eGameX

CentOS - Setting up an Apache server with SSL

Posted on 2013-4-8 21:12:57
Over the past few days the server has been sending the notice below:
The certificate for XXX will expire in XXX days

################# SSL Certificate Warning ################

  Certificate for hostname 'xxx.xxx.xxx', in file (or by nickname):
     /etc/pki/tls/certs/localhost.crt

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

##########################################################
                                  Generated by certwatch(1)

I searched online and found that the method below takes care of it, so I am reposting it here.

From: Polin Wei

Environment:
Cent OS 5.x
Apache 2.x
Domain: mydomain.com
Host: myssl.mydomain.com

Step 01:

    # cd /etc/pki/tls/certs

Step 02: Create the key. You will be asked for the country, state/province, city and host name.

    [root@myssl certs]# make mycert.crt
    umask 77 ; \
    /usr/bin/openssl genrsa -des3 1024 > mycert.key
    Generating RSA private key, 1024 bit long modulus
    ......................................................................++++++
    ...........++++++
    e is 65537 (0x10001)
    Enter pass phrase: **** <== enter the pass phrase for the key here
    Verifying - Enter pass phrase: **** <== enter the pass phrase again
    umask 77 ; \
    /usr/bin/openssl req -utf8 -new -key mycert.key -x509 -days 365 -out mycert.crt -set_serial 0
    Enter pass phrase for mycert.key: **** <== enter the pass phrase once more
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:tw
    State or Province Name (full name) [Berkshire]:Taichung
    Locality Name (eg, city) [Newbury]:Taichung
    Organization Name (eg, company) [My Company Ltd]:MyCorp.
    Organizational Unit Name (eg, section) []:WEI
    Common Name (eg, your name or your server's hostname) []:myssl.mydomain.com
    Email Address []:[email protected]

At this point two files, mycert.crt and mycert.key, have been created in /etc/pki/tls/certs.

Step 03: Move mycert.key to /etc/pki/tls/private

    mv mycert.key /etc/pki/tls/private

Step 04: Edit the following parameters in /etc/httpd/conf.d/ssl.conf

    SSLCertificateFile /etc/pki/tls/certs/mycert.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mycert.key

Step 05: Restart the httpd service.

    [root@myssl certs]# service httpd start
    Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.

    Server svn.globeunion.com:443 (RSA)
    Enter pass phrase: *** <== enter the pass phrase for the key here

    OK: Pass Phrase Dialog successful.
    [ OK ]

Step 06: Check that SSL is running.

    netstat -an|grep 443

Every time httpd starts, it asks for the pass phrase of the key. To stop httpd from asking each time, do the following:

    [root@myssl tls]# openssl rsa -in private/mycert.key -out mycert.pem
    Enter pass phrase for private/svncert.key: <== enter the pass phrase for your key
    writing RSA key <== done

This produces a file named mycert.pem.

    [root@myssl tls]# cp mycert.pem /etc/pki/tls/private/

Step 07: Edit the following parameters in /etc/httpd/conf.d/ssl.conf

    SSLCertificateFile /etc/pki/tls/certs/mycert.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mycert.pem

After this, httpd no longer asks for the pass phrase of the key each time it is restarted.

    [root@myssl tls]# service httpd restart

Another way to generate the SSL certificate is as follows:

1. Go to /etc/pki/tls/certs
2. Run: make mycert.pem
3. Enter the information about country, state, city, host name, etc. Your certificate and key have now been created in mycert.pem.
4. Now open /etc/httpd/conf.d/ssl.conf and change:
SSLCertificateFile /etc/pki/tls/certs/mycert.pem
SSLCertificateKeyFile /etc/pki/tls/certs/mycert.pem
5. Save the changes.
6. At the shell prompt, run: service httpd start


Original source: http://polinwei.blogspot.tw/2009 ... erver-with-ssl.html
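
The pass-phrase removal step above leaves an unencrypted copy of the private key (mycert.pem) on disk, so its file permissions become the only protection it has. The script below is an added example, not part of the original post or of Polin Wei's article: it reads the SSLCertificateKeyFile directives from an ssl.conf and reports whether each key is pass-phrase protected and readable only by its owner. The function names are hypothetical and GNU stat (as shipped with CentOS) is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the private keys that an
# Apache ssl.conf points at. Assumes GNU stat, as shipped with CentOS.

# Print the path from every uncommented SSLCertificateKeyFile directive.
key_files() {
    awk 'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); print $2 }' "$1"
}

# Classify a PEM key file: encrypted (pass phrase needed), plaintext, or unknown.
key_state() {
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo encrypted
    elif grep -q 'BEGIN [A-Z ]*PRIVATE KEY' "$1"; then
        echo plaintext
    else
        echo unknown
    fi
}

# Succeed only when group and other have no permission bits (600, 400, ...).
key_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Report each key; return 1 if any key is missing or readable beyond its owner.
audit_conf() {
    rc=0
    for f in $(key_files "$1"); do
        if [ ! -f "$f" ]; then
            echo "$f: missing"; rc=1; continue
        fi
        if key_mode_ok "$f"; then perm="owner-only"; else perm="TOO OPEN"; rc=1; fi
        echo "$f: $(key_state "$f"), mode $(stat -c '%a' "$f") ($perm)"
    done
    return $rc
}

# Usage on the server from this page (run as root):
#   audit_conf /etc/httpd/conf.d/ssl.conf
```

If mycert.pem is reported as TOO OPEN, tighten it with chmod 600 before restarting httpd.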