環境 CentOS 5.x i386
- 產生 key
|
1 2 3 4 5 6 7 |
[root@Web test]# openssl genrsa -des3 -out site.key 2048 Generating RSA private key, 2048 bit long modulus ............+++ ..................+++ e is 65537 (0x10001) Enter pass phrase for site.key: Verifying - Enter pass phrase for site.key: |
- 產生 csr
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
[root@Web test]# openssl req -new -key site.key -out site.csr Enter pass phrase for site.key: #輸入剛剛產生key時輸入的資訊 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [GB]:TW State or Province Name (full name) [Berkshire]:Taiwan Locality Name (eg, city) [Newbury]:Taipei City Organization Name (eg, company) [My Company Ltd]:Cowman Organizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server's hostname) []:Cowman.ip Email Address []:cowman.chiang@gmail.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: #可以直接按enter忽略 An optional company name []: #可以直接按enter忽略 |
- cat csr,將資料丟到憑證申請的網站輸入
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
[root@Web test]# cat site.csr #將以下的資料複製,貼至申請的網站 -----BEGIN CERTIFICATE REQUEST----- MIIC1DCCAbwCAQAwgY4xCzAJBgNVBAYTAlRXMQ8wDQYDVQQIEwZUYWl3YW4xFDAS BgNVBAcTC1RhaXBlaSBDaXR5MQ8wDQYDVQQKEwZDb3dtYW4xCzAJBgNVBAsTAklU MRIwEAYDVQQDEwlDb3dtYW4uaXAxJjAkBgkqhkiG9w0BCQEWF2Nvd21hbi5jaGlh bmdAZ21haWwuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuUwx YtxHedYFykUgJuhtKGF0UuzPZ195QW9imVbFy0hT3Qt9YLKrmVESTFXxcdcLI6ty uSB3kZbnsOBr7XgGezso/lsY3dEprUplyYOXkKZsYXl7n4l7KU7nf7siGW0QY6xS oq1+7IIWa7Z9sKfdYUU9BsmH4c3YduuTa4WKdhOtn1RfSmqr5Gt+i35WZXc2/NUo efTHqsTmICh26eLjCmqrjgLfnSK9FpSa5q7nKbvK9s5q9Qae3vpECgJRf1klP1cS kBUTBoa6f46Wx+nWG/+QFpsW95w84RxxAIuUsTW2VcG6Ay6Q8TDEncj7iQ0TpJnh M3BCaepcnRVB7pNmYQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBACmQWu30vr1v UuFxszR6ZUC3e25EEwCNg5UNh8iG9abauiE2K7l9lVWPicYdoZ1GjWGT13zMslwC 4c8nxvBKZfh4QGw5ALJvb1SZhvO/OMjPGCfQjuWRza44nNaaKi+BtCVHtglqvxTP EXpCODWd+E9x5NCzKyXLGXJpT3rDg4Ov1QaGNMtNByQLD+SgsoTR+yS+RcxwS11Y Ul26LrxnrbUvkwMV0/OWvbNREKSv3RsfjMWVsAtVwmdkRKlUNAFXMIOvAwmSImd/ +0ya5gEv4M+JVWWYy6vEnUOV333eR9tR4eCw7YO862TFdic9+4OPhVFpKeWJLANz wQ4uUOWkuPA= -----END CERTIFICATE REQUEST----- |
-
以namecheap的comodo憑證為例,選擇伺服器為 apache + mod_ssl,會回傳兩個檔案至mail中
cowman_ip.ca-bundle
cowman_ip.crt -
安裝mod_ssl
|
1 |
yum install mod_ssl |
- 取消需要輸入phase的機制
|
1 2 3 |
[root@Web test]# openssl rsa -in site.key -out site-nopass.key Enter pass phrase for roamingcenter_tanet_edu_tw.key: writing RSA key |
- 編輯 apache 設定檔,範例是在 /etc/httpd/conf.d/ssl.conf
|
1 2 3 4 5 6 7 |
[root@Web test]# vim /etc/httpd/conf.d/ssl.conf <VirtualHost _default_:443> SSLEngine on SSLCertificateFile /etc/httpd/certs/cowman_ip.crt SSLCertificateKeyFile /etc/httpd/certs/site-nopass.key SSLCertificateChainFile /etc/httpd/certs/cowman_ip.ca-bundle |
- 將 http 轉至 https,修改 /etc/httpd/conf/httpd.conf
|
1 2 3 4 5 6 |
[root@Web test]# vim /etc/httpd/conf/httpd.conf #加在最後面 RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} |
- 重新啟動 apache
|
1 |
service httpd restart |
!! 記得檢查iptables防火牆設定