Usually, a server that wants to offer HTTPS needs an X.509 certificate issued by a formal CA organization. When a client connects to the HTTPS server, it checks the correctness of the certificate using the CA's public key. But obtaining a certificate from a CA is troublesome and costs money, so small organizations often use self-signed certificates: that is, they make their own CA and sign their own server certificates with it.
There are two main steps in this process. The first is to generate your own CA certificate; the second is to generate and sign a certificate for each server. I use OpenSSL to generate the self-signed certificates.
The first step is to make the CA certificate:
openssl genrsa -des3 -out my-ca.key 2048
openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
This generates the files my-ca.key and my-ca.crt. The former holds the private key needed to sign with my-ca.crt and must be kept safe; the latter can be made public. The -days 3650 option above gives the CA certificate a validity period of 10 years.
Use the command
openssl x509 -in my-ca.crt -text -noout
to view the contents of the my-ca.crt file.
With the CA certificate in place, you can generate certificates for your own servers:
openssl genrsa -des3 -out mars-server.key 1024
openssl req -new -key mars-server.key -out mars-server.csr
openssl x509 -req -in mars-server.csr -out mars-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650
The first two commands generate the key and the CSR file, and the last command uses my-ca.crt to issue an X.509 certificate for mars-server.csr, signed with my-ca.key.
Note that when running the second command, the Common Name option should be the domain name of the server; otherwise users will get an extra warning prompt every time they access the site over HTTPS.
Use the command
openssl x509 -in mars-server.crt -text -noout
to view the contents of the mars-server.crt file.
2. Configure the Apache server
First, create the /etc/apache2/ssl directory and copy the my-ca.crt, mars-server.key and mars-server.crt files just made into it.
Then run the command
a2enmod ssl
to enable Apache's SSL module, and add a virtual host under /etc/apache2/sites-enabled/. This is similar to adding an ordinary virtual host, except that the host's port should be 443. The configuration is as follows:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName localhost
    DocumentRoot /var/www
    SSLEngine On
    SSLCipherSuite HIGH:MEDIUM
    SSLProtocol all -SSLv2
    SSLCertificateFile /etc/apache2/ssl/mars-server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mars-server.key
    SSLCACertificateFile /etc/apache2/ssl/my-ca.crt
    <Directory /var/www>
        Order deny,allow
        Allow from localhost
    </Directory>
</VirtualHost>
<VirtualHost *:80>
    ServerName localhost
    DocumentRoot /var/www
    <Directory /var/www>
        Order deny,allow
        Allow from localhost
    </Directory>
</VirtualHost>
The above configuration ensures that users see the same content whether they access port 443 or port 80; only the protocol differs. After modifying the configuration, restart the Apache server. At this point you will be asked for the passphrase of mars-server.key. Then open the following address in a browser:
https://localhost/
You should see a dialog asking whether you trust this site's certificate. After choosing to trust it, you can view the contents of the website.
Since most Apache servers are started automatically at boot, you can generate an unencrypted copy of mars-server.key with the following command so that no passphrase is needed when Apache starts:
openssl rsa -in mars-server.key -out mars-server.key.unsecured
Then replace the original key file with the newly generated mars-server.key.unsecured.
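As an added example that is not part of the original post, the following POSIX shell script runs the CA and server-certificate steps above non-interactively and then performs the checks worth doing before copying the files into /etc/apache2/ssl: that the server certificate chains to my-ca.crt, that its Common Name is the host name clients will use, and that the key file actually belongs to the certificate. It assumes openssl is installed; WORKDIR, CA_PASS and the host names are constructed for the demo, and it uses 2048-bit keys and SHA-256 instead of the post's 1024-bit key and SHA-1.

```shell
#!/bin/sh
# Added example, not from the original post: the CA and server-certificate steps
# above run without prompts, plus the checks to do before installing the files.
# Assumes openssl is installed. WORKDIR, CA_PASS and host names are demo values.
set -eu

WORKDIR="${WORKDIR:-./pki-demo}"
CA_PASS="${CA_PASS:-demo-ca-passphrase}"   # constructed demo value, not for real use

# Equivalent of the post's two CA commands; -passout/-passin and -subj replace the prompts.
make_ca() {
    mkdir -p "$WORKDIR"
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORKDIR/my-ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$WORKDIR/my-ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=Demo Private CA" -out "$WORKDIR/my-ca.crt"
}

# Key, CSR and CA-signed certificate for host $1. The CN must be the name clients
# connect to, which is the point of the post's note about the Common Name prompt.
make_server_cert() {
    host="$1"
    openssl genrsa -out "$WORKDIR/$host.key" 2048 2>/dev/null   # unencrypted, like .key.unsecured
    openssl req -new -key "$WORKDIR/$host.key" -subj "/CN=$host" -out "$WORKDIR/$host.csr"
    openssl x509 -req -in "$WORKDIR/$host.csr" -CA "$WORKDIR/my-ca.crt" -CAkey "$WORKDIR/my-ca.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -days 3650 -sha256 -out "$WORKDIR/$host.crt" 2>/dev/null
}

# check_server_cert CERT KEY EXPECTED_CN
# Returns 0 if CERT chains to my-ca.crt, its CN equals EXPECTED_CN and KEY is the
# matching private key; 1, 2 or 3 tells you which of the three checks failed.
check_server_cert() {
    cert="$1"; key="$2"; expected="$3"
    openssl verify -CAfile "$WORKDIR/my-ca.crt" "$cert" >/dev/null 2>&1 || return 1
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$expected" ] || return 2
    # Compare the public key inside the certificate with the one derived from the key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 3
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    make_ca
    make_server_cert mars.example.test
    check_server_cert "$WORKDIR/mars.example.test.crt" "$WORKDIR/mars.example.test.key" mars.example.test \
        && echo "mars.example.test: chain, Common Name and key all check out"
fi
```

Run it with RUN_DEMO=1 to produce the files under ./pki-demo; a non-zero return from check_server_cert says exactly which of the three checks failed.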