ssl_faq.html

mod_ssl-2.8.31-1.3.41.tar.gz 好用的ssl工具

    RewriteEngine on
    RewriteRule   ^/(.*):SSL$   https://%{SERVER_NAME}/$1 [R,L]
    RewriteRule   ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1  [R,L]
    </pre>
    This rewrite ruleset lets you use hyperlinks of the form
    <pre>
    &lt;a href="document.html:SSL"&gt
    </pre>
</ul>
<p>
<br>
<h2><a name="ToC24">About Certificates</a></h2>
<ul>
<p>
<li><a name="ToC25"></a>
    <a name="what-is"></a>
    <strong id="faq">
What are RSA Private Keys, CSRs and Certificates?</strong>
</strong>&nbsp;&nbsp;
    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#what-is"><b>L</b></a>]
    <p>
    The RSA private key file is a digital file that you can use to decrypt
    messages sent to you. It has a public component which you distribute (via
    your Certificate file) which allows people to encrypt those messages to
    you. A Certificate Signing Request (CSR) is a digital file which contains
    your public key and your name. You send the CSR to a Certifying Authority
    (CA) to be converted into a real Certificate. A Certificate contains your
    RSA public key, your name, the name of the CA, and is digitally signed by
    your CA. Browsers that know the CA can verify the signature on that
    Certificate, thereby obtaining your RSA public key. That enables them to
    send messages which only you can decrypt.
    See the <a href="ssl_intro.html">Introduction</a> chapter for a general
    description of the SSL protocol.
<p>
<li><a name="ToC26"></a>
    <a name="startup"></a>
    <strong id="faq">
Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?
</strong>&nbsp;&nbsp;
    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#startup"><b>L</b></a>]
    <p>
    Yes, in general, starting Apache with a built-in mod_ssl is just like
    starting an unencumbered Apache, except for the fact that when you have a
    pass phrase on your SSL private key file. Then a startup dialog pops up
    asking you to enter the pass phrase.
    <p>
    To type in the pass phrase manually when starting the server can be
    problematic, for instance when starting the server from the system boot
    scripts. As an alternative to this situation you can follow the steps
    below under ``How can I get rid of the pass-phrase dialog at Apache
    startup time?''.
<p>
<li><a name="ToC27"></a>
    <a name="cert-dummy"></a>
    <strong id="faq">
How can I create a dummy SSL server Certificate for testing purposes?
</strong>&nbsp;&nbsp;
    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#cert-dummy"><b>L</b></a>]
    <p>
    A Certificate does not have to be signed by a public CA. You can use your
    private key to sign the Certificate which contains your public key. You
    can install this Certificate into your server, and people using Netscape
    Navigator (not MSIE) will be able to connect after clicking OK to a
    warning dialogue. You can get MSIE to work, and your customers can
    eliminate the dialogue, by installing that Certificate manually into their
    browsers.
    <p>
    Just use the ``<code>make certificate</code>'' command at the top-level
    directory of the Apache source tree right before installing Apache via
    ``<code>make install</code>''. This creates a self-signed SSL Certificate
    which expires after 30 days and isn't encrypted (which means you don't
    need to enter a pass-phrase at Apache startup time).
    <p>
    BUT REMEMBER: YOU REALLY HAVE TO CREATE A REAL CERTIFICATE FOR THE LONG
    RUN! HOW THIS IS DONE IS DESCRIBED IN THE NEXT ANSWER.
<p>
<li><a name="ToC28"></a>
    <a name="cert-real"></a>
    <strong id="faq">
Ok, I've got my server installed and want to create a real SSL
server Certificate for it. How do I do it?
</strong>&nbsp;&nbsp;
    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real"><b>L</b></a>]
    <p>
    Here is a step-by-step description:
    <p>
    <ol>
    <li>Make sure OpenSSL is really installed and in your <code>PATH</code>.
        But some commands even work ok when you just run the
        ``<code>openssl</code>'' program from within the OpenSSL source tree as
        ``<code>./apps/openssl</code>''.
    <p>
    <li>Create a RSA private key for your Apache server
       (will be Triple-DES encrypted and PEM formatted):
       <p>
       <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code>
       <p>
       Please backup this <code>server.key</code> file and remember the
       pass-phrase you had to enter at a secure location.
       You can see the details of this RSA private key via the command:
       <p>
       <code><strong>$ openssl rsa -noout -text -in server.key</strong></code>
       <p>
       And you could create a decrypted PEM version (not recommended)
       of this RSA private key via:
       <p>
       <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code>
    <p>
    <li>Create a Certificate Signing Request (CSR) with the server RSA private
       key (output will be PEM formatted):
       <p>
       <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code>
       <p>
       Make sure you enter the FQDN ("Fully Qualified Domain Name") of the
       server when OpenSSL prompts you for the "CommonName", i.e. when you
       generate a CSR for a website which will be later accessed via
       <code>https://www.foo.dom/</code>, enter "www.foo.dom" here.
       You can see the details of this CSR via the command
       <p>
       <code><strong>$ openssl req -noout -text -in server.csr</strong></code>
    <p>
    <li>You now have to send this Certificate Signing Request (CSR) to
       a Certifying Authority (CA) for signing. The result is then a real
       Certificate which can be used for Apache. Here you have two options:
       First you can let the CSR sign by a commercial CA like Verisign or
       Thawte. Then you usually have to post the CSR into a web form, pay for
       the signing and await the signed Certificate you then can store into a
       server.crt file. For more information about commercial CAs have a look
       at the following locations:
       <p>
       <ul>
       <li>  Verisign<br>
             <a href="http://digitalid.verisign.com/server/apacheNotice.htm">
             http://digitalid.verisign.com/server/apacheNotice.htm
             </a>
       <li>  Thawte Consulting<br>
             <a href="http://www.thawte.com/certs/server/request.html">
             http://www.thawte.com/certs/server/request.html
             </a>
       <li>  CertiSign Certificadora Digital Ltda.<br>
             <a href="http://www.certisign.com.br">
             http://www.certisign.com.br
             </a>
       <li>  IKS GmbH<br>
             <a href="http://www.iks-jena.de/produkte/ca/">
             http://www.iks-jena.de/produkte/ca/
             </a>
       <li>  Uptime Commerce Ltd.<br>
             <a href="http://www.uptimecommerce.com">
             http://www.uptimecommerce.com
             </a>
       <li>  BelSign NV/SA<br>
             <a href="http://www.belsign.be">
             http://www.belsign.be
             </a>
       </ul>
       <p>
       Second you can use your own CA and now have to sign the CSR yourself by
       this CA. Read the next answer in this FAQ on how to sign a CSR with
       your CA yourself.
       You can see the details of the received Certificate via the command:
       <p>
       <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code>
    <p>
    <li>Now you have two files: <code>server.key</code> and
    <code>server.crt</code>. These now can be used as following inside your
    Apache's <code>httpd.conf</code> file:
       <pre>
       SSLCertificateFile    /path/to/this/server.crt
       SSLCertificateKeyFile /path/to/this/server.key
       </pre>
       The <code>server.csr</code> file is no longer needed.
    </ol>
<p>
<li><a name="ToC29"></a>
    <a name="cert-ownca"></a>
    <strong id="faq">
How can I create and use my own Certificate Authority (CA)?
</strong>&nbsp;&nbsp;
    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#cert-ownca"><b>L</b></a>]
    <p>
    The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
    script provided by OpenSSL. The long and manual answer is this:
    <p>
    <ol>
    <li>Create a RSA private key for your CA
       (will be Triple-DES encrypted and PEM formatted):
       <p>
       <code><strong>$ openssl genrsa -des3 -out ca.key 1024</strong></code>
       <p>
       Please backup this <code>ca.key</code> file and remember the
       pass-phrase you currently entered at a secure location.
       You can see the details of this RSA private key via the command
       <p>
       <code><strong>$ openssl rsa -noout -text -in ca.key</strong></code>
       <p>
       And you can create a decrypted PEM version (not recommended) of this
       private key via:
       <p>
       <code><strong>$ openssl rsa -in ca.key -out ca.key.unsecure</strong></code>
    <p>
    <li>Create a self-signed CA Certificate (X509 structure)
       with the RSA key of the CA (output will be PEM formatted):
       <p>
       <code><strong>$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt</strong></code>
       <p>
       You can see the details of this Certificate via the command:
       <p>
       <code><strong>$ openssl x509 -noout -text -in ca.crt</strong></code>
    <p>
    <li>Prepare a script for signing which is needed because
       the ``<code>openssl ca</code>'' command has some strange requirements
       and the default OpenSSL config doesn't allow one easily to use
       ``<code>openssl ca</code>'' directly. So a script named
       <code>sign.sh</code> is distributed with the mod_ssl distribution
       (subdir <code>pkg.contrib/</code>). Use this script for signing.
    <p>
    <li>Now you can use this CA to sign server CSR's in order to create real
       SSL Certificates for use inside an Apache webserver (assuming
       you already have a <code>server.csr</code> at hand):
       <p>
       <code><strong>$ ./sign.sh server.csr</strong></code>
       <p>
       This signs the server CSR and results in a <code>server.crt</code> file.
    </ol>
<p>
<li><a name="ToC30"></a>
    <a name="change-passphrase"></a>
    <strong id="faq">
How can I change the pass-phrase on my private key file?
</strong>&nbsp;&nbsp;
    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#change-passphrase"><b>L</b></a>]
    <p>
    You simply have to read it with the old pass-phrase and write it again
    by specifying the new pass-phrase. You can accomplish this with the following
    commands:
    <p>
    <code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br>
    <code><strong>$ mv server.key.new server.key</strong></code><br>
    <p>
    Here you're asked two times for a PEM pass-phrase. At the first
    prompt enter the old pass-phrase and at the second prompt
    enter the new pass-phrase.
<p>
<li><a name="ToC31"></a>
    <a name="remove-passphrase"></a>
    <strong id="faq">
How can I get rid of the pass-phrase dialog at Apache startup time?
</strong>&nbsp;&nbsp;
    [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#remove-passphrase"><b>L</b></a>]
    <p>
    The reason why this dialog pops up at startup and every re-start
    is that the RSA private key inside your server.key file is stored in
    encrypted format for security reasons. The pass-phrase is needed to be
    able to read and parse this file. When you can be sure that your server is
    secure enough you perform two steps:
    <p>
    <ol>
    <li>Remove the encryption from the RSA private key (while
       preserving the original file):
       <p>
       <code><strong>$ cp server.key server.key.org</strong></code><br>
       <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code>
    <p>
    <li>Make sure the server.key file is now only readable by root:
       <p>
       <code><strong>$ chmod 400 server.key</strong></code>