Lighttpd - HTTPS(SSL)

 
1.建立存放私鑰及證書目錄 

#mkdir /etc/lighttpd/ssl
#cd /etc/lighttpd/ssl

 
2. 產生私鑰(Private key)
openssl genrsa -out privkey.pem 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
.........................................................................................................................+++
e is 65537 (0x10001)
 
3. 產生需求證書(CSR)
openssl req -new -key privkey.pem -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]:Catchlink
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) []:*.catchlink.com
Email Address []:[email protected]
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
這個命令將會生成一個證書請求,當然,用到了前面生成的金鑰privkey.pem檔案
這裡將生成一個新的檔cert.csr,即一個證書請求檔,你可以拿著這個檔去數位憑證頒發機構(即CA)申請一個數位憑證。CA會給你一個新的檔cacert.pem,那才是你的數位憑證。
 
如果是自己做測試,那麼證書的申請機構和頒發機構都是自己。就可以用下面這個命令來生成證書:
openssl req -new -x509 -days 3650 -key privkey.pem -out cacert.pem
這個命令將用上面生成的金鑰privkey.pem生成一個數位憑證cacert.pem
 
openssl req -new -x509 -days 3650 -key privkey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:TW
State or Province Name (full name) [Berkshire]:Taiwan
Locality Name (eg, city) [Newbury]:Taipei
Organization Name (eg, company) [My Company Ltd]: Catchlink
Organizational Unit Name (eg, section) []:MIS
Common Name (eg, your name or your server's hostname) []:*.catchlink.com
Email Address []:[email protected]
 # ls -l
total 12
-rw-r--r-- 1 root root 1663 Dec 25 08:22 cacert.pem
-rw-r--r-- 1 root root 1675 Dec 25 08:21 privkey.pem
 

4.將私鑰及證書整合一個file
# cat privkey.pem cacert.pem >lighttpd.pem
# ls -l
total 12
-rw-r--r-- 1 root root 1663 Dec 25 08:22 cacert.pem
-rw-r--r-- 1 root root 3338 Dec 25 08:24 lighttpd.pem
-rw-r--r-- 1 root root 1675 Dec 25 08:21 privkey.pem
#chmod  -R 600 /etc/lighttpd/ssl
 
5.編輯vhosts.conf檔案
# vi /etc/lighttpd/conf.d/vhosts.conf
$SERVER["socket"] == "192.168.11.201:443" {
        ssl.engine = "enable"
        ssl.pemfile = "/etc/lighttpd/ssl/lighttpd.pem"

        server.name = "www.aaa.com"
        server.document-root="/var/lighttpd/blog.aaa.com"
        server.errorlog="/var/log/lighttpd/blog.aaa.com.error.log"
        accesslog.filename="/var/log/lighttpd/blog.aaa.com.access.log"

}

 
https://192.168.11.201

點閱: 56

By tony

自由軟體愛好者~喜歡不斷的思考各種問題,有新的事物都會想去學習嘗試 做實驗並熱衷研究 沒有所謂頂天的技術 只有謙虛及不斷的學習 精進專業,本站主要以分享系統及網路相關知識、資源而建立。 Github http://stnet253.github.io

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料