1. In httpd.conf, remove the '#' in front of the following lines:
#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-mpm.conf
#Include conf/extra/httpd-ssl.conf
2. Generate the certificates. Go to Apache's bin directory and run the following steps there.
a. First generate the server's private key (the key file):
set OPENSSL_CONF=openssl.cnf
openssl genrsa -des3 -out server.key 1024
b. Generate server.csr, the Certificate Signing Request (CSR). The CSR is handed to the CA for signing, which produces the server's own certificate. Prompts appear on screen; enter the requested identity information step by step.
openssl req -new -key server.key -out server.csr -config openssl.cnf
c. Run the same commands for the client to generate its key and csr files:
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config openssl.cnf
d. Set up a local CA:
openssl req -new -x509 -keyout ca.key -out ca.crt -config openssl.cnf
e. In the bin directory create a demoCA folder and enter it, then:
create a newcerts folder (no need to enter it)
create index.txt
create a file named serial, open it, write 01 and save
f. Sign the server.csr and client.csr generated above with the CA certificate:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config openssl.cnf
g. Generate ca.pfx, then open the browser, go to certificate management and import the certificate following the prompts; you will be asked for the password you entered while creating the .pfx:
openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.pfx
h. In httpd.conf find the line #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so and uncomment it (remove the leading '#').
i. Export server.key (this rewrites the key without its passphrase):
openssl rsa -in server.key -out server.key
Copy the generated server.key, ca.crt and server.crt into the conf directory, then open httpd-ssl.conf, find SSLPassPhraseDialog builtin and put a # in front of it.
3. Configure httpd-ssl.conf, changing the corresponding entries:
SSLCertificateFile "c:/Apache24/conf/server.crt"
SSLCertificateKeyFile "c:/Apache24/conf/server.key"
SSLCACertificateFile "c:/Apache24/conf/ca.crt"
SSLVerifyClient require
SSLVerifyDepth 1
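The whole of step 2 as a non-interactive POSIX shell script, added here as an example that is not part of the original notes. It writes its own minimal openssl.cnf (an assumption; the notes use the copy in Apache's bin directory), builds the demoCA layout, issues and signs the server and client certificates, strips the server key's passphrase, and then runs the chain check that SSLVerifyClient require with SSLVerifyDepth 1 performs; it exports client.pfx for the browser instead of ca.pfx, so the CA's private key stays on the signing machine. The same genrsa / req / rsa sequence is what the macOS transcript further down runs by hand.

```shell
# Added example (not from the original notes): steps 2 a-i of the demoCA workflow,
# run non-interactively. Passphrase "demo" and the subject names are placeholders.
set -eu
# Build CA, server and client material in $1 (subshell, so the caller's cwd stays).
make_pki() (
  mkdir -p "$1/demoCA/newcerts" && cd "$1"
  : > demoCA/index.txt && echo 01 > demoCA/serial
  # Minimal openssl.cnf (assumption: written here instead of Apache's bundled copy)
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
  # d: local CA, explicitly marked CA:TRUE so verifiers accept it as an issuer
  openssl req -new -x509 -nodes -newkey rsa:2048 -keyout ca.key -out ca.crt \
    -subj "/CN=Demo Root CA" -days 3650 -extensions v3_ca -config openssl.cnf
  openssl genrsa -des3 -passout pass:demo -out server.key 2048
  openssl req -new -key server.key -passin pass:demo -out server.csr \
    -subj "/CN=192.168.0.1" -config openssl.cnf
  openssl genrsa -out client.key 2048
  openssl req -new -key client.key -out client.csr -subj "/CN=client1" -config openssl.cnf
  for who in server client; do  # f: -batch replaces the interactive y/y prompts
    openssl ca -batch -in $who.csr -out $who.crt -cert ca.crt -keyfile ca.key \
      -extensions v3_leaf -config openssl.cnf
  done
  # i: strip the passphrase so httpd starts without SSLPassPhraseDialog
  openssl rsa -in server.key -passin pass:demo -out server.key
  # g: the browser needs the CLIENT cert+key as .pfx; ca.key never leaves the CA
  openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx -passout pass:demo
)
# The check SSLVerifyClient require + SSLVerifyDepth 1 makes: "ok" if both leaves chain to ca.crt.
verify_pki() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" "$1/client.crt" >/dev/null && echo ok
}
```

Run it with `make_pki /tmp/pki && verify_pki /tmp/pki`; the files it leaves in /tmp/pki are the ones step 3 expects under conf.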
a - Generate the private key: sudo openssl genrsa -des3 -out private.key 1024
b - Generate the signing request: sudo openssl req -new -key private.key -out private.csr
c - Generate the server's private key (despite its name, public.key is the same private key with the passphrase removed): sudo openssl rsa -in private.key -out public.key
d - Generate the certificate to deploy on the web server: sudo openssl req -new -x509 -days 3650 -key public.key -out public.crt
(This step is much like step a; make sure the Common Name is filled in correctly.)
Mac-Pro:ios root_user$ sudo openssl genrsa -des3 -out private.key 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase for private.key:[enter the passphrase here]
Verifying - Enter pass phrase for private.key:[enter it again to confirm]
Mac-Pro:ios root_user$
Mac-Pro:ios root_user$ sudo openssl req -new -key private.key -out private.csr
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN[country; CN = China]
State or Province Name (full name) [Some-State]:beijing[province or city]
Locality Name (eg, city) []:beijing[city]
Organization Name (eg, company) [Internet Widgits Pty Ltd]:rh ltd[company]
Organizational Unit Name (eg, section) []:rh[organizational unit]
Common Name (e.g. server FQDN or YOUR name) []:192.168.0.1[this one must be correct: your server's domain name or IP]
Email Address []:admin@admin.com[my e-mail address]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456[the challenge password]
An optional company name []:rh[the name]
Mac-Pro:ios root_user$
Mac-Pro:ios root_user$ sudo openssl rsa -in private.key -out public.key
Enter pass phrase for private.key:[enter the passphrase]
writing RSA key
Mac-Pro:ios root_user$
Mac-Pro:ios root_user$ sudo openssl req -new -x509 -days 3650 -key public.key -out public.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:rh ltd
Organizational Unit Name (eg, section) []:rh
Common Name (e.g. server FQDN or YOUR name) []:192.168.0.1
Email Address []:admin@admin.com