How To Create a SSL Certificate on Apache for Debian 8 https
2016-03-04 13:08
June 19, 2015 Security, Apache Debian
Introduction
This tutorial walks you through the setup and configuration of an Apache server secured with an SSL certificate. By the end of the
tutorial, you will have a server accessible via HTTPS.
SSL is based on the mathematical intractability of resolving a large
integer into its also-large prime factors. Using this, we can encrypt
information using a private-public key pair. Certificate authorities can
issue SSL certificates that verify the authenticity of such a secured
connection, and on the same note, a self-signed certificate can be
produced without third-party support.
In this tutorial, we will generate a self-signed certificate, make
the necessary configurations, and test the results. Self-signed
certificates are great for testing, but will result in browser errors
for your users, so they're not recommended for production.
If you'd like to obtain a paid certificate instead, please see this tutorial.
Prerequisites
To follow this tutorial, you will need:
One fresh Debian 8 Droplet
A sudo non-root user, which you can set up by following Steps 2 and 3 of this tutorial
OpenSSL installed and updated (should be installed by default)
sudo apt-get update
sudo apt-get upgrade openssl
You may want a second computer with OpenSSL installed, for testing purposes:
Another Linux Droplet
Or, a Unix-based local system (Mac, Ubuntu, Debian, etc.)
Step 1 — Install Apache
In this step, we will use a built-in package installer called apt-get. It simplifies package management drastically and facilitates a clean installation.
In the link specified in the prerequisites, you should have updated apt-get and installed the sudo package, as unlike other Linux distributions, Debian 8 does not come with sudo installed.
Apache will be our HTTPS server. To install it, run the following:
sudo apt-get install apache2
Step 2 — Enable the SSL Module
In this section, we will enable SSL on our server.
First, enable the Apache SSL module.
sudo a2enmod ssl
The default Apache website comes with a useful template for enabling SSL, so we will activate the default website now.
sudo a2ensite default-ssl
Restart Apache to put these changes into effect.
sudo service apache2 reload
Step 3 — Create a Self-Signed SSL Certificate
First, let's create a new directory where we can store the private key and certificate.
sudo mkdir /etc/apache2/ssl
Next, we will request a new certificate and sign it.
First, generate a new certificate and a private key to protect it.
The days flag specifies how long the certificate should remain valid. With this example, the certificate will last for one year
The keyout flag specifies the path to our generated key
The out flag specifies the path to our generated certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
Invoking this command will result in a series of prompts.
Common Name: Specify your server's IP address or
hostname. This field matters, since your certificate needs to match the
domain (or IP address) for your website
Fill out all other fields at your own discretion.
Example answers are shown in red below.
Interactive
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:DigitalOcean
Organizational Unit Name (eg, section) []:SSL Certificate Test
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:test@example.com
Set the file permissions to protect your private key and certificate.
sudo chmod 600 /etc/apache2/ssl/*
For more information on the three-digit permissions code, see the tutorial on Linux permissions.
Your certificate and the private key that protects it are now ready for Apache to use.
Step 4 — Configure Apache to Use SSL
The Debian SSL configuration file is here:
root@uat:~# vim /etc/apache2/sites-available/default-ssl.conf
In this section, we will configure the default Apache virtual host to
use the SSL key and certificate. After making this change, our server
will begin serving HTTPS instead of HTTP requests for the default site.
Open the server configuration file using nano or your favorite text editor.
sudo nano /etc/apache2/sites-enabled/default-ssl.conf
Locate the section that begins with <VirtualHost _default_:443> and make the following changes.
Add a line with your server name directly below the ServerAdmin email line. This can be your domain name or IP address:
/etc/apache2/sites-enabled/default
ServerAdmin webmaster@localhost
ServerName example.com:443
Find the following two lines, and update the paths to match the
locations of the certificate and key we generated earlier. If you
purchased a certificate or generated your certificate elsewhere, make
sure the paths here match the actual locations of your certificate and
key:
/etc/apache2/sites-enabled/default
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Once these changes have been made, check that your virtual host configuration file matches the following.
/etc/apache2/sites-enabled/default-ssl
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName example.com:443
        DocumentRoot /var/www/html
        . . .
        SSLEngine on
        . . .
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key
Save and exit the file.
Restart Apache to apply the changes.
sudo service apache2 reload
To learn more about configuring Apache virtual hosts in general, see this article.
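A check worth running once the virtual host file is edited, given here as an added example that is not part of the original tutorial: the script reads the SSLCertificateFile and SSLCertificateKeyFile paths from the configuration, then confirms that the key is closed to group and others, that the certificate and key belong together, and that the certificate has not expired. The function names are illustrative, and the script assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: audit the certificate settings of an Apache SSL vhost file.
# Function names are illustrative; they are not Apache or OpenSSL commands.

# Print the first value of a directive, skipping commented-out lines.
# Apache directive names are case-insensitive.
directive() {  # usage: directive NAME FILE
    awk -v d="$1" 'tolower($1) == tolower(d) { print $2; exit }' "$2"
}

# Succeed only if group and others have no access to the file,
# which is the state "chmod 600" from Step 3 leaves the key in.
key_perms_ok() {
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if the certificate and the private key hold the same public key.
pair_matches() {  # usage: pair_matches CERT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

audit_vhost() {  # usage: audit_vhost /etc/apache2/sites-enabled/default-ssl.conf
    conf=$1
    rc=0
    crt=$(directive SSLCertificateFile "$conf")
    key=$(directive SSLCertificateKeyFile "$conf")
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "FAIL: certificate or key named in $conf is missing or unreadable"
        return 1
    fi
    key_perms_ok "$key" || { echo "FAIL: $key is accessible to group or others"; rc=1; }
    pair_matches "$crt" "$key" || { echo "FAIL: $crt and $key do not match"; rc=1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $crt has expired"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "OK: $conf"; fi
    return "$rc"
}

# Run the audit when a config path is given on the command line.
if [ $# -gt 0 ]; then audit_vhost "$1"; fi
```

Run it with sudo and pass /etc/apache2/sites-enabled/default-ssl.conf as the argument, since the key is readable only by root after Step 3.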
Step 5 — Test Apache with SSL
In this section, we will test your SSL connection from the command line.
You can run this test from either (1) your local Unix-based system,
(2) another Droplet, or (3) the same Droplet. If you run it from an
external system you'll confirm that your site is reachable over the
public Internet.
Open a connection via the HTTPS 443 port.
openssl s_client -connect your_server_ip:443
Scroll to the middle of the output (after the key), and you should find the following:
Output
---
SSL handshake has read 3999 bytes and written 444 bytes
---
. . .
SSL-Session:
. . .
Of course, the numbers are variable, but this is success. Congratulations!
Press CTRL+C to exit.
You can also visit your site in a web browser, using HTTPS in the URL (https://example.com).
Your browser will warn you that the certificate is self-signed. You
should be able to view the certificate and confirm that the details
match what you entered in Step 3.
Conclusion
This concludes our tutorial, leaving you with a working Apache server, configured securely with an SSL certificate. For more
information on working with OpenSSL, see the OpenSSL Essentials article.