1. Install openssl
Download OpenSSL from http://www.openssl.org/source/ or https://github.com/openssl/openssl
tar -zxf openssl-1.0.2n.tar.gz //Unpack the source archive
cd openssl-1.0.2n //Enter the unpacked source directory
./config //Configure the build. The default configuration is recommended
make && make install //Compile and install
OpenSSL is installed to /usr/local/ssl by default.
2. Make Apache support SSL. When compiling Apache, specify SSL support, either statically or dynamically.
Static method: --enable-ssl=static --with-ssl=/usr/local/ssl
Dynamic method: --enable-ssl=shared --with-ssl=/usr/local/ssl
The second (dynamic) method generates the mod_ssl.so module in the modules/ directory instead of linking it in statically, so it also requires adding
LoadModule ssl_module modules/mod_ssl.so to httpd.conf
3. Obtain a certificate
3.1 Create a private key
Before creating a certificate request, you need to generate a server certificate private key file first.
cd /usr/local/ssl/bin //Enter the openssl installation directory
openssl genrsa -out server.key 2048 //Run the openssl command to generate a 2048-bit private key file server.key
If you need to protect server.key with a password, add the -des3 option (for example: openssl genrsa -des3 -out server.key 2048). An encrypted private key is not supported in the Windows environment; when an encrypted private key is used on Linux, the private key password must be entered every time Apache is restarted.
cp server.key /usr/local/apache/conf/ssl.key/
3.2 Generate Certificate Request (CSR) file
openssl req -new -key server.key -out certreq.csr
Country Name: //The ISO standard code for your country; China is CN
State or Province Name: //The province/autonomous region/municipality where your unit is located
Locality Name: //The city/county/district where your unit is located
Organization Name: //The legal name of your unit/organization/enterprise
Organizational Unit Name: //Department name
Common Name: //Common name, for example: www.itrus.com.cn . This item must exactly match the domain name you use to access the server that provides SSL services.
Email Address: //Your email address, no need to enter it, just press Enter to skip
"extra" attributes //The following information does not need to be entered; press Enter to skip each prompt until the command completes.
3.3 Backup the private key and submit the certificate request
Submit the certificate request file certreq.csr to Tianwei Chengxin, and back up the certificate private key file server.key while waiting for the certificate to be issued. The server certificate and its private key must be used as a pair; losing the private key file makes the certificate unusable.
4. Install the certificate
4.1 Obtain the server certificate's intermediate CA certificates
To ensure the server certificate is accepted by clients, two intermediate CA certificates must be installed alongside it (certificates from other brands may have only one intermediate certificate).
Get the intermediate CA certificates from the email:
Paste the content of the two intermediate CA certificates from the certificate issuance email, from BEGIN to END (including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"), into the same text editor such as Notepad, separated by a line break. Change the file extension and save it as conf/ssl.crt/intermediatebundle.crt (if there is only one intermediate certificate, save and install just that one).
4.2 Obtain the EV server certificate
Paste the issued server certificate content from the certificate issuance email, from BEGIN to END (including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"), into a text editor such as Notepad and save it as the ssl.crt/server.crt file.
4.3 Apache 2.0 configuration
Add the following to httpd.conf (the directives belong inside a port-443 virtual host):
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
DocumentRoot "/data/web/www"
ServerName aaa.com:443
ErrorLog "logs/error.log"
CustomLog "logs/access.log" combined
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediatebundle.crt
</VirtualHost>
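As an added example that is not part of the original guide, the following shell script builds a throwaway root and intermediate CA so that step 3 (server.key and certreq.csr) and the intermediate bundle of step 4.1 can be exercised offline, then runs the two checks worth doing before pointing SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile at the files: that the private key matches the issued certificate, and that the certificate chains to the root through the bundle. It assumes openssl is on PATH; all subjects, file names and the working directory are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide. Stand-in root and intermediate CAs
# replace the real CA's chain; the server key/CSR steps mirror section 3 and the
# bundle mirrors section 4.1. Assumes `openssl` is on PATH; all names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extensions that make a certificate usable as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Throwaway root CA (self-signed) and intermediate CA (signed by the root).
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj "/CN=Constructed Root CA" -out root.csr
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
openssl genrsa -out inter.key 2048 2>/dev/null
openssl req -new -key inter.key -subj "/CN=Constructed Intermediate CA" -out inter.csr
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out inter.crt 2>/dev/null

# Section 3: server private key and CSR. The Common Name must be the host name
# clients connect to; -subj supplies the fields instead of the interactive prompts.
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -subj "/C=CN/O=Constructed Org/CN=www.example.com" -out certreq.csr
openssl x509 -req -in certreq.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -out server.crt 2>/dev/null

# Section 4.1: the bundle is simply the intermediate certificate(s) concatenated, PEM after PEM.
cat inter.crt > intermediatebundle.crt

# Check 1: the private key and the issued certificate share the same RSA modulus.
# A mismatch here is a common reason Apache refuses to start with SSLEngine on.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
  [ "$k" = "$c" ]
}

# Check 2: the server certificate chains to the root through the bundle, which is what
# a client does with the chain Apache serves from SSLCertificateChainFile.
chain_verifies() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

key_matches_cert server.key server.crt && echo "server.key matches server.crt"
chain_verifies server.crt intermediatebundle.crt root.crt && echo "server.crt chains to the root"
```

Run it with a real root certificate in place of root.crt to check a CA-issued server.crt and intermediatebundle.crt before restarting Apache.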