ssl_faq.html.en

Apache官方在今天放出产品系列2.2的最新版本2.2.11的源码包 最流行的HTTP服务器软件之一

<li><a href="#removepassphrase">How can I get rid of the pass-phrase 
dialog at Apache startup time?</a></li>
<li><a href="#verify">How do I verify that a private key matches its 
Certificate?</a></li>
<li><a href="#badcert">Why do connections fail with an "alert bad 
certificate" error?</a></li>
<li><a href="#keysize">Why does my 2048-bit private key not work?</a></li>
<li><a href="#hashsymlinks">Why is client authentication broken after 
upgrading from SSLeay version 0.8 to 0.9?</a></li>
<li><a href="#pemder">How can I convert a certificate from PEM to DER 
format?</a></li>
<li><a href="#verisign">Why can't I find the
<code>getca</code> or <code>getverisign</code> programs mentioned by
Verisign, for installing my Verisign certificate?</a></li>
<li><a href="#sgc">Can I use the Server Gated Cryptography (SGC)
facility (aka Verisign Global ID) with mod_ssl?</a></li>
<li><a href="#gid">Why do browsers complain that they cannot
verify my Verisign Global ID server certificate?</a></li>
</ul>

<h3><a name="keyscerts" id="keyscerts">What are RSA Private Keys, CSRs and Certificates?</a></h3>
<p>An RSA private key file is a digital file that you can use to decrypt
    messages sent to you. It has a public component which you distribute (via
    your Certificate file) which allows people to encrypt those messages to
    you.</p>
    <p>A Certificate Signing Request (CSR) is a digital file which contains
    your public key and your name. You send the CSR to a Certifying Authority
    (CA), who will convert it into a real Certificate, by signing it.</p> 
    <p>A Certificate contains your
    RSA public key, your name, the name of the CA, and is digitally signed by
    the CA. Browsers that know the CA can verify the signature on that
    Certificate, thereby obtaining your RSA public key. That enables them to
    send messages which only you can decrypt.</p>
    <p>See the <a href="ssl_intro.html">Introduction</a> chapter for a general
    description of the SSL protocol.</p>


<h3><a name="startup" id="startup">Is there a difference on startup between 
    a non-SSL-aware Apache and an SSL-aware Apache?</a></h3>
<p>Yes. In general, starting Apache with 
    <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> built-in is just like starting Apache 
    without it. However, if you have a passphrase on your SSL private 
    key file, a startup dialog will pop up which asks you to enter the 
    pass phrase.</p>
    
    <p>Having to manually enter the passphrase when starting the server 
    can be problematic - for example, when starting the server from the 
    system boot scripts. In this case, you can follow the steps
    <a href="#removepassphrase">below</a> to remove the passphrase from
    your private key. Bear in mind that doing so brings additional security
    risks - proceed with caution!</p>


<h3><a name="selfcert" id="selfcert">How do I create a self-signed SSL 
Certificate for testing purposes?</a></h3>
    <ol>
    <li>Make sure OpenSSL is installed and in your <code>PATH</code>.<br />
    <br />
    </li>
    <li>Run the following command, to create <code>server.key</code> and
        <code>server.crt</code> files:<br />
	<code><strong>$ openssl req -new -x509 -nodes -out server.crt 
			-keyout server.key</strong></code><br />
	These can be used as follows in your <code>httpd.conf</code> 
	file:
        <pre>
             SSLCertificateFile    /path/to/this/server.crt
             SSLCertificateKeyFile /path/to/this/server.key
	</pre>
    </li>
    <li>It is important that you are aware that this 
	<code>server.key</code> does <em>not</em> have any passphrase.
	To add a passphrase to the key, you should run the following 
	command, and enter &amp; verify the passphrase as requested.<br />
	<p><code><strong>$ openssl rsa -des3 -in server.key -out 
	server.key.new</strong></code><br />
	<code><strong>$ mv server.key.new server.key</strong></code><br /></p>
	Please backup the <code>server.key</code> file, and the passphrase 
	you entered, in a secure location.
    </li>
    </ol>


<h3><a name="realcert" id="realcert">How do I create a real SSL Certificate?</a></h3>
<p>Here is a step-by-step description:</p>
    <ol>
    <li>Make sure OpenSSL is installed and in your <code>PATH</code>.
    <br />
    <br />
    </li>
    <li>Create a RSA private key for your Apache server
       (will be Triple-DES encrypted and PEM formatted):<br />
       <br />
       <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br />
       <br />
       Please backup this <code>server.key</code> file and the
       pass-phrase you entered in a secure location.
       You can see the details of this RSA private key by using the command:<br />

       <br />
       <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
       <br />
       If necessary, you can also create a decrypted PEM version (not 
       recommended) of this RSA private key with:<br />
       <br />
       <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
       <br />

    </li>
    <li>Create a Certificate Signing Request (CSR) with the server RSA private
       key (output will be PEM formatted):<br />
       <br />
       <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code><br />
       <br />
       Make sure you enter the FQDN ("Fully Qualified Domain Name") of the
       server when OpenSSL prompts you for the "CommonName", i.e. when you
       generate a CSR for a website which will be later accessed via
       <code>https://www.foo.dom/</code>, enter "www.foo.dom" here.
       You can see the details of this CSR by using<br />

       <br />
       <code><strong>$ openssl req -noout -text -in server.csr</strong></code><br />
       <br />
    </li>
    <li>You now have to send this Certificate Signing Request (CSR) to
       a Certifying Authority (CA) to be signed. Once the CSR has been 
       signed, you will have a real Certificate, which can be used by
       Apache. You can have a CSR signed by a commercial CA, or you can 
       create your own CA to sign it.<br />
       Commercial CAs usually ask you to post the CSR into a web form, 
       pay for the signing, and then send a signed Certificate, which 
       you can store in a server.crt file. For more information about 
       commercial CAs see the following locations:<br />
       <br />
       <ol>
       <li>  Verisign<br />
             <a href="http://digitalid.verisign.com/server/apacheNotice.htm">
             http://digitalid.verisign.com/server/apacheNotice.htm
             </a>
       </li>
       <li>  Thawte<br />
         <a href="http://www.thawte.com/">http://www.thawte.com/</a>
       </li>
       <li>  CertiSign Certificadora Digital Ltda.<br />
             <a href="http://www.certisign.com.br">
             http://www.certisign.com.br
             </a>
       </li>
       <li>  IKS GmbH<br />
             <a href="http://www.iks-jena.de/leistungen/ca/">
             http://www.iks-jena.de/leistungen/ca/
             </a>
       </li>
       <li>  Uptime Commerce Ltd.<br />
             <a href="http://www.uptimecommerce.com">
             http://www.uptimecommerce.com
             </a>
       </li>
       <li>  BelSign NV/SA<br />
             <a href="http://www.belsign.be">
             http://www.belsign.be
             </a>
       </li>
       </ol>

       For details on how to create your own CA, and use this to sign
       a CSR, see <a href="#ownca">below</a>.<br />
       
       Once your CSR has been signed, you can see the details of the 
       Certificate as follows:<br />
       <br />
       <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />

    </li>
    <li>You should now have two files: <code>server.key</code> and
    <code>server.crt</code>. These can be used as follows in your
    <code>httpd.conf</code> file:
       <pre>
       SSLCertificateFile    /path/to/this/server.crt
       SSLCertificateKeyFile /path/to/this/server.key
       </pre>
       The <code>server.csr</code> file is no longer needed.
    </li>

    </ol>


<h3><a name="ownca" id="ownca">How do I create and use my own Certificate Authority (CA)?</a></h3>
    <p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
    script provided by OpenSSL. Unless you have a good reason not to, 
    you should use these for preference. If you cannot, you can create a
    self-signed Certificate as follows:</p>
    
    <ol>
    <li>Create a RSA private key for your server
       (will be Triple-DES encrypted and PEM formatted):<br />
       <br />
       <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br />
       <br />
       Please backup this <code>host.key</code> file and the
       pass-phrase you entered in a secure location.
       You can see the details of this RSA private key by using the 
       command:<br />
       <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
       <br />
       If necessary, you can also create a decrypted PEM version (not 
       recommended) of this RSA private key with:<br />
       <br />
       <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
       <br />
    </li>
    <li>Create a self-signed Certificate (X509 structure)
       with the RSA key you just created (output will be PEM formatted):<br />
       <br />
       <code><strong>$ openssl req -new -x509 -nodes -sha1 -days 365 
		       -key server.key -out server.crt</strong></code><br />
       <br />
       This signs the server CSR and results in a <code>server.crt</code> file.<br />
       You can see the details of this Certificate using:<br />
       <br />
       <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
       <br />
    </li>
    </ol>


<h3><a name="passphrase" id="passphrase">How can I change the pass-phrase on my private key file?</a></h3>
<p>You simply have to read it with the old pass-phrase and write it again,
    specifying the new pass-phrase. You can accomplish this with the following
    commands:</p>

    
    <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br />
    <code><strong>$ mv server.key.new server.key</strong></code><br /></p>
    
    <p>The first time you're asked for a PEM pass-phrase, you should
    enter the old pass-phrase. After that, you'll be asked again to 
    enter a pass-phrase - this time, use the new pass-phrase. If you
    are asked to verify the pass-phrase, you'll need to enter the new 
    pass-phrase a second time.</p>


<h3><a name="removepassphrase" id="removepassphrase">How can I get rid of the pass-phrase dialog at Apache startup time?</a></h3>
<p>The reason this dialog pops up at startup and every re-start
    is that the RSA private key inside your server.key file is stored in
    encrypted format for security reasons. The pass-phrase is needed to decrypt
    this file, so it can be read and parsed. Removing the pass-phrase 
    removes a layer of security from your server - proceed with caution!</p>
    <ol>
    <li>Remove the encryption from the RSA private key (while
       keeping a backup copy of the original file):<br />
       <br />
       <code><strong>$ cp server.key server.key.org</strong></code><br />
       <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code><br />

       <br />
    </li>
    <li>Make sure the server.key file is only readable by root:<br />
       <br />
       <code><strong>$ chmod 400 server.key</strong></code><br />
       <br />