$sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
The certificate's validity period is up to you: if you would rather not repeat this yearly, you can set it to 10 years by changing -days 365 to -days 3650. For the other parameters of the openssl generator, see the openssl website.
Once the command runs, the console prompts you for the information that goes into the certificate. The most important field is Common Name: enter your site's official domain name or its public IP address here.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]:New Yor
Locality Name (eg, city) []: NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Awesome Inc
Organizational Unit Name (eg, section) []: Dept of Merriment
Common Name (e.g. server FQDN or YOUR name) []: example.com
Email Address []: webmaster@awesomeinc.com
4. Set up the certificate
Now we have everything we need. Next we configure the web server to present our new certificate.
First open the SSL site configuration file:
$sudo nano /etc/apache2/sites-available/default-ssl
In that file, make the following changes inside the section that begins with <VirtualHost _default_:443>.
Add your server name: directly below the ServerAdmin email line, add the following line:
ServerName example.com:443
Note: replace example.com with your own site's domain or IP address; it must match the Common Name you entered when generating the certificate.
Then find the following two lines and check whether they point at your certificate and key. Change
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
to our own certificate and key, making sure the paths are correct as well:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
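As an added example (not part of the original post), here is a POSIX shell script that generates the certificate non-interactively and then performs the two checks the steps above call for: that the key really belongs to the certificate, and that its Common Name matches the ServerName you put in default-ssl. It assumes the openssl CLI is installed; the subject values are the sample answers from the prompt above, and the file names are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a self-signed
# certificate non-interactively and checks that the key matches the
# certificate and that its Common Name matches the intended ServerName.
# Assumes the openssl CLI (1.1.1 or newer, for -addext) is installed.
set -eu

# gen_selfsigned DIR CN DAYS: writes DIR/apache.key and DIR/apache.crt.
# -subj answers the interactive prompts; the values are the sample ones
# from the tutorial. -addext adds a SubjectAltName, which browsers check
# for the hostname instead of the CN.
gen_selfsigned() {
  dir=$1; cn=$2; days=$3
  mkdir -p "$dir"
  openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
    -keyout "$dir/apache.key" -out "$dir/apache.crt" \
    -subj "/C=US/ST=New York/L=NYC/O=Awesome Inc/CN=$cn" \
    -addext "subjectAltName=DNS:$cn" 2>/dev/null
}

# key_matches_cert KEY CRT: succeeds only if the public key derived from
# KEY is byte-identical to the public key embedded in CRT.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRT: prints the certificate's Common Name.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_servername CRT SERVERNAME: succeeds if the CN equals the host part
# of an Apache ServerName value such as "example.com:443".
check_servername() {
  host=${2%%:*}
  [ "$(cert_cn "$1")" = "$host" ]
}

# Usage: sh check-cert.sh KEY CRT SERVERNAME  (e.g. the paths from default-ssl)
if [ $# -eq 3 ]; then
  key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "KEY/CERT MISMATCH"
  check_servername "$2" "$3" && echo "CN matches ServerName" || echo "CN/SERVERNAME MISMATCH"
fi
```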