apache 配置 ssl

zhltom

开始安装Apache：
tar –zxf httpd-2.0.53.tar.gz

cd httpd-2.0.53

./configure --prefix=”/usr/local/apache2” --enable-so --enable-ssl --with-ssl=”/usr/local/ssl/bin”

make

make install

这样ssl模块就被编译到httpd里去了。

--with-ssl=”/usr/local/ssl/bin”可以不用

如果想编译成单独的模块，就要用
配置：
在httpd.conf里启用Include conf/extra/httpd-ssl.conf

在httpd-ssl.conf里设置如下：
server 证书
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile "/usr/local/apache2/conf/ssl/server/server.csr"
#SSLCertificateFile "/usr/local/apache2/conf/server-dsa.crt"

server 私证书
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile "/usr/local/apache2/conf/ssl/server/server-cert.pem"
#SSLCertificateKeyFile "/usr/local/apache2/conf/server-dsa.key"

server 证书链
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile "/usr/local/apache2/conf/ssl/ca.pem"

信任的根证书，只能设置一个SSLCACertificateFile
可以在文件中将多个文件的内容拼起来，但要注意格式，一个空格都不能多。

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
SSLCACertificatePath "/usr/local/apache2/conf/ssl/ca/"
#SSLCACertificateFile "/usr/local/apache2/conf/ssl/ca/cacert.pem"
#SSLCACertificateFile "/usr/local/apache2/conf/ssl/ca/unimas_ca.pem"
SSLCACertificateFile "/usr/local/apache2/conf/ssl/ca/cacert.pem"


# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath "/usr/local/apache2/conf/ssl.crl"
#SSLCARevocationFile "/usr/local/apache2/conf/ssl.crl/ca-bundle.crl"

客户端的验证方式
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
SSLVerifyClient require
SSLVerifyDepth 3