Building an Apache+SSL+PHP+PostgreSQL Environment on RHEL5 in Detail (Part 1)
2008-12-20 13:51
To compile and install from the command line on Linux, make sure the development tool packages are installed on the system.
If they were not installed along with Linux, see http://blog.csdn.net/kunshan_shenbin/archive/2008/12/20/3564157.aspx.
The installation steps are as follows:
1. Install openssl. Download: http://www.openssl.org/source/ or ftp://ftp.openssl.org/source/
The latest version, openssl-0.9.8i.tar.gz, is used here.
# tar -zxvf openssl-0.9.8i.tar.gz
# cd openssl-0.9.8i
# ./config --prefix=/usr/local/openssl #set the install path
# make
# make install
2. Install apache. Download: http://httpd.apache.org/download.cgi
The latest version, httpd-2.2.11.tar.gz, is used here.
# tar -zxvf httpd-2.2.11.tar.gz
# cd httpd-2.2.11
# ./configure --enable-so --enable-ssl --with-ssl=/usr/local/openssl --enable-rewrite
# make
# make install
3. Create the certificates SSL needs (all files are generated under /usr/local/apache2/conf)
A. Create the key file
# cd /usr/local/apache2/conf/
# /usr/local/openssl/bin/openssl genrsa -des3 -out server.key 1024
You are now prompted for a pass phrase, as below (any pass phrase will do, for example kunshan_shenbin):
Generating RSA private key, 1024 bit long modulus
......................................................++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: kunshan_shenbin
Verifying - Enter pass phrase for server.key: kunshan_shenbin
After this completes there should be a server.key file in the current directory.
B. Inspect the key file just created (optional):
# /usr/local/openssl/bin/openssl rsa -noout -text -in server.key
C. Create the pem file, a copy of the key with the pass phrase removed (optional):
# /usr/local/openssl/bin/openssl rsa -in server.key -out server.key.unsecure
D. Create the csr file:
# /usr/local/openssl/bin/openssl req -new -key server.key -out server.csr
This asks for quite a lot of information; for convenience I simply pressed Enter at every prompt, as follows:
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
After this completes there should be a server.csr file in the current directory.
E. Create the crt file:
# /usr/local/openssl/bin/openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
After this completes there should be a server.crt file in the current directory.
4. Modify apache's SSL configuration files
A. Modify httpd.conf
Find the following line in the file and remove the comment mark:
#Include conf/extra/httpd-ssl.conf
B. Modify httpd-ssl.conf
Edit the SSL configuration file in the extra directory.
Find the SSLCertificateFile and SSLCertificateKeyFile settings and change their file paths to the directory where the files were created above.
(Note: with the certificates generated in the location used above, these are already the default paths in httpd-ssl.conf, so no change is needed.)
At this point you can start Apache with /usr/local/apache2/bin/apachectl start and open https://localhost to reach your https site.
At this point, however, every user can access your https site. If you want only authenticated users to be able to access it, continue with the configuration below!
5. Create the certificates needed to authenticate clients
A. Create the client key file:
# /usr/local/openssl/bin/openssl genrsa -des3 -out client.key 1024
B. Create the client crt certificate file:
# /usr/local/openssl/bin/openssl req -new -x509 -days 3650 -key client.key -out client.crt
This asks for quite a lot of information; for convenience I simply pressed Enter at every prompt, as follows:
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
C. Create the csr file for the accessing user:
# /usr/local/openssl/bin/openssl req -new -out pony.csr
This asks for quite a lot of information; for convenience I simply pressed Enter at every prompt, as follows:
Generating a 1024 bit RSA private key
....++++++
......................................................++++++
writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
D. Create the crt certificate file for the accessing user:
# /usr/local/openssl/bin/openssl x509 -req -in pony.csr -out pony.crt -signkey client.key -CA client.crt -CAkey client.key -CAcreateserial -days 3650
E. Export it as a pfx certificate (IE can only import pfx certificates):
# /usr/local/openssl/bin/openssl pkcs12 -export -in pony.crt -inkey client.key -out pony.pfx
Import this pfx certificate into IE on your test machine.
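The step 3 and step 5 certificate work can also be done without the interactive prompts, and checked before anything is referenced from httpd-ssl.conf. The script below is an added example, not part of the original post: it keeps the post's file names (client.key/client.crt as the issuing CA, pony.* for the end user) but gives the user a key of its own instead of reusing client.key, signs with -CA/-CAkey only, and then verifies the chain and the key/certificate match the way mod_ssl will. It assumes OpenSSL 1.1.1 or newer on the PATH; the DNs, pass phrases and the small openssl.cnf it writes are constructed test values, and it uses 2048-bit keys with SHA-256 where the post uses 1024-bit keys.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the step-3/step-5 client
# certificate chain non-interactively and verifies it before it is referenced
# from httpd-ssl.conf. Assumes OpenSSL 1.1.1 or newer on PATH. client.key /
# client.crt act as the issuing CA as in the post; pony.* is the end-user
# certificate. DNs, pass phrases and the config file are constructed values.
set -eu

CA_PASS="constructed-ca-passphrase"      # protects client.key at rest
PFX_PASS="constructed-export-password"   # protects pony.pfx in transit

# Minimal OpenSSL config (constructed) so the CA/leaf extensions do not depend
# on whatever openssl.cnf the build host happens to have.
write_openssl_cnf() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
default_md = sha256
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
}

# Pass-phrase-protected CA key and self-signed CA certificate (post step 5 A/B).
make_client_ca() {
    dir=$1
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$dir/openssl.cnf" \
        -key "$dir/client.key" -passin "pass:$CA_PASS" \
        -subj "/C=CN/O=Example Org/CN=Example Client CA" -out "$dir/client.crt"
}

# End-user key, CSR, CA-issued certificate and .pfx bundle (post step 5 C-E).
# Only -CA/-CAkey are used (no -signkey), so the certificate keeps the user's
# own public key and names the CA as issuer; the CA key never enters the .pfx.
issue_client_cert() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
        -subj "/C=CN/O=Example Org/CN=$cn" -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/client.crt" -CAkey "$dir/client.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 3650 \
        -extfile "$dir/openssl.cnf" -extensions client_cert -out "$dir/$name.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/$name.crt" -inkey "$dir/$name.key" \
        -certfile "$dir/client.crt" -passout "pass:$PFX_PASS" -out "$dir/$name.pfx"
}

# Issuer / subject of a certificate in a comparable form.
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# What mod_ssl will check at handshake time once SSLVerifyClient require is on:
# the user cert chains to SSLCACertificateFile and is issued by it; plus the
# bundle is consistent (key matches cert, .pfx opens with the export password).
check_client_cert() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/client.crt" "$dir/$name.crt" >/dev/null || return 1
    [ "$(cert_issuer "$dir/$name.crt")" = "$(cert_subject "$dir/client.crt")" ] || return 1
    [ "$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/$name.key" -pubout)" ] || return 1
    openssl pkcs12 -in "$dir/$name.pfx" -passin "pass:$PFX_PASS" -noout
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
if command -v openssl >/dev/null 2>&1; then
    write_openssl_cnf "$WORK"
    make_client_ca "$WORK"
    issue_client_cert "$WORK" pony "pony"
    if check_client_cert "$WORK" pony; then
        echo "pony.pfx ready for import: chain, issuer and key verified"
    else
        echo "client certificate failed verification"; exit 1
    fi
else
    echo "openssl not found; nothing generated"
fi
```

The files land in a temporary directory that is removed on exit; copy the functions into your own script and point dir at /usr/local/apache2/conf to reproduce the post's layout. "openssl verify -CAfile client.crt pony.crt" is the same check mod_ssl performs against SSLCACertificateFile, so a failure here is far easier to diagnose than a handshake error in the browser after the restart.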
F. Modify the SSL configuration file:
In httpd-ssl.conf, find the SSLCACertificateFile setting and change its file path to client.crt.
Remove the comment marks from the following two lines:
SSLVerifyClient require
SSLVerifyDepth 10
Restart apache. The next time you access apache, IE pops up a window asking you to choose a certificate.
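The edits of steps 4 and 5F to httpd.conf and httpd-ssl.conf can be scripted and checked before Apache is restarted. The script below is an added example, not from the original post: the httpd.conf and httpd-ssl.conf fragments are constructed from the directives named above (following the httpd 2.2 defaults), $ROOT stands in for /usr/local/apache2, and the certificate files are empty placeholders for what steps 3 and 5 create.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the step-4 and step-5F
# edits to httpd.conf and httpd-ssl.conf with sed and checks the result before
# Apache is restarted. The config fragments are constructed from the directives
# the post names (following the httpd 2.2 defaults); $ROOT stands in for
# /usr/local/apache2 and the certificate files are empty placeholders for the
# files steps 3 and 5 create.
set -eu

# Rewrite a file in place with a sed script (portable across GNU/BSD sed).
edit_in_place() { sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"; }

# Step 4A: uncomment the Include of the SSL configuration.
enable_ssl_include() {
    edit_in_place 's|^#\(Include conf/extra/httpd-ssl.conf\)|\1|' "$1"
}

# Step 5F: point SSLCACertificateFile at the client CA and turn verification on.
# SSLCACertificateFile alone only tells mod_ssl which CA to trust; without
# SSLVerifyClient require the site stays open to everyone, as after step 4.
enable_client_auth() {
    conf=$1; ca=$2   # $ca must not contain '|' or '&' (used verbatim in sed)
    edit_in_place 's|^#\{0,1\}SSLCACertificateFile .*|SSLCACertificateFile "'"$ca"'"|' "$conf"
    edit_in_place 's|^#\(SSLVerifyClient require\)|\1|' "$conf"
    edit_in_place 's|^#\(SSLVerifyDepth[[:space:]]\)|\1|' "$conf"
}

# Value of an active (uncommented) directive, quotes stripped; empty if absent.
directive() {
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Every file the SSL config refers to must exist and be readable, otherwise
# apachectl start fails after the edit. Returns 1 on the first problem found.
check_ssl_conf() {
    conf=$1
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        [ -n "$(directive "$conf" "$d")" ] || { echo "missing directive: $d"; return 1; }
    done
    for d in SSLCertificateFile SSLCertificateKeyFile SSLCACertificateFile; do
        f=$(directive "$conf" "$d")
        [ -z "$f" ] || [ -r "$f" ] || { echo "$d: cannot read $f"; return 1; }
    done
    return 0
}

# True only when client certificates are actually demanded.
client_auth_enforced() {
    [ -n "$(directive "$1" SSLCACertificateFile)" ] || return 1
    [ "$(directive "$1" SSLVerifyClient)" = "require" ] || return 1
    return 0
}

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/conf/extra"
for f in server.crt server.key client.crt; do : > "$ROOT/conf/$f"; done  # placeholders
cat > "$ROOT/conf/httpd.conf" <<EOF
ServerRoot "$ROOT"
#Include conf/extra/httpd-ssl.conf
EOF
SSLCONF="$ROOT/conf/extra/httpd-ssl.conf"
cat > "$SSLCONF" <<EOF
SSLCertificateFile "$ROOT/conf/server.crt"
SSLCertificateKeyFile "$ROOT/conf/server.key"
#SSLCACertificateFile "$ROOT/conf/ssl.crt/ca-bundle.crt"
#SSLVerifyClient require
#SSLVerifyDepth  10
EOF

enable_ssl_include "$ROOT/conf/httpd.conf"
check_ssl_conf "$SSLCONF"                                    # step-4 state
client_auth_enforced "$SSLCONF" || echo "after step 4: any client is accepted"
enable_client_auth "$SSLCONF" "$ROOT/conf/client.crt"
check_ssl_conf "$SSLCONF" && client_auth_enforced "$SSLCONF" &&
    echo "client auth configured; run apachectl configtest, then restart"
```

check_ssl_conf and client_auth_enforced are the two things worth running on the real /usr/local/apache2/conf before the restart: the first catches a typo in a path (httpd refuses to start, and with an SSL-only vhost that is the whole site), the second catches the case where SSLCACertificateFile was set but the two SSLVerify* lines are still commented out, which leaves the site open to every client exactly as described after step 4. Finish with /usr/local/apache2/bin/apachectl configtest.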
For the above, see also: http://www.blogjava.net/jjwwhmm/archive/2008/04/25/195964.html