apache+mod_ssl中認證產生方法
首先產生認證請求:
| 代碼如下 | 複製代碼 |
#openssl req -new > server.csr |
|
按照提示輸入相關資訊後,會在目前的目錄自動產生server.csr和privkey.pem兩個檔案,privkey.pem是私密金鑰檔案,預設會有passphrase,如果不移除的話,每次運行apache的時候都會提示輸入passphrase,所以如果伺服器重啟後如果你不在伺服器前面,則apache無法正常運行。
所以,第二步需要移除passphrase:
| 代碼如下 | 複製代碼 |
#openssl rsa -in privkey.pem -out server.key |
|
這一步會讓你輸入前面設定的passphrase,所以在前面的時候不要胡亂設定一個passphrase哈。
第三步,產生伺服器憑證:
| 代碼如下 | 複製代碼 |
#openssl req -x509 -days 3650 -key server.key -in server.csr > server.crt |
|
days參數是指定認證有效期間的,3650是10 年,夠長的了吧?
最後,在httpd.conf裡的相應網域名稱配置裡加上:
| 代碼如下 | 複製代碼 |
SSLCertificateFile /etc/httpd/conf/key/server.crt |
|
然後重啟apache即可。
| 代碼如下 | 複製代碼 |
==== UPDATE: |
|
還有一種方法,先按照指定演算法產生密鑰:
| 代碼如下 | 複製代碼 |
#openssl genrsa -des3 1024 -new > server.old.key |
|
然後移除passphrase:
| 代碼如下 | 複製代碼 |
#openssl rsa -in server.old.key -out server.key |
|
然後產生認證請求:
| 代碼如下 | 複製代碼 |
#openssl req -new -key server.key > server.csr |
|
最後產生認證:
| 代碼如下 | 複製代碼 |
#openssl req -x509 -days 3650 -key server.key -in server.csr > server.crt 為了方便,網上有人製作成shell。方便產生。如下: #!/bin/sh # 產生CA根憑證私密金鑰 |
|
例2,產生apache認證(https應用)
| 代碼如下 | 複製代碼 |
| # cd /usr/local/apache2/conf # tar zxvf ssl.ca-0.1.tar.gz # cd ssl.ca-0.1 |
|
產生根憑證:
| 代碼如下 | 複製代碼 |
| # ./new-root-ca.sh (產生根憑證) No Root CA key round. Generating one Generating RSA private key, 1024 bit long modulus ...........................++++++ ....++++++ e is 65537 (0x10001) Enter pass phrase for ca.key: (輸入一個密碼) Verifying - Enter pass phrase for ca.key: (再輸入一次密碼) ...... Self-sign the root CA... (簽署根憑證) Enter pass phrase for ca.key: (輸入剛剛設定的密碼) ........ ........ (下面開始簽署) Country Name (2 letter code) [MY]:CN State or Province Name (full name) [Perak]:HaiNan Locality Name (eg, city) [Sitiawan]:HaiKou Organization Name (eg, company) [My Directory Sdn Bhd]:Wiscom System Co.,Ltd Organizational Unit Name (eg, section) [Certification Services Division]:ACSTAR Common Name (eg, MD Root CA) []:WISCOM CA Email Address []:acmail@wiscom.com.cn |
|
這樣就產生了ca.key和ca.crt兩個檔案,下面還要為我們的伺服器產生一個認證:
產生server認證:
| 代碼如下 | 複製代碼 |
| # ./new-server-cert.sh server (這個認證的名字是server) ...... ...... Country Name (2 letter code) [MY]:CN State or Province Name (full name) [Perak]:HaiNan Locality Name (eg, city) [Sitiawan]:HaiKou Organization Name (eg, company) [My Directory Sdn Bhd]:Wiscom System Co.,Ltd Organizational Unit Name (eg, section) [Secure Web Server]:ACSTAR Common Name (eg, www.domain.com) []:acmail.wiscom.com.cn Email Address []:acmail@wiscom.com.cn |
|
這樣就產生了server.csr和server.key這兩個檔案。
簽署server認證:
| 代碼如下 | 複製代碼 |
| # ./sign-server-cert.sh server CA signing: server.csr -> server.crt: Using configuration from ca.config Enter pass phrase for ./ca.key: (輸入上面設定的根憑證密碼) Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'CN' stateOrProvinceName :PRINTABLE:'JiangSu' localityName :PRINTABLE:'NanJing' organizationName :PRINTABLE:'Wiscom System Co.,Ltd' organizationalUnitName:PRINTABLE:'ACSTAR' commonName :PRINTABLE:'acmail.wiscom.com.cn' emailAddress :IA5STRING:'acmail@wiscom.com.cn' Certificate is to be certified until Jul 16 12:55:34 2005 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated CA verifying: server.crt <-> CA cert server.crt: OK |
|
(如果這裡出現錯誤,最好重新來過,刪除ssl.ca-0.1這個目錄,從解壓縮處重新開始。)
下面要按照ssl.conf裡面的設定,將認證放在適當的位置。
| 代碼如下 | 複製代碼 |
| # chmod 400 server.key # cd .. # mkdir ssl.key # mv ssl.ca-0.1/server.key ssl.key # mkdir ssl.crt # mv ssl.ca-0.1/server.crt ssl.crt |
|
然後就可以啟動啦!
| 代碼如下 | 複製代碼 |
# cd /usr/local/apache2 |
|
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
