1. Download mod_ssl and Apache
Go to http://www.modssl.org/source/ and download
mod_ssl-2.8.31-1.3.41.tar.gz;
2.8.31 is the mod_ssl version number; 1.3.41 is the Apache version number (each mod_ssl release corresponds to one Apache version)
apache_1.3.41.tar.gz (https://archive.apache.org/dist/httpd/)
2. Download OpenSSL
openssl-0.9.6.tar.gz (http://www.openssl.org/source/openssl-0.9.6.tar.gz)
[Note:
Put all downloaded archives under /usr/local/src/ (this makes the later configuration easier to manage)]
Extract
# for f in *.tar.gz; do tar zxvf "$f"; done
Installation
First, configure Apache
# cd /usr/local/src/apache_1.3.41
# ./configure --prefix=/usr/local/apache
Second, compile OpenSSL
# cd ../openssl-0.9.6
# ./config --prefix=/usr/local/openssl
[Note: the script here is config, not configure.]
# make
# make test
# make install
If make stops with "make[1]: gcc: command not found", download gcc from http://ftp.gnu.org/gnu.
Third, configure mod_ssl
# cd ../mod_ssl-2.8.31-1.3.41
# ./configure --with-apache=../apache_1.3.41
Fourth, compile Apache
# cd ../apache_1.3.41
# export SSL_BASE=../openssl-0.9.6
# ./configure --prefix=/usr/local/apache --enable-module=ssl --enable-shared=ssl
# make
Fifth, generate the CA
# make certificate TYPE=custom
This step builds your own CA (if you do not know what that is, I cannot go into detail here; put simply, it is a certification authority) and uses it to sign your server certificate. There is a lot to enter.
______________________________________________________________________
STEP 0: Select the algorithm; use the default, RSA
______________________________________________________________________
STEP 1: Generate a private key for the CA (ca.key)
______________________________________________________________________
STEP 2: Generating certificate signing request for CA [ca.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
(Generate the certificate request ca.csr for the CA; some information has to be entered)
Country Name: CN (country code, two letters)
State or Province Name: fujain (province)
Locality Name: xiamen (city name)
Organization Name: home CA (organization name, anything will do)
Organization Unit Name: home CA
Common Name: home CA
Email Address: [email protected] (my email)
Certificate Validity: 4096 (more than 4,000 days, which is enough)
______________________________________________________________________
STEP 3: Generating certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]: 1
______________________________________________________________________
STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
(Generate the server's private key, server.key)
______________________________________________________________________
STEP 5: Generating certificate signing request for SERVER [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
(Generate the server's certificate request, server.csr; some information has to be entered, similar to STEP 2)
[Note:
Common Name is the domain name of your website, such as www.mydomain.com
The certificate validity should not be too long; 365 is fine]
Country Name: CN
State or Province Name: fujain
Locality Name: xiamen
Organization Name: home
Organization Unit Name: home
Common Name: home
Email Address: [email protected]
Certificate Validity: 365
______________________________________________________________________
STEP 6: Generating certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]: 1
(Sign your server certificate to get server.crt)
______________________________________________________________________
STEP 7: Encrypting RSA private key of CA with a pass phrase for security [ca.key]
(Encrypt your ca.key)
Encrypt the private key now? [y/n]: Y
______________________________________________________________________
STEP 8: Encrypting RSA private key of SERVER with a pass phrase for security [server.key]
(Encrypt your server.key)
Encrypt the private key now? [y/n]: Y
Sixth, install Apache
# make install
Seventh, configure httpd.conf
# vi /usr/local/apache/conf/httpd.conf
Modify BindAddress and ServerName, and add the lines for PHP4. If you change DocumentRoot, you should also change the DocumentRoot setting in the SSL Virtual Host Context section of httpd.conf.
The SSLCertificateFile and SSLCertificateKeyFile settings are also in the SSL Virtual Host Context section. They may already be set up like this:
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
Pay attention to the permissions on ssl.key, ssl.crt and the other directories and files! All key, csr, crt and prm files should be set to mode 400!
Eighth, start the HTTPS port
# cd /usr/local/apache
# bin/apachectl startssl
Enter Password: ccy123
[Error:
# cd /usr/local/apache/bin
# apachectl startssl]
Ninth, test
# netstat -tunal | grep 443
In a browser on Linux, or in the 36 Browser on Windows, enter: https://localhost/
[Note:
Entering it in the IE browser on Windows gives an error]
Although you already used the make certificate command to create a signed certificate for the server when installing mod_ssl, you may sometimes need to change it.
Of course there are many automated scripts for this, but the most reliable way is to sign the certificate manually.
Tenth, maintenance
1) Add /usr/local/openssl/bin to the executable search path.
2) Copy the file named sign.sh from the pkg.contrib directory under the mod_ssl source tree to /usr/local/openssl/bin
Eleventh, create a CA
1) To build a CA certificate, first create an RSA private key for the CA
# cd /usr/local/openssl/bin
# openssl genrsa -des3 -out ca.key 1024
# chmod 400 ca.key (set the mode of the generated ca.key file to 400 and keep it in a safe place)
# openssl rsa -noout -text -in ca.key (view the contents of ca.key)
2) Create a self-signed CA certificate using the CA's RSA key (the structure of the
# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Then you need to enter the following information:
Country Name: cn
State or Province Name: fujain
Locality Name: xiamen
Organization Name: family home
Organizational Unit Name: home
Common Name: home
Email Address: [email protected]
# chmod 400 ca.crt
# openssl x509 -noout -text -in ca.crt
Twelfth, create a server certificate signing request
1) First create an RSA private key for your Apache:
# openssl genrsa -des3 -out server.key 1024
# chmod 400 server.key
# openssl rsa -noout -text -in server.key
2) Create a certificate signing request (CSR) with server.key.
# openssl req -new -key server.key -out server.csr
# openssl req -noout -text -in server.csr
3) Now you can sign the certificate; this requires the script sign.sh
# ./sign.sh server.csr (this produces server.crt)
# chmod 400 server.crt
# rm server.csr
Thirteenth, final Apache settings
If your Apache was compiled with the prefix /usr/local/apache,
copy server.crt and server.key to /usr/local/apache/conf.
Modify httpd.conf and change the following parameters to:
SSLCertificateFile /usr/local/apache/conf/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/server.key
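A check to run on the copied files before starting Apache, as an added example that is not part of the original page: it lists key, csr, crt and prm files whose mode is not 400, confirms that server.key belongs to server.crt, and confirms that server.crt was signed by ca.crt. The function names are hypothetical; the paths in the usage comments are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Usage (paths as used in this guide):
#   audit_perms /usr/local/apache/conf
#   key_matches_cert /usr/local/apache/conf/server.crt /usr/local/apache/conf/server.key
#   signed_by_ca /usr/local/openssl/bin/ca.crt /usr/local/apache/conf/server.crt

# Print every key/csr/crt/prm file under $1 whose mode is not exactly 400.
# Returns 0 when all such files comply, 1 when at least one does not.
audit_perms() {
    dir=$1
    bad=$(find "$dir" -type f \
        \( -name '*.key' -o -name '*.csr' -o -name '*.crt' -o -name '*.prm' \) \
        ! -perm 400 -print | sort)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Compare the RSA modulus of a certificate ($1) and a private key ($2).
# Returns 0 when they belong together, 1 on mismatch, 2 if a file is unreadable.
# A key created with genrsa -des3 makes openssl prompt for its pass phrase.
key_matches_cert() {
    crt=$1
    key=$2
    m_crt=$(openssl x509 -noout -modulus -in "$crt") || return 2
    m_key=$(openssl rsa -noout -modulus -in "$key") || return 2
    [ "$m_crt" = "$m_key" ]
}

# Check that the server certificate ($2) chains to the private CA ($1).
signed_by_ca() {
    ca=$1
    crt=$2
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1
}
```

A mismatch reported by key_matches_cert usually means a server.key from an earlier run was copied next to a newly signed server.crt.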
Fourteenth, start
# apachectl startssl
[Note:
After the configuration is modified, Apache must be restarted before the change takes effect]