For the past few days the server has been sending the notice below:
The certificate for XXX will expire in XXX days
################# SSL Certificate Warning ################
Certificate for hostname 'xxx.xxx.xxx', in file (or by nickname):
/etc/pki/tls/certs/localhost.crt
The certificate needs to be renewed; this can be done
using the 'genkey' program.
Browsers will not be able to correctly connect to this
web site using SSL until the certificate is renewed.
##########################################################
Generated by certwatch(1)
A search turned up the following procedure, which takes care of it, so I am reposting it here.
From: Polin Wei
Environment:
CentOS 5.x
Apache 2.x
Domain: mydomain.com
Host: myssl.mydomain.com
Step 01: go to /etc/pki/tls/certs (the commands below are run from that directory)
Step 02: generate the key and certificate; you will be asked for the country, state, city and host name:
    [root@myssl certs]# make mycert.crt
    umask 77 ; \
    /usr/bin/openssl genrsa -des3 1024 > mycert.key
    Generating RSA private key, 1024 bit long modulus
    ......................................................................++++++
    ...........++++++
    e is 65537 (0x10001)
    Enter pass phrase: **** <== enter a passphrase for the key here
    Verifying - Enter pass phrase: **** <== enter the key passphrase again
    umask 77 ; \
    /usr/bin/openssl req -utf8 -new -key mycert.key -x509 -days 365 -out mycert.crt -set_serial 0
    Enter pass phrase for mycert.key: **** <== enter the key passphrase once more
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:tw
    State or Province Name (full name) [Berkshire]:Taichung
    Locality Name (eg, city) [Newbury]:Taichung
    Organization Name (eg, company) [My Company Ltd]:MyCorp.
    Organizational Unit Name (eg, section) []:WEI
    Common Name (eg, your name or your server's hostname) []:myssl.mydomain.com
    Email Address []:[email protected]
This creates two files in /etc/pki/tls/certs: mycert.crt and mycert.key.
Step 03: move mycert.key to /etc/pki/tls/private:
    mv mycert.key /etc/pki/tls/private
Step 04: edit these settings in /etc/httpd/conf.d/ssl.conf:
    SSLCertificateFile /etc/pki/tls/certs/mycert.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mycert.key
Step 05: restart the httpd service:
    [root@myssl certs]# service httpd start
    Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.
    Server svn.globeunion.com:443 (RSA)
    Enter pass phrase: *** <== enter the key passphrase here
    OK: Pass Phrase Dialog successful.
    [ OK ]
Step 06: check that SSL is working. Every time httpd starts it will ask for the key passphrase; to stop httpd asking each time, do the following (the key now lives in private/ after Step 03):
    [root@myssl tls]# openssl rsa -in private/mycert.key -out mycert.pem
    Enter pass phrase for private/svncert.key: <== enter your key passphrase
    writing RSA key <== done
This produces a file called mycert.pem, the same key with the passphrase removed:
    [root@myssl tls]# cp mycert.pem /etc/pki/tls/private/
Step 07: edit these settings in /etc/httpd/conf.d/ssl.conf:
    SSLCertificateFile /etc/pki/tls/certs/mycert.crt
    SSLCertificateKeyFile /etc/pki/tls/private/mycert.pem
Now httpd will no longer ask for the key passphrase when it is restarted:
    [root@myssl tls]# service httpd restart
Another way to generate the SSL certificate:
1. go to /etc/pki/tls/certs
2. make mycert.pem
3. Enter the information about country, state, city, host name etc.; your certificate and key have been created (the CentOS Makefile writes the key and the certificate together into mycert.pem, which is why both directives below point at the same file).
4. now go to /etc/httpd/conf.d/ssl.conf and change:
    SSLCertificateFile /etc/pki/tls/certs/mycert.pem
    SSLCertificateKeyFile /etc/pki/tls/certs/mycert.pem
5. save changes.
6. at the shell prompt: service httpd start
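As an added example (not from the original post or from Polin Wei's blog), here are the checks behind the certwatch warning and the renewal steps above as POSIX shell functions over openssl(1): whether a certificate expires within a given window, whether a key belongs to a certificate, whether the key still carries a passphrase, and whether a passphrase-less key is readable by root only. The function names and the throwaway demo pair are assumptions for the example.

```shell
#!/bin/sh
# Example helpers (not from the original post); function names are ours.

# Return 0 when CERT expires within DAYS days (the condition certwatch warns
# about), 1 when it stays valid past that window.
cert_expires_within() {
    cert=$1; days=$2
    # openssl exits 0 when the cert will NOT expire within the period
    if openssl x509 -noout -checkend "$((days * 86400))" -in "$cert" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Return 0 when RSA private key KEY belongs to CERT, by comparing the modulus
# on both sides. A mismatch between SSLCertificateFile and
# SSLCertificateKeyFile is what makes httpd refuse to start.
# KEY must already be passphrase-free (as after Step 06), else openssl prompts.
key_matches_cert() {
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null </dev/null)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# Return 0 when the PEM key is still passphrase-protected (Step 06 removes it).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# A passphrase-less key must be mode 0600 (what "umask 77" gives root).
key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "rw-------" ]
}

# Constructed demo input: a throwaway self-signed pair valid for 10 days,
# written with umask 77 like the Makefile does. Prints the directory.
make_demo_pair() {
    dir=$(mktemp -d)
    ( umask 77
      openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
          -subj "/CN=myssl.mydomain.com" \
          -keyout "$dir/mycert.key" -out "$dir/mycert.crt" >/dev/null 2>&1 )
    echo "$dir"
}
```

Run the functions against /etc/pki/tls/certs/localhost.crt and the key named in ssl.conf to reproduce the warning condition before and after renewal.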
Original source: http://polinwei.blogspot.tw/2009 ... erver-with-ssl.html