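PositiveSSL Deployment Notes [Apache]
A while ago I bought a PositiveSSL certificate from Namecheap (it is cheap). When I deployed it on a development machine today I ran into some trouble, and after several twists and turns I finally got it deployed. The steps are recorded below.
Application
- Generate the CSR and key used to request the certificate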
[skidu@localhost ~]# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
.........................+++
.....................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # CN
State or Province Name (full name) []:Beijing # region
Locality Name (eg, city) [Default City]:Beijing # region
Organization Name (eg, company) [Default Company Ltd]: # company or organization name
Organizational Unit Name (eg, section) []: # department name; may be the same as the previous item
Common Name (eg, your name or your server's hostname) []: # the domain the certificate is for, e.g. www.skidu.me
# for a Wildcard Certificate a wildcard can be used, e.g. *.skidu.me
Email Address []: # administrator e-mail, usually in the form postmaster@domain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # management password; set as needed or leave blank
An optional company name []: #
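- After you submit the contents of server.csr on the Namecheap page, you will receive a confirmation e-mail from comodo.com; take the verification code given in that e-mail to the indicated place to complete validation.
- Next you will receive an e-mail with attachments; the attachment list looks roughly like this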
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
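Your PositiveSSL Wildcard Certificate - www_skidu_me.crt
- This completes the application steps
Deployment
- Upload the e-mail attachments to any location on the server (assume /path/to/ssl)
- Extract the CA certificates (they used to provide a certificate called PositiveCA directly, but it seems they no longer do)
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ca.crt
- Edit httpd.conf and enable loading of the following modules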
mod_socache_shmcb.so
mod_ssl.so
- Make Apache listen on port 443
Listen 443
- Configure the virtual host
<VirtualHost *:443>
    ServerName www.skidu.me
    DocumentRoot /data/skidume
    DirectoryIndex index.php index.html
    SSLEngine on
    # Strong suites only: no anonymous or MD5-based suites
    SSLCipherSuite HIGH:!aNULL:!MD5
    # Server certificate, its private key, and the CA chain built above
    SSLCertificateFile "/path/to/ssl/www_skidu_me.crt"
    SSLCertificateKeyFile "/path/to/ssl/server.key"
    SSLCertificateChainFile "/path/to/ssl/ca.crt"
    BrowserMatch MSIE \
        nokeepalive \
        ssl-unclean-shutdown \
        downgrade-1.0 \
        force-response-1.0
    <Directory /data/skidume>
        Options FollowSymLinks
        AllowOverride All
        Order deny,allow
        Allow from all
        Require all granted
        php_admin_value open_basedir /data/skidume:/data/tmp
    </Directory>
</VirtualHost>
- Restart Apache, and you are done
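
What an SSLCipherSuite value enables follows OpenSSL's rule syntax: `!` deletes suites permanently, a leading `+` only reorders suites that are already enabled, and `ALL` leaves out eNULL suites. The added example below (not from the original post) evaluates two values under those rules, the legacy string `ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` and `HIGH:!aNULL:!MD5`; the suite catalogue and its keyword tags are constructed for illustration and are an assumption, not the list of any particular OpenSSL build.

```python
# Constructed catalogue (assumption): a few OpenSSL suite names, each tagged with
# the cipher-string keywords it answers to in an old OpenSSL build.
CATALOGUE = [
    ("ECDHE-RSA-AES256-GCM-SHA384", {"HIGH", "RSA"}),
    ("AES128-SHA", {"HIGH", "RSA"}),
    ("RC4-SHA", {"MEDIUM", "RC4", "RSA"}),
    ("DES-CBC-SHA", {"LOW", "RSA"}),
    ("DES-CBC3-MD5", {"HIGH", "SSLv2", "MD5", "RSA"}),
    ("EXP-RC4-MD5", {"EXP", "EXPORT40", "RC4", "MD5", "RSA"}),
    ("EXP1024-RC4-SHA", {"EXP", "EXPORT56", "RC4", "RSA"}),
    ("ADH-AES128-SHA", {"HIGH", "ADH", "aNULL"}),
    ("NULL-SHA", {"eNULL", "RSA"}),
]
WEAK = {"LOW", "EXP", "RC4", "SSLv2", "MD5", "aNULL", "eNULL"}
LEGACY = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
HARDENED = "HIGH:!aNULL:!MD5"

def matches(name, tags, token):
    """'A+B' is a logical AND of keywords; ALL means every suite except eNULL ones."""
    return all(k == name or k in tags or (k == "ALL" and "eNULL" not in tags)
               for k in token.split("+"))

def expand(cipher_string):
    """Return the ordered list of suites a cipher string leaves enabled."""
    enabled, killed = [], set()
    for rule in filter(None, cipher_string.split(":")):
        op = rule[0] if rule[0] in "!-+" else ""
        hit = [n for n, tags in CATALOGUE if matches(n, tags, rule[len(op):])]
        kept = [n for n in enabled if n not in hit]
        if op == "!":        # delete permanently: later rules cannot re-add
            killed.update(hit)
            enabled = kept
        elif op == "-":      # delete, but a later rule may add it back
            enabled = kept
        elif op == "+":      # move already-enabled suites to the end; adds nothing
            enabled = kept + [n for n in enabled if n in hit]
        else:                # add suites that are neither enabled nor killed
            enabled += [n for n in hit if n not in enabled and n not in killed]
    return enabled

def weak_suites(cipher_string):
    """Map each enabled suite to the weak keywords it carries, if any."""
    tags = dict(CATALOGUE)
    return {n: sorted(tags[n] & WEAK) for n in expand(cipher_string) if tags[n] & WEAK}

if __name__ == "__main__":
    for label, value in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, expand(value), weak_suites(value))
```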