Apache1.3.27+mod_ssl+自定义SSL证书
绝对蓝屏 [ ihweb ] (黄华栋)Apache 1.3.27+mod_ssl+自定义SSL证书在我发表第一篇文章里介绍了用FreeBSD 的Ports 来安装方便简单,可更多使用者使用的OS非FreeBSD或想自己下载他们的原代码自己编译安装的。以下是作者在FreeBSD 4.8 stable平台下,一步一步编译安装Apache 1.3.27+mod_ssl的过程。
1、下载所需的安装包
FBSD# pwd/tmp/installFBSD# fetch http://httpd.apache.org/dist/httpd/apache_1.3.27.tar.gzFBSD# fetch ftp://ftp.modssl.org/source/mod_ssl-2.8.14-1.3.27.tar.gzFBSD# fetch ftp://ftp.openssl.org/source/openssl-0.9.7a.tar.gzFBSD# ls –lA-rw-r--r-- 1 root wheel 2306052 10 4 2002 apache_1.3.27.tar.gz-rw-r--r-- 1 root wheel 754179 3 21 22:21 mod_ssl-2.8.14-1.3.27.tar.gz-rw-r--r-- 1 root wheel 2776582 2 19 22:12 openssl-0.9.7a.tar.gz
2、安装opensslopenssl 是mod_ssl 必需的软件包
FBSD# tar zxvf openssl-0.9.7a.tar.gzFBSD# cd openssl-0.9.7aFBSD# ./config (请看清楚,不是一般的configure 他自己的是config)FBSD# make
make 成功后,openssl 就安装完成了。3、将mod_ssl 配置进apache
FBSD# pwd/tmp/installFBSD# tar zxvf mod_ssl-2.8.14-1.3.27.tar.gzFBSD# tar zxvf apache_1.3.27.tar.gzFBSD# ls –lAdrwxr-xr-x 8 1078 1078 512 7 17 13:09 apache_1.3.27-rw-r--r-- 1 root wheel 2306052 10 4 2002 apache_1.3.27.tar.gzdrwxr-xr-x 10 root wheel 512 7 17 13:06 mod_ssl-2.8.14-1.3.27-rw-r--r-- 1 root wheel 754179 3 21 22:21 mod_ssl-2.8.14-1.3.27.tar.gzdrwxr-xr-x 20 root wheel 1024 7 17 13:05 openssl-0.9.7a-rw-r--r-- 1 root wheel 2776582 2 19 22:12 openssl-0.9.7a.tar.gzFBSD# cd mod_ssl-2..8.14-1.3.27FBSD# ./configure --with-apache=../apache_1.3.27 --with-ssl=../openssl-0.9.7a --prefix=/usr/local/apacheConfiguring mod_ssl/2.8.14 for Apache/1.3.27+ Apache location: ../apache_1.3.27 (Version 1.3.27)+ OpenSSL location: ../openssl-0.9.7a+ Auxiliary patch tool: ./etc/patch/patch (local)……….Now proceed with the following commands:$ cd ../apache_1.3.27$ make$ make certificate$ make installFBSD#
当大家看到以上的东西后,mod_ssl 已经加到了apache的源代码中,按照提示本来就应该直接到apache_1.3.27下面编译就可以使用apache 了,但是我发现这样编译后的apache 不具有 动态模块加载(DSO)功能,那么来说,你的apache1.3.27只具备静态网页的功能(当然,你也可以用perl 来写CGI程序实现动态网页)其实DSO有很多好处,比如你可以加装PHP……等。4、编译和安装Apache 1.3.27
刚才提到为什么我们不按照指示去做呢,就是因为我们要把Apache 1.3.27编译成DSO模式。如果你单单想编译成静态模式的话,就直接在apache 1.3.27 目录下make 就OK了。
下面是把apache 1.3.27 编译成DSO模式。
FBSD# ./configure --prefix=/usr/local --enable-module=so --enable-module=ssl(--enable-module=ssl 这个很重要,就是要加如mod_ssl 模块)……FBSD# make….
到此,apache 1.3.27+mod_ssl 已经编译完成,下面的是生成CA证书。FBSD# make certificateSSL Certificate Generation Utility (mkcert.sh)Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.Generating test certificate signed by Snake Oil CA [TEST]WARNING: Do not use this for real-life/production systems______________________________________________________________________STEP 0: Decide the signature algorithm used for certificateThe generated X.509 CA certificate can contain eitherRSA or DSA based ingredients. Select the one you want to use.Signature Algorithm ((R)SA or (D)SA) [R]:R (选择加密方式)______________________________________________________________________STEP 1: Generating RSA private key (1024 bit) [server.key]4493119 semi-random bytes loadedGenerating RSA private key, 1024 bit long modulus..++++++...........................................................................++++++e is 65537 (0x10001)______________________________________________________________________STEP 2: Generating X.509 certificate signing request [server.csr]You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----1. Country Name (2 letter code) [XY]:CN2. State or Province Name (full name) [Snake Desert]:Guang Dong3. Locality Name (eg, city) [Snake Town]:Guang Zhou4. Organization Name (eg, company) [Snake Oil, Ltd]:Kingisme.com xBSD Studio5. Organizational Unit Name (eg, section) [Webserver Team]:cnfug.org6. Common Name (eg, FQDN) [www.snakeoil.dom]:www.cnfug.org7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:ihweb@cnfug.org8. Certificate Validity (days) [365]:365______________________________________________________________________STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]Certificate Version (1 or 3) [3]:3Signature oksubject=/C=CN/ST=Guang Dong/L=Guang Zhou/O=Kingisme.com xBSD Studio/OU=cnfug.org/CN=www.cnfug.org/emailAddress=ihweb@cnfug.orgGetting CA Private KeyVerify: matching certificate & key modulusVerify: matching certificate signature../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/emailAddress=ca@snakeoil.domerror 10 at 1 depth lookup:certificate has expiredOK______________________________________________________________________STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]The contents of the server.key file (the generated private key) has to bekept secret. So we strongly recommend you to encrypt the server.key filewith a Triple-DES cipher and a Pass Phrase.Encrypt the private key now? [Y/n]: nWarning, you're using an unencrypted RSA private key.Please notice this fact and do this on your own risk.______________________________________________________________________RESULT: Server Certification Fileso conf/ssl.key/server.keyThe PEM-encoded RSA private key file which you configurewith the 'SSLCertificateKeyFile' directive (automatically donewhen you install via APACI). KEEP THIS FILE PRIVATE!o conf/ssl.crt/server.crtThe PEM-encoded X.509 certificate file which you configurewith the 'SSLCertificateFile' directive (automatically donewhen you install via APACI).o conf/ssl.csr/server.csrThe PEM-encoded X.509 certificate signing request file whichyou can send to an official Certificate Authority (CA) in orderto request a real server certificate (signed by this CA insteadof our demonstration-only Snake Oil CA) which later can replacethe conf/ssl.crt/server.crt file.WARNING: Do not use this for real-life/production systemsFBSD#
到此,CA证书正式生成。然后安装apache 1.3.27FBSD# make install…
5、启动并测试FBSD# /usr/local/apache/bin/apachectl startssl
在IE中输入地址https://192.168.168.168/ (请更换你的APACHE服务器IP)
你将会看到需要1)询问是否要通过安全连接查看网页
2)接收到证书
6、关于自定义SSL的证书
大家可以查看我的《Apache1.3.27+mod_ssl+SSL》中提到方法去做,只是此是的sign.sh 在
/tmp/install/mod_ssl-2.8.14-1.3.27/pkg.contrib/sign.sh 那里,这是签署证书生成server.crt需要的。
7、小结
此文章虽然是在 FreeBSD 4.8 stable 平台上实现的,但是由于Unix Like ,基本上适用于Linux、Solaris、AIX、HP-UX等。其实这样的安装不难,多看点文档,尤其是mod_ssl 本身自带的文档,因为这个mod_ssl-2.8.14-1.3.27 本身就是for Apache 1.3.27 所以mod_ssl.org Code team 们肯定