Opening port 443
If the server is deployed in the cloud, remember to open port 443 for inbound traffic.
Creating the SSL certificate
Option 1: a free certificate website: https://freessl.cn/
Option 2: openssl (bundled with phpstudy)
1, set the openssl environment variable
Use the DOS command prompt to enter Apache's bin directory, because that directory contains libeay32.dll, openssl.exe, ssleay32.dll and other files.
In the bin directory, run the command below to set the openssl environment variable. If this command is not run, later operations will report an error.
set OPENSSL_CONF=..\conf\openssl.cnf
2, generate the server private key
Note: this generates a 128-bit key using the RSA algorithm; other algorithms can also be used to generate the key (look up their usage with a search engine). 4096 is the length of the key; the value should preferably be at least 4096, and it must be an integer power of two.
openssl genrsa 4096 > server.key
3, generate the unsigned server.csr
openssl req -new -key server.key > server.csr
Country Name (2 letter code) [AU]: CN  // ISO country code (only two characters are supported)
State or Province Name (full name) [Some-State]: Hu Bei  // province
Locality Name (eg, city) []: Wu Han  // city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Mark  // company name
Organizational Unit Name (eg, section) []: IT  // organization name
Common Name (eg server FQDN or YOUR name) []: www.phpmarker.com  // domain the certificate is requested for
Email Address []: phpmarker@163.com  // administrator mailbox
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  // exchange key, may be left blank
An optional company name []:  // may be left blank
You may get the error: ordinal xxx cannot be located in the dynamic link library libeay32.dll. Solution: copy libeay32.dll from Apache's bin directory to c:\windows\system32.
4, sign the server certificate file server.crt
This command uses the key and the certificate request generated in the earlier steps to generate the certificate server.crt. The -days parameter specifies the certificate's validity period in days, and x509 indicates that an X.509 certificate is generated.
openssl req -x509 -days 365 -key server.key -in server.csr > server.crt
5, view the certificate details
openssl x509 -noout -text -in server.crt
SSL deployment
1, confirm that Apache has the ssl module
To configure the Apache server to support the https protocol and SSL certificates, the most basic requirement is that Apache includes the openssl module. If the apache/bin directory contains libeay32.dll, openssl.exe and ssleay32.dll, the ssl module is bundled; if it is not bundled, you need to download openssl separately yourself.
2, open the Apache configuration file conf/httpd.conf and remove the # in front of the ssl module lines
LoadModule ssl_module modules/mod_ssl.so
...
Include conf/extra/httpd-ssl.conf
3, back up httpd-ssl.conf, then modify it
Listen 443
SSLPassPhraseDialog builtin
<VirtualHost _default_:443>
    DocumentRoot "C:\Program Files\api"
    ServerName api.test.com
    ServerAlias api.test.com
    ErrorLog "C:\Program Files\api\logs\websslapi-error.log"
    TransferLog "C:\Program Files\api\logs\websslapi-access.log"
    <Directory "C:\Program Files\api">
        Options FollowSymLinks ExecCGI
        AllowOverride All
        Order allow,deny
        Allow from all
        Require all granted
    </Directory>
    SSLEngine on
    # ALL keeps LOW, EXP and RC4 suites enabled; the +X entries only reorder the list. Restrict this for production.
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "C:\phpstudy\Apache\conf\ssl\api.test.com.crt"
    SSLCertificateKeyFile "C:\phpstudy\Apache\conf\ssl\api.test.com.key"
    SSLCertificateChainFile "C:\phpstudy\Apache\conf\ssl\api.test.com_ca_bundle.crt"
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    BrowserMatch ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog "C:\Program Files\api\logs\ssl_request.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
4, test the configuration
C:\phpstudy\Apache\bin>httpd.exe -t
Syntax OK
5, dynamically load the new configuration
C:\phpstudy\Apache\bin>httpd.exe -k restart -n apache2a
6, open a browser and test
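Before relying on the browser test, it is worth checking what the SSLCipherSuite line from step 3 actually permits. The script below is an added example, not part of the original page or of phpstudy: it applies OpenSSL cipher-string syntax ("!" removes for good, "-" drops, "+" only reorders) to the page's value and to a constructed hardened value. The function names, the weak-class list and the hardened comparison values are assumptions.

```python
import re

# Heuristic only: which suites really exist depends on the OpenSSL build Apache uses.
WEAK = ("aNULL", "eNULL", "EXP", "LOW", "RC4", "MD5", "SSLv2")
ALIASES = {"EXPORT": "EXP", "NULL": "eNULL"}

def weak_classes(cipher_string):
    """Return the weak cipher classes a cipher string leaves negotiable."""
    enabled, killed = set(), set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token[0] == "+":
            continue                      # "+X" only moves suites to the end of the list
        op = token[0] if token[0] in "!-" else ""
        parts = [ALIASES.get(p, p) for p in token[len(op):].split("+")]
        single = parts[0] if len(parts) == 1 else None
        if op == "!" and single:
            killed.add(single)            # "!X" removes X for good
        elif op == "-" and single:
            enabled.discard(single)       # "-X" drops X, a later token may re-add it
        elif op == "" and single == "ALL":
            enabled.update(c for c in WEAK if c != "eNULL")   # ALL leaves out eNULL
        elif op == "":
            enabled.update(p for p in parts if p in WEAK)
    return [c for c in WEAK if c in enabled and c not in killed]

def audit_ssl_conf(text):
    """Return a list of findings for httpd-ssl.conf style text."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(SSLCipherSuite|SSLProtocol)\s+(.+)", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    findings = []
    suite = found.get("SSLCipherSuite", "")
    weak = weak_classes(suite.split()[-1]) if suite else []
    if not suite:
        findings.append("SSLCipherSuite not set")
    if weak:
        findings.append("SSLCipherSuite leaves weak classes enabled: " + ", ".join(weak))
    if "SSLProtocol" not in found:
        findings.append("SSLProtocol not set, protocol versions fall back to the server default")
    return findings

# Directives as they appear in the page's VirtualHost block.
PAGE_CONF = "SSLEngine on\nSSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\n"
# Constructed comparison values (not from the page).
HARDENED_CONF = "SSLEngine on\nSSLProtocol all -SSLv3\nSSLCipherSuite HIGH:!aNULL:!MD5\n"

if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ssl_conf(conf) or "no findings")
```

eNULL is not reported for the page's value because "+eNULL" never adds suites, while "!ADH" and "!EXPORT56" are narrower than aNULL and EXP and so do not clear those classes.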