
Apache+SSL

Date: 2006-05-30  Source: nothing9

Configuration

Section A -- Create Certificate

It is now time to create your own certificate using the openssl utility.  Now, you need to understand that one server can hold multiple certificates, but only one per listening IP address.  So, if your server is listening on one IP address, you can only have one certificate for the server.  All of your virtual domains can share the same certificate, but clients will get warning prompts when they connect to a secure site where the certificate does not match the domain name.  If your server is listening on multiple IP addresses, your virtual hosts have to be IP-based -- not name-based.  This is something to consider when creating your certificate.

Change to any directory you would like to save your certificate in.  I chose root's home directory.  We will then copy the necessary files to the correct directory later.  This way we have a backup in case something happens.

# cd ~
# openssl genrsa -des3 -out server.key 1024

You will be prompted to enter a password for this key.  Remember it because we will need it later.  Now we need to make a Certificate Signing Request (CSR) from the key we just generated.

# openssl req -new -key server.key -out server.csr

When prompted, enter the password you used for the key.  This is where you get to enter all the fun information about the certificate, like your name and Fully Qualified Domain Name (FQDN).  Make sure you enter your FQDN for the "Common Name" portion.  For example, if the certificate is for https://webmail.domain.tld/, then your Common Name should be webmail.domain.tld.

Alright, your certificate is ready to be signed.  The following steps are to self-sign the certificate, but you could pay money and have it signed by Verisign or Thawte.

# openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt

Ok, your certificate is signed and valid for 365 days, which you could have changed if you wanted.  We now need to copy the files to the appropriate directory for Apache to use them.

# cp ~/server.key /usr/local/etc/apache/ssl.key/
# cp ~/server.crt /usr/local/etc/apache/ssl.crt/

If you want to read more about SSL Certificates, you can read the FAQs at http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#aboutcerts.

** Apache2 users: The correct permissions must be set.

# chmod 0400 /usr/local/etc/apache2/ssl.key/server.key
# chmod 0400 /usr/local/etc/apache2/ssl.crt/server.crt

Section B -- Configure VirtualHosts

VirtualHosts are neat because they allow you to host many domains on the same server and the same IP address.  For this example, we will make three VirtualHost entries -- one for http and two for https (SSL).

This section will be modifying /usr/local/etc/apache/httpd.conf so you can pull that up in your favorite editor now.  The normal VirtualHosts can be placed at the beginning of the file for easy access and should be set up like this:

ServerName domain.tld

NameVirtualHost 192.168.0.2:80

<VirtualHost 192.168.0.2:80>
     ServerName domain.tld
     ServerAlias www.domain.tld
     ServerAdmin [email protected]
     DocumentRoot /path/to/website/files
</VirtualHost>

Now at the bottom of httpd.conf, you should see a whole bunch of lines relating to SSL.  Insert the following line just before the default VirtualHost for SSL like this:

NameVirtualHost 192.168.0.2:443

<VirtualHost _default_:443>

NameVirtualHost tells Apache that there are several virtual hosts under the same IP.  So, at the bottom of httpd.conf you will want to put your VirtualHosts just before .

<VirtualHost 192.168.0.2:443>
     ServerName domain.tld
     ServerAlias www.domain.tld
     ServerAdmin [email protected]
     DocumentRoot /path/to/website/files
     SSLEngine on
     SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
     SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
</VirtualHost>

Now, if you had a server listening on another IP address, you could set up another certificate for that IP address to use.  Then, your second VirtualHost could look like this:

<VirtualHost 192.168.0.3:443>
     ServerName domain2.tld
     ServerAlias www.domain2.tld
     ServerAdmin [email protected]
     DocumentRoot /path/to/website/files
     SSLEngine on
     SSLCertificateFile /usr/local/etc/apache/ssl.crt/server2.crt
     SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server2.key
</VirtualHost>

Notice that SSLCertificateFile and SSLCertificateKeyFile are only paths to the certificate and key.  Just remember that you would have to use IP-based VirtualHosts, like we did, and not name-based.

** Apache2 users: All of your SSL configuration is in a separate file at /usr/local/etc/apache2/ssl.conf so edit that for your SSL-aware VirtualHosts.
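
The rule this guide relies on (one certificate per listening IP address, so SSL VirtualHosts must be IP-based) can be checked against a configuration before Apache is restarted. The Python below is an added example, not part of the original article; the function names and the third `domain3.tld` VirtualHost in the sample are hypothetical, constructed to show a violation.

```python
import re
from collections import defaultdict

# Constructed sample: the page's two SSL vhosts plus a hypothetical domain3.tld reusing an IP.
SAMPLE_CONF = """\
<VirtualHost 192.168.0.2:443>
ServerName domain.tld
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
</VirtualHost>
<VirtualHost 192.168.0.3:443>
ServerName domain2.tld
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/ssl.crt/server2.crt
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server2.key
</VirtualHost>
<VirtualHost 192.168.0.2:443>
ServerName domain3.tld
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/ssl.crt/server3.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)
# The page keeps certificate and key in separate files, so both directives are expected.
REQUIRED = ("sslcertificatefile", "sslcertificatekeyfile")

def parse_ssl_vhosts(conf):
    """Return one dict of lower-cased directives per VirtualHost with 'SSLEngine on'."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        d = {"addr": addr}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2 and not parts[0].startswith("#"):
                d[parts[0].lower()] = parts[1].strip()
        if d.get("sslengine", "").lower() == "on":
            vhosts.append(d)
    return vhosts

def check_ssl_vhosts(conf):
    """Return findings; an empty list means every SSL vhost has its own IP:port, cert and key."""
    findings, by_addr = [], defaultdict(list)
    for vh in parse_ssl_vhosts(conf):
        name = vh.get("servername", "?")
        by_addr[vh["addr"]].append(name)
        findings += [f"{vh['addr']} {name}: missing {k}" for k in REQUIRED if k not in vh]
    findings += [f"{a}: shared by {', '.join(n)}" for a, n in by_addr.items() if len(n) > 1]
    return findings
```

Calling `check_ssl_vhosts()` on the text of httpd.conf (or ssl.conf for Apache2) returns one line per problem; for the sample it reports the missing key directive and the address shared by `domain.tld` and `domain3.tld`.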