PositiveSSL Deployment Notes [Apache]

A while ago I bought a PositiveSSL certificate from namecheap (it is cheap). Deploying it on the dev box today threw up a few surprises, but after some back and forth it is finally installed. The steps are recorded directly below.

Requesting the certificate

  • Generate the CSR and private key that the certificate will be issued against
[skidu@localhost ~]# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
.........................+++
.....................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                       # country code, CN here
State or Province Name (full name) []:Beijing              # region
Locality Name (eg, city) [Default City]:Beijing            # region
Organization Name (eg, company) [Default Company Ltd]:     # company / organization name
Organizational Unit Name (eg, section) []:                 # department; may be the same as the previous field
Common Name (eg, your name or your server's hostname) []:  # the domain the certificate is for, e.g. www.skidu.me
                                                           # for a Wildcard Certificate use the wildcard form, e.g. *.skidu.me
Email Address []:                                          # administrator mailbox, usually of the form postmaster@domain.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                        # challenge password; set one if needed or leave blank
An optional company name []:                    #
  • After submitting the contents of server.csr on the namecheap page you receive a confirmation e-mail from comodo.com; take the validation code from that mail to the indicated place and complete the validation.
  • You then receive an e-mail with an attachment whose contents look roughly like this
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Wildcard Certificate - www_skidu_me.crt
  • That completes the request.

Deployment

  • Upload the e-mail attachments to any location on the server (assume /path/to/ssl)
  • Assemble the CA chain file (they used to ship a single certificate called PositiveCA for this; that seems to be gone now)
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ca.crt   # order: the intermediate that signed your certificate first, then upwards to the root
  • Edit httpd.conf and enable the following modules (uncomment their LoadModule lines)
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
  • Make apache listen on port 443
Listen 443
  • Configure the virtual host
<VirtualHost *:443>
    ServerName www.skidu.me
    DocumentRoot /data/skidume
    DirectoryIndex index.php index.html
    SSLEngine on
    # Legacy cipher list: it still admits eNULL (no encryption), EXP and LOW suites and SSLv2,
    # all of which a current deployment should exclude (e.g. HIGH:!aNULL:!eNULL:!EXPORT:!LOW).
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile    "/path/to/ssl/www_skidu_me.crt"
    SSLCertificateKeyFile "/path/to/ssl/server.key"
    # ca.crt must list the intermediates starting with the one that signed the certificate;
    # since httpd 2.4.8 they may instead be appended to the SSLCertificateFile.
    SSLCertificateChainFile "/path/to/ssl/ca.crt"

    BrowserMatch MSIE \
        nokeepalive \
        ssl-unclean-shutdown \
        downgrade-1.0 \
        force-response-1.0

    <Directory /data/skidume>
        Options FollowSymLinks
        AllowOverride All
        # Order/Allow are the 2.2 syntax (needs mod_access_compat on 2.4); Require is the 2.4 form.
        Order deny,allow
        Allow from all
        Require all granted
        php_admin_value open_basedir /data/skidume:/data/tmp
    </Directory>
</VirtualHost>
  • Restart apache and you are done
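Before that restart it is worth checking that server.key really belongs to www_skidu_me.crt and that ca.crt verifies and is in the right order, since those are the usual causes of a failed start. The following script is an added example and not part of the original post: it builds a throwaway root/intermediate/leaf PKI with openssl (all names constructed), assembles the bundle the same way as above, and runs those checks.

```sh
#!/bin/sh
# Added example, not from the original post: build a throwaway root -> intermediate -> leaf
# PKI with openssl, assemble ca.crt the way the post does (intermediate first, root last) and
# run the checks worth doing before restarting httpd. All names and files here are constructed.
set -e
WORK=$(mktemp -d)
sign() {  # sign <csr> <ca cert> <ca key> <out> [extfile]   (2-day validity, test PKI only)
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial -days 2 -out "$4" \
    ${5:+-extfile "$5"} 2>/dev/null
}
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  for name in root inter server; do   # same kind of CSR as the post's openssl req line
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=test-$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  done
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  sign "$WORK/inter.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/inter.crt" "$WORK/ca.ext"
  sign "$WORK/server.csr" "$WORK/inter.crt" "$WORK/inter.key" "$WORK/www_skidu_me.crt"
  # Same assembly as the post: the intermediate that signed the leaf first, the root last.
  cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/ca.crt"
  cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/ca-wrong.crt"   # deliberately reversed
}

# httpd will not start if SSLCertificateFile and SSLCertificateKeyFile do not belong together.
key_matches_cert() {  # <cert> <key>
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# The leaf must chain up to the root through the certificates collected in the bundle.
chain_verifies() {  # <leaf> <ca bundle>
  openssl verify -CAfile "$2" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Apache sends the bundle as-is, so each certificate's issuer must be the next one's subject.
bundle_in_order() {  # <ca bundle>
  n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1
  while [ "$i" -lt "$n" ]; do
    iss=$(awk -v k="$i" '/BEGIN CERTIFICATE/{c++} c==k' "$1" | openssl x509 -noout -issuer -nameopt RFC2253)
    sub=$(awk -v k="$((i+1))" '/BEGIN CERTIFICATE/{c++} c==k' "$1" | openssl x509 -noout -subject -nameopt RFC2253)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
    i=$((i+1))
  done
}

make_test_pki
key_matches_cert "$WORK/www_skidu_me.crt" "$WORK/server.key" && echo "key matches certificate"
chain_verifies "$WORK/www_skidu_me.crt" "$WORK/ca.crt" && echo "chain verifies"
bundle_in_order "$WORK/ca.crt" && echo "ca.crt is in the right order"
bundle_in_order "$WORK/ca-wrong.crt" || echo "ca-wrong.crt: root listed before the intermediate"
```

Against the real files, point the three checks at /path/to/ssl/www_skidu_me.crt, server.key and ca.crt instead of the generated ones.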

Tags: ssl apache, positivessl, positivessl apache