Wednesday, February 25, 2009

[Linux] CentOS - How to set up an Apache server with SSL

From: Polin Wei

CentOS 5.x
Apache 2.x

Step 01:
# cd /etc/pki/tls/certs

Step 02: Generate the key and certificate; you will be prompted for the relevant country, state, city and host name

[root@myssl certs]# make mycert.crt
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > mycert.key
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Enter pass phrase: **** <== enter the key's pass phrase here
Verifying - Enter pass phrase: **** <== re-enter the key's pass phrase
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key mycert.key -x509 -days 365 -out mycert.crt -set_serial 0
Enter pass phrase for mycert.key: **** <== enter the key's pass phrase once more
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:tw
State or Province Name (full name) [Berkshire]:Taichung
Locality Name (eg, city) [Newbury]:Taichung
Organization Name (eg, company) [My Company Ltd]:MyCorp.
Organizational Unit Name (eg, section) []:WEI
Common Name (eg, your name or your server's hostname) []
Email Address []

At this point two files are created in /etc/pki/tls/certs: mycert.crt and mycert.key

Move mycert.key to /etc/pki/tls/private
mv mycert.key /etc/pki/tls/private

Step04: Edit the following parameters in /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/mycert.crt
SSLCertificateKeyFile /etc/pki/tls/private/mycert.key

Step05: Restart the httpd service
[root@myssl certs]# service httpd start
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server (RSA)
Enter pass phrase: *** <== enter the key's pass phrase here

OK: Pass Phrase Dialog successful.
[ OK ]

Step06: Check whether SSL is listening
netstat -an|grep 443

Every time httpd starts it will ask for your key's pass phrase. To stop httpd from asking each time, do the following:

[root@myssl tls]# openssl rsa -in mycert.key -out mycert.pem
Enter pass phrase for private/svncert.key: <== enter your key's pass phrase
writing RSA key <== done

This produces a file named mycert.pem (the same key, stored without a pass phrase).
[root@myssl tls]# cp mycert.pem /etc/pki/tls/private/

Step07: 修改 /etc/httpd/conf.d/ssl.conf 檔案中的參數

SSLCertificateFile /etc/pki/tls/certs/mycert.crt
SSLCertificateKeyFile /etc/pki/tls/private/mycert.pem

From now on, restarting httpd will no longer ask for the key's pass phrase.
[root@myssl tls]# service httpd restart
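The pass-phrase stripping above leaves an unencrypted private key on disk, so two things are worth checking before pointing ssl.conf at the new files: the file must be readable only by root, and the key must actually belong to the certificate. This is an added example, not code from the original post; it assumes the openssl CLI and GNU stat, and builds its sample key and certificate itself (pass phrase "demo") in a directory you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): strip the pass phrase the way
# Step06/07 does, but with the checks the post skips. Assumes openssl and GNU stat.

# strip_passphrase ENCRYPTED_KEY OUTPUT_KEY PASSPHRASE
# umask 077 keeps the unencrypted key private from the moment it is written;
# a plain `openssl rsa -out` inherits the shell's umask, which is usually 022.
strip_passphrase() {
    ( umask 077 && openssl rsa -in "$1" -passin "pass:$3" -out "$2" 2>/dev/null )
}

# key_mode_ok KEY: succeed only if the file is owner read/write only (0600).
key_mode_ok() {
    [ "$(stat -c %a "$1")" = "600" ]
}

# key_matches_cert KEY CERT: succeed only if both carry the same RSA modulus,
# i.e. SSLCertificateFile and SSLCertificateKeyFile really belong together.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_ssl_pair KEY CERT: the pre-restart check; says what failed and why.
check_ssl_pair() {
    key_mode_ok "$1" || { echo "refusing: $1 is not mode 0600"; return 1; }
    key_matches_cert "$1" "$2" || { echo "refusing: $1 does not match $2"; return 1; }
    echo "ok: $1 matches $2 and the key is private"
}

# demo_pair DIR: constructed sample material (pass phrase "demo") mirroring
# the post's make-generated key and self-signed cert, then the stripped copy.
demo_pair() {
    d=$1
    openssl genrsa -des3 -passout pass:demo -out "$d/mycert.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/mycert.key" -passin pass:demo -days 365 \
        -subj "/C=TW/ST=Taichung/L=Taichung/O=MyCorp/CN=myssl.example" \
        -out "$d/mycert.crt" 2>/dev/null
    strip_passphrase "$d/mycert.key" "$d/mycert.pem" demo
}

# Usage: sh check.sh /etc/pki/tls/private/mycert.pem /etc/pki/tls/certs/mycert.crt
[ $# -eq 2 ] && check_ssl_pair "$1" "$2"
```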

Another way to generate the SSL certificate is as follows:

1. go to /etc/pki/tls/certs
2. make mycert.pem
3. Enter the information about country, state, city, host name etc.; your certificate and key are then created in the single file mycert.pem.
4. now edit /etc/httpd/conf.d/ssl.conf and change:
SSLCertificateFile /etc/pki/tls/certs/mycert.pem
SSLCertificateKeyFile /etc/pki/tls/certs/mycert.pem
5. save changes.
6. at the shell prompt, run: service httpd start