................................+++
.........+++
e is 65537 (0x10001)
Create a root certificate with the private key

openssl req -new -x509 -days 3650 -key ca.pem -out ca.crt

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:teddysun
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:teddysun.com Root CA
Email Address []:admin@teddysun.com
At this point the root certificate ca.crt, valid for 3,650 days, has been created.
View the generated files

ll *.pem *.csr *.crt

-rw-r--r-- 1 root root 1411 15:14 ca.crt
-rw-r--r-- 1 root root 1679 14:48 ca.pem
-rw-r--r-- 1 root root 1041 14:40 teddysun.csr
-rw-r--r-- 1 root root 1675 14:25 teddysun.pem
Use the root certificate to issue the SSL certificate

openssl ca -in teddysun.csr -out teddysun.crt -cert ca.crt -keyfile ca.pem
This step fails; the error message is as follows

Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140292081481544:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')
140292081481544:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
It complains about a missing file, so create an empty one

touch /etc/pki/CA/index.txt
Run the command again

openssl ca -in teddysun.csr -out teddysun.crt -cert ca.crt -keyfile ca.pem
Another error occurs; the message is as follows

Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140375536244552:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/serial','r')
140375536244552:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
Again a missing file; this one is created with the content 01 (the first serial number to issue)

echo '01' > /etc/pki/CA/serial
Run it once more

openssl ca -in teddysun.csr -out teddysun.crt -cert ca.crt -keyfile ca.pem

Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 07:35:14 2015 GMT
            Not After : Jan 07:35:14 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanghai
            organizationName          = teddysun
            commonName                = *.teddysun.com
            emailAddress              = admin@teddysun.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                E8:7F:9E:BE:12:25:22:48:A2:49:AE:D5:CB:A6:7B:24:EE:A6:E2:5B
            X509v3 Authority Key Identifier:
                keyid:C7:0C:EF:F2:73:8C:CB:01:7A:8F:9C:30:A7:80:37:FA:E7:B6:88:02

Certificate is to be certified until 07:35:14 2016 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
At this point you have issued an SSL certificate for the wildcard domain *.teddysun.com, valid for 365 days by default.
To issue a certificate with a longer validity period, for example 730 days, the command is as follows:

openssl ca -in teddysun.csr -out teddysun2.crt -days 730 -cert ca.crt -keyfile ca.pem
The validity period cannot exceed that of the root certificate.

View the final generated file

ll *.pem *.csr *.crt

-rw-r--r-- 1 root root 1411 15:14 ca.crt
-rw-r--r-- 1 root root 1679 14:48 ca.pem
-rw-r--r-- 1 root root 4594 15:35 teddysun.crt
-rw-r--r-- 1 root root 1041 14:40 teddysun.csr
-rw-r--r-- 1 root root 1675 14:25 teddysun.pem
The five files, one by one:
ca.crt is the issued root certificate
ca.pem is the private key of the root certificate
teddysun.crt is the issued domain certificate
teddysun.csr is the certificate request
teddysun.pem is the private key of the domain certificate

If you want to use a self-signed certificate, you need to import the root certificate on the local machine as follows:
open the root certificate, click "Install Certificate", Next, choose "Place all certificates in the following store", Browse, select "Trusted Root Certification Authorities", Next, Finish.

After the root certificate has been installed, opening it again looks like this:

The self-signed certificate looks like this:

III. Deploying the SSL certificate under Apache

First the certificate files need to be merged: open ca.crt with Notepad, select all and copy; then open teddysun.crt with Notepad, press Enter at the end of its content, paste the entire content of ca.crt, and save.
Of course, if the certificate was applied for at Namecheap, everything arrives packaged in your mailbox and the certificate is already merged, so it can be used directly.
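As an added example (not the post's own code), the following shell script reproduces the private-CA issuance from section II non-interactively in a scratch directory, using a minimal stand-in for /etc/pki/tls/openssl.cnf so that the index.txt and serial files the post had to create are explicit, then performs the certificate merge described above and checks the result with openssl verify and a key/certificate modulus comparison. The teddysun.com names are the post's; the scratch paths, config section names, and the shortened subject strings are assumptions.

```shell
#!/bin/sh
# Added example (not the post's code): the post's private-CA flow, scripted and checked.
set -eu
WORK=$(mktemp -d); CNF="$WORK/openssl.cnf"; trap 'rm -rf "$WORK"' EXIT
setup_ca() {  # stand-in for /etc/pki/tls/openssl.cnf with all paths under $WORK
  cat >"$CNF" <<EOF
[ demo ]
dir = $WORK
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
default_md = sha256
default_days = 365
policy = pol
x509_extensions = leaf
[ pol ]
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = pol   # never prompted: -subj supplies the DN
x509_extensions = root
[ root ]
basicConstraints = critical,CA:TRUE
EOF
  mkdir -p "$WORK/newcerts"
  : >"$WORK/index.txt"     # the empty database the post had to touch
  echo 01 >"$WORK/serial"  # the serial file the post seeded with 01
}
issue_wildcard() {  # the post's commands, with -subj/-batch instead of interactive prompts
  cd "$WORK"
  openssl genrsa -out ca.pem 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key ca.pem -out ca.crt \
    -config "$CNF" -subj "/CN=teddysun.com Root CA"
  openssl genrsa -out teddysun.pem 2048 2>/dev/null
  openssl req -new -key teddysun.pem -out teddysun.csr \
    -config "$CNF" -subj "/CN=*.teddysun.com"
  openssl ca -batch -notext -config "$CNF" -name demo -in teddysun.csr \
    -out teddysun.crt -cert ca.crt -keyfile ca.pem 2>/dev/null
  cat teddysun.crt ca.crt >chain.crt  # leaf first, then issuer: the "merge" step
}
verify_chain() {  # succeeds only if the leaf chains to our root and the key matches the cert
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/teddysun.crt" >/dev/null || return 1
  [ "$(openssl x509 -noout -modulus -in "$WORK/teddysun.crt")" = \
    "$(openssl rsa -noout -modulus -in "$WORK/teddysun.pem")" ]
}
if command -v openssl >/dev/null 2>&1; then
  setup_ca; issue_wildcard; verify_chain && echo "chain OK: $WORK/chain.crt"
fi
```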

After the LAMP environment is installed, the HTTPS configuration is not loaded by default, so edit the configuration file /usr/local/apache/conf/httpd.conf: find the line
#Include conf/extra/httpd-ssl.conf, remove the leading # and save.
Copy the merged certificate teddysun.crt and the private key teddysun.pem to /usr/local/apache/conf/.
Then edit the configuration file /usr/local/apache/conf/extra/httpd-ssl.conf; sample content follows:

# port
Listen 443
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

SSLPassPhraseDialog builtin

SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

##
## SSL Virtual Host Context
##

<VirtualHost *:443>
DocumentRoot /data/www/default
ServerName teddysun.com
ServerAlias www.teddysun.com
ErrorLog "/usr/local/apache/logs/lamp_error_log"
TransferLog "/usr/local/apache/logs/lamp_access_log"

SSLEngine on

SSLCertificateFile /usr/local/apache/conf/teddysun.crt
SSLCertificateKeyFile /usr/local/apache/conf/teddysun.pem
#SSLCertificateChainFile /usr/local/apache/conf/alphassl.pem
#SSLCACertificateFile /usr/local/apache/conf/root.pem

CustomLog "/usr/local/apache/logs/lamp_ssl_request_log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b \"%{Referer}i\" \"%{User-Agent}i\""

BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

</VirtualHost>


After the configuration above has been modified, note that the firewall must allow port 443. To view the firewall status:

/etc/init.d/iptables status


Then restart Apache:

/etc/init.d/httpd restart
OK, now you can browse the site over HTTPS.
