
~ Configuring multiple SSL certificates on Apache ~

connie 2012.12.28 | ubuntu

Many people assume that setting up an SSL virtual host works just like an ordinary HTTP virtual host:
copy another virtual host block, change the ServerName, restart, and you are done.

But you will quickly run into a problem.
Suppose you have two SSL sites, each with its own cert.
SSL Site B will end up being served with Site A's cert.

There are three workable ways to solve this:

  1. use a wildcard SSL cert
  2. set up a different port listener for each site
  3. use the mod_gnutls module

In short, the key point is that every SSL VirtualHost needs its own IP:PORT combination; otherwise you have to use a wildcard SSL cert.
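A quick offline check for the situation described above, added here as an example and not part of the original post: it scans an Apache config for VirtualHost blocks with SSLEngine on and reports every IP:PORT listener that more than one SSL vhost binds to. The config it scans is a constructed sample (site-a, site-b and site-c are made-up names); point it at a real sites-enabled file to check your own setup.

```python
import re
from collections import defaultdict

# Constructed sample config: site-a and site-b both bind *:443 (the problem
# case from the post), while site-c has been moved to its own port.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName site-a.example.com:443
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/site-a.crt
    SSLCertificateKeyFile /etc/apache2/ssl/site-a.key
</VirtualHost>
<VirtualHost *:443>
    ServerName site-b.example.com:443
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/site-b.crt
    SSLCertificateKeyFile /etc/apache2/ssl/site-b.key
</VirtualHost>
<VirtualHost *:8443>
    ServerName site-c.example.com:8443
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/site-c.crt
    SSLCertificateKeyFile /etc/apache2/ssl/site-c.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def ssl_vhosts(config):
    """Yield (listener, servername, certfile) for each SSL-enabled VirtualHost."""
    for m in VHOST_RE.finditer(config):
        body = m.group(2)
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        # A VirtualHost may list several addresses; each one is a listener.
        for listener in m.group(1).split():
            yield listener, name.group(1) if name else "?", cert.group(1) if cert else "?"

def find_collisions(config):
    """Return {listener: [(servername, certfile), ...]} for listeners shared by >1 SSL vhost."""
    by_listener = defaultdict(list)
    for listener, name, cert in ssl_vhosts(config):
        by_listener[listener].append((name, cert))
    return {l: v for l, v in by_listener.items() if len(v) > 1}

if __name__ == "__main__":
    for listener, sites in find_collisions(SAMPLE_CONFIG).items():
        print(f"{listener}: {len(sites)} SSL vhosts share this listener; the first one's cert wins")
        for name, cert in sites:
            print(f"  {name} -> {cert}")
```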

1] Activate the SSL module

sudo a2enmod ssl
sudo service apache2 restart

2] Create a new directory to store the server key and certificate

sudo mkdir /etc/apache2/ssl

3] Create a self-signed SSL certificate
This certificate will expire after one year.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

4] The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc
Organizational Unit Name (eg, section) []:Dept of Merriment
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:[email protected]

5] Set up the certificate

sudo nano /etc/apache2/sites-available/default-ssl
ServerName example.com:443
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

6] Activate the new virtual host

sudo a2ensite default-ssl
sudo service apache2 reload