Apache1.3.27+mod_ssl+自定义SSL证书(转)

Apache1.3.27+mod_ssl+自定义SSL证书(转)[@more@]

　　绝对蓝屏 [ ihweb ] （黄华栋）

　　Apache 1.3.27+mod_ssl+自定义SSL证书在我发表第一篇文章里介绍了用FreeBSD 的Ports 来安装方便简单，可更多使用者使用的OS非FreeBSD或想自己下载他们的原代码自己编译安装的。以下是作者在FreeBSD 4.8 stable平台下，一步一步编译安装Apache 1.3.27+mod_ssl的过程。

　　1、下载所需的安装包

FBSD# pwd

/tmp/install

FBSD# fetch http://httpd.apache.org/dist/httpd/apache_1.3.27.tar.gz

FBSD# fetch ftp://ftp.modssl.org/source/mod_ssl-2.8.14-1.3.27.tar.gz

FBSD# fetch ftp://ftp.openssl.org/source/openssl-0.9.7a.tar.gz

FBSD# ls –lA

-rw-r--r-- 1 root wheel 2306052 10 4 2002 apache_1.3.27.tar.gz

-rw-r--r-- 1 root wheel 754179 3 21 22:21 mod_ssl-2.8.14-1.3.27.tar.gz

-rw-r--r-- 1 root wheel 2776582 2 19 22:12 openssl-0.9.7a.tar.gz 2、安装openssl

　　openssl 是mod_ssl 必需的软件包

　　FBSD# tar zxvf openssl-0.9.7a.tar.gz

FBSD# cd openssl-0.9.7a

FBSD# ./config （请看清楚，不是一般的configure 他自己的是config）

FBSD# make make 成功后，openssl 就安装完成了。

　　3、将mod_ssl 配置进apache

　　FBSD# pwd

/tmp/install

FBSD# tar zxvf mod_ssl-2.8.14-1.3.27.tar.gz

FBSD# tar zxvf apache_1.3.27.tar.gz

FBSD# ls –lA

drwxr-xr-x 8 1078 1078 512 7 17 13:09 apache_1.3.27

-rw-r--r-- 1 root wheel 2306052 10 4 2002 apache_1.3.27.tar.gz

drwxr-xr-x 10 root wheel 512 7 17 13:06 mod_ssl-2.8.14-1.3.27

-rw-r--r-- 1 root wheel 754179 3 21 22:21 mod_ssl-2.8.14-1.3.27.tar.gz

drwxr-xr-x 20 root wheel 1024 7 17 13:05 openssl-0.9.7a

-rw-r--r-- 1 root wheel 2776582 2 19 22:12 openssl-0.9.7a.tar.gz

FBSD# cd mod_ssl-2..8.14-1.3.27

FBSD# ./configure --with-apache=../apache_1.3.27 --with-ssl=../openssl-0.9.7a --prefix=/usr/local/apache

Configuring mod_ssl/2.8.14 for Apache/1.3.27

+ Apache location: ../apache_1.3.27 (Version 1.3.27)

+ OpenSSL location: ../openssl-0.9.7a

+ Auxiliary patch tool: ./etc/patch/patch (local)

……….

Now proceed with the following commands:

$ cd ../apache_1.3.27

$ make

$ make certificate

$ make install

FBSD# 当大家看到以上的东西后，mod_ssl 已经加到了apache的源代码中，按照提示本来就应该直接到apache_1.3.27下面编译就可以使用apache 了，但是我发现这样编译后的apache 不具有 动态模块加载（DSO）功能，那么来说，你的apache1.3.27只具备静态网页的功能（当然，你也可以用perl 来写CGI程序实现动态网页）其实DSO有很多好处，比如你可以加装PHP……等。

　　4、编译和安装Apache 1.3.27

　　刚才提到为什么我们不按照指示去做呢，就是因为我们要把Apache 1.3.27编译成DSO模式。如果你单单想编译成静态模式的话，就直接在apache 1.3.27 目录下make 就OK了。

　　下面是把apache 1.3.27 编译成DSO模式。

　　FBSD# ./configure --prefix=/usr/local --enable-module=so --enable-module=ssl（--enable-module=ssl 这个很重要，就是要加如mod_ssl 模块）

…

…

FBSD# make

….

到此，apache 1.3.27+mod_ssl 已经编译完成，下面的是生成CA证书。

　　FBSD# make certificate

SSL Certificate Generation Utility (mkcert.sh)

Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating test certificate signed by Snake Oil CA [TEST]

WARNING: Do not use this for real-life/production systems

______________________________________________________________________

STEP 0: Decide the signature algorithm used for certificate

The generated X.509 CA certificate can contain either

RSA or DSA based ingredients. Select the one you want to use.

Signature Algorithm ((R)SA or (D)SA) [R]:R （选择加密方式）

______________________________________________________________________

STEP 1: Generating RSA private key (1024 bit) [server.key]

4493119 semi-random bytes loaded

Generating RSA private key, 1024 bit long modulus

..++++++

...........................................................................++++++

e is 65537 (0x10001)

______________________________________________________________________

STEP 2: Generating X.509 certificate signing request [server.csr]

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

1. Country Name (2 letter code) [XY]:CN

2. State or Province Name (full name) [Snake Desert]:Guang Dong

3. Locality Name (eg, city) [Snake Town]:Guang Zhou

4. Organization Name (eg, company) [Snake Oil, Ltd]:Kingisme.com xBSD Studio

5. Organizational Unit Name (eg, section) [Webserver Team]:cnfug.org

6. Common Name (eg, FQDN) [www.snakeoil.dom]:www.cnfug.org

7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:ihweb@cnfug.org

8. Certificate Validity (days) [365]:365

______________________________________________________________________

STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]

Certificate Version (1 or 3) [3]:3

Signature ok

subject=/C=CN/ST=Guang Dong/L=Guang Zhou/O=Kingisme.com xBSD Studio/OU=cnfug.org/CN=www.cnfug.org/emailAddress=ihweb@cnfug.org

Getting CA Private Key

Verify: matching certificate & key modulus

Verify: matching certificate signature

../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/emailAddress=ca@snakeoil.dom

error 10 at 1 depth lookup:certificate has expired

OK

______________________________________________________________________

STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]

The contents of the server.key file (the generated private key) has to be

kept secret. So we strongly recommend you to encrypt the server.key file

with a Triple-DES cipher and a Pass Phrase.

Encrypt the private key now? [Y/n]: n

Warning, you're using an unencrypted RSA private key.

Please notice this fact and do this on your own risk.

______________________________________________________________________

RESULT: Server Certification Files

o conf/ssl.key/server.key

The PEM-encoded RSA private key file which you configure

with the 'SSLCertificateKeyFile' directive (automatically done

when you install via APACI). KEEP THIS FILE PRIVATE!

o conf/ssl.crt/server.crt

The PEM-encoded X.509 certificate file which you configure

with the 'SSLCertificateFile' directive (automatically done

when you install via APACI).

o conf/ssl.csr/server.csr

The PEM-encoded X.509 certificate signing request file which

you can send to an official Certificate Authority (CA) in order

to request a real server certificate (signed by this CA instead

of our demonstration-only Snake Oil CA) which later can replace

the conf/ssl.crt/server.crt file.

WARNING: Do not use this for real-life/production systems

FBSD# 到此，CA证书正式生成。

　　然后安装apache 1.3.27

FBSD# make install

… 5、启动并测试

　　FBSD# /usr/local/apache/bin/apachectl startssl 在IE中输入地址

　　https://192.168.168.168/ （请更换你的APACHE服务器IP） 你将会看到需要

　　1）询问是否要通过安全连接查看网页

　　2）接收到证书

　　6、关于自定义SSL的证书

　　大家可以查看我的《Apache1.3.27+mod_ssl+SSL》中提到方法去做，只是此是的sign.sh 在

　　/tmp/install/mod_ssl-2.8.14-1.3.27/pkg.contrib/sign.sh 那里，这是签署证书生成server.crt需要的。

　　7、小结

　　此文章虽然是在 FreeBSD 4.8 stable 平台上实现的，但是由于Unix Like ，基本上适用于Linux、Solaris、AIX、HP-UX等。其实这样的安装不难，多看点文档，尤其是mod_ssl 本身自带的文档，因为这个mod_ssl-2.8.14-1.3.27 本身就是for Apache 1.3.27 所以mod_ssl.org Code team 们肯定经过测试的，安装的时候只要认真看提示就可以了！

　　希望大家能顺利完成自己的apache+mod_ssl。

来自 “ ITPUB博客 ” ，链接：http://blog.itpub.net/10748419/viewspace-944440/，如需转载，请注明出处，否则将追究法律责任。

转载于:http://blog.itpub.net/10748419/viewspace-944440/