Thursday, 18 December 2008

Create SSL Cert in Fedora Core 6

The following are the steps for creating a security certificate to enable HTTPS on Fedora Core 6.

1. Open up a command line window and promote yourself to root using su - and type the following:

openssl genrsa -out sslkey.key 2048

This will create a 2048-bit RSA private key. A 1024 bit key is probably plenty, but why not have a little fun and make a ridiculously high level encryption key? “sslkey.key” is the filename, and you can use whatever you want here.

2. Create a self-signed certificate from that key file that Apache will use to create our https session.

openssl req -new -key sslkey.key -x509 -out sslcert.crt

Again, “sslcert.crt” can be whatever you want. Another good name for these would be yourdomainname.crt

3. Do a little directory organization. You’re going to want to place these two files in a place that makes sense:

mkdir /etc/httpd/conf/ssl.crt

mkdir /etc/httpd/conf/ssl.key

mv sslkey.key /etc/httpd/conf/ssl.key

mv sslcert.crt /etc/httpd/conf/ssl.crt

Now, I moved on to the second part of this process, which is configuring Apache to use our certificate:

4. Back up httpd.conf and open it for editing in an editor of your choice:

cd /etc/httpd/conf

cp httpd.conf httpd.bak

vi httpd.conf

5. Tab to the bottom of the configuration file. Somewhere towards the bottom you’ll see a section about creating Virtualhosts. This is what we need to do for SSL to work correctly. I added the following, changing everything in caps to the settings for my server:

# Container for the HTTPS virtual host (the address _default_:443 is an assumption; the post does not give one)
<VirtualHost _default_:443>
DocumentRoot /var/www/html
ServerName DOMAINNAME
ServerAdmin MYEMAILADDRESS
ErrorLog /var/log/error_log
TransferLog /var/log/access_log
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/sslcert.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/sslkey.key
# SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
# Export the SSL_* environment variables to scripts
SSLOptions +StdEnvVars
# Disable keep-alive and tolerate unclean SSL shutdown for MSIE clients
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Per-request log of the negotiated protocol and cipher
CustomLog /var/log/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

I commented out the SSLCACertificateFile line as this is really only needed if you have multiple certificate files. It is just a file that would be used to point your clients to all the certificate files that you have. Purely optional in this case.

I then issued a “service httpd restart” command to restart Apache. By default mod_ssl should be set up on Fedora Core 6. One way to check is to make sure you have an ssl.conf file in /etc/httpd/conf.d and to look for the line that makes Apache use the module:

cat /etc/httpd/conf.d/ssl.conf | grep mod_ssl.so

This should return:

LoadModule ssl_module modules/mod_ssl.so

Then you’re all set. Test this out by going to your new SSL website: https://yourdomainname
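
Before restarting Apache it is worth confirming that the files named in SSLCertificateFile and SSLCertificateKeyFile belong together, and that the private key, which the genrsa command above writes without a passphrase, is accessible only to its owner. The script below is an added example, not part of the original post; the function names, the -subj/-days options and the example.invalid CN used for the throwaway test pair are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow steps 1-3 above.

# True when the certificate carries the public half of the given private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the key is a regular file with no group/other permission bits.
key_mode_ok() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints the RSA modulus size in bits (2048 for the key from step 1).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Runs both checks and prints one verdict line; non-zero status on failure.
check_pair() {
    cert_matches_key "$1" "$2" ||
        { echo "MISMATCH: $1 does not belong to $2"; return 1; }
    key_mode_ok "$2" ||
        { echo "PERMS: $2 is accessible to group/others, chmod 600 it"; return 1; }
    echo "OK: $(key_bits "$2")-bit key matches $1 and is owner-only"
}

# Constructed sample: throwaway key and self-signed cert, same commands as
# steps 1-2 plus -subj/-days so nothing is prompted (CN is a placeholder).
make_sample_pair() {
    openssl genrsa -out "$1/sslkey.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/sslkey.key" -x509 -days 30 \
        -subj "/CN=example.invalid" -out "$1/sslcert.crt" 2>/dev/null
}

if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"        # e.g. the two paths from step 5
else
    d=$(mktemp -d) && make_sample_pair "$d"
    chmod 644 "$d/sslkey.key"; check_pair "$d/sslcert.crt" "$d/sslkey.key" || true
    chmod 600 "$d/sslkey.key"; check_pair "$d/sslcert.crt" "$d/sslkey.key"
    rm -rf "$d"
fi
```

Run with no arguments it exercises the checks on a throwaway pair; run as root with the certificate path and key path from step 5 it checks the real files.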
