Installing and Configuring Apache 2.2 + OpenSSL 0.9 on CentOS

System version: CentOS release 5.5 (Final)
Software: httpd-2.2.22.tar.gz, openssl-0.9.8e.tar.gz
 
1. First, upload the archives to the CentOS virtual machine over SSH
[root@cacti ~]# tar -zxvf httpd-2.2.22.tar.gz
[root@cacti ~]# tar -zxvf openssl-0.9.8e.tar.gz

2. Install OpenSSL first
[root@cacti openssl-0.9.8e]# ./config --prefix=/usr/local/ssl //set the install prefix to /usr/local/ssl
[root@cacti openssl-0.9.8e]# make && make install //build and install OpenSSL
 
3. Install Apache 2.2
[root@cacti httpd-2.2.22]# ./configure --prefix=/usr/local/apache --enable-so --enable-ssl --with-ssl=/usr/local/ssl //other options can be added as needed; run ./configure --help to list them
[root@cacti httpd-2.2.22]# make && make install //build and install Apache
 
4. [root@cacti ~]# cd /usr/local/apache/conf/
[root@cacti conf]# vi httpd.conf
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf //remove the leading # from this line; the default path can also be changed
 
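5. [root@cacti conf]# cd extra //enter the extra directory and locate httpd-ssl.conf
[root@cacti extra]# cp httpd-ssl.conf httpd-ssl.conf.backup //keep a backup copy
[root@cacti extra]# grep -v "#" httpd-ssl.conf.backup > httpd-ssl.conf //strip the comment lines so the directives are easier to find; read from the backup, because redirecting a file onto itself truncates it before it is read
[root@cacti extra]# vi httpd-ssl.conf //open httpd-ssl.conf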
DocumentRoot "/usr/local/apache/htdocs"
ServerName :443
ServerAdmin you@example.com
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

SSLCertificateFile "/usr/local/apache/conf/server.cert" //the default path and file extension can be changed here
SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
 
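6. [root@cacti conf]# cd /usr/local/apache/conf //enter the conf directory to generate the key
[root@cacti conf]# openssl genrsa -des3 -out server.key 1024 //generate the server private key: run the openssl command to generate a 1024- or 2048-bit private key file, server.key. To protect server.key with a passphrase, use the -des3 option. Encrypted private keys are not supported on Windows; on Linux, with an encrypted private key you must enter the passphrase every time Apache is restarted (example: openssl genrsa -des3 -out server.key 2048).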
Generating RSA private key, 1024 bit long modulus
....................++++++
.................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: //enter the passphrase
Verifying - Enter pass phrase for server.key:
[root@cacti conf]# openssl req -new -key server.key -out server.crt //generate the server certificate request and fill in the certificate information as prompted:
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
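Country Name (2 letter code) [GB]:cn //ISO code of your country; CN for China
State or Province Name (full name) [Berkshire]:zj //Zhejiang; the province, autonomous region or municipality where your organization is located
Locality Name (eg, city) [Newbury]:hz //Hangzhou; the city, county or district where your organization is located
Organization Name (eg, company) [My Company Ltd]:hz //company name
Organizational Unit Name (eg, section) []:hz //department name (organizational unit)
Common Name (eg, your name or your server's hostname) []:zhh //hostname; the common name, for example: . This field must exactly match the domain name used to access the server that provides the SSL service.
Email Address []:enjoygoodboy@163.com //your e-mail address; optional, press Enter to skip
Please enter the following 'extra' attributes //the following items are optional; press Enter to skip them until the command finishes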
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
Signing:
[root@cacti conf]# openssl x509 -req -days 700 -in server.crt -signkey server.key -out server.cert
Signature ok
subject=/C=cn/ST=zj/L=hz/O=hz/OU=hz/CN=zhh/emailAddress=enjoygoodboy@163.com
Getting Private key
Enter pass phrase for server.key:
[root@cacti conf]# ls //the certificates can be backed up
extra       keybackup  mime.types  server.cert  server.key
httpd.conf  magic      original    server.crt
For security, set the three files generated above to mode 400 with chmod.
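
A check for the step 5 directives and the step 6 key permissions, as an added example that is not part of the original article. The function names audit_ssl_conf and key_mode_ok, the policy they enforce (SSLv2 and SSLv3 disabled, no MEDIUM/LOW/EXP/RC4 cipher classes, key file mode 400) and the sample configuration are assumptions constructed here.

```sh
#!/bin/sh
# Added example, not from the original article. Assumed policy: SSLv2/SSLv3
# off, no MEDIUM/LOW/EXP/RC4 cipher classes, private key file mode 400.

# key_mode_ok FILE: succeed only if FILE is a regular file with mode 0400.
key_mode_ok() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" = "-r--------" ]
}

# audit_ssl_conf FILE: print one finding per line; no output means clean.
audit_ssl_conf() {
    awk '
    /^[ \t]*#/ { next }                      # ignore commented-out lines
    tolower($1) == "sslprotocol" {
        v2 = 0; v3 = 0
        for (i = 2; i <= NF; i++) {          # apply tokens left to right
            t = tolower($i); on = (t !~ /^-/); sub(/^[+-]/, "", t)
            if (t == "all")   { v2 = on; v3 = on }
            if (t == "sslv2") v2 = on
            if (t == "sslv3") v3 = on
        }
        if (v2) print "SSLProtocol: SSLv2 enabled"
        if (v3) print "SSLProtocol: SSLv3 enabled"
    }
    tolower($1) == "sslciphersuite" {
        gsub(/"/, "", $2); n = split($2, c, ":")
        for (i = 1; i <= n; i++)             # "!X" and "-X" entries never match
            if (c[i] ~ /^[+]?(MEDIUM|LOW|EXP|EXPORT|RC4)$/)
                print "SSLCipherSuite: weak class " c[i]
    }
    tolower($1) == "sslcertificatekeyfile" {
        gsub(/"/, "", $2); print "KEYFILE " $2
    }' "$1" |
    while read -r kind rest; do
        if [ "$kind" != "KEYFILE" ]; then echo "$kind $rest"
        elif ! key_mode_ok "$rest"; then echo "KeyFile: $rest is not mode 400"
        fi
    done
}

# Constructed sample: the step 5 directives plus a throwaway key file.
demo=$(mktemp -d)
: > "$demo/server.key"; chmod 644 "$demo/server.key"
printf '%s\n' 'SSLProtocol all -SSLv2' 'SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5' \
    "SSLCertificateKeyFile \"$demo/server.key\"" > "$demo/httpd-ssl.conf"
audit_ssl_conf "$demo/httpd-ssl.conf"
rm -rf "$demo"
```

On the real server, run audit_ssl_conf /usr/local/apache/conf/extra/httpd-ssl.conf after the chmod; no output means the three checks passed.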
