1、Generate the key
# openssl genrsa 1024 > server.key
This generates a key with the 128-bit RSA algorithm and saves it to the file server.key.
2、Generate the certificate signing request
# openssl req -new -key server.key > server.csr
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Zhejiang
Locality Name (eg, city) [Newbury]:Hangzhou
Organization Name (eg, company) [My Company Ltd]:My Application
Organizational Unit Name (eg, section) []:My Application
Common Name (eg, your name or your server's hostname) []:www.www.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:My Application
3、Generate the certificate
# openssl req -x509 -days 730 -key server.key -in server.csr > server.crt
The -days parameter is the certificate's validity period in days.
That completes the certificate. Next, configure httpd; since httpd was already installed and running, it has to be recompiled with ssl added:
1、Recompile
make clean
make clean all
./configure --prefix=/usr/local/apache2 --enable-so --enable-mods-shared=most --enable-ssl &&
make &&
make install
2、Edit httpd.conf and add:
LoadModule ssl_module modules/mod_ssl.so
3、Load the ssl configuration:
Include conf/httpd-ssl.conf
4、Make sure the certificate paths are updated:
SSLCertificateFile /apache/conf/server.crt
SSLCertificateKeyFile /apache/conf/server.key
5、Because DocumentRoot was customized, the DocumentRoot in httpd-ssl.conf must be changed as well.
After starting it, the log kept showing the following errors:
[notice] caught SIGTERM, shutting down
[Wed Mar 26 21:53:02 2014] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Mar 26 21:53:02 2014] [warn] RSA server certificate CommonName (CN) `serv' does NOT match server name!?
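As an added example (not part of the original note), the script below produces a server certificate that triggers neither warning: "req -x509" with the stock openssl.cnf applies the v3_ca extension section, which is where "CA == TRUE" comes from, and the certificate's name must equal the ServerName in httpd-ssl.conf. The number in "openssl genrsa 1024" is the key's modulus length in bits; the script uses 2048. The hostname www.www.com, the subject fields from the prompts above and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not the original author's commands. Builds a self-signed
# end-entity (server) certificate with basicConstraints=CA:FALSE and a
# subjectAltName for the host, then inspects the result. The hostname and
# output directory are assumptions.
set -eu

# make_server_cert HOST DIR: 2048-bit key, CSR with the subject used above,
# self-signed certificate carrying explicit server extensions.
make_server_cert() {
  host="$1"; dir="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" \
    -subj "/C=CN/ST=Zhejiang/L=Hangzhou/O=My Application/CN=$host" \
    -out "$dir/server.csr"
  # Extensions file: without it, "req -x509" would use openssl.cnf's v3_ca
  # section and mark the certificate as a CA, as the httpd warning shows.
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl x509 -req -days 730 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# cert_is_ca CERT: prints yes or no according to the BasicConstraints extension.
cert_is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# cert_covers_host CERT HOST: succeeds if HOST is listed as a DNS subjectAltName,
# the name clients check and the one that must agree with httpd's ServerName.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Demo: create the certificate in a temporary directory and inspect it.
demo_dir=$(mktemp -d)
make_server_cert www.www.com "$demo_dir"
echo "CA certificate: $(cert_is_ca "$demo_dir/server.crt")"
cert_covers_host "$demo_dir/server.crt" www.www.com && echo "covers www.www.com"
```

Point SSLCertificateFile and SSLCertificateKeyFile at the generated server.crt and server.key, and set ServerName in httpd-ssl.conf to the same hostname.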