I have recently been studying Apache SSL configuration on Linux and wrote up some personal notes. I am new to blogging, so please forgive any rough edges.
Software Environment
Apache httpd 2.2.29 (http://httpd.apache.org)
OpenSSL 1.0.1h (http://www.openssl.org/source)
ssl.ca tools (http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz)
1. OpenSSL
#tar zxvf openssl-1.0.1h.tar.gz
#cd openssl-1.0.1h
#./config
#make
#make install
This installs the new OpenSSL into /usr/local/ssl, independently of the OpenSSL already on the system. Do not uninstall the system OpenSSL: many applications are linked against it and would stop working (for example, X Window would no longer start).
2. Apache httpd
#tar zxvf httpd-2.2.29.tar.gz
#cd httpd-2.2.29
#./configure --prefix=/usr/local/apache/httpd --enable-ssl=static --with-ssl=/usr/local/ssl
#make
#make install
This step installs the httpd service into /usr/local/apache/httpd (set with --prefix) and uses --with-ssl to point at the OpenSSL just installed, so that mod_ssl is compiled statically into httpd.
3. Generating the Certificate
We have to generate the SSL certificate ourselves. For those unfamiliar with certificates there is a helper tool: http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz. Here is how to generate a certificate with it:
#cp ssl.ca-0.1.tar.gz /usr/local/apache/httpd/conf
#cd /usr/local/apache/httpd/conf
#tar zxvf ssl.ca-0.1.tar.gz
#cd ssl.ca-0.1
#./new-root-ca.sh (generate the root certificate)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key:12345 (enter a password)
Verifying - Enter pass phrase for ca.key:12345 (re-enter the password)
......
Self-sign the root CA ... (sign the root certificate)
Enter pass phrase for ca.key:12345 (enter the password you just set)
........
........ (the signing prompts begin here)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [PERAK]:SD (whatever you like)
Locality Name (eg, city) [SITIAWAN]:QD (whatever you like)
Organization Name (eg, company) [My Directory Sdn BHD]:GX (whatever you like)
Organizational Unit Name (eg, section) [Certification Services DIVISION]:GX (whatever you like)
Common Name (eg, MD Root CA) []:gaoxin.com (whatever you like)
Email Address []:[email protected] (as you like)
This generates two files, ca.key and ca.crt. Next, generate a certificate request for our server:
#./new-server-cert.sh server (the certificate is named "server")
......
......
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [PERAK]:SD
Locality Name (eg, city) [Sitiawan]:QD
Organization Name (eg, company) [My Directory Sdn BHD]:GX
Organizational Unit Name (eg, section) [Secure Web SERVER]:GX
Common Name (eg, www.domain.com) []:gaoxiaoit.com (must be different from the CA's Common Name above, otherwise signing fails)
Email Address []:123456@163.com
This generates two files, server.csr and server.key.
The request must then be signed by the CA before it can be used:
#./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:12345 (enter the root CA password set above)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'Gansu'
localityName          :PRINTABLE:'Lanzhou'
organizationName      :PRINTABLE:'Lzu'
organizationalUnitName:PRINTABLE:'Lzu'
commonName            :PRINTABLE:'localhost'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Jan 21:59:46 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
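As an added example (not part of the original post and not the ssl.ca scripts themselves), the same three steps done with plain openssl commands so they run without prompts, followed by the two checks worth running before pointing httpd-ssl.conf at the files: that server.crt chains to ca.crt and that server.key actually belongs to server.crt. The output directory, host name and CA_PASS variable are assumptions; the key size is 2048 bits rather than the script's 1024, and a subjectAltName is added because browsers no longer accept a bare Common Name.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: $1 = output directory,
# $2 = server host name, CA_PASS = pass phrase protecting the CA key.
set -e

make_test_pki() {
    out="$1"; host="$2"; pass="${CA_PASS:-changeit}"
    mkdir -p "$out"
    (
        cd "$out"

        # Step 1 (new-root-ca.sh): encrypted CA key and self-signed CA certificate.
        openssl genrsa -aes256 -passout "pass:$pass" -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$pass" \
            -subj "/C=CN/O=Example Lab/CN=Example Lab Root CA" -out ca.crt

        # Step 2 (new-server-cert.sh): server key and CSR; CN must differ from the CA's CN.
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -subj "/C=CN/O=Example Lab/CN=$host" -out server.csr

        # Step 3 (sign-server-cert.sh): issue server.crt from the CSR using the CA key.
        printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > server.ext
        openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
            -passin "pass:$pass" -CAcreateserial -extfile server.ext -out server.crt 2>/dev/null

        # Check (a): server.crt verifies against ca.crt (the script's "CA verifying" step).
        openssl verify -CAfile ca.crt server.crt >/dev/null

        # Check (b): the private key matches the certificate (same RSA modulus). A mismatch
        # after moving files into ssl.crt/ssl.key is a common reason httpd refuses to start.
        cert_mod=$(openssl x509 -noout -modulus -in server.crt)
        key_mod=$(openssl rsa -noout -modulus -in server.key 2>/dev/null)
        [ "$cert_mod" = "$key_mod" ] || { echo "server.key does not match server.crt" >&2; exit 1; }
    )
}

# Usage: make_test_pki /tmp/pki www.example.test
```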
Configure conf/extra/httpd-ssl.conf
In conf/httpd.conf, find the line "#Include conf/extra/httpd-ssl.conf" and remove the leading # so the SSL configuration is loaded.
Then place the certificate and key where the settings in httpd-ssl.conf expect them:
#cd .. (back to the conf directory)
#mkdir ssl.key
#mv ssl.ca-0.1/server.key ssl.key
#mkdir ssl.crt
#mv ssl.ca-0.1/server.crt ssl.crt
Then you can start it!
#cd /usr/local/apache/httpd
Note that "apachectl startssl" is no longer supported from Apache 2.2 on, so just use start:
#./bin/apachectl start
4. Testing the HTTPS Service
Open https://127.0.0.1 in a browser. Done!
Notes on configuring Apache + OpenSSL on Linux