Building an Apache + SSL + PHP + PostgreSQL stack on RHEL5 in detail (Part 1)

Compiling and installing from the command line on Linux requires the development tool packages (gcc, make and friends) to be installed first.

If they were not installed along with Linux, see http://blog.csdn.net/kunshan_shenbin/archive/2008/12/20/3564157.aspx

The installation steps are as follows:

1. Install OpenSSL. Download from http://www.openssl.org/source/ or ftp://ftp.openssl.org/source/

The newest release at the time, openssl-0.9.8i.tar.gz, is used here. (The 0.9.8 branch has been out of support for years; on a current system use a current OpenSSL release and follow the same steps.)

tar -zxvf openssl-0.9.8i.tar.gz

cd openssl-0.9.8i

./config --prefix=/usr/local/openssl  # set the install prefix

make

make install

 

2. Install Apache. Download from http://httpd.apache.org/download.cgi

The newest release at the time, httpd-2.2.11.tar.gz, is used here. The configure line below turns on dynamic module loading (--enable-so, needed to add PHP later), builds mod_ssl against the OpenSSL installed in step 1 (--enable-ssl --with-ssl=...), and adds mod_rewrite.

tar -zxvf httpd-2.2.11.tar.gz

cd httpd-2.2.11

./configure --enable-so --enable-ssl --with-ssl=/usr/local/openssl --enable-rewrite

make

make install

 

3. Create the certificates SSL needs (all files are generated under /usr/local/apache2/conf)

A. Create the key file

cd /usr/local/apache2/conf/

/usr/local/openssl/bin/openssl genrsa -des3 -out server.key 1024

You are prompted for a passphrase, as shown below (any passphrase will do, e.g. kunshan_shenbin). Note that a 1024-bit RSA key, acceptable when this was written, is considered too weak today and public CAs no longer issue certificates for such keys; on a current system use 2048 bits.

Generating RSA private key, 1024 bit long modulus
......................................................++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:  kunshan_shenbin
Verifying - Enter pass phrase for server.key: kunshan_shenbin

Afterwards there should be a server.key file in the current directory.

B. Inspect the key you created (optional):

/usr/local/openssl/bin/openssl rsa -noout -text -in server.key

C. Write a copy of the key without the passphrase (optional, but see step 4):

/usr/local/openssl/bin/openssl rsa -in server.key -out server.key.unsecure

server.key.unsecure is the same private key with the passphrase removed. Apache needs it to start without someone typing the passphrase on the console; because it is unprotected, keep it owned by root with mode 600.

D. Create the CSR (certificate signing request) file:

/usr/local/openssl/bin/openssl req -new -key server.key -out server.csr

This asks for quite a bit of information; for convenience I just pressed Enter through all of it, as follows:

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Afterwards there should be a server.csr file in the current directory. Note that the Common Name must be the hostname clients will type in the URL (localhost for the test in step 4, or the site's DNS name); with it left blank, every browser reports a name mismatch for the certificate even after the self-signed certificate itself has been accepted.

E. Create the certificate file:

/usr/local/openssl/bin/openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

This signs the request with server.key itself, i.e. it produces a self-signed certificate valid for ten years (3650 days); browsers will warn about it until it is imported as trusted. Afterwards there should be a server.crt file in the current directory.
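Step 3 as a single non-interactive script, added here as an example (it is not from the original post): it generates a passphrase-protected 2048-bit key, writes the passphrase-free copy of step C, sets the Common Name explicitly instead of leaving it blank, self-signs the certificate as in step E, and then checks that certificate and key really belong together. It assumes an `openssl` binary on PATH (set OPENSSL=/usr/local/openssl/bin/openssl to use the one built in step 1); the target directory, the hostname www.example.com and the subject fields are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: step 3 without interactive prompts.
# Assumes an openssl CLI on PATH; OPENSSL=/usr/local/openssl/bin/openssl selects
# the one built in step 1. Directory, hostname and subject fields are placeholders.
OPENSSL="${OPENSSL:-openssl}"

# make_server_cert DIR CN PASSPHRASE
# Writes server.key (encrypted with PASSPHRASE), server.key.unsecure (same key,
# passphrase removed; the file Apache uses to start unattended), server.csr and
# the self-signed server.crt. The passphrase is passed as pass:... only for
# illustration; it is visible in `ps`, so in real use prefer -passin file:... .
make_server_cert() {
    dir=$1; cn=$2; pass=$3
    mkdir -p "$dir" || return 1
    # step A: 2048 bits instead of the original 1024, AES instead of 3DES
    "$OPENSSL" genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
    # step C: same key without passphrase; must stay root-only (0600)
    "$OPENSSL" rsa -in "$dir/server.key" -passin "pass:$pass" \
        -out "$dir/server.key.unsecure" 2>/dev/null || return 1
    chmod 600 "$dir/server.key.unsecure"
    # step D: CSR with an explicit subject; CN must be the name clients use in the URL
    "$OPENSSL" req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/C=CN/ST=Jiangsu/L=Kunshan/O=Example Ltd/CN=$cn" \
        -out "$dir/server.csr" || return 1
    # step E: self-signed certificate, ten years
    "$OPENSSL" x509 -req -days 3650 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -passin "pass:$pass" \
        -out "$dir/server.crt" 2>/dev/null
}

# key_is_encrypted FILE: true if the PEM file still carries a passphrase
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# cert_matches_key CERT KEY: true only if CERT was issued for KEY.
# Compares the RSA modulus of both; a mismatch is the usual cause of
# "Unable to configure RSA server private key" when Apache starts.
cert_matches_key() {
    c=$("$OPENSSL" x509 -noout -modulus -in "$1" | "$OPENSSL" dgst -sha256)
    k=$("$OPENSSL" rsa  -noout -modulus -in "$2" | "$OPENSSL" dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_cn CERT: print the Common Name from the certificate subject
cert_cn() {
    "$OPENSSL" x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Usage: make_server_cert /usr/local/apache2/conf www.example.com 'kunshan_shenbin'
```

Point SSLCertificateFile at server.crt and SSLCertificateKeyFile at server.key.unsecure; run cert_matches_key on the two files whenever Apache refuses to start after a certificate renewal.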

 

4. Edit Apache's SSL configuration

A. Edit httpd.conf

Find the following line in the file and remove the comment marker:

#Include conf/extra/httpd-ssl.conf

B. Edit httpd-ssl.conf

Edit the SSL configuration file in the extra directory.

Find the SSLCertificateFile and SSLCertificateKeyFile settings and point them at the files created above.

(Note: the directory used above when generating the certificates is the default location in httpd-ssl.conf, so no change is needed.)

Apache can now be started with /usr/local/apache2/bin/apachectl start, and https://localhost opens your HTTPS site. Because server.key is passphrase-protected, Apache asks for the passphrase on the console every time it starts; to start it unattended, point SSLCertificateKeyFile at the passphrase-free server.key.unsecure from step 3C and keep that file owned by root with mode 600.

At this point, however, every user can reach the HTTPS site. If only authenticated users should get in, continue with the configuration below.

5. Create the certificates needed to authenticate clients

A. Create the key of the client CA (the key that will sign the user certificates):

#  /usr/local/openssl/bin/openssl genrsa -des3 -out client.key 1024

B. Create the CA certificate, self-signed with that key (this is the file SSLCACertificateFile will point at in step F):

#  /usr/local/openssl/bin/openssl req -new -x509 -days 3650 -key client.key -out client.crt

This asks for quite a bit of information; for convenience I just pressed Enter through all of it, as follows:

Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

C. Create the user's CSR (no -key is given, so openssl req generates a fresh private key and writes it to privkey.pem, as the output shows; privkey.pem is the user's private key and is needed again in step E):

#  /usr/local/openssl/bin/openssl req -new  -out pony.csr

This asks for quite a bit of information; for convenience I just pressed Enter through all of it, as follows:

Generating a 1024 bit RSA private key
....++++++
......................................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

D. Issue the user's certificate:

#  /usr/local/openssl/bin/openssl x509 -req -in pony.csr -out pony.crt -CA client.crt -CAkey client.key -CAcreateserial -days 3650

(The command as originally given also passed -signkey client.key. -signkey requests a self-signed certificate and has no place in one issued by the client CA; -CA/-CAkey alone does the signing, and -CAcreateserial creates the client.srl serial-number file on first use.)

E. Export as a PFX (PKCS#12) file: (IE can only import PFX)

#  /usr/local/openssl/bin/openssl pkcs12 -export -in pony.crt -inkey privkey.pem -out pony.pfx

The private key belonging to pony.crt is privkey.pem, the one openssl req generated in step C (its "writing new private key to 'privkey.pem'" line). With -inkey client.key, as originally written, the export fails with "No certificate matches private key", because client.key is the CA's key, not the user's. You are asked for the passphrase of privkey.pem and then for an export password; the browser asks for that export password on import.

Import this PFX file into IE on your test machine.

F. Edit the SSL configuration file:

In httpd-ssl.conf, find SSLCACertificateFile and set its path to client.crt (the CA certificate from step B; mod_ssl accepts a client certificate signed by any CA in that file). Then remove the comment markers from these two lines:
SSLVerifyClient require
SSLVerifyDepth  10

(10 is the stock value for SSLVerifyDepth; with a one-level private CA, 1 is enough and rejects any chain longer than CA -> user.)

Restart Apache. On the next visit IE pops up a dialog asking which certificate to present.
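Steps 5A to 5E reworked as a script, added here as an example (these are not the original post's commands): the client CA gets its own key and self-signed certificate, each user gets a key of their own, the CSR is signed with -CA/-CAkey only, and the PKCS#12 bundle pairs the user's certificate with the user's key, which is exactly the pairing step E needs. verify_client_cert performs the same chain check mod_ssl does at the handshake once SSLVerifyClient require is set. It assumes an `openssl` binary on PATH (OPENSSL=/usr/local/openssl/bin/openssl selects the one built in step 1) with its default openssl.cnf, whose v3_ca section marks `req -x509` output as a CA; the directory, the names and the export password are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a private client CA that issues user
# certificates. Assumes an openssl CLI on PATH with its default openssl.cnf
# (OPENSSL=/usr/local/openssl/bin/openssl selects the one built in step 1).
# Directory, names and the export password are placeholders.
OPENSSL="${OPENSSL:-openssl}"

# make_client_ca DIR: CA key (client.key) and self-signed CA certificate (client.crt).
# client.crt is what SSLCACertificateFile points at; client.key never leaves the server.
# req -x509 applies the v3_ca section of openssl.cnf (basicConstraints = CA:true),
# which is what lets openssl verify and mod_ssl accept client.crt as a CA.
make_client_ca() {
    dir=$1
    mkdir -p "$dir" || return 1
    "$OPENSSL" genrsa -out "$dir/client.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/client.key"
    "$OPENSSL" req -new -x509 -days 3650 -key "$dir/client.key" \
        -subj "/C=CN/O=Example Ltd/CN=Example Client CA" -out "$dir/client.crt"
}

# issue_client_cert DIR USER PFXPASS
# The user gets a key of their own (USER.key, the page's privkey.pem); the CSR is
# signed with -CA/-CAkey only (no -signkey); the PKCS#12 bundle pairs USER.crt with
# USER.key. pkcs12 -export refuses a key that does not match the certificate, so a
# successful export also proves the pairing is right.
issue_client_cert() {
    dir=$1; user=$2; pfxpass=$3
    "$OPENSSL" genrsa -out "$dir/$user.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/$user.key"
    "$OPENSSL" req -new -key "$dir/$user.key" \
        -subj "/C=CN/O=Example Ltd/CN=$user" -out "$dir/$user.csr" || return 1
    "$OPENSSL" x509 -req -days 3650 -in "$dir/$user.csr" \
        -CA "$dir/client.crt" -CAkey "$dir/client.key" -CAcreateserial \
        -out "$dir/$user.crt" 2>/dev/null || return 1
    # -certfile adds the CA certificate to the bundle so the browser can show the chain
    "$OPENSSL" pkcs12 -export -in "$dir/$user.crt" -inkey "$dir/$user.key" \
        -certfile "$dir/client.crt" -passout "pass:$pfxpass" -out "$dir/$user.pfx"
}

# verify_client_cert DIR USER: the chain check mod_ssl does at the handshake when
# SSLVerifyClient require is set: USER.crt must be signed by client.crt.
verify_client_cert() {
    "$OPENSSL" verify -CAfile "$1/client.crt" "$1/$2.crt" >/dev/null 2>&1
}

# cert_issuer_cn DIR USER: print the issuer CN; for a properly issued certificate
# this is the CA's name, not the user's own.
cert_issuer_cn() {
    "$OPENSSL" x509 -noout -issuer -in "$1/$2.crt" | sed 's/.*CN *= *//'
}

# pfx_ok DIR USER PFXPASS: true if the bundle decrypts with PFXPASS, which is
# what the browser's import dialog will do.
pfx_ok() {
    "$OPENSSL" pkcs12 -in "$1/$2.pfx" -passin "pass:$3" -noout >/dev/null 2>&1
}

# Usage: make_client_ca /usr/local/apache2/conf && issue_client_cert /usr/local/apache2/conf pony 'export-pass'
```

Only client.crt goes into SSLCACertificateFile; client.key stays on the CA side with mode 600, and each pony.pfx is handed to exactly one person, since whoever holds it can authenticate as that user.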

The above is based on: http://www.blogjava.net/jjwwhmm/archive/2008/04/25/195964.html

 
