Enabling SSL for Apache on Solaris 10

Posted on 2007-05-13 17:47

1. Log in as root and run the following command to check whether SSL is enabled for the service:
solaris# svcprop -p httpd/ssl svc:network/http:apache2
If it reports a failure, try the following commands to enable it:
solaris# svccfg -s http:apache2 setprop httpd/ssl=true
solaris# svcadm refresh http:apache2
solaris# svcprop -p httpd/ssl svc:network/http:apache2
2. Create the certificate directory and the key directory:
solaris# mkdir /etc/apache2/ssl.crt
solaris# mkdir /etc/apache2/ssl.key
3. Create an RSA key:
solaris# /usr/sfw/bin/openssl genrsa -des3 1024 > /etc/apache2/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
..........................++++++
.........++++++
e is 65537 (0x10001)
Enter pass phrase: ********
Verifying - Enter pass phrase: ********
4. Create a certificate signing request:
solaris# /usr/sfw/bin/openssl req -new -key /etc/apache2/ssl.key/server.key > \
> /etc/apache2/ssl.crt/server.csr
Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:OR
Locality Name (eg, city) []:Blodgett
Organization Name (eg, company) [Unconfigured OpenSSL Installation]:DIS
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Big Cheese
Email Address []:test@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ********
An optional company name []: Live Free or Die
5. Install a personal (self-signed) certificate:
solaris# /usr/sfw/bin/openssl req -x509 -days 3650 -key \
> /etc/apache2/ssl.key/server.key \
> -in /etc/apache2/ssl.crt/server.csr > \
> /etc/apache2/ssl.crt/server.crt
Enter pass phrase for /etc/apache2/ssl.key/server.key: ********
6. Edit ssl.conf to enable the certificate.
solaris# cd /etc/apache2
solaris# ls -l
total 334
-rw-r--r-- 1 root bin 1987   Jan 6    21:10     highperformancestd.conf
-rw-r--r-- 1 root bin 1987   Jan 6    21:10     highperformance.conf
-rw-r--r-- 1 root bin 37519  Jan 6    21:10     httpd-std.conf
-rw-r--r-- 1 root root 37660 Jan 18   21:49     httpd.conf
-rw-r--r-- 1 root bin 37661  Jul 20   2005      httpd.conf-example
-rw-r--r-- 1 root bin 12959  Jan 6    21:10     magic
-rw-r--r-- 1 root bin 15020  Jan 6    21:10     mime.types
-rw-r--r-- 1 root bin 10759  Jan 6    21:10     ssl-std.conf
-rw-r--r-- 1 root bin 10996  Jan 6    21:10     ssl.conf
drwxr-xr-x 2 root root 512   Jan 19   03:24     ssl.crt
drwxr-xr-x 2 root root 512   Jan 19   02:52     ssl.key
Edit the line beginning with "ServerAdmin" in ssl.conf and set an email address or alias for the server administrator.
7. Test Apache with SSL:
• If the Apache service is already enabled, disable it:
solaris# svcs | grep -i apache2
online 3:29:01 svc:/network/http:apache2
solaris# svcadm disable apache2
• Start Apache with SSL:
solaris# /usr/apache2/bin/apachectl startssl
Apache/2.0.52 mod_ssl/2.0.52 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server 127.0.0.1:443 (RSA)
Enter pass phrase: ********
Ok: Pass Phrase Dialog successful.
If the error 'vhost.c:232 assertion "rv == APR_SUCCESS" failed on startssl' appears during the test, your server cannot resolve host names through DNS. Edit /etc/nsswitch.conf and add dns to the line beginning with hosts, that is, hosts: files dns. After the change, restart the Apache service and continue testing.
solaris# ps -ef | grep httpd
root 1392 575 0 03:45:16 ? 0:01 /usr/apache2/bin/httpd -k start -DSSL
root 1400 1116 0 03:45:51 pts/3 0:00 grep httpd
webservd 1393 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1397 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1396 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1395 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
webservd 1394 1392 0 03:45:18 ? 0:00 /usr/apache2/bin/httpd -k start -DSSL
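8. Make Apache with SSL start automatically as a service (the pass phrase is removed from the key so that startup does not prompt for it):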
solaris# cd /etc/apache2/ssl.key
solaris# cp server.key server.key.org
solaris# /usr/sfw/bin/openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org: ********
writing RSA key
solaris# chmod 400 server.key
solaris# svcadm enable apache2
solaris# svcs | grep -i apache2
online 4:29:01 svc:/network/http:apache2
Apache 2 on Solaris 10
1. Log in as root and create the httpd.conf file:
solaris# cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
2. Edit /etc/apache2/httpd.conf:
    • Set ServerName if necessary (default is 127.0.0.1)
    • Set ServerAdmin to a valid email address
3. Enable the Apache service:
solaris# svcadm enable apache2



This article comes from a ChinaUnix blog; to view the original, see: http://blog.chinaunix.net/u1/36549/showart_300201.html
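An added check for the end state of steps 3 and 8 (not part of the original post): after step 8 server.key is no longer pass-phrase protected, so its file mode is its only protection, while server.key.org keeps whatever mode cp gave it. The function names are illustrative; pass the key directory as the first argument.

```shell
#!/bin/sh
# Added example: audit a key directory such as /etc/apache2/ssl.key.
# Function names are illustrative, not from the original post.

# True if the PEM file is pass-phrase protected. Keys written by
# "openssl genrsa -des3" carry a "Proc-Type: 4,ENCRYPTED" header;
# PKCS#8 files use "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep 'Proc-Type: 4,ENCRYPTED' "$1" >/dev/null 2>&1 ||
        grep 'BEGIN ENCRYPTED PRIVATE KEY' "$1" >/dev/null 2>&1
}

# True if group or other holds any permission bit
# (columns 5-10 of the "ls -l" mode string).
exposed_to_others() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Print one finding per regular file in the directory; always returns 0.
audit_key_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if key_is_encrypted "$f"; then
            if exposed_to_others "$f"; then
                echo "WARN $f: readable beyond owner, protected only by its pass phrase"
            else
                echo "OK   $f: encrypted, owner-only"
            fi
        elif exposed_to_others "$f"; then
            echo "FAIL $f: unencrypted key exposed to group/other"
        else
            echo "OK   $f: unencrypted, owner-only"
        fi
    done
    return 0
}

# Audit the directory given on the command line, if any.
if [ $# -gt 0 ]; then
    audit_key_dir "$1"
fi
```

A FAIL line for server.key means the chmod 400 in step 8 has not taken effect; a WARN line for server.key.org means the backup copy is still readable by other accounts.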