台中人2000 posted on 2013-4-8 21:12:57

CentOS - How to set up an Apache server with SSL

Over the last few days my server has been sending out the following notice
The certificate for XXX will expire in XXX days

################# SSL Certificate Warning ################

Certificate for hostname 'xxx.xxx.xxx', in file (or by nickname):
   /etc/pki/tls/certs/localhost.crt

The certificate needs to be renewed; this can be done
using the 'genkey' program.

Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.

##########################################################
                                  Generated by certwatch(1)

I searched online, and the method below takes care of it, so I'm reposting it here

From: Polin Wei

Environment:
CentOS 5.x
Apache 2.x
Domain: mydomain.com
Host: myssl.mydomain.com

Step 01:
# cd /etc/pki/tls/certs

Step 02: Generate the key; you will be asked for the country, state, city and host name
# make mycert.crt
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > mycert.key
Generating RSA private key, 1024 bit long modulus
......................................................................++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase: **** <== enter a passphrase for the key here
Verifying - Enter pass phrase: **** <== re-enter the key passphrase
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key mycert.key -x509 -days 365 -out mycert.crt -set_serial 0
Enter pass phrase for mycert.key: **** <== enter the key passphrase once more
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :tw
State or Province Name (full name) :Taichung
Locality Name (eg, city) :Taichung
Organization Name (eg, company) :MyCorp.
Organizational Unit Name (eg, section) []:WEI
Common Name (eg, your name or your server's hostname) []:myssl.mydomain.com
Email Address []:[email protected]
At this point two files are created in /etc/pki/tls/certs: mycert.crt & mycert.key

Step 03: Move mycert.key to /etc/pki/tls/private
# mv mycert.key /etc/pki/tls/private

Step 04: Edit the following parameters in /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/mycert.crt
SSLCertificateKeyFile /etc/pki/tls/private/mycert.key

Step 05: Restart the httpd service
# service httpd start
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server svn.globeunion.com:443 (RSA)
Enter pass phrase: *** <== enter the key passphrase here

OK: Pass Phrase Dialog successful.
[ OK ]

Step 06: Check whether SSL is running
# netstat -an | grep 443

Every time httpd starts it will ask for your key passphrase. If you don't want httpd to ask each time, you can do this:
# openssl rsa -in mycert.key -out mycert.pem
Enter pass phrase for private/svncert.key: <== enter your key passphrase
writing RSA key <== done

This produces a file named mycert.pem.
# cp mycert.pem /etc/pki/tls/private/

Step 07: Edit the following parameters in /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/mycert.crt
SSLCertificateKeyFile /etc/pki/tls/private/mycert.pem

Now httpd will no longer ask for the key passphrase when restarted.
# service httpd restart

Another way to generate the SSL certificate is as follows:

1. go to /etc/pki/tls/certs
2. make mycert.pem
3. Enter the information about country,state,city,host name etc, your certificate and key has been created .
4. now go to /etc/httpd/conf.d/ssl.conf and change..
SSLCertificateFile /etc/pki/tls/certs/mycert.pem
SSLCertificateKeyFile /etc/pki/tls/certs/mycert.pem
5. save changes.
6. on shell prompt service httpd start


Original source: http://polinwei.blogspot.tw/2009/02/linux-centos-apache-server-with-ssl.html
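As an added example that is not part of the post or of Polin Wei's original article: a non-interactive shell version of Steps 02 through 07 above, run in a scratch directory instead of /etc/pki/tls so it can be tried without touching a live server. It assumes a hypothetical working tree $WORK (defaulting to a mktemp directory), a placeholder passphrase s3cret, and the DN values from the post. It departs from the post in three places: a 2048-bit key instead of 1024-bit, a random serial instead of -set_serial 0, and a check that the passphrase-stripped key actually belongs to the certificate before the ssl.conf lines are printed. The expiry check uses openssl x509 -checkend with certwatch's default 30-day warning period, which is what produced the notice at the top of the post.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive version of
# Steps 02-07 above, run in a scratch tree ($WORK stands in for /etc/pki/tls).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"        # hypothetical stand-in for /etc/pki/tls
CERTS="$WORK/certs"
PRIVATE="$WORK/private"
mkdir -p "$CERTS" "$PRIVATE"

# Step 02: passphrase-protected key plus self-signed certificate. The DN is
# passed with -subj instead of the interactive prompts; the key is 2048-bit
# and the serial random, where the post used 1024-bit and -set_serial 0.
make_selfsigned() {                 # $1 host, $2 days, $3 passphrase
    umask 077
    openssl genrsa -aes256 -passout "pass:$3" -out "$PRIVATE/$1.key" 2048 2>/dev/null
    openssl req -utf8 -new -x509 -days "$2" \
        -key "$PRIVATE/$1.key" -passin "pass:$3" \
        -subj "/C=TW/ST=Taichung/L=Taichung/O=MyCorp./OU=WEI/CN=$1" \
        -set_serial "0x$(openssl rand -hex 16)" \
        -out "$CERTS/$1.crt"
}

# Step 06: write an unencrypted copy of the key so httpd can start unattended.
# The copy is exactly as sensitive as the passphrase was; keep it root-only.
strip_passphrase() {                # $1 host, $2 passphrase
    umask 077
    openssl rsa -in "$PRIVATE/$1.key" -passin "pass:$2" -out "$PRIVATE/$1.pem" 2>/dev/null
    chmod 600 "$PRIVATE/$1.pem"
}

# Sanity checks before pointing ssl.conf at the files.
cert_cn() {                         # prints the CN of certificate $1
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
cert_key_match() {                  # true if key $2 (passphrase $3, optional) matches cert $1
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
cert_expires_within() {             # true if cert $1 expires within $2 days (certwatch's test)
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Steps 04/07: the two ssl.conf lines for this host.
ssl_conf_lines() {                  # $1 host
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$CERTS/$1.crt" "$PRIVATE/$1.pem"
}

HOST="myssl.mydomain.com"
PASS="s3cret"                       # placeholder passphrase, constructed for the example
make_selfsigned "$HOST" 365 "$PASS"
strip_passphrase "$HOST" "$PASS"

cert_key_match "$CERTS/$HOST.crt" "$PRIVATE/$HOST.pem" || { echo "key/cert mismatch" >&2; exit 1; }
echo "CN: $(cert_cn "$CERTS/$HOST.crt")"
if cert_expires_within "$CERTS/$HOST.crt" 30; then
    echo "certwatch would warn: certificate expires within 30 days"
fi
ssl_conf_lines "$HOST"
```

To apply it to a real CentOS box, run it as root with WORK=/etc/pki/tls, paste the two printed lines into /etc/httpd/conf.d/ssl.conf, and restart httpd as in Step 07; the cert_key_match check catches the common mistake of pointing SSLCertificateKeyFile at a key from an earlier run of make.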