SSL证书安装指南 - Apache-SSL / Apache ModSSL
1. 保存证书文件 Save the certificate file
一旦您申请的SSL证书成功颁发,您会收到一个邮件通知您取回证书,点击邮件中的取回证书链接,就可以得到您的证书文件。此文件是一个打包文件,包含了您申请的证书类型的证书链文件、公钥证书。或 直接给您的是包含证书公钥和私钥的打包文件,有支持所有服务器类型的3种格式证书文件和各级根证书文件。
2. 安装证书 Install the Certificate
A. 把SSL证书和中级根证书拷贝到Apache存放证书的目录中,如: /etc/httpd/conf/ssl.crt/
a. Copy the certificate and Intermediate CA Certificate to the Apache directory in which you plan to store your certificates (example: /etc/httpd/conf/ssl.key/ or /etc/httpd/conf/ssl.crt/).
B.使用文本编辑器打开http.conf文件,添加如下3行参数(如果没有的话)
b. Open the Apache httpd.conf file in a text editor (notepad/vi). Locate the SSL VirtualHost associated with your certificate. Verify that you have the following 3 directives within this virtual host. Please add them if they are not present:
SSLCertificateKeyFile /where/the/key/is/located/www.mydomain.com.key
SSLCertificateFile /where/the/certificate/is/located/www.mydomain.com.crt
SSLCACertificateFile /where/the/certificate/is/located/intermediate.crt
请注意: Apache中含有https.conf和ssl.conf两个功能相同的文件,请只修改其中一个文件,否则会有冲突而使得Apache不能正常启动。
Note that some instances of Apache contain both a httpd.conf and ssl.conf file. Please enter or amend the httpd.conf or the ssl.conf with the above directives. Do not enter the information in both as there will be a conflict and Apache will not start.
c. 保存修改。 Save the changes and exit the editor.
d. 使用如下命令停止Apache后再启动Apache,以便Apache daemon能注册修改的参数。
Stop and start the Apache daemon which will register the changes that have been made in the config file. You can use the following commands:
/usr/sbin/apachectl stop /usr/sbin/apachectl startssl
or:
/usr/sbin/httpd -k stop /usr/sbin/httpd -DSSL
3. 完成配置 Setup the server
请一定要分配443端口和一个固定的IP地址给主机(注意:防火墙一定要开放443端口TCP)。
Make sure you assign port 443 and a unique ip address (i.e <VirtualHost 192.168.20.248:443>)to the virtual host. Apache does not support name based virtual hosts therefore host headers must not be specified in the VirtualHost directive.Note: If the server is behind a firewall please make sure port 443 has been enabled on the firewall.
在浏览器地址栏输入:https://yourdomain.com(申请证书的域名)测试您的SSL证书是否安装成功,如果成功,则浏览器下方会显示一个安全锁标志。请注意:如果您的网页中有不安全的元素,则会提供“是否显示不安全的内容”,建议修改网页删除不安全的内容。
Test your certificate by using a browser to connect to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP. The padlock icon on your browser will be displayed in the locked position if your certificates are installed correctly and the server is properly configured for SSL.