Apache配置https全过程

by amxku on 2007-09-20, 14:02. 技术相关 | TECH
writer: demonalex[at]163[dot]com
实验环境：
FreeBSD server5.demonalex 4.7-RELEASE FreeBSD 4.7-RELEASE #0: Wed Oct 9 15:08:34 GMT 2002 root@builder.freebsdmall.com:/usr/obj/usr/src/sys/GENERIC i386
系统默认自带了cc/gcc、tar、fetch、openssl。

安装过程：
#cd /usr/local/sbin
#fetch http://mirror.olnevhost.net/pub/apache/httpd/ href="http://amxku.net/tag/apache/" target=_blank>apache_1.3.37.tar.gz
#fetch http://www.modssl.org/source/mod_ssl-2.8.28-1.3.37.tar.gz #tar -zxvf apache_1.3.37.tar.gz
#tar -zxvf mod_ssl-2.8.28-1.3.37.tar.gz
关于为什么一定要用apache1.3这个问题我是很无奈的...
#cd mod_ssl-2.8.28-1.3.37
#./configure --with-apache=../apache_1.3.37
#cd ../apache_1.3.37
#./configure --enable-module=ssl
#make
接下来是make certificate，提示是：
+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL |
| certificate system by running the 'make certificate' command. |
| For different situations the following variants are provided: |
| |
| % make certificate TYPE=dummy (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom (custom cert signed by own CA) |
| % make certificate TYPE=existing (existing cert) |
| CRT=/path/to/your.crt [KEY=/path/to/your.key] |
| |
| Use TYPE=dummy when you're a vendor package maintainer, |
| the TYPE=test when you're an admin but want to do tests only, |
| the TYPE=custom when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server. |
| (The default is TYPE=test) |
| |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select |
| the signature algorithm used for the generated certificate. |
| |
| Use 'make certificate VIEW=1' to display the generated data. |
| |
| Thanks for using Apache & mod_ssl. Ralf S. Engelschall |
| rse@engelschall.com |
| www.engelschall.com |
+---------------------------------------------------------------------+
#make certificate TYPE=custom
STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:按回车
STEP 0是选择加密算法，选择默认的R/RSA就可以了。

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
4337667 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
等待系统随机生成ca.key（CA-“证书颁发机构”的私钥）

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:输入CN（国家名称缩写）
2. State or Province Name (full name) [Snake Desert]:输入GuangDong（所在省份）
3. Locality Name (eg, city) [Snake Town]:输入GuangZhou（所在地市）
4. Organization Name (eg, company) [Snake Oil, Ltd]:输入demonalex.net（组织名）
5. Organizational Unit Name (eg, section) [Certificate Authority]:输入demonalex.net（组织单元名）
6. Common Name (eg, CA name) [Snake Oil CA]:输入demonalex.net（日常使用名称）
7. Email Address (eg, name@FQDN) [ca@snakeoil.dom]:输入demonalex@163.com（管理员邮件）
8. Certificate Validity (days) [365]:输入3650（CA的有效期，我这里输入了10年）

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]:按回车

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
4337667 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
等待系统随机生成server.key（服务器的私钥）

STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:输入CN
2. State or Province Name (full name) [Snake Desert]:输入GuangDong
3. Locality Name (eg, city) [Snake Town]:输入GuangZhou
4. Organization Name (eg, company) [Snake Oil, Ltd]:输入demonalex.net
5. Organizational Unit Name (eg, section) [Webserver Team]:输入demonalex.net
6. Common Name (eg, FQDN) [www.snakeoil.dom]:输入demonalex.3322.org（注意：这个值一定要是你的网站实际使用的域名）
7. Email Address (eg, name@fqdn) [www@snakeoil.dom]:输入demonalex@163.com
8. Certificate Validity (days) [365]:输入365（注意：这个值不宜输入太大）

STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:按回车

STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: 输入Y（使用一个字符串为ca.key加密）
read RSA key
writing RSA key
Enter PEM pass phrase:输入一个加密字符串，如“demonalex”
Verifying password - Enter PEM pass phrase:重新输入上一步的加密字符串
Fine, you're using an encrypted private key.

STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: 输入Y（使用一个字符串为ca.key加密）
read RSA key
writing RSA key
Enter PEM pass phrase:输入一个加密字符串
Verifying password - Enter PEM pass phrase:重新输入上一步的加密字符串
Fine, you're using an encrypted RSA private key.

最后得到的提示如下：
RESULT: CA and Server Certification Files

o conf/ssl.key/ca.key
The PEM-encoded RSA private key file of the CA which you can
use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o conf/ssl.crt/ca.crt
The PEM-encoded X.509 certificate file of the CA which you use to
sign other servers or clients. When you sign clients with it (for
SSL client authentication) you can configure this file with the
'SSLCACertificateFile' directive.

o conf/ssl.key/server.key
The PEM-encoded RSA private key file of the server which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!

o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file of the server which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).

o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request of the server file which
you can send to an official Certificate Authority (CA) in order
to request a real server certificate (signed by this CA instead
of our own CA) which later can replace the conf/ssl.crt/server.crt
file.

Congratulations that you establish your server with real certificates.

#make install
安装完成，接下来是启动：
#/usr/local/apache/bin/apachectl startssl
Apache/1.3.37 mod_ssl/2.8.28 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server server5.demonalex:443 (RSA)
Enter pass phrase:输入make certificate中STEP 8中设定的加密字符串
若输入成功的话将提示：
Ok: Pass Phrase Dialog successful.
/usr/local/apache/bin/apachectl startssl: httpd started
整个安装过程完成。