|
apache+mysql+php+ssl服务器之完全安装攻略(10) SSLEngine on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
# Note that I keep my certificate files located in a central
# location. You could change this if you are an ISP, or ASP.
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /usr/local/apache/logs/ssl_request_log
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
记住你有很多指令可以指定。我们将在另一篇有关配置Apache的文章中讨论,本文只是一个入门性指南。
生成证书
这是如何生成证书的按部就班的描述。
为你的Apache服务器创建一个RSA私用密钥(被Triple-DES加密并且进行PEM格式化):
# openssl genrsa -des3 -out server.key 1024
请在安全的地方备份这个server.key文件。记住你输入的通行短语(pass phrase)!你可以通过下面的命令看到这个RSA私用密钥的细节。
# openssl rsa -noout -text -in server.key
而且你可以为这个RSA私用密钥创建一个加密的PEM版本(不推荐),通过下列命令:
# openssl rsa -in server.key -out server.key.unsecure
用服务器RSA私用密钥生成一个证书签署请求(CSR-Certificate Signing Request)(输出将是PEM格式的):
# openssl req -new -key server.key -out server.csr
当OpenSSL提示你“CommonName”时,确保你输入了服务器的FQDN("Fully Qualified Domain Name") ,即,当你为一个以后用https://www.foo.dom/访问的网站生成一个CSR时,这里输入"www.foo.dom"。你可借助下列命令查看该CSR的细节:
# openssl req -noout -text -in server.csr
| 
