Apache 1.3.27 + mod_ssl + custom SSL certificate

王朝system · Author unknown  2008-05-21

绝对蓝屏 [ ihweb ] (黄华栋) <ihweb@cnfug.org>

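In my first article I described installing through the FreeBSD Ports system, which is simple and convenient. Many users, however, run an OS other than FreeBSD, or want to download the source code and compile it themselves. What follows is the author's step-by-step process for compiling and installing Apache 1.3.27 + mod_ssl on FreeBSD 4.8 stable.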

1. Download the required packages

FBSD# pwd
/tmp/install
FBSD# fetch http://httpd.apache.org/dist/httpd/apache_1.3.27.tar.gz
FBSD# fetch ftp://ftp.modssl.org/source/mod_ssl-2.8.14-1.3.27.tar.gz
FBSD# fetch ftp://ftp.openssl.org/source/openssl-0.9.7a.tar.gz
FBSD# ls -lA
-rw-r--r-- 1 root wheel 2306052 10 4 2002 apache_1.3.27.tar.gz
-rw-r--r-- 1 root wheel 754179 3 21 22:21 mod_ssl-2.8.14-1.3.27.tar.gz
-rw-r--r-- 1 root wheel 2776582 2 19 22:12 openssl-0.9.7a.tar.gz

2. Install openssl

openssl is a package that mod_ssl requires.

FBSD# tar zxvf openssl-0.9.7a.tar.gz
FBSD# cd openssl-0.9.7a
FBSD# ./config    (look carefully: this is OpenSSL's own "config" script, not the usual "configure")
FBSD# make

Once make succeeds, the openssl installation is complete.

3. Configure mod_ssl into Apache

FBSD# pwd
/tmp/install
FBSD# tar zxvf mod_ssl-2.8.14-1.3.27.tar.gz
FBSD# tar zxvf apache_1.3.27.tar.gz
FBSD# ls -lA
drwxr-xr-x 8 1078 1078 512 7 17 13:09 apache_1.3.27
-rw-r--r-- 1 root wheel 2306052 10 4 2002 apache_1.3.27.tar.gz
drwxr-xr-x 10 root wheel 512 7 17 13:06 mod_ssl-2.8.14-1.3.27
-rw-r--r-- 1 root wheel 754179 3 21 22:21 mod_ssl-2.8.14-1.3.27.tar.gz
drwxr-xr-x 20 root wheel 1024 7 17 13:05 openssl-0.9.7a
-rw-r--r-- 1 root wheel 2776582 2 19 22:12 openssl-0.9.7a.tar.gz
FBSD# cd mod_ssl-2.8.14-1.3.27
FBSD# ./configure --with-apache=../apache_1.3.27 --with-ssl=../openssl-0.9.7a --prefix=/usr/local/apache
Configuring mod_ssl/2.8.14 for Apache/1.3.27
+ Apache location: ../apache_1.3.27 (Version 1.3.27)
+ OpenSSL location: ../openssl-0.9.7a
+ Auxiliary patch tool: ./etc/patch/patch (local)
……….
Now proceed with the following commands:
$ cd ../apache_1.3.27
$ make
$ make certificate
$ make install
FBSD#

Once you see the output above, mod_ssl has been added to the Apache source tree. Following the printed instructions, you would normally go straight to apache_1.3.27, compile there, and have a usable Apache. However, I found that an Apache built this way has no dynamic module loading (DSO) support, which means your Apache 1.3.27 can only serve static pages (of course, you can still write CGI programs in Perl to produce dynamic pages). DSO has many benefits; for example, you can add PHP …… and so on.

4. Compile and install Apache 1.3.27

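As mentioned above, the reason we do not follow the printed instructions is that we want to build Apache 1.3.27 in DSO mode. If you only want a static build, simply run make in the apache 1.3.27 directory.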

The following builds apache 1.3.27 in DSO mode.

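FBSD# cd ../apache_1.3.27
FBSD# ./configure --prefix=/usr/local --enable-module=so --enable-module=ssl
(--enable-module=ssl is important: it is what adds the mod_ssl module)
……
FBSD# make
….

At this point apache 1.3.27 + mod_ssl has been compiled. The next step is to generate the CA certificate.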

FBSD# make certificate
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
______________________________________________________________________
STEP 0: Decide the signature algorithm used for certificate
The generated X.509 CA certificate can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:R    (choose the signature algorithm)
______________________________________________________________________
STEP 1: Generating RSA private key (1024 bit) [server.key]
4493119 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
..++++++
...........................................................................++++++
e is 65537 (0x10001)
______________________________________________________________________
STEP 2: Generating X.509 certificate signing request [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [XY]:CN
2. State or Province Name (full name) [Snake Desert]:Guang Dong
3. Locality Name (eg, city) [Snake Town]:Guang Zhou
4. Organization Name (eg, company) [Snake Oil, Ltd]:Kingisme.com xBSD Studio
5. Organizational Unit Name (eg, section) [Webserver Team]:cnfug.org
6. Common Name (eg, FQDN) [www.snakeoil.dom]:www.cnfug.org
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:ihweb@cnfug.org
8. Certificate Validity (days) [365]:365
______________________________________________________________________
STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=CN/ST=Guang Dong/L=Guang Zhou/O=Kingisme.com xBSD Studio/OU=cnfug.org/CN=www.cnfug.org/emailAddress=ihweb@cnfug.org
Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/emailAddress=ca@snakeoil.dom
error 10 at 1 depth lookup:certificate has expired
OK
______________________________________________________________________
STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________
RESULT: Server Certification Files
o conf/ssl.key/server.key
The PEM-encoded RSA private key file which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request file which
you can send to an official Certificate Authority (CA) in order
to request a real server certificate (signed by this CA instead
of our demonstration-only Snake Oil CA) which later can replace
the conf/ssl.crt/server.crt file.
WARNING: Do not use this for real-life/production systems
FBSD#

At this point the CA certificate has been generated.

Then install apache 1.3.27:

FBSD# make install
…

5. Start and test

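FBSD# /usr/local/apache/bin/apachectl startssl

Enter the following address in IE:

https://192.168.168.168/ (replace this with your Apache server's IP)

You will then see:

1) A prompt asking whether to view the page over a secure connection

2) The certificate being received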
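
The "make certificate" run above answered "n" to encrypting server.key, produced a 1024-bit RSA key, and signed server.crt with the demonstration Snake Oil CA that the tool itself warns against using in production. The following script is an added example, not part of the original article or of mod_ssl, that checks an installed key and certificate for exactly those conditions; the function names, the finding labels, the 2048-bit minimum and the /usr/local/apache/conf paths in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article): audit the key and certificate that
# "make certificate" produced. The 2048-bit minimum is this example's assumption.

# True when the PEM key is passphrase-protected (traditional or PKCS#8 form).
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# True when neither group nor other has any permission bit on the file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when an issuer string names mod_ssl's demonstration CA.
issuer_is_test_ca() {
    case "$1" in *"Snake Oil"*) return 0 ;; *) return 1 ;; esac
}

# Extract the public key size from "openssl x509 -noout -text" output on stdin.
pubkey_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print one finding per line; prints nothing when every check passes.
audit_ssl_files() {
    key=$1 crt=$2
    key_is_encrypted "$key" || echo "KEY_UNENCRYPTED $key"
    key_is_private "$key"   || echo "KEY_READABLE_BY_OTHERS $key"
    command -v openssl >/dev/null 2>&1 || { echo "SKIPPED_CERT_CHECKS"; return; }
    issuer=$(openssl x509 -noout -issuer -in "$crt") || { echo "CERT_UNREADABLE $crt"; return; }
    issuer_is_test_ca "$issuer" && echo "TEST_CA_ISSUER $issuer"
    bits=$(openssl x509 -noout -text -in "$crt" | pubkey_bits)
    [ "${bits:-0}" -ge 2048 ] || echo "WEAK_KEY ${bits:-unknown} bit"
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null || echo "CERT_EXPIRED $crt"
    return 0
}

# Usage (paths assume the /usr/local/apache prefix used for apachectl above):
#   sh audit.sh /usr/local/apache/conf/ssl.key/server.key \
#               /usr/local/apache/conf/ssl.crt/server.crt
if [ $# -eq 2 ]; then audit_ssl_files "$1" "$2"; fi
```
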

6. About custom SSL certificates

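You can follow the method described in my article "Apache1.3.27+mod_ssl+SSL". The only difference is that sign.sh is now located at

/tmp/install/mod_ssl-2.8.14-1.3.27/pkg.contrib/sign.sh

It is needed to sign the certificate and produce server.crt.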

7. Summary

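Although this article was carried out on FreeBSD 4.8 stable, the systems are all Unix-like, so it basically applies to Linux, Solaris, AIX, HP-UX and others as well. This kind of installation is not difficult: read the documentation, especially the documentation that ships with mod_ssl itself. Because mod_ssl-2.8.14-1.3.27 is made specifically for Apache 1.3.27, the mod_ssl.org code team has certainly tested it, so during installation you only need to read the prompts carefully.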

I hope everyone completes their own apache + mod_ssl setup smoothly.

 
 
 