I. Installation
1. Install OpenSSL (http://www.openssl.org)
./config
make
su
make install
2. Install mod_ssl
Apache 2 ships with mod_ssl, so you only need to add these options when configuring the build:
--enable-ssl=static --with-ssl=/usr/local/ssl
Explanation:
mod_ssl has to be compiled in statically for it to work properly; otherwise Apache reports an error at start-up.
The default OpenSSL install puts everything under /usr/local/ssl, so when compiling Apache you must point it at that directory with --with-ssl=/usr/local/ssl, because the build needs the header files and libraries that OpenSSL provides.
II. Configuration
Back in the apache1 + mod_ssl days there was a step like this after make:
$ make certificate
It generated the certificates SSL needs.
That tool is gone now, so you have to create them yourself. If you are not familiar with certificates, there is a helper you can use: http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz
# cd /usr/local/apache2/conf
# tar zxvf ssl.ca-0.1.tar.gz
# cd ssl.ca-0.1
# ./new-root-ca.sh (generate the root certificate)
No Root CA key round. Generating one
Generating RSA private key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (enter a pass phrase)
Verifying - Enter pass phrase for ca.key: (enter the pass phrase again)
......
Self-sign the root CA... (sign the root certificate)
Enter pass phrase for ca.key: (enter the pass phrase you just set)
........
........ (the signing prompts start here)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:JiangSu
Locality Name (eg, city) [Sitiawan]:NanJing
Organization Name (eg, company) [My Directory Sdn Bhd]:Wiscom System Co.,Ltd
Organizational Unit Name (eg, section) [Certification Services Division]:ACSTAR
Common Name (eg, MD Root CA) []:WISCOM CA
Email Address []:acmail@wiscom.com.cn
This produces two files, ca.key and ca.crt. Next we need to generate a certificate for our own server:
# ./new-server-cert.sh server (the certificate will be named server)
......
......
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:JiangSu
Locality Name (eg, city) [Sitiawan]:NanJing
Organization Name (eg, company) [My Directory Sdn Bhd]:Wiscom System Co.,Ltd
Organizational Unit Name (eg, section) [Secure Web Server]:ACSTAR
Common Name (eg, www.domain.com) []:acmail.wiscom.com.cn
Email Address []:acmail@wiscom.com.cn
This produces two files, server.csr and server.key.
The request still has to be signed before it can be used:
# ./sign-server-cert.sh server
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: (enter the root certificate pass phrase set above)
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'JiangSu'
localityName :PRINTABLE:'NanJing'
organizationName :PRINTABLE:'Wiscom System Co.,Ltd'
organizationalUnitName:PRINTABLE:'ACSTAR'
commonName :PRINTABLE:'acmail.wiscom.com.cn'
emailAddress :IA5STRING:'acmail@wiscom.com.cn'
Certificate is to be certified until Jul 16 12:55:34 2005 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
(If an error shows up here, it is best to start over: delete the ssl.ca-0.1 directory and begin again from the unpacking step.)
Next, put the key and certificate where the settings in ssl.conf expect them.
# chmod 400 server.key
# cd ..
# mkdir ssl.key
# mv ssl.ca-0.1/server.key ssl.key
# mkdir ssl.crt
# mv ssl.ca-0.1/server.crt ssl.crt
Then you can start it up!
# cd /usr/local/apache2
# ./bin/apachectl startssl
If you see this message:
httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
just edit httpd.conf, find the line ServerName xxxx and remove the comment marker in front of it.
An SSL virtual host using a CA-issued certificate and its CA bundle looks like this:
<VirtualHost 172.18.116.42:443>
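The three ssl.ca-0.1 scripts above hide what actually happens. As an added example (not part of the original post and not the ssl.ca-0.1 scripts themselves), here are the same steps done with plain openssl(1) commands: a pass-phrase protected root CA, a server key and CSR, a CA-signed server certificate, and the chain check that sign-server-cert.sh reports as "server.crt: OK". Subject fields, the host name acmail.example.test, the pass phrase and the working directory are constructed placeholders; the key size is 2048 bits rather than the 1024 bits the old script used.

```shell
#!/bin/sh
# Added example: root CA -> server CSR -> CA-signed server cert with plain
# openssl commands. Not from the original post or the ssl.ca-0.1 helper.
set -e

WORK="${WORK:-$(mktemp -d)}"          # constructed scratch directory
CA_PASS="example-ca-passphrase"       # constructed; the real one is typed interactively

# 1. Root CA: an encrypted private key plus a self-signed CA certificate
#    (what new-root-ca.sh produces as ca.key and ca.crt).
make_root_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -subj "/C=XX/ST=Example/L=Example/O=Example CA/CN=Example Root CA" \
        -out "$WORK/ca.crt"
}

# 2. Server private key and certificate signing request
#    (what new-server-cert.sh produces as server.key and server.csr).
make_server_csr() {                   # make_server_csr <name> <hostname>
    name="$1"; host="$2"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    chmod 400 "$WORK/$name.key"       # same protection the post applies to server.key
    openssl req -new -key "$WORK/$name.key" \
        -subj "/C=XX/ST=Example/L=Example/O=Example Org/CN=$host" \
        -out "$WORK/$name.csr"
}

# 3. Sign the CSR with the root CA, valid for 365 days like the post's output
#    (what sign-server-cert.sh does through ca.config).
sign_server_cert() {                  # sign_server_cert <name>
    name="$1"
    openssl x509 -req -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -out "$WORK/$name.crt" 2>/dev/null
}

# 4. The check behind "CA verifying: server.crt <-> CA cert ... server.crt: OK":
#    the server certificate must chain to the CA certificate.
verify_server_cert() {                # verify_server_cert <name>
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt"
}

# Run the whole sequence when invoked as: sh mkcerts.sh demo
if [ "${1:-}" = demo ]; then
    make_root_ca
    make_server_csr server acmail.example.test
    sign_server_cert server
    verify_server_cert server
    echo "files are in $WORK"
fi
```

The resulting server.key and server.crt go into ssl.key and ssl.crt exactly as in the post; ca.key stays off the web server entirely, since it only has to be present when a new certificate is signed.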
DocumentRoot /etc/httpd/htdocs
ServerName secure.somewhere.com
SSLEngine on
SSLCertificateFile /usr/local/ssl/crt/your_domain_com.crt
SSLCertificateKeyFile /usr/local/ssl/private/private.key
SSLCACertificateFile /usr/local/ssl/crt/GeoTrust_CA_Bundle.crt
</VirtualHost>
III. Reference articles:
http://www.geocerts.com/install/apache_2
http://www.digicert.com/ssl-certificate-installation-apache.htm
http://man.ddvip.com/linux/debian/apache2/debian-apache2-7.html
http://www.pkphp.com/2008/06/05/apache2-mod_ssl-php5-%E5%AE%8C%E5%85%A8%E5%AE%89%E8%A3%85%E5%AE%9E%E5%BD%95/
http://www.nurdletech.com/https.html
IV. Reference configuration:
NameVirtualHost *:80
NameVirtualHost *:443
Listen 443
<VirtualHost *:80>
ServerAdmin webmaster@mydomain.com
DocumentRoot /srv/www/htdocs/mydomain
ServerName www.mydomain.com
ServerAlias mydomain.com
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster@mydomain.com
DocumentRoot /srv/www/htdocs/mydomain-secure
ServerName mail.mydomain.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl.crt/mydomain.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/mydomain.key
</VirtualHost>
<Directory /srv/www/htdocs/mydomain-secure>
SSLRequireSSL
</Directory>
<VirtualHost *:80>
ServerAdmin webmaster@mydomain.com
DocumentRoot /srv/www/htdocs/mydomain
ServerName mail.mydomain.com
RedirectMatch permanent (/.*) https://mail.mydomain.com$1
</VirtualHost>
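Once a configuration like the one above is in place, the mistakes that stop httpd from starting (or that silently weaken the setup) are a key file readable by other users, a key that does not belong to the certificate, and a certificate issued for a name other than the ServerName. The following audit script is an added example, not part of the original post: it reads ServerName, SSLEngine, SSLCertificateFile and SSLCertificateKeyFile from a config fragment holding one SSL virtual host and checks all four points with openssl. The function names and the sample fragment in the usage are constructed.

```shell
#!/bin/sh
# Added example: audit one Apache SSL VirtualHost fragment. Not from the
# original post; directive names are Apache's, everything else is constructed.
set -e

# First argument of the first matching directive in the file (case-insensitive).
conf_value() {                        # conf_value <conf-file> <Directive>
    awk -v d="$2" 'tolower($1)==tolower(d) {print $2; exit}' "$1"
}

# True when the key file grants no permissions to group or others (e.g. 400, 600).
key_is_private() {                    # key_is_private <keyfile>
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when private key and certificate share the same RSA modulus,
# i.e. the key really belongs to that certificate.
key_matches_cert() {                  # key_matches_cert <keyfile> <certfile>
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# True when the certificate is valid for the given host name (SAN, or CN as fallback).
cert_covers_host() {                  # cert_covers_host <certfile> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Runs every check on one config fragment, prints one line per finding and
# returns the number of failed checks (0 means the vhost is clean).
audit_ssl_vhost() {                   # audit_ssl_vhost <conf-file>
    conf="$1"; fails=0
    host=$(conf_value "$conf" ServerName)
    crt=$(conf_value "$conf" SSLCertificateFile)
    key=$(conf_value "$conf" SSLCertificateKeyFile)
    [ "$(conf_value "$conf" SSLEngine)" = on ] || { echo "SSLEngine is not on"; fails=$((fails+1)); }
    [ -r "$crt" ] || { echo "certificate file missing: $crt"; fails=$((fails+1)); }
    [ -r "$key" ] || { echo "key file missing: $key"; fails=$((fails+1)); }
    if [ -r "$crt" ] && [ -r "$key" ]; then
        key_is_private "$key"          || { echo "key $key is readable by group/others"; fails=$((fails+1)); }
        key_matches_cert "$key" "$crt" || { echo "key does not match certificate"; fails=$((fails+1)); }
        cert_covers_host "$crt" "$host" || { echo "certificate is not valid for $host"; fails=$((fails+1)); }
    fi
    return $fails
}

# Usage: sh audit.sh /etc/apache2/conf.d/ssl-vhost.conf  (exit status = number of findings)
if [ -n "${1:-}" ]; then
    audit_ssl_vhost "$1"
fi
```

Run it against the fragment that holds the *:443 VirtualHost from the reference configuration; for the fragment above it would flag nothing once /etc/apache2/ssl.key/mydomain.key is mode 400 and mydomain.crt was issued for mail.mydomain.com. The modulus comparison is the same test httpd performs at start-up, so running it beforehand turns a failed restart into a readable finding.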