1. Generate the server key

  • Command

    openssl genrsa -des3 -out server.key 2048
  • Apache can load a passphrase-protected key, but it then has to ask for the passphrase at every start (see SSLPassPhraseDialog), which breaks unattended restarts, so the passphrase is removed here. The resulting server.key is stored in plaintext: keep it readable only by the account Apache runs as.

    openssl rsa -in server.key -out server.key

2. Generate the CA certificate (ca.crt)

  • Command

    openssl req -new -x509 -key server.key -out ca.crt -days 30

    Note: -days 30 means the CA certificate is valid for 30 days. This command self-signs ca.crt with server.key, so one key serves as both the CA key and the server key. That is enough for a local test, but once ca.crt is imported into the browser in step 6, anyone holding server.key can issue certificates for any name that the browser will trust. For anything beyond a local test, generate a separate ca.key and use it here and in step 4.

  • Then answer the prompts according to your situation:

    Country Name (2 letter code) [AU]: CN
    State or Province Name (full name) [Some-State]:Guang Dong
    Locality Name (eg, city) []:Guang Zhou
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: X H
    Organizational Unit Name (eg, section) []:xh
    Common Name (e.g. server FQDN or YOUR name) []:xxx
    Email Address []:xxx@xxx.com

3. Generate the CSR

  • Command

    openssl req -new -key server.key -out server.csr
  • Again answer the prompts according to your situation. The Common Name should be the server's domain name, but note that current browsers match the hostname against the subjectAltName extension added in step 4 and ignore the CN, so a matching CN on its own does not prevent the browser warning. A wildcard such as *.ws.com covers exactly one label: my.ws.com matches, ws.com and a.b.ws.com do not. The challenge password is an optional CSR attribute that nothing in this setup uses; it can be left empty.

    Country Name (2 letter code) [AU]: CN
    State or Province Name (full name) [Some-State]:Guang Dong
    Locality Name (eg, city) []:Guang Zhou
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:X H
    Organizational Unit Name (eg, section) []:xh
    Common Name (e.g. server FQDN or YOUR name) []: *.ws.com
    Email Address []:xxx@xxx.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []:xh

4. Sign the CSR with the CA to produce the server certificate (server.crt)

  • The extension file below is required on every operating system, not only on Windows: it is what adds the subjectAltName, and current browsers validate the hostname against subjectAltName only, so a certificate signed without it is rejected even when the CN matches.
    In the directory where you run the command, create a file named extFile with this content:

     authorityKeyIdentifier=keyid,issuer
     basicConstraints=CA:FALSE
     keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
     subjectAltName = @alt_names
     [alt_names]
     DNS.1 = *.ws.com

    Change *.ws.com to your own domain (add DNS.2 = ... lines for further names), then generate the certificate:

    openssl x509 -req -days 1  -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -extfile extFile -out server.crt

    -CAkey names the key that self-signed ca.crt in step 2 (pass ca.key instead if you created a separate CA key). -days 1 makes server.crt expire after one day; raise it to the lifetime you actually want. The same command without -extfile

     openssl x509 -req -days 1  -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt

    produces a certificate with no subjectAltName; it is shown only for contrast and should not be used on Linux or anywhere else.
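Steps 1 to 4 as one runnable script, added here as an example and not taken from the original post. It keeps the post's DN values but makes two changes a practitioner would make: the CA gets its own key (ca.key) instead of reusing server.key, and the server certificate always carries a subjectAltName plus extendedKeyUsage=serverAuth. It assumes a POSIX sh and an openssl binary (1.1.1 or later); the output directory, hostname and validity are parameters, and the CA name "Local test CA" is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): key -> CA -> CSR -> signed cert
# flow of steps 1-4, with a separate CA key and a SAN on the server cert.
# Assumes: POSIX sh, openssl >= 1.1.1. DN values are the post's sample values.
set -eu

# make_certs OUTDIR NAME DAYS: writes ca.key, ca.crt, server.key, server.csr and
# server.crt into OUTDIR. NAME is the hostname (wildcard allowed), DAYS the validity.
make_certs() {
  dir=$1 name=$2 days=$3
  mkdir -p "$dir"

  # Steps 1/2, but with its own key: a self-signed CA with CA:TRUE and a subject
  # key identifier (needed so authorityKeyIdentifier=keyid on the leaf works).
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  cat >"$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
C = CN
O = X H
CN = Local test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -new -x509 -key "$dir/ca.key" -config "$dir/ca.cnf" \
    -days "$days" -out "$dir/ca.crt"

  # Steps 1/3: server key without a passphrase (Apache starts unattended) and CSR.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  cat >"$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = CN
ST = Guang Dong
L = Guang Zhou
O = X H
OU = xh
CN = $name
EOF
  openssl req -new -key "$dir/server.key" -config "$dir/server.cnf" \
    -out "$dir/server.csr"

  # Step 4: extension file. Browsers match the hostname against subjectAltName,
  # so it is required; CA:FALSE stops the leaf from being used to sign others.
  cat >"$dir/server.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$name
EOF
  openssl x509 -req -days "$days" -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt"
}

# san_of OUTDIR: prints the subjectAltName of server.crt, e.g. "DNS:*.ws.com".
san_of() {
  openssl x509 -in "$1/server.crt" -noout -text |
    sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# check_certs OUTDIR NAME: 0 if server.crt chains to ca.crt, carries DNS:NAME in
# its SAN, and matches server.key (the checks Apache and the browser will make).
check_certs() {
  dir=$1 name=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null || return 1
  [ "$(san_of "$dir")" = "DNS:$name" ] || return 1
  pub_key=$(openssl rsa -in "$dir/server.key" -pubout 2>/dev/null | openssl dgst -sha256)
  pub_crt=$(openssl x509 -in "$dir/server.crt" -pubkey -noout | openssl dgst -sha256)
  [ "$pub_key" = "$pub_crt" ]
}

# Usage: sh make_certs.sh OUTDIR '*.ws.com' 365
if [ "$#" -eq 3 ]; then
  make_certs "$1" "$2" "$3"
  check_certs "$1" "$2" || { echo "certificate check failed" >&2; exit 1; }
  echo "OK: $1/server.crt issued for $(san_of "$1"), valid $3 days"
fi
```

check_certs is the test to run before touching the Apache config: a chain that openssl verify rejects, a SAN that does not name the vhost, or a key that does not match the certificate each produce a browser error that looks the same from the outside, and it is far quicker to find out here than by restarting Apache.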

5. Edit the Apache vhost file

  • Configuration. The cipher list that used to be here, ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL, is the old mod_ssl example and admits export, LOW, RC4 and even eNULL (unencrypted) suites; it is replaced by a TLS 1.2+ only policy.

    <VirtualHost *:${MYPORT8644}>
    ServerName my.ws.com
    DocumentRoot "E:\bd\wamp64\www"

       SSLEngine on
       # TLS 1.2 and 1.3 only (TLSv1.3 needs httpd 2.4.36+ with OpenSSL 1.1.1+;
       # on older builds use "SSLProtocol -all +TLSv1.2")
       SSLProtocol -all +TLSv1.2 +TLSv1.3
       # strong suites only: no anonymous DH, no NULL, export, RC4, MD5 or 3DES
       SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!RC4:!MD5:!3DES
       SSLHonorCipherOrder on
       SSLCertificateFile "E:/bd/crt/server.crt"
       SSLCertificateKeyFile "E:/bd/crt/server.key"
       # only used for client-certificate authentication (SSLVerifyClient); the
       # browser trusts ca.crt directly after step 6, so this line is optional
       SSLCACertificateFile "E:/bd/crt/ca.crt"
       <Directory  "E:\bd\wamp64\www">
       Options +Indexes +Includes +FollowSymLinks +MultiViews
       AllowOverride All
       Require local
       </Directory>
    </VirtualHost>
  • Change server.crt, server.key and ca.crt to the paths of the files generated above. Require local limits the vhost to requests from the machine itself, which suits this test setup; Options +Indexes enables directory listings, so remove it before exposing the document root to anyone else.

6. Finally, import ca.crt into the browser as a trusted certificate authority. Because ca.crt was self-signed with server.key in step 2, the browser will from then on trust any certificate signed with that key, for any name, so import it only into a test profile and remove it when you are done.

Tags: openssl, apache
