-
SSL协定类型设定
- sudo vim /etc/apache2/mods-enabled/ssl.conf
- [setting value]
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!CBC:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE
SSLProtocol -All -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2 (TLSv1非必要建议关掉,可提升安全性)
-
SSL证书配置
- 产生
sudo cp /usr/local/ssl/openssl.cnf ~
vim openssl.cnf
[setting value]
[ req ] 底下加入 req_extensions = v3_req
增加标签 [ alt_names ] 并在底下加入
DNS.1 = www.domian-a.com
DNS.2 = www.domian-b.com
DNS.3 = www.domian-c.com
openssl req -new -key private.key -out public.csr -config openssl.cnf - SSL证书校验
openssl x509 -noout -modulus -in public.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5 - 产生的public.csr向IT提交
- 安装证书
sudo mkdir /etc/ssl/SSL
sudo unzip SSL.zip /etc/ssl/SSL/
sudo vim /etc/apache2/sites-enabled/default-ssl.conf
sudo cp “Path of PrivateKey” /etc/ssl/SSL/project/private.key
[setting value]
SSLCertificateFile /etc/ssl/project/ssl_certificate.crt
SSLCertificateKeyFile /etc/ssl/project/private.key
SSLCertificateChainFile /etc/ssl/project/IntermediateCA.crt - 重启Apache
sudo service apache2 restart
- 产生
