CentOS 64-bit: installing a certificate on Apache so the site is served over HTTPS

Part 1

Apache first needs a CSR (certificate signing request) with which the SSL certificate is requested from the CA. The steps are as follows:

An Important Note Before You Start

By far the most common problem users have when going through this process is related to private keys. The private key is generated at the same time as the CSR; if you lose it or forget its passphrase, the certificate issued to you cannot be installed and you will have to generate a new key and CSR and request a free reissue. To make sure this never happens, back up the private key file as soon as the CSR has been generated, make a note of the passphrase that protects it, and ideally do not touch the server again until the certificate arrives.

The utility "openssl" used to generate the private key and CSR comes with the OpenSSL toolkit and is usually installed under /usr/bin. If your system has it elsewhere, use the correct path in the commands below.

The following sequence of commands assumes OpenSSL is installed and in your PATH (if not, prefix the openssl command with the path to the binary). It generates a 2048-bit RSA key, encrypts it with the triple-DES cipher (3DES is a legacy cipher; current OpenSSL accepts -aes256 in its place for protecting the key file) and creates a CSR based on it. Use the domain name you want certified as the core of the file names, and make sure you do not overwrite existing keys and CSRs.

1. Generate the private key

Type the following command at the prompt:

openssl genrsa -des3 -out www.mydomain.com.key 2048

This command generates a 2048-bit RSA private key and stores it in the file www.mydomain.com.key. It asks you for a passphrase: choose something secure and remember it, because the certificate is useless without its corresponding key.

2. Generate the CSR. Type the following command at the prompt:

openssl req -new -key www.mydomain.com.key -out www.mydomain.com.csr

If this fails with "Unable to load config info from /usr/local/ssl/openssl.cnf", add a parameter pointing at your openssl.cnf: openssl req -new -config openssl.cnf -key www.mydomain.com.key -out www.mydomain.com.csr

This command prompts you for the X.509 attributes of your certificate: country (CN for China), state or province, locality or city, organisation name and organisational unit. Enter the company name exactly as it appears on your official company registration documents. The organisational unit (OU) is optional, since the CA verifies and authenticates the company name and not the OU; press Enter to skip it. Apart from the country code, which must be the two-letter code CN, the fields may be in English or Chinese.

Enter the exact hostname for which the SSL certificate is requested. The "Common Name" is X.509 speak for the name that distinguishes the certificate best and ties it to your organisation. If you wish to secure www.mydomain.com, you must enter the exact host (www) and domain name (mydomain.com) in this field; a certificate is strictly bound to the name in it. If you enter mydomain.com, the certificate issued to you will only work error free on https://mydomain.com and will cause a certificate mismatch error when you or your users access https://www.mydomain.com. (Current browsers match the hostname against the Subject Alternative Name extension rather than the Common Name, so check that the CA puts the same hostname in the SAN of the issued certificate.)

Note: get the Common Name exactly right: nihao.com is not www.nihao.com.

Do not enter an email address, a challenge password or an optional company name when generating the CSR; press Enter to leave them empty.

You have now created a public/private key pair. The private key (www.mydomain.com.key) stays on your server and is never sent anywhere; the public part is sent to Willrey/Thawte in the form of a Certificate Signing Request (www.mydomain.com.csr) and will be used by your visitors' browsers to set up encrypted sessions with your site. The CSR is a PEM text block starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----.

The key and CSR can also be produced in one step with

openssl req -new -nodes -keyout myserver.key -out myserver.csr

or, if the config file is not found, openssl req -new -config openssl.cnf -nodes -keyout myserver.key -out myserver.csr. Note that -nodes writes the private key without a passphrase, so the key file's permissions are then the only thing protecting it.

3. Backup your private key

Back up your private key file and make a note of the passphrase. A good choice is to copy the file onto removable media that is kept offline, with file permissions that allow only the owner to read it.
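The whole of Part 1 as one script, added here as an example and not part of the original post: it generates the passphrase-protected key and the CSR non-interactively, proves that the CSR was made from that key (same RSA modulus) before the CSR goes to the CA, and takes the backup with owner-only permissions. It assumes openssl is in PATH; the hostname www.mydomain.com, the organisation fields in -subj and the KEY_PASS passphrase variable are placeholders of this example. AES-256 is used instead of the page's -des3 to protect the key at rest.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `openssl` is in PATH.
# Hostname, -subj fields and the KEY_PASS passphrase are placeholders.
set -eu

# Generate a 2048-bit RSA key (encrypted with AES-256 rather than the
# legacy 3DES) and a CSR for hostname $1 in directory $2. The passphrase
# is read from the KEY_PASS environment variable so it never appears on
# the command line, where `ps` and shell history would record it.
gen_key_and_csr() {
    host=$1
    dir=$2
    key="$dir/$host.key"
    csr="$dir/$host.csr"
    # Never overwrite an existing key: the certificate issued for the old
    # CSR would then be unusable and would need a reissue.
    if [ -e "$key" ]; then
        echo "refusing to overwrite existing key $key" >&2
        return 1
    fi
    umask 077    # new files readable by the owner only (persists in caller)
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$key" 2048
    # -subj answers the interactive prompts; CN must be the exact hostname.
    # Email, challenge password and optional company name are left out.
    openssl req -new -key "$key" -passin env:KEY_PASS \
        -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Example Ltd/CN=$host" \
        -out "$csr"
}

# Print the Common Name recorded in CSR $1 (what the CA will certify).
csr_common_name() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Succeed only if key $1 and CSR $2 carry the same RSA modulus, i.e. the
# CSR really was produced from this key. KEY_PASS must be set.
key_matches_csr() {
    kmod=$(openssl rsa -in "$1" -passin env:KEY_PASS -noout -modulus)
    cmod=$(openssl req -in "$2" -noout -modulus)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Copy key $1 into backup directory $2, owner-only on both the directory
# and the file. Point $2 at removable or offline media in practice.
backup_key() {
    mkdir -p "$2"
    chmod 700 "$2"
    cp "$1" "$2/"
    chmod 400 "$2/$(basename "$1")"
}

# Usage (KEY_PASS must be exported first):
#   gen_key_and_csr www.mydomain.com /etc/httpd/conf/ssl.key
#   key_matches_csr /etc/httpd/conf/ssl.key/www.mydomain.com.key \
#                   /etc/httpd/conf/ssl.key/www.mydomain.com.csr
#   backup_key /etc/httpd/conf/ssl.key/www.mydomain.com.key /mnt/backup/ssl
```

Run key_matches_csr again after the certificate arrives, against the certificate's modulus (openssl x509 -noout -modulus), to confirm the CA signed the key you still hold.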

Once the CA has processed the CSR you will receive a confirmation email from the organisation you bought the certificate from. It contains your web server certificate, which is the public.crt referred to below.

Part 2

  Step 1: Save your SSL Certificate File

Firstly when your issuance email arrives it will contain your web server certificate. Copy your web server certificate into a text editor such as Notepad including the header and footer. You should then have a text file that looks like:

-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----

Make sure you have 5 dashes to either side of the BEGIN CERTIFICATE and END CERTIFICATE and that no white space, extra line breaks or additional characters have been inadvertently added.

Save the certificate file as public.crt

Step 2: Obtain the Intermediate CA Bundle

Here is the intermediate file: intermediate_file (this is the CA's intermediate certificate, not your site's own certificate; your site certificate chains up to it)

Right click the above intermediate_file link and save it as intermediate.crt

Step 3: Set up your httpd.conf file

Open your httpd.conf file (some installations keep the SSL section in a separate file such as ssl.conf) using a text editor, and locate the virtual host section for the site that the SSL Certificate will secure.

Your virtual host section will need to contain the following directives:

SSLCertificateFile – This will need to point to the SSL certificate itself that was issued to you
SSLCertificateKeyFile – This will need to point to the private key file associated with your certificate.
SSLCertificateChainFile – This will need to point to the intermediate file

Note: Some versions of Apache will not accept the SSLCACertificateFile directive. Try using SSLCertificateChainFile instead.

For an example, see the VirtualHost block under Additional information below.

Save the changes to the file and quit the text editor

Stop and start apache to register the change.

Note: Some instances of Apache contain both a httpd.conf and ssl.conf file. Please enter or amend the httpd.conf or the ssl.conf with the above directives. Do not enter both as there will be a conflict and Apache may not start.

Additional information
The VirtualHost in your httpd.conf file should be configured as follows (IP address, paths and domain are placeholders to replace with your own; the intermediate is referenced with SSLCertificateChainFile, matching the directive list above, and SSLProtocol excludes SSLv2 and SSLv3 rather than the original "all", which would also enable those broken protocol versions):
<VirtualHost [IP ADDRESS]:443>
ServerAdmin admin@domain.com
DocumentRoot /www/home
ServerName www.domain.com
ErrorLog /www/home/logs/error_log
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/httpd/conf/ssl.crt/public.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/private.key
SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt
ServerPath /home
<Directory "/www/home">
</Directory>
</VirtualHost>
On Apache 2.4.8 and later SSLCertificateChainFile is deprecated: append the intermediate certificate after your own certificate in the file named by SSLCertificateFile instead. Keep the private key file owned by root and readable by root only (chmod 400).
Save your config file and restart Apache. You can most likely do so by using the apachectl script; run the syntax check first so that a typo does not leave the server down:
apachectl configtest
apachectl stop
apachectl start
A few things to watch out for:
1. httpd.conf must Include your httpd-ssl.conf, otherwise the SSL configuration has no effect.
2. httpd-ssl.conf must load the module: LoadModule ssl_module xx/mod_ssl.so (with the real path to mod_ssl.so in place of xx).
3. SSLFIPS on can be added outside the <VirtualHost> block, but only if the OpenSSL that mod_ssl is linked against was built with FIPS support; otherwise mod_ssl aborts at startup. Leave it out if you do not need FIPS mode.
4. If there is no private.key file to point SSLCertificateKeyFile at, create one from the key generated in Part 1 with openssl rsa -in xx.key -out private.key and place it at the path referenced in httpd-ssl.conf. This writes the key without its passphrase, so Apache can start unattended; the unencrypted file is as sensitive as the passphrase was, so make it owned by root with mode 0400.
5. Apache must have been compiled with --enable-ssl --with-ssl=<directory where OpenSSL is installed>.
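A pre-flight check for Part 2, added here as an example and not from the original post: it applies the Step 1 rule (exact BEGIN/END lines, no stray characters) to the saved certificate files, confirms that public.crt belongs to the private key and that its issuer is the intermediate from Step 2, runs openssl verify over the chain, and shows the passphrase-stripping step from note 4 with the file permissions it needs. It assumes openssl is in PATH and uses the file names from this page; the KEY_PASS variable and the optional trusted-root argument of verify_chain are conventions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes `openssl` in PATH.
# File names follow this page; KEY_PASS (passphrase of the encrypted key)
# is a convention of this example.
set -e

# Step 1 rule as a check: file $1 must start with the exact BEGIN line,
# end with the exact END line, contain only base64 between them, and have
# nothing after END (no blank line, no CR from a Windows editor, no
# leading space from a sloppy paste). It must also decode as an X.509 cert.
check_pem_format() {
    awk '
        NR == 1 { if ($0 != "-----BEGIN CERTIFICATE-----") bad = 1; next }
        /^-----END CERTIFICATE-----$/ { seen_end = 1; next }
        seen_end { bad = 1 }                 # anything after the END line
        !/^[A-Za-z0-9+\/=]+$/ { bad = 1 }    # not a clean base64 line
        END { exit (bad || !seen_end) }
    ' "$1" && openssl x509 -in "$1" -noout
}

# Succeed only if certificate $1 was issued for private key $2 (same RSA
# modulus). $2 may be passphrase-protected if KEY_PASS is exported.
cert_matches_key() {
    cmod=$(openssl x509 -in "$1" -noout -modulus)
    kmod=$(openssl rsa -in "$2" ${KEY_PASS:+-passin env:KEY_PASS} -noout -modulus)
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]
}

# Succeed only if certificate $1 was signed by certificate $2, i.e. the
# issuer name of $1 equals the subject name of $2 (the chain "links").
chain_links() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# Full path validation of leaf $1 through intermediate $2. The trusted
# root $3 is optional: omit it to use the system CA store, as a browser would.
verify_chain() {
    openssl verify ${3:+-CAfile "$3"} -untrusted "$2" "$1" >/dev/null
}

# Note 4 on this page: write an unencrypted copy of key $1 to $2 so that
# Apache can start without a passphrase prompt. The copy is as sensitive
# as the passphrase was, so it is created owner-readable only.
strip_passphrase() {
    umask 077
    openssl rsa -in "$1" -passin env:KEY_PASS -out "$2"
    chmod 400 "$2"
}

# Usage, after saving the files from Steps 1 and 2 (KEY_PASS exported):
#   check_pem_format public.crt && check_pem_format intermediate.crt
#   strip_passphrase www.mydomain.com.key private.key
#   cert_matches_key public.crt private.key
#   chain_links public.crt intermediate.crt
#   verify_chain public.crt intermediate.crt
```

Only once all five checks pass is it worth editing httpd.conf; after the restart, openssl s_client -connect www.mydomain.com:443 -servername www.mydomain.com shows the chain the server actually sends, which is the final confirmation that the intermediate directive took effect.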