这是在Mac上给Apache的localhost配置ssl的过程及指令。
配置SSL的环境:Apache 2.4.16,OSX El Capitan (10.11.2)
Apache SSL配置
1、在目录/etc/apache2/下新建ssl目录:
sudo mkdir /etc/apache2/ssl
2、生成两个主机密钥:
sudo openssl genrsa -out /etc/apache2/server.key 2048
sudo openssl genrsa -out /etc/apache2/ssl/localhost.key 2048
sudo openssl rsa -in /etc/apache2/ssl/localhost.key -out /etc/apache2/ssl/localhost.key.rsa
3、创建配置文件/etc/apache2/ssl/localhost.conf,添加内容如下:
[req]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = *.localhost
4、创建证书请求(Certificate Request)
sudo openssl req -new -key /etc/apache2/server.key -subj "/C=/ST=/L=/O=/CN=/emailAddress=/" -out /etc/apache2/server.csr
sudo openssl req -new -key /etc/apache2/ssl/localhost.key.rsa -subj "/C=/ST=/L=/O=/CN=localhost/" -out /etc/apache2/ssl/localhost.csr -config /etc/apache2/ssl/localhost.conf
- C=:ISO国家码简写
- ST=:州或省代码
- L=:城市或地区代码
- O=:组织
- CN=:Common Name
5、使用证书请求签名SSL证书:
sudo openssl x509 -req -days 365 -in /etc/apache2/server.csr -signkey /etc/apache2/server.key -out /etc/apache2/server.crt
sudo openssl x509 -req -extensions v3_req -days 365 -in /etc/apache2/ssl/localhost.csr -signkey /etc/apache2/ssl/localhost.key.rsa -out /etc/apache2/ssl/localhost.crt -extfile /etc/apache2/ssl/localhost.conf
6、添加SSL证书到钥匙串访问(Keychain Access):
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /etc/apache2/ssl/localhost.crt
Apache配置
1、编辑apache的主配置文件/etc/apache2/httpd.conf,开启支持SSL的模块:
LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache2/mod_ssl.so
2、启用安全(SSL / TLS)连接
Include /private/etc/apache2/extra/httpd-ssl.conf
Apache Virtual Host配置
编辑虚拟主机的配置/etc/apache2/extra/httpd-vhosts.conf,在文件末尾添加SSL指令:
<VirtualHost *:443>
ServerName localhost
DocumentRoot "/Library/WebServer/Documents"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/apache2/ssl/localhost.crt
SSLCertificateKeyFile /etc/apache2/ssl/localhost.key
<Directory "/Library/WebServer/Documents">
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
Require all granted
</Directory>
</VirtualHost>
最后重启apache
sudo apachectl restart
验证
在浏览器打开https://localhost验证配置。