ssl_faq.html.en

From the archive: Apache 2.2.4 with OpenSSL 0.9.8e providing HTTP and HTTPS service, with QuickUsage
<li><a href="#passphrase">How can I change the pass-phrase on my private 
key file?</a></li>
<li><a href="#removepassphrase">How can I get rid of the pass-phrase 
dialog at Apache startup time?</a></li>
<li><a href="#verify">How do I verify that a private key matches its 
Certificate?</a></li>
<li><a href="#badcert">Why do connections fail with an "alert bad 
certificate" error?</a></li>
<li><a href="#keysize">Why does my 2048-bit private key not work?</a></li>
<li><a href="#hashsymlinks">Why is client authentication broken after 
upgrading from SSLeay version 0.8 to 0.9?</a></li>
<li><a href="#pemder">How can I convert a certificate from PEM to DER 
format?</a></li>
<li><a href="#verisign">Why can't I find the
<code>getca</code> or <code>getverisign</code> programs mentioned by
Verisign, for installing my Verisign certificate?</a></li>
<li><a href="#sgc">Can I use the Server Gated Cryptography (SGC)
facility (aka Verisign Global ID) with mod_ssl?</a></li>
<li><a href="#gid">Why do browsers complain that they cannot
verify my Verisign Global ID server certificate?</a></li>
</ul>

<h3><a name="keyscerts" id="keyscerts">What are RSA Private Keys, CSRs and Certificates?</a></h3>
<p>An RSA private key file is a digital file that you can use to decrypt
    messages sent to you. It has a public component which you distribute (via
    your Certificate file) which allows people to encrypt those messages to
    you.</p>
    <p>A Certificate Signing Request (CSR) is a digital file which contains
    your public key and your name. You send the CSR to a Certifying Authority
    (CA), who will convert it into a real Certificate, by signing it.</p> 
    <p>A Certificate contains your
    RSA public key, your name, the name of the CA, and is digitally signed by
    the CA. Browsers that know the CA can verify the signature on that
    Certificate, thereby obtaining your RSA public key. That enables them to
    send messages which only you can decrypt.</p>
    <p>See the <a href="ssl_intro.html">Introduction</a> chapter for a general
    description of the SSL protocol.</p>


<h3><a name="startup" id="startup">Is there a difference on startup between 
    the original Apache and an SSL-aware Apache?</a></h3>
<p>Yes. In general, starting Apache with 
    <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> built-in is just like starting Apache 
    without it. However, if you have a passphrase on your SSL private 
    key file, a startup dialog will pop up which asks you to enter the 
    pass phrase.</p>
    
    <p>Having to manually enter the passphrase when starting the server 
    can be problematic - for example, when starting the server from the 
    system boot scripts. In this case, you can follow the steps
    <a href="#removepassphrase">below</a> to remove the passphrase from
    your private key.</p>


<h3><a name="selfcert" id="selfcert">How do I create a self-signed SSL 
Certificate for testing purposes?</a></h3>
    <ol>
    <li>Make sure OpenSSL is installed and in your <code>PATH</code>.<br />
    <br />
    </li>
    <li>Run the following command, to create <code>server.key</code> and
        <code>server.crt</code> files:<br />
        <code><strong>$ openssl req -new -x509 -nodes -out server.crt -keyout server.key</strong></code><br />
        These can be used as follows in your <code>httpd.conf</code>
        file:
        <pre>
SSLCertificateFile    /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
        </pre>
    </li>
    <li>Be aware that this <code>server.key</code> does <em>not</em>
	have a passphrase. To add one, run the following commands and
	enter &amp; verify the passphrase when prompted:<br />
	<p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br />
	<code><strong>$ mv server.key.new server.key</strong></code><br /></p>
	Please back up the <code>server.key</code> file, and the passphrase
	you entered, in a secure location.
    </li>
    </ol>
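The procedure above, as an added example that is not part of the Apache FAQ: it runs the FAQ's self-signed command without prompts and then checks the result the way a practitioner would before pointing <code>httpd.conf</code> at it. It assumes <code>openssl</code> is on <code>PATH</code>; the host name <code>www.example.com</code> is a constructed sample value.

```shell
#!/bin/sh
# Added example (not from the Apache FAQ): the FAQ's self-signed test
# certificate, generated without prompts, then checked. Assumes `openssl`
# is on PATH; "www.example.com" is a constructed sample host name.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# FAQ step 2, with -subj supplying the CommonName so nothing is prompted
# for; -nodes leaves server.key without a pass-phrase (FAQ step 3).
make_selfsigned() {
    openssl req -new -x509 -nodes -days 365 -subj "/CN=$1" \
        -out server.crt -keyout server.key 2>/dev/null
}

# A certificate is only usable with the key whose RSA modulus it carries;
# comparing the two moduli is the check behind the FAQ's "does my private
# key match its Certificate" question.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in server.key)" = \
      "$(openssl x509 -noout -modulus -in server.crt)" ]
}

# The subject line shows the CommonName that clients compare against
# the host name in the URL.
cert_subject() {
    openssl x509 -noout -subject -in server.crt
}

# Self-signed means issuer and subject are the same name; a browser has
# no CA to verify it against, which is why this is for testing only.
is_self_signed() {
    [ "$(openssl x509 -noout -subject -in server.crt | sed 's/^subject//')" = \
      "$(openssl x509 -noout -issuer -in server.crt | sed 's/^issuer//')" ]
}

# An unencrypted PEM key carries no ENCRYPTED marker in its header.
key_is_encrypted() {
    grep -q ENCRYPTED server.key
}

make_selfsigned www.example.com
key_matches_cert && echo "server.key matches server.crt"
is_self_signed && echo "issuer equals subject: self-signed"
cert_subject
key_is_encrypted || echo "server.key has no pass-phrase (as -nodes requested)"
```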


<h3><a name="realcert" id="realcert">How do I create a real SSL Certificate?</a></h3>
<p>Here is a step-by-step description:</p>
    <ol>
    <li>Make sure OpenSSL is installed and in your <code>PATH</code>.
    <br />
    <br />
    </li>
    <li>Create an RSA private key for your Apache server
       (will be Triple-DES encrypted and PEM formatted):<br />
       <br />
       <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br />
       <br />
       Please back up this <code>server.key</code> file and the
       pass-phrase you entered in a secure location.
       You can see the details of this RSA private key by using the command:<br />

       <br />
       <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
       <br />
       If necessary, you can also create a decrypted PEM version (not 
       recommended) of this RSA private key with:<br />
       <br />
       <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
       <br />

    </li>
    <li>Create a Certificate Signing Request (CSR) with the server RSA private
       key (output will be PEM formatted):<br />
       <br />
       <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code><br />
       <br />
       Make sure you enter the FQDN ("Fully Qualified Domain Name") of the
       server when OpenSSL prompts you for the "CommonName", i.e. when you
       generate a CSR for a website which will be later accessed via
       <code>https://www.foo.dom/</code>, enter "www.foo.dom" here.
       You can see the details of this CSR by using<br />

       <br />
       <code><strong>$ openssl req -noout -text -in server.csr</strong></code><br />
       <br />
    </li>
    <li>You now have to send this Certificate Signing Request (CSR) to
       a Certifying Authority (CA) to be signed. Once the CSR has been 
       signed, you will have a real Certificate, which can be used by
       Apache. You can have a CSR signed by a commercial CA, or you can 
       create your own CA to sign it.<br />
       Commercial CAs usually ask you to post the CSR into a web form, 
       pay for the signing, and then send a signed Certificate, which 
       you can store in a server.crt file. For more information about 
       commercial CAs see the following locations:<br />
       <br />
       <ol>
       <li>  Verisign<br />
             <a href="http://digitalid.verisign.com/server/apacheNotice.htm">
             http://digitalid.verisign.com/server/apacheNotice.htm
             </a>
       </li>
       <li>  Thawte<br />
         <a href="http://www.thawte.com/">http://www.thawte.com/</a>
       </li>
       <li>  CertiSign Certificadora Digital Ltda.<br />
             <a href="http://www.certisign.com.br">
             http://www.certisign.com.br
             </a>
       </li>
       <li>  IKS GmbH<br />
             <a href="http://www.iks-jena.de/leistungen/ca/">
             http://www.iks-jena.de/leistungen/ca/
             </a>
       </li>
       <li>  Uptime Commerce Ltd.<br />
             <a href="http://www.uptimecommerce.com">
             http://www.uptimecommerce.com
             </a>
       </li>
       <li>  BelSign NV/SA<br />
             <a href="http://www.belsign.be">
             http://www.belsign.be
             </a>
       </li>
       </ol>

       For details on how to create your own CA, and use this to sign
       a CSR, see <a href="#ownca">below</a>.<br />
       
       Once your CSR has been signed, you can see the details of the 
       Certificate as follows:<br />
       <br />
       <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />

    </li>
    <li>You should now have two files: <code>server.key</code> and
    <code>server.crt</code>. These can be used as follows in your
    <code>httpd.conf</code> file:
       <pre>
SSLCertificateFile    /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
       </pre>
       The <code>server.csr</code> file is no longer needed.
    </li>

    </ol>


<h3><a name="ownca" id="ownca">How do I create and use my own Certificate Authority (CA)?</a></h3>
    <p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
    script provided by OpenSSL. Unless you have a good reason not to, 
    you should use these for preference. If you cannot, you can create a
    self-signed Certificate as follows:</p>
    
    <ol>
    <li>Create an RSA private key for your server
       (will be Triple-DES encrypted and PEM formatted):<br />
       <br />
       <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br />
       <br />
       Please back up this <code>server.key</code> file and the
       pass-phrase you entered in a secure location.
       You can see the details of this RSA private key by using the 
       command:<br />
       <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
       <br />
       If necessary, you can also create a decrypted PEM version (not 
       recommended) of this RSA private key with:<br />
       <br />
       <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
       <br />
    </li>
    <li>Create a self-signed Certificate (X509 structure)
       with the RSA key you just created (output will be PEM formatted):<br />
       <br />
       <code><strong>$ openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt</strong></code><br />
       <br />
       This signs the server CSR and results in a <code>server.crt</code> file.<br />
       You can see the details of this Certificate using:<br />
       <br />
       <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
       <br />
    </li>
    </ol>
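The "real Certificate" steps above (key, CSR, signing) and this "own CA" question, carried through as one added example that is not part of the Apache FAQ: a minimal private CA signs the server CSR with plain <code>openssl</code> commands in place of the <code>CA.sh</code>/<code>CA.pl</code> scripts the FAQ recommends, and the chain is verified the way a browser that trusts the CA would. It assumes <code>openssl</code> is on <code>PATH</code>; <code>Test CA</code> and <code>www.example.com</code> are constructed sample names.

```shell
#!/bin/sh
# Added example (not from the Apache FAQ): a minimal private CA that
# signs a server CSR, done with plain openssl commands instead of the
# CA.sh/CA.pl scripts the FAQ recommends. Assumes `openssl` on PATH;
# "Test CA" and "www.example.com" are constructed sample names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. CA key and self-signed CA certificate (the FAQ's "own CA" step,
#    with -subj so the example runs without prompts).
make_ca() {
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
        -subj "/CN=$1" 2>/dev/null
}

# 2. Server key and CSR; the CN must be the FQDN clients will use.
make_csr() {
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.csr -subj "/CN=$1" 2>/dev/null
}

# 3. The CA signs the CSR, producing server.crt (what a commercial CA
#    would send back). -CAcreateserial writes ca.srl for the serial number.
sign_csr() {
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out server.crt 2>/dev/null
}

# Does server.crt chain to ca.crt? This is the signature check a browser
# that knows the CA performs before trusting the server's public key.
verify_chain() {
    openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1
}

# The issuer of the server certificate names the CA that signed it.
cert_issuer() {
    openssl x509 -noout -issuer -in server.crt
}

make_ca "Test CA"
make_csr www.example.com
sign_csr
verify_chain && echo "server.crt verifies against ca.crt"
cert_issuer
```

After signing, <code>server.csr</code> is no longer needed; only <code>server.key</code> and <code>server.crt</code> go into <code>httpd.conf</code>.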


<h3><a name="passphrase" id="passphrase">How can I change the pass-phrase on my private key file?</a></h3>
<p>You simply have to read it with the old pass-phrase and write it again,
    specifying the new pass-phrase. You can accomplish this with the following
    commands:</p>

    
    <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br />
    <code><strong>$ mv server.key.new server.key</strong></code><br /></p>
    
    <p>The first time you're asked for a PEM pass-phrase, you should
    enter the old pass-phrase. After that, you'll be asked again to 
    enter a pass-phrase - this time, use the new pass-phrase. If you
    are asked to verify the pass-phrase, you'll need to enter the new 
    pass-phrase a second time.</p>
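The pass-phrase change above, together with adding a pass-phrase (the self-signed question) and removing it (the startup-dialog question that follows), as one added example that is not part of the Apache FAQ. It runs the FAQ's <code>openssl rsa</code> commands non-interactively with <code>-passin</code>/<code>-passout</code> and checks that the old pass-phrase stops working; it assumes <code>openssl</code> is on <code>PATH</code>, and <code>old-secret</code>/<code>new-secret</code> are constructed sample pass-phrases.

```shell
#!/bin/sh
# Added example (not from the Apache FAQ): the pass-phrase operations the
# FAQ describes, run non-interactively with -passin/-passout. Assumes
# `openssl` on PATH; "old-secret"/"new-secret" are constructed samples.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Start with a key protected by the old pass-phrase (FAQ: genrsa -des3).
make_key() {
    openssl genrsa -des3 -passout "pass:$1" -out server.key 2048 2>/dev/null
}

# Can this pass-phrase decrypt server.key? The exit status is the answer.
key_opens_with() {
    openssl rsa -noout -passin "pass:$1" -in server.key 2>/dev/null
}

# Change the pass-phrase: read with the old one, write with the new one,
# then replace the original, exactly as the FAQ's two commands do.
change_passphrase() {
    openssl rsa -des3 -passin "pass:$1" -passout "pass:$2" \
        -in server.key -out server.key.new 2>/dev/null
    mv server.key.new server.key
}

# Remove the pass-phrase (the startup-dialog question): keep a backup of
# the encrypted key and restrict the unprotected copy to its owner.
remove_passphrase() {
    cp server.key server.key.org
    openssl rsa -passin "pass:$1" -in server.key.org -out server.key 2>/dev/null
    chmod 400 server.key
}

# An encrypted PEM key carries an ENCRYPTED marker in its header.
key_is_encrypted() { grep -q ENCRYPTED server.key; }

make_key old-secret
change_passphrase old-secret new-secret
key_opens_with old-secret || echo "old pass-phrase no longer works"
key_opens_with new-secret && echo "new pass-phrase works"
remove_passphrase new-secret
key_is_encrypted || echo "server.key now has no pass-phrase"
```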


<h3><a name="removepassphrase" id="removepassphrase">How can I get rid of the pass-phrase dialog at Apache startup time?</a></h3>
<p>The reason this dialog pops up at startup and every re-start
    is that the RSA private key inside your server.key file is stored in
    encrypted format for security reasons. The pass-phrase is needed to decrypt
    this file, so it can be read and parsed. Removing the pass-phrase 
    removes a layer of security from your server - proceed with caution!</p>
    <ol>
    <li>Remove the encryption from the RSA private key (while
       keeping a backup copy of the original file):<br />
       <br />
       <code><strong>$ cp server.key server.key.org</strong></code><br />
       <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code><br />

       <br />
    </li>
    <li>Make sure the server.key file is only readable by root:<br />
       <br />
       <code><strong>$ chmod 400 server.key</strong></code><br />
