假设apache已经装好
1、使用yum install openssl,安装openssl
2、开启httpd.conf中LoadModule ssl_module modules/mod_ssl.so
3、制作证书
有一个工具可以使用:http://www.openssl.org/contrib/ssl.ca-0.1.tar.gz 。下面是如何通过这个工具来生成证书的过程:
#cp ssl.ca-0.1.tar.gz
/usr/local/apache/httpd/conf
#cd
/usr/local/apache/conf
#tar zxvf
ssl.ca-0.1.tar.gz
#cd
ssl.ca-0.1
#./new-root-ca.sh
(生成根证书)
No Root CA key round.
Generating one
Generating RSA private
key, 1024 bit long modulus
...........................++++++
....++++++
e is 65537
(0x10001)
Enter pass phrase for ca.key:
(输入一个密码)
Verifying - Enter pass phrase
for ca.key: (再输入一次密码)
......
Self-sign the root CA...
(签署根证书)
Enter pass phrase for ca.key:
(输入刚刚设置的密码)
........
........ (下面开始签署)
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:GanSu//随你喜欢
Locality Name (eg, city) [Sitiawan]:LanZhou//随你喜欢
Organization Name (eg, company) [My Directory Sdn Bhd]:lzu//随你喜欢
Organizational Unit Name (eg, section) [Certification
Services Division]:lzu//随你喜欢
Common
Name (eg, MD Root CA) []:dslab//随你喜欢
Email Address []:sunyanmeng@gmail.com//随你喜欢
这样就生成了ca.key和ca.crt两个文件,下面还要为我们的服务器生成一个证书:
# ./new-server-cert.sh server (这个证书的名字是server)
......
......
Country Name (2 letter code) [MY]:CN
State or Province Name (full name) [Perak]:GanSu
Locality Name (eg, city) [Sitiawan]: LanZhou
Organization Name (eg, company) [My Directory Sdn Bhd]:lzu
Organizational Unit Name (eg, section) [Secure Web
Server]:lzu
Common Name (eg,
www.domain.com) []:localhost
Email
Address []:sunyanmeng@gmail.com
这样就生成了server.csr和server.key这两个文件。
还需要签署一下才能使用的:
# ./sign-server-cert.sh
server
CA signing: server.csr ->
server.crt:
Using configuration from
ca.config
Enter pass phrase for
./ca.key: (输入上面设置的根证书密码)
Check that the
request matches the signature
Signature
ok
The Subject‘s Distinguished Name is
as follows
countryName
:PRINTABLE:‘CN‘
stateOrProvinceName
:PRINTABLE:‘GanSu‘
localityName
:PRINTABLE:‘LanZhou‘
organizationName
:PRINTABLE:‘lzu‘
organizationalUnitName:PRINTABLE:‘lzu‘
commonName :PRINTABLE:‘localhost‘
emailAddress :IA5STRING:‘sunyanmeng@gmail.com‘
Certificate is to be certified until Jan 19 21:59:46 2011 GMT (365
days)
Sign the certificate?
[y/n]:y
1 out of 1 certificate requests
certified, commit? [y/n]y
Write out
database with 1 new entries
Data Base
Updated
CA verifying: server.crt
<-> CA cert
server.crt: OK
下面要按照ssl.conf里面的设置,将证书放在适当的位置。
# chmod 400 server.key
# cd ..
# mkdir ssl.key
# mv ssl.ca-0.1/server.key ssl.key
# mkdir ssl.crt
# mv ssl.ca-0.1/server.crt ssl.crt
4、配置ssl.conf(/etc/httpd/conf/ssl.conf)
打开ssl.conf文件
<VirtualHost *:443>
DocumentRoot "/var/www/html/"#你的WEB目录,和vhost里配置一样。
ServerName
www.xxx.com:443
SSLCertificateFile /etc/httpd/conf.d/ssl.crt#你的文件在哪里就写哪里的路径
SSLCertificateKeyFile /etc/httpd/conf.d/ssl.key#你的文件在哪里就写哪里的路径
SSLCertificateChainFile /etc/httpd/conf.d/ca.crt#你的文件在哪里就写哪里的路径
</VirtualHost>
5、加载ssl的方式启动apache(这步很重要)
找到你的apachectl位置,
apachectl -D SSL -k start
原文:http://www.cnblogs.com/naci/p/3656378.html