
Apache HTTPS configuration: the full process

2009-03-30 22:38
Posted by monk on 2007, October 9, 10:35 AM. Filed in: Collected technical articles

Writer: demonalex[at]163[dot]com
Test environment:

FreeBSD server5.demonalex 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Wed Oct 9 15:08:34 GMT 2002 root@builder.freebsdmall.com:/usr/obj/usr/src/sys/GENERIC i386

The system ships with cc/gcc, tar, fetch and openssl by default.

Installation:

#cd /usr/local/sbin

#fetch http://mirror.olnevhost.net/pub/apache/httpd/apache_1.3.37.tar.gz
#fetch http://www.modssl.org/source/mod_ssl-2.8.28-1.3.37.tar.gz

Both archives arrive over plain HTTP from a mirror, so before unpacking them check each tarball against the detached PGP signature (.asc) its project publishes for the release. This build is done as root, and a tampered archive would compromise the whole host.

#tar -zxvf apache_1.3.37.tar.gz

#tar -zxvf mod_ssl-2.8.28-1.3.37.tar.gz

As for why it has to be Apache 1.3: I have no say in the matter...

#cd mod_ssl-2.8.28-1.3.37

#./configure --with-apache=../apache_1.3.37

#cd ../apache_1.3.37

#./configure --enable-module=ssl

#make

Next comes make certificate; the prompt reads:

+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL       |
| certificate system by running the 'make certificate' command.       |
| For different situations the following variants are provided:       |
|                                                                     |
| % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test     (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom   (custom cert signed by own CA)     |
| % make certificate TYPE=existing (existing cert)                    |
|        CRT=/path/to/your.crt [KEY=/path/to/your.key]                |
|                                                                     |
| Use TYPE=dummy    when you're a vendor package maintainer,          |
| the TYPE=test     when you're an admin but want to do tests only,   |
| the TYPE=custom   when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server.       |
| (The default is TYPE=test)                                          |
|                                                                     |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select           |
| the signature algorithm used for the generated certificate.         |
|                                                                     |
| Use 'make certificate VIEW=1' to display the generated data.        |
|                                                                     |
| Thanks for using Apache & mod_ssl.            Ralf S. Engelschall   |
|                                               rse@engelschall.com   |
|                                               www.engelschall.com   |
+---------------------------------------------------------------------+

#make certificate TYPE=custom

STEP 0: Decide the signature algorithm used for certificates

The generated X.509 certificates can contain either

RSA or DSA based ingredients. Select the one you want to use.

Signature Algorithm ((R)SA or (D)SA) [R]: press Enter

STEP 0 selects the signature algorithm for the certificates (RSA or DSA; it does not choose the cipher used to protect traffic). The default, R/RSA, is the right choice.

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]

4337667 semi-random bytes loaded

Generating RSA private key, 1024 bit long modulus

Wait while the system generates ca.key, the private key of the CA (certificate authority). 1024-bit RSA was this tool's default; it is no longer considered adequate, so on any current system generate at least 2048-bit keys.

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]

Using configuration from .mkcert.cfg

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

1. Country Name (2 letter code) [XY]: enter CN (two-letter country code)

2. State or Province Name (full name) [Snake Desert]: enter GuangDong (province)

3. Locality Name (eg, city) [Snake Town]: enter GuangZhou (city)

4. Organization Name (eg, company) [Snake Oil, Ltd]: enter demonalex.net (organization name)

5. Organizational Unit Name (eg, section) [Certificate Authority]: enter demonalex.net (organizational unit)

6. Common Name (eg, CA name) [Snake Oil CA]: enter demonalex.net (the CA's display name)

7. Email Address (eg, name@FQDN) [ca@snakeoil.dom]: enter demonalex@163.com (administrator e-mail)

8. Certificate Validity (days) [365]: enter 3650 (validity of the CA certificate; I used 10 years here)

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]

Certificate Version (1 or 3) [3]: press Enter

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]

4337667 semi-random bytes loaded

Generating RSA private key, 1024 bit long modulus

Wait while the system generates server.key (the server's private key).

STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]

Using configuration from .mkcert.cfg

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

1. Country Name (2 letter code) [XY]: enter CN

2. State or Province Name (full name) [Snake Desert]: enter GuangDong

3. Locality Name (eg, city) [Snake Town]: enter GuangZhou

4. Organization Name (eg, company) [Snake Oil, Ltd]: enter demonalex.net

5. Organizational Unit Name (eg, section) [Webserver Team]: enter demonalex.net

6. Common Name (eg, FQDN) [www.snakeoil.dom]: enter demonalex.3322.org (note: this must be the domain name the site is actually reached by, because clients compare it with the host in the URL. Current browsers check the subjectAltName extension rather than the Common Name, so a certificate meant for them also needs the hostname there.)

7. Email Address (eg, name@fqdn) [www@snakeoil.dom]: enter demonalex@163.com

8. Certificate Validity (days) [365]: enter 365 (note: do not make this too long; the server key is the one exposed to the network, and a short lifetime limits the damage if it leaks)

STEP 6: Generating X.509 certificate signed by own CA [server.crt]

Certificate Version (1 or 3) [3]: press Enter

STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]

The contents of the ca.key file (the generated private key) has to be

kept secret. So we strongly recommend you to encrypt the server.key file

with a Triple-DES cipher and a Pass Phrase.

Encrypt the private key now? [Y/n]: enter Y (protect ca.key with a pass phrase)

read RSA key

writing RSA key

Enter PEM pass phrase: enter a pass phrase, e.g. "demonalex" (an illustration only; a real CA key needs a long, unguessable pass phrase, and never a string that also appears in the certificate)

Verifying password - Enter PEM pass phrase: enter the same pass phrase again

Fine, you're using an encrypted private key.

STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]

The contents of the server.key file (the generated private key) has to be

kept secret. So we strongly recommend you to encrypt the server.key file

with a Triple-DES cipher and a Pass Phrase.

Encrypt the private key now? [Y/n]: enter Y (protect server.key with a pass phrase)

read RSA key

writing RSA key

Enter PEM pass phrase: enter a pass phrase

Verifying password - Enter PEM pass phrase: enter the same pass phrase again

Fine, you're using an encrypted RSA private key.

The final output is:

RESULT: CA and Server Certification Files

o conf/ssl.key/ca.key

The PEM-encoded RSA private key file of the CA which you can

use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o conf/ssl.crt/ca.crt

The PEM-encoded X.509 certificate file of the CA which you use to

sign other servers or clients. When you sign clients with it (for

SSL client authentication) you can configure this file with the

'SSLCACertificateFile' directive.

o conf/ssl.key/server.key

The PEM-encoded RSA private key file of the server which you configure

with the 'SSLCertificateKeyFile' directive (automatically done

when you install via APACI). KEEP THIS FILE PRIVATE!

o conf/ssl.crt/server.crt

The PEM-encoded X.509 certificate file of the server which you configure

with the 'SSLCertificateFile' directive (automatically done

when you install via APACI).

o conf/ssl.csr/server.csr

The PEM-encoded X.509 certificate signing request of the server file which

you can send to an official Certificate Authority (CA) in order

to request a real server certificate (signed by this CA instead

of our own CA) which later can replace the conf/ssl.crt/server.crt

file.

Congratulations that you establish your server with real certificates.
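The STEP 1 to STEP 8 sequence above is mod_ssl's make certificate target driving openssl. As an added example that is not part of the original article or of mod_ssl, the following script builds the same CA and server certificate pair with plain openssl, so each file can be inspected, and then runs the checks worth doing before pointing SSLCertificateFile and SSLCertificateKeyFile at them. The DN fields and hostname are the article's; the output directory, the pass phrase, the 2048-bit key size (instead of the 1024 bits the tool generated) and the subjectAltName, basicConstraints and keyUsage extensions are assumptions of this example, added because current verifiers expect them.

```shell
#!/bin/sh
# Added example, not part of the original article or of mod_ssl: the CA and
# server certificates that `make certificate TYPE=custom` produces, built
# with plain openssl. DN values and hostname are the article's; the output
# directory and the pass phrase are assumptions supplied by the caller.
set -eu

DN_BASE="/C=CN/ST=GuangDong/L=GuangZhou/O=demonalex.net/OU=demonalex.net"
SERVER_HOST="demonalex.3322.org"

# Build ca.key, ca.crt, server.key (encrypted) and server.crt under $1,
# encrypting the server key with pass phrase $2.
make_demo_pki() {
    dir="$1"; pw="$2"
    mkdir -p "$dir"

    # Extension profile for the CA certificate (constructed here): marks it
    # as a CA that may sign certificates, which modern verifiers require.
    cat > "$dir/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Extension profile for the server certificate: the hostname goes into
    # subjectAltName because browsers no longer look at the Common Name.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_HOST
authorityKeyIdentifier = keyid,issuer
EOF

    # STEP 1-3: CA key (2048-bit rather than the 1024-bit default of 2007)
    # and a self-signed CA certificate valid for 10 years.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "$DN_BASE/CN=demonalex.net" \
        -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # STEP 4-6: server key, CSR with the real FQDN as CN, and a one-year
    # certificate signed by the CA.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "$DN_BASE/CN=$SERVER_HOST" \
        -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null

    # STEP 8: encrypt the server key in place under the pass phrase (AES-256
    # instead of the Triple-DES the tool used). ca.key is left in the clear
    # for the caller; on a real deployment it belongs offline, not on the
    # web server.
    openssl rsa -in "$dir/server.key" -aes256 -passout "pass:$pw" \
        -out "$dir/server.key.enc" 2>/dev/null
    mv "$dir/server.key.enc" "$dir/server.key"
    chmod 600 "$dir/server.key" "$dir/ca.key"
}

# Chain check: server.crt verifies against ca.crt, is not expired, and
# carries the expected hostname in subjectAltName. Returns 0 on success.
verify_chain() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q -- "DNS:$host" || return 1
}

# Key check: the encrypted server.key opens only with the right pass phrase
# and its modulus matches server.crt (a key/certificate mismatch is the
# classic reason httpd refuses to start after a certificate swap).
key_opens_and_matches() {
    dir="$1"; pw="$2"
    kmod=$(openssl rsa -in "$dir/server.key" -passin "pass:$pw" -noout -modulus 2>/dev/null) || return 1
    cmod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
    [ "$kmod" = "$cmod" ]
}

main() {
    out="$1"
    make_demo_pki "$out" "correct-horse-battery"   # constructed pass phrase
    verify_chain "$out" "$SERVER_HOST" && echo "chain OK"
    key_opens_and_matches "$out" "correct-horse-battery" && echo "server.key matches server.crt"
}

# Run with an output directory argument; without one only the functions
# are defined, so the file can be sourced.
if [ "$#" -gt 0 ]; then main "$1"; fi
```

Run as `sh demo_pki.sh /tmp/pki` (the file name is an assumption). The two check functions are the ones to run against any deployed pair before restarting httpd; `openssl verify` with the CA file mirrors what a client that has imported ca.crt will do, and the modulus comparison catches a server.key that does not belong to server.crt.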

#make install

Installation is complete; next, start the server:

#/usr/local/apache/bin/apachectl startssl

Apache/1.3.37 mod_ssl/2.8.28 (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide us with the pass phrases.

Server server5.demonalex:443 (RSA)

Enter pass phrase: enter the pass phrase set in STEP 8 of make certificate (the server key's pass phrase, not the CA's)

If it is accepted, the output is:

Ok: Pass Phrase Dialog successful.

/usr/local/apache/bin/apachectl startssl: httpd started

The whole installation is complete.

Two things to keep in mind afterwards. Because server.key is encrypted, every start of httpd, including an unattended reboot, blocks at this prompt until someone types the pass phrase; mod_ssl's SSLPassPhraseDialog directive can obtain it from an external program instead, which removes the prompt but means that program and its secret now need the same protection as the key. And the RESULT listing above shows that ca.key was installed under conf/ssl.key on the web server: the CA key is needed only when signing new certificates, so move it off the server and keep it offline.