前提: Apache已整合SSL或有mod_ssl模块.
利用OpenSSL产生Apache使用的证书, 以下脚本产生一个RSA私人密钥(server.key)和自签署证书(server.crt)文件, 并将这两文件保存到conf/目录.
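#!/usr/bin/env bash
#
# Generate a self-signed server certificate for Apache mod_ssl.
#
# Produces two PEM files in OUT_DIR (default: current directory):
#   server.key  RSA private key, NOT passphrase-protected
#   server.crt  self-signed X.509 certificate
#
# Tunables (environment variables):
#   KEY_BITS  RSA modulus size; default 2048. The former hard-coded 1024
#             is below current minimums and is rejected by modern clients.
#   DAYS      certificate validity in days; default 1825 (about 5 years)
#   OUT_DIR   directory that receives server.key / server.crt; default "."
#
# `openssl req -x509` prompts interactively for the subject fields; the
# system default openssl configuration file is used, as before.
#
set -euo pipefail

readonly KEY_BITS="${KEY_BITS:-2048}"
readonly DAYS="${DAYS:-1825}"
readonly OUT_DIR="${OUT_DIR:-.}"
readonly KEY_FILE="${OUT_DIR}/server.key"
readonly CRT_FILE="${OUT_DIR}/server.crt"

command -v openssl >/dev/null || { printf 'openssl not found in PATH\n' >&2; exit 1; }
[[ -d "$OUT_DIR" ]] || { printf 'output directory %s does not exist\n' "$OUT_DIR" >&2; exit 1; }

# The private key is written unencrypted, so create it owner-readable only
# instead of relying on the ambient umask (no chmod-after-create race).
# server.crt inherits the same mode; relax it afterwards if it must be
# served or copied elsewhere.
umask 077

#
# First, generate the Apache server private key.
#
printf '\nGenerating Apache server private key…\n\n'
openssl genrsa -out "$KEY_FILE" "$KEY_BITS"

#
# Next, produce a self-signed certificate with that key.
#
printf '\nGenerating Apache server self signed certificate…\n\n'
openssl req -outform PEM -new -key "$KEY_FILE" -x509 -days "$DAYS" -out "$CRT_FILE"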
修改apache配置文件
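#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
Listen 0.0.0.0:443
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program ('builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
# The key produced by the script above carries no passphrase,
# so no prompt appears at startup.
SSLPassPhraseDialog builtin
SSLEngine on
# SSL Protocol support:
# SSLv2 and SSLv3 are broken and must not be negotiated.
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# The previous list admitted export, LOW, RC4 and SSLv2 suites, all of
# which are broken. Restrict to HIGH-strength authenticated suites and
# let the server, not the client, choose the suite.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!EXP:!LOW
SSLHonorCipherOrder on
# Server Certificate:
# This path (relative to ServerRoot) must match where the generation
# script wrote server.crt.
SSLCertificateFile conf/ssl.crt/server.crt
# Server Private Key:
# Must match where the generation script wrote server.key; keep the file
# readable by root only, since it is not passphrase-protected.
SSLCertificateKeyFile conf/ssl.key/server.key
# SSL Engine Options:
SSLOptions +StdEnvVars
# Work-around for old MSIE versions (appears to be the standard mod_ssl
# example). This is ONE directive: the pattern uses plain ASCII double
# quotes and the flags continue on the same logical line via "\",
# otherwise httpd rejects "nokeepalive" as an unknown directive.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0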
重启apache.
https://apache_server/