q2009a06z22 发表于 2018-11-18 08:58:12

apache之https域名证书配置

  一.环境:
系统版本是CentOS release 6.8 (Final) x86_64位最小化安装
服务器内核版本:
# uname -a
Linux localhost.localdomain 2.6.32-642.15.1.el6.x86_64 #1 SMP Fri Feb 24 14:31:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  apache 是采用yum 安装
yum install httpd -y
apache 版本如下:
# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   Jan 12 2017 17:09:39
  二.apache默认的ssl.conf配置文件参数如下:
2.1并配置单个域名证书:
# cat /etc/httpd/conf.d/ssl.conf |egrep -v "^#|^$"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialogbuiltin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/pki/tls/certs/2_www.onecity.com.cn.crt
SSLCertificateKeyFile /etc/pki/tls/private/3_www.onecity.com.cn.key
SSLCertificateChainFile /etc/pki/tls/certs/1_root_bundle.crt

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars

SetEnvIf User-Agent ".MSIE." \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

以上测试可以https正常访问。
  沃通https域名证书申请参考文档:
https://bbs.wosign.com/forum.php?mod=viewthread&tid=2998&extra=page%3D1
同时腾讯云上可以申请免费的https证书使用一年。
  2.2申请多个域名共用一个https证书并在apache ssl.conf配置文件配置:
  n.dksj.com o.cpxc.com n.pubbf.comn.wikith.com 四个域名申请共用一个证书:
c.bc12yc.com.crt c.bc12yc.com.key root_bundle.crt
配置多域名共用一个证书配置文件如下:
# cat /etc/httpd/conf.d/ssl.conf.2017-12-09 |egrep -v "^#|^$"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialogbuiltin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

DocumentRoot "/data/code"
ServerName n.dksj.com:443
ServerName o.cpxc.com:443
ServerName n.pubbf.com:443
ServerName n.wikith.com:443
ErrorLog logs/ssl_error_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2-SSLv3
SSLCipherSuite AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
SSLCertificateFile /etc/pki/tls/certs/c.bc12yc.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/c.bc12yc.com.key
SSLCertificateChainFile /etc/pki/tls/certs/root_bundle.crt

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars

SetEnvIf User-Agent ".MSIE." \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

  以上配置文件经测试可以使用



页: [1]
查看完整版本: apache之https域名证书配置