apache配置ssl

1、確認是否安裝ssl模塊

是否有mod_ssl.so文件

 

2、生成證書和密鑰

 

linux下

步驟1：生成密鑰

命令：openssl genrsa 1024 > server.key

說明：這是用128位rsa算法生成密鑰，得到server.key文件

步驟2: 生成證書請求文件

命令：openssl req -new -key server.key > server.csr

說明：這是用步驟1的密鑰生成證書請求文件server.csr, 這一步提很多問題，一一輸入

步驟3: 生成證書

命令：openssl req -x509 -days 365 -key server.key -in server.csr > server.crt

說明：這是用步驟1,2的的密鑰和證書請求生成證書server.crt，-days參數指明證書有效期，單位為    

window下

步驟1：生成密鑰

命令：openssl genrsa 1024 > server.key

說明：這是用128位rsa算法生成密鑰，得到server.key文件

 

步驟2: 生成證書請求文件

命令：openssl req -config D:\work_soft\Apache2.2\conf\openssl.cnf -new -key server.key > server.csr

說明：這是用步驟1的密鑰生成證書請求文件server.csr, 這一步提很多問題，一一輸入

 

步驟3: 生成證書

命令：openssl req -config D:\work_soft\Apache2.2\conf\openssl.cnf -x509 -days 365 -key server.key -in server.csr > server.crt

說明：這是用步驟1,2的的密鑰和證書請求生成證書server.crt，-days參數指明證書有效期，單位為天

 

    把得到的server.key和server.crt文件拷貝到apache的對應目錄

3、配置apache

　　1、修改 /etc/apache2/sites-available/default-ssl文件

　　　　將其中的證書相關配置替換為

  　　   SSLCertificateFile /etc/apache2/ssl/server.crt 

  　　   SSLCertificateKeyFile /etc/apache2/ssl/server.key 

　　2、在/etc/apache2/sites-enable/目錄下為剛才的default-ssl配置文件生成軟連接(如果已經有就不要了)

　　　　 $sudo ln -s ../sites-available/default-ssl 001-default-ssl

　　3、在/etc/apache2/mods-available下設置ssl.conf和ssl.load

　　　　ssl.conf

　　　　

<IfModule mod_ssl.c>
        # Pseudo Random Number Generator (PRNG):
        # Configure one or more sources to seed the PRNG of the SSL library.
        # The seed data should be of good random quality.
        # WARNING! On some platforms /dev/random blocks if not enough entropy
        # is available. This means you then cannot use the /dev/random device
        # because it would lead to very long connection times (as long as
        # it requires to make more entropy available). But usually those
        # platforms additionally provide a /dev/urandom device which doesn't
        # block. So, if available, use this one instead. Read the mod_ssl User
        # Manual for more details.
        #
        SSLRandomSeed startup builtin
        SSLRandomSeed startup file:/dev/urandom 512
        SSLRandomSeed connect builtin
        SSLRandomSeed connect file:/dev/urandom 512

        ##
        ##  SSL Global Context
        ##
        ##  All SSL configuration in this context applies both to
        ##  the main server and all SSL-enabled virtual hosts.
        ##

        #
        #   Some MIME-types for downloading Certificates and CRLs
        #
        AddType application/x-x509-ca-cert .crt
        AddType application/x-pkcs7-crl .crl

        #   Pass Phrase Dialog:
        #   Configure the pass phrase gathering process.
        #   The filtering dialog program (`builtin' is a internal
        #   terminal dialog) has to provide the pass phrase on stdout.
        SSLPassPhraseDialog  exec:/usr/share/apache2/ask-for-passphrase

        #   Inter-Process Session Cache:
        #   Configure the SSL Session Cache: First the mechanism 
        #   to use and second the expiring timeout (in seconds).
        #   (The mechanism dbm has known memory leaks and should not be used).
        #SSLSessionCache                 dbm:${APACHE_RUN_DIR}/ssl_scache
        SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
        SSLSessionCacheTimeout  300

        #   Semaphore:
        #   Configure the path to the mutual exclusion semaphore the
        #   SSL engine uses internally for inter-process synchronization. 
        #   (Disabled by default, the global Mutex directive consolidates by default
        #   this)
        #Mutex file:${APACHE_LOCK_DIR}/ssl_mutex ssl-cache

        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate. See the
        #   ciphers(1) man page from the openssl package for list of all available
        #   options.
        #   Enable only secure ciphers:
        SSLCipherSuite HIGH:!aNULL

        # SSL server cipher order preference:
        # Use server priorities for cipher algorithm choice.
        # Clients may prefer lower grade encryption.  You should enable this
        # option if you want to enforce stronger encryption, and can afford
        # the CPU cost, and did not override SSLCipherSuite in a way that puts
        # insecure ciphers first.
        # Default: Off
        #SSLHonorCipherOrder on

        #   The protocols to enable.
        #   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
        #   SSL v2  is no longer supported

        SSLProtocol all -SSLv3

        #   Allow insecure renegotiation with clients which do not yet support the
        #   secure renegotiation protocol. Default: Off
        #SSLInsecureRenegotiation on


        #   Whether to forbid non-SNI clients to access name based virtual hosts.
        #   Default: Off

        #SSLStrictSNIVHostCheck On
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

　　ssl.load

# Depends: setenvif mime socache_shmcb
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so

　　4、在/etc/apache2/mods-enabled下設置剛才配置文件的軟連接

　　　　ln -s ../mods-available/ssl.conf ssl.conf

　　　　ln -s ../mods-available/ssl.load ssl.load

4、重啟apache　

　　apachectl configtest

　　apachectl restart

報錯：

　　1 、SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?)

　　　　解決方法：加載mod_sochache_shmcb

　　　　在/etc/apache2/mods-enabled下

　　　　ln -s ../mods-available/socache_shmcb.load socache_shmcb.load

　　2、"Syntax error on line 80 of c:/apache/conf/extra/httpd-ssl.conf:ErrorLog takes one argument,The filename of the error log"或者"Syntax error on line 99 of c:/apache/conf/extra/httpd-ssl.conf:SSLCertificateFile takes one argument,SSL Server Certificate file ('/path/to/file' -PEM or DER encoded)"

　　　　解決方法：文件路徑加雙引號