Linux下配置SSL (转)

没有安装apache的情况：

首先安装SSL，再编译安装Apache，再配置证书即可

1.下载apache和openssl

网址：http://www.apache.org

http://www.openssl.org

2.解压

(先进入到安装包的位置，和你解压的文件名字是不是和这个一样)

#tar zxvf httpd-2.0.54.tar.gz

#tar zxvf openssl-0.9.7g.tar.gz

3.编译安装openssl,这个软件主要是用来生成证书：

#cd openssl-0.9.7g

#./config

#make

#make test

#make install

把openssl放进内核目录下，使其在任何目录下都能运行。

#cd /usr/local/bin

#ln -s /usr/local/ssl/bin/openssl openssl

4.编译安装httpd

#cd /opt/httpd-2.0.54

#./configure --prefix="/opt/apache2" --enable-so --enable-ssl --with-ssl="/usr/local/ssl/bin"

#make

#make install

5.安装完毕，生成证书：

在/opt/apache2/conf下建立一个ssl.key目录

#cd ../apache2/

#cd conf/

#mkdir ssl.key

然后在该目录下生成证书：

#cd ssl.key/

生成服务器私钥：

#openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus

.......................++++++

.................................................++++++

e is 65537 (0x10001)

Enter pass phrase for server.key:

Verifying - Enter pass phrase for server.key:

生成服务器证书请求，并按要求填些相关证书信息：

#openssl req -new -key server.key -out server.csr

如果要生成中文证书用

#openssl req -utf8 -new -key server.key -out server.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:tyl

Organization Name (eg, company) [Internet Widgits Pty Ltd]:tz

Organizational Unit Name (eg, section) []:tz

Common Name (eg, YOUR name) []:tyl（这个名字要和计算机的名字一样）

Email Address []:tangyl@ruyi.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

签证：

# openssl x509 -req -days 700 -in server.csr -signkey server.key -out server.cert

Signature ok

subject=/C=AU/ST=Some-State/L=tyl/O=tz/OU=tz/CN=tyl/emailAddress=tangyl@ruyi.com

Getting Private key

Enter pass phrase for server.key:

为了安全，然后我们把这些文件的权限都设为400

chmod 400 server.key

chmod 400 server.cert

最后对/opt/apache2/conf/ssl.conf 进行修改：

vi /opt/apache2/conf/ssl.conf

修改的地方如下几处：

#SSLCertificateFile /opt/apache2/conf/ssl.crt/server.crt #108行

SSLCertificateFile /opt/apache2/conf/ssl.key/server.cert

#SSLCertificateFile /opt/apache2/conf/ssl.crt/server-dsa.crt

SSLCertificateKeyFile /opt/apache2/conf/ssl.key/server.key   #116行

#SSLCertificateKeyFile /opt/apache2/conf/ssl.key/server-dsa.key

这样我们就基本配好了ssl现在我们来让apache启动ssl

/opt/apache2/bin/apachectl startssl

然后要求输入证书密码，正确输入后ssl就连同apache一起启动

已经安装apache的情况：

必须先在Linux下安装apache 服务

执行：                 yum install mod_ssl

就会出现：Loaded plugins: rhnplugin, security
This system is not registered with RHN.
RHN support will be disabled.
Setting up Install Process
Resolving Dependencies
–> Running transaction check
—> Package mod_ssl.i386 1:2.2.3-31.el5 set to be updated
–> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================================
Package Arch Version Repository Size
====================================================================================================================================
Installing:
mod_ssl i386 1:2.2.3-31.el5 file 88 k

Transaction Summary
====================================================================================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)

Total download size: 88 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : mod_ssl 1/1

Installed:
mod_ssl.i386 1:2.2.3-31.el5

Complete!

然后手动创建证书：

cd /etc/pki/tls/certs/

make auth.key (创建一个名为auth的SSL私钥）
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > auth.key
Generating RSA private key, 1024 bit long modulus
……………………………….++++++
……………………….++++++
e is 65537 (0×10001)
Enter pass phrase:
Verifying – Enter pass phrase:

[root@localhost certs]# make auth.crt (创建一个名为auth的证书）
umask 77 ; \
/usr/bin/openssl req -new -key auth.key -x509 -days 365 -out auth.crt -set_serial 0
Enter pass phrase for auth.key: (输入刚才的私钥密码）
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:CN (国家）
State or Province Name (full name) [Berkshire]:liaoning （地区）
Locality Name (eg, city) [Newbury]:dalian (城市）
Organization Name (eg, company) [My Company Ltd]:IBM （组织机构名）
Organizational Unit Name (eg, section) []:IBM （全名）
Common Name (eg, your name or your server’s hostname) []:WWW.IBM.COM （公共名称）
Email Address []: （邮箱）

8.再次重新配置我们的httpd

在/usr/local/apache2/conf/httpd.conf里面做下面修改

1) LoadModule ssl_module /etc/httpd/modules/mod_ssl.so（加上这句）

Include conf/extra/httpd-ssl.conf 去掉两行前面的#

2)注意修改httpd-ssl.conf 文件里的两个字段：

SSLCertificateFile /etc/pki/tls/certs/auth.crt
SSLCertificateKeyFile /etc/pki/tls/private/auth.key

这样我们就基本配好了ssl现在我们来让apache启动ssl

/usr/local/apache2/bin/apachectl start

然后要求输入证书密码，正确输入后ssl就连同apache一起启动

这次我输入的密码都是：123456，只要不混淆的情况下你可以随便设置。

自
己看法：我觉得进去的时候先检查httpd.conf然后就会启动一些配置，我们的设置就会生效。这个方案最红使用的是apache自带的mod_SSL
的模块，并没有使用openssl的加密过程，但是第一种方案使用的是openssl，具体过程可能比较复杂，不知道怎么实现的。上面的一些步骤可能有些
多余，但是我在原理方面不太清楚，所以就不知道那些该删，那些该留。