Configuring SSL for apache2 on Debian

sudo apt-get install openssl
sudo apt-get install ssl-cert
sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/apache2.pem

cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/ssl
"/etc/apache2/sites-enabled/ssl" should look like this:

NameVirtualHost *:443

<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    SSLEngine On
    SSLCertificateFile /etc/ssl/private/apache2.pem

    DocumentRoot /var/www/

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        # Commented out for Ubuntu
        #RedirectMatch ^/$ /apache2-default/
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>



/etc/init.d/apache2 restart







KEY:


I. Enable the module (there are two ways)

1. Run the command

a2enmod ssl

This command is equivalent to

sudo ln -s /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled
sudo ln -s /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled

followed by Include /etc/apache2/mods-enabled/*.load

2. Or add the module loading directive directly to apache2.conf:
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

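II. Install openssl
Then run this command to generate the certificate:

openssl req -x509 -newkey rsa:1024 -keyout apache.pem -out apache.pem -nodes -days 999

Here 999 is the certificate's validity period in days.

Answer a few questions, for example: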

Country Name (2 letter code) [AU]:CN

State or Province Name (full name) [Some-State]:gd

Locality Name (eg, city) []:gz

Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX

Organizational Unit Name (eg, section) []:YYY

Common Name (eg, YOUR name) []:server2   (this is the hostname the certificate is issued for)

Email Address []:111@gmail.com



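After the command runs, an apache.pem file is generated under /etc/apache2.

For easier management, create an ssl folder under /etc/apache2 and put apache.pem in it.

III. Add the listening port

Add Listen 443 to apache2.conf, or Include /etc/apache2/ports.conf

IV. Configure the site file

Change the default port to 443.
Add the following under <VirtualHost>: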

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

Example:
NameVirtualHost *:443

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem

ServerAdmin webmaster@localhost

DocumentRoot /var/www
ServerName 192.168.60.131
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
#RedirectMatch ^/$ /apache2-default/
</Directory>
</VirtualHost>

Restart the apache service.

Test https://localhost/: IE pops up a security alert, and Firefox asks whether to add an exception.
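
The steps above leave Apache reading an unencrypted key (-nodes) and the certificate from the one file named by SSLCertificateFile. The Python check below is an added example, not part of the original post: it collects the SSLCertificateFile/SSLCertificateKeyFile paths from a vhost file and reports any PEM whose unencrypted private key is readable by group or other, or that holds key and certificate together. The function names and the sample PEM body are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)
CERT_DIRECTIVE = re.compile(
    r'^\s*SSLCertificate(?:Key)?File\s+"?([^"\s]+)"?\s*$', re.I | re.M)


def pem_paths(vhost_text):
    """Paths named by active (uncommented) SSLCertificate[Key]File lines."""
    return CERT_DIRECTIVE.findall(vhost_text)


def audit_pem(path):
    """Return findings for one PEM file referenced by the vhost."""
    text = Path(path).read_text(encoding="ascii", errors="replace")
    labels = PEM_BEGIN.findall(text)
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    # ENCRYPTED label (PKCS#8) or Proc-Type header (traditional): passphrase-protected.
    encrypted = (any(k.startswith("ENCRYPTED") for k in keys)
                 or "Proc-Type: 4,ENCRYPTED" in text)
    mode = os.stat(path).st_mode & 0o777
    findings = []
    if keys and not encrypted and mode & 0o077:
        findings.append("unencrypted private key readable by group/other (mode %04o)" % mode)
    if keys and "CERTIFICATE" in labels:
        findings.append("private key stored in the same file as the certificate")
    return findings


def demo():
    """Audit a constructed stand-in for the page's apache.pem at two file modes."""
    body = ("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
            "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        pem = os.path.join(tmp, "apache.pem")
        Path(pem).write_text(body)  # constructed placeholder, not real key material
        vhost = "SSLEngine on\n#SSLCertificateFile /old.pem\nSSLCertificateFile %s\n" % pem
        os.chmod(pem, 0o644)
        loose = [audit_pem(p) for p in pem_paths(vhost)]
        os.chmod(pem, 0o600)
        tight = [audit_pem(p) for p in pem_paths(vhost)]
    return loose, tight


if __name__ == "__main__":
    print(demo())
```

On a real host, pass the contents of the site file (for example /etc/apache2/sites-enabled/ssl) to pem_paths and run audit_pem on each returned path.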


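Generate a certificate signing request (CSR)

Go to the OpenSSL installation directory and run the following command to generate the private key:

openssl genrsa -des3 -out server.key 1024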

Loading 'screen' into random state - done

Generating RSA private key, 1024 bit long modulus

..........++++++

........++++++

e is 65537 (0x10001)

Enter pass phrase:

Verifying - Enter pass phrase:

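If the -des3 option is used, you will be asked for a passphrase to encrypt the private key; if you do not need the private key encrypted, omit the -des3 option.

After you enter the passphrase twice, the private key file server.key is generated.

Run the following command to generate the certificate signing request (CSR):

openssl req -new -key server.key -out server.csr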

                