Lighttpd - HTTPS(SSL)

 
1. Create a directory to hold the private key and certificate

#mkdir /etc/lighttpd/ssl
#cd /etc/lighttpd/ssl

 
2. Generate the private key
openssl genrsa -out privkey.pem 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
.........................................................................................................................+++
e is 65537 (0x10001)
 
3. Generate the certificate signing request (CSR)
openssl req -new -key privkey.pem -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Catchlink
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) []:*.catchlink.com
Email Address []:[email protected]
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
This command generates a certificate request using the key privkey.pem created in the previous step.
It produces a new file, cert.csr, the certificate request, which you can submit to a certificate authority (CA) to apply for a certificate. The CA returns a new file, cacert.pem, which is your actual certificate.
 
If this is only for your own testing, the requester and the issuer are both you, so you can generate the certificate directly with the following command:
openssl req -new -x509 -days 3650 -key privkey.pem -out cacert.pem
This command uses the key privkey.pem generated above to produce the self-signed certificate cacert.pem, valid for 3650 days.
 
openssl req -new -x509 -days 3650 -key privkey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]: Catchlink
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) []:*.catchlink.com
Email Address []:[email protected]
# ls -l
total 12
-rw-r--r-- 1 root root 1663 Dec 25 08:22 cacert.pem
-rw-r--r-- 1 root root 1675 Dec 25 08:21 privkey.pem
 

4. Combine the private key and certificate into a single file
# cat privkey.pem cacert.pem >lighttpd.pem
# ls -l
total 12
-rw-r--r-- 1 root root 1663 Dec 25 08:22 cacert.pem
-rw-r--r-- 1 root root 3338 Dec 25 08:24 lighttpd.pem
-rw-r--r-- 1 root root 1675 Dec 25 08:21 privkey.pem
#chmod -R 600 /etc/lighttpd/ssl
 
5. Edit the vhosts.conf file
# vi /etc/lighttpd/conf.d/vhosts.conf
$SERVER["socket"] == "192.168.11.201:443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/ssl/lighttpd.pem"

        server.name = "www.aaa.com"
        server.document-root="/var/lighttpd/blog.aaa.com"
        server.errorlog="/var/log/lighttpd/blog.aaa.com.error.log"
        accesslog.filename="/var/log/lighttpd/blog.aaa.com.access.log"

}

 
https://192.168.11.201
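The following is an added example, not the original post's commands: a non-interactive script covering steps 2 to 4 that also checks that the key and certificate inside lighttpd.pem belong together (a mismatched ssl.pemfile stops lighttpd from starting) and shows which hostname the certificate covers. It assumes the openssl CLI (1.1.1 or newer, for -addext) is installed; the -subj values are constructed placeholders, and www.aaa.com is the server.name from step 5.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 2 to 4 without the
# interactive prompts, plus a consistency check of the combined pemfile.
# Assumes the openssl CLI (1.1.1+); the -subj fields are placeholders.
set -eu

# verify_pemfile FILE
# Returns 0 only if the private key and the certificate in FILE share the same
# public key. Catches a wrong "cat" order or a stale key before the service
# is restarted with a pemfile it cannot use.
verify_pemfile() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# make_lighttpd_pem DIR HOST
# Creates DIR/privkey.pem, DIR/cacert.pem and DIR/lighttpd.pem as in the post.
make_lighttpd_pem() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Step 2: 2048-bit RSA private key
    openssl genrsa -out "$dir/privkey.pem" 2048 2>/dev/null
    # Step 3, self-signed variant: -subj replaces the interactive DN prompts.
    # subjectAltName is added because browsers match the hostname against the
    # SAN rather than the Common Name, so a CN-only certificate is rejected.
    openssl req -new -x509 -days 3650 -key "$dir/privkey.pem" \
        -subj "/C=TW/O=Example/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -out "$dir/cacert.pem"
    # Step 4: ssl.pemfile wants key and certificate in one file (same order as
    # the post); it contains the private key, so restrict it to the owner.
    cat "$dir/privkey.pem" "$dir/cacert.pem" > "$dir/lighttpd.pem"
    chmod 600 "$dir/privkey.pem" "$dir/lighttpd.pem"
    verify_pemfile "$dir/lighttpd.pem"
}

# cert_san FILE -> prints the DNS names listed in the certificate's SAN
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}
```

Run it as make_lighttpd_pem /etc/lighttpd/ssl www.aaa.com before restarting lighttpd; a non-zero exit means the pemfile would be rejected.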

By tony
