SSL Web Server
Generate Certificates
Method 1: 不需要 CA 的憑證
mkdir /etc/apache2/certs
cd /etc/apache2/certs
openssl genrsa -out myhomepbx.key 2048
openssl req -new -key myhomepbx.key -out myhomepbx.csr
openssl x509 -req -days 3650 -in myhomepbx.csr -signkey myhomepbx.key -out myhomepbx.crtMethod 2: 需要 CA 的憑證
# generate CA
cd /etc/ssl/homepbx-certs
openssl req -new -x509 -extensions v3_ca -keyout ca.key -out ca.crt -days 3650
# generate Server certificatesprerequisites
cp /etc/ssl/openssl.conf ./openssl.homepbx.cnf
touch index.txt
echo '01' > serial
mkdir newcerts
# generate Server certificates
openssl req -config openssl.homepbx.cnf -new -nodes -keyout server.key -out server.csr
openssl ca -config openssl.homepbx.cnf -days 3650 -in server.csr -out server.crtopenssl.homepbx.cnf
...
[ CA_default ]
dir = . # Where everything is kept <== Here
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt # The CA certificate <== Here
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/ca.key# The private key <== Here
x509_extensions = usr_cert # The extensions to add to the cert
...
Apache Setup