Apache 版本:Apache 2.2.8 for Windows,包含 ssl 模块支持。文件名形如 apache_2.2.8-win32-x86-openssl-0.9.8g.msi。
工作目录:~/apache2.2
-------------------------------------------------
1,生成私钥 .key
~/Apache2.2>openssl genrsa -des3 -out localhost.key 1024
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
............++++++
..........................++++++
e is 65537 (0x10001)
Enter pass phrase for localhost.key: mbi1001
Verifying - Enter pass phrase for localhost.key:mbi1001
由于使用 -des3 参数,需要输入一个密码对私钥进行加密,如不需要对私钥加密请不要使用-des3选项。
结果生成 localhost.key 文件。
2,将私钥解密(可选):
~/Apache2.2>openssl rsa -in localhost.key -out localhost.decrypt-key
Enter pass phrase for localhost.key:
writing RSA key
输入 pass phrase for localhost.key 后,生成解密后的 localhost.decrypt-key 文件。也可以使用未解密的文件。
3,根据.key生成证书请求文件.csr:
~/Apache2.2>openssl req -new -config ./conf/openssl.cnf -key localhost.key -out localhost.csr
Enter pass phrase for localhost.key:mbi1001
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shaanxi
Locality Name (eg, city) []:xian
Organization Name (eg, company) [Internet Widgits Pty Ltd]:myCom Name
Organizational Unit Name (eg, section) []:myOU Name
Common Name (eg, YOUR name) []:localhost
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:mbi1001
An optional company name []:
Common Name 输入网站域名,否则会报告此证书不是为本网站颁发的。
从Email地址开始,下面的信息可以不需要,保留为空,直接回车即可。
pass phrase for localhost.key 与前边输入的必须一致。
需要输入的信息说明及举例:
Country Name:ISO国家代码(两位字符),CN
State or Province Name:所在省份,GuangDong
Locality Name:所在城市,ShenZhen
Organization Name:公司名称,KaiKai Technology Co. Ltd.
Organizational Unit Name:部门名称 IT Dept.
Common Name:申请证书的域名,test.com
Email Address:不需要输入
A challenge password:不需要输入
请妥善保存生成的文件。
命令行参数 -config conf/openssl.cnf 指出了 ssl 配置文件 openssl.cnf 位置,否则报告错误:
Unable to load config info from /usr/local/ssl/openssl.cnf
设置 Openssl 全局环境变量为 ~/apache2.2/conf/openssl.cnf 也可以。
在 Windows 系统下 openssl.cnf 默认会被当成快捷方式,看不到扩展名。
4,提交.csr文件给证书提供商以申请你的域名证书,以便他们制作.crt证书文件和CA文件。
a、把刚才所生成的 .csr 文件,发给证书提供商。
b、等待证书提供商颁发证书。
注:证书提供商目前有VeriSign、globalsign等,自己也可以google下:)
作为测试。这里自己制作,使用下面的命令:
~/Apache2.2>openssl x509 -in localhost.csr -out localhost.crt -req -signkey localhost.key -days 365
Loading 'screen' into random state - done
Signature ok
subject=/C=CN/ST=shaaanxi/L=xian/O=myCom for Test SSL/OU=my OU name/CN=localhost
Getting Private key
Enter pass phrase for localhost.key:mbi1001
5,部署到服务器上:
拷贝到 ~/apache2.2/conf 文件夹下。
6,修改配置:
在 ~/apache2.2/conf/httpd.conf 中修改:
LoadModule ssl_module modules/mod_ssl.so 打开注释
Include conf/extra/httpd-ssl.conf 打开注释
在 ~/apache2.2/conf/extra/httpd-ssl.conf 中修改,主要是把上边生成的证书文件的路径配置正确。要点摘录如下:
Listen 443
AddType application/x-x509-ca-cert .crt
SSLPassPhraseDialog builtin
SSLMutex default
<VirtualHost *:443>
DocumentRoot "C:/Program Files/Apache Software Foundation/Apache2.2/htdocs"
ServerName localhost:443
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/localhost.crt"
SSLCertificateKeyFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/localhost.decrypt-key"
#SSLCACertificatePath "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crt"
#SSLCACertificateFile "C:/Program Files/Apache Software Foundation/Apache2.2/conf/ssl.crt/ca-bundle.crt"
#SSLVerifyClient require #本测试没打开
#SSLVerifyDepth 10
</VirtualHost>
7,运行测试:
浏览器地址栏输入网址:
https://localhost,注意后面不带“:443”端口号。
会出现警告信息,点击继续“继续浏览此网站(不推荐) ”(在 IE8下)链接即可。
2593
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
