
Wednesday, February 25, 2009

[Linux] CentOS - How to set up an Apache server with SSL

From: Polin Wei

Environment:
Cent OS 5.x
Apache 2.x
Domain: mydomain.com
Host: myssl.mydomain.com

Step 01:
# cd /etc/pki/tls/certs

Step 02: Create the key and certificate. You will be asked for the country, state, city and host name.

[root@myssl certs]# make mycert.crt
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > mycert.key
Generating RSA private key, 1024 bit long modulus
......................................................................++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase: **** <== enter the key passphrase here
Verifying - Enter pass phrase: **** <== enter the key passphrase again
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key mycert.key -x509 -days 365 -out mycert.crt -set_serial 0
Enter pass phrase for mycert.key: **** <== enter the key passphrase once more
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:tw
State or Province Name (full name) [Berkshire]:Taichung
Locality Name (eg, city) [Newbury]:Taichung
Organization Name (eg, company) [My Company Ltd]:MyCorp.
Organizational Unit Name (eg, section) []:WEI
Common Name (eg, your name or your server's hostname) []:myssl.mydomain.com
Email Address []:root@mydomain.com


At this point two files have been created in /etc/pki/tls/certs: mycert.crt and mycert.key.

Step 03:
Move mycert.key to /etc/pki/tls/private
mv mycert.key /etc/pki/tls/private

Step 04: Edit the following parameters in /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/mycert.crt
SSLCertificateKeyFile /etc/pki/tls/private/mycert.key


Step 05: Restart the httpd service
[root@myssl certs]# service httpd start
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server svn.globeunion.com:443 (RSA)
Enter pass phrase: *** <== enter the key passphrase here

OK: Pass Phrase Dialog successful.
[ OK ]



Step 06: Check that SSL is listening
netstat -an|grep 443

Every time httpd starts it will ask for the key passphrase. If you do not want httpd to ask every time, do the following:

[root@myssl tls]# openssl rsa -in mycert.key -out mycert.pem
Enter pass phrase for private/svncert.key: <== enter your key passphrase
writing RSA key <== done


This produces a file named mycert.pem.
[root@myssl tls]# cp mycert.pem /etc/pki/tls/private/


Step 07: Edit the following parameters in /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/mycert.crt
SSLCertificateKeyFile /etc/pki/tls/private/mycert.pem


Now httpd will no longer ask for the key passphrase each time it is restarted
[root@myssl tls]# service httpd restart
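The same workflow as Steps 02 through 07 (passphrase-protected key, self-signed certificate, then a passphrase-free copy of the key), written as an added, non-interactive example that is not part of the original post. It adds the checks worth running before pointing ssl.conf at the files: that the stripped key really has no passphrase, that it is readable only by its owner, and that its modulus matches the certificate. It assumes the openssl CLI is installed; the function names, the 2048-bit key size (the post uses 1024, which is no longer acceptable) and the DN values are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI.
set -eu

# Step 02 equivalent: passphrase-protected RSA key plus a self-signed cert.
# $1=key file  $2=cert file  $3=Common Name (the vhost name)  $4=passphrase
make_protected_key_and_cert() {
    umask 077    # same as the Makefile: files are created owner-only (0600)
    openssl genrsa -des3 -passout "pass:$4" -out "$1" 2048 2>/dev/null
    openssl req -utf8 -new -key "$1" -passin "pass:$4" -x509 -days 365 \
        -subj "/C=TW/ST=Taichung/L=Taichung/O=MyCorp./OU=WEI/CN=$3" \
        -out "$2" 2>/dev/null
}

# Post-Step-06 equivalent: write an unencrypted copy so httpd starts unattended.
# Because nothing protects this file but its permissions, it is created 0600.
# $1=encrypted key  $2=plain key to write  $3=passphrase
strip_passphrase() {
    umask 077
    openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null
}

# Returns 0 when the key carries no passphrase (no ENCRYPTED marker in the PEM).
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Returns 0 when group and other have no permission bits at all on the key.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Returns 0 when the key and certificate share the same RSA modulus,
# i.e. SSLCertificateFile and SSLCertificateKeyFile actually belong together.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Prints the certificate's CN so it can be compared with the server name.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}
```

Run the checks against the files in /etc/pki/tls/private and /etc/pki/tls/certs after Step 07; a failing key_is_private is the one to fix first once the passphrase is gone.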


Another way to generate the SSL certificate is as follows:

1. go to /etc/pki/tls/certs
2. make mycert.pem
3. Enter the country, state, city, host name and so on; your certificate and key are then created together in the single file mycert.pem.
4. Now edit /etc/httpd/conf.d/ssl.conf and point both directives at that file (mod_ssl reads the certificate and the key from the same PEM):
SSLCertificateFile /etc/pki/tls/certs/mycert.pem
SSLCertificateKeyFile /etc/pki/tls/certs/mycert.pem
5. save changes.
6. At the shell prompt, run: service httpd start
