呵呵，大C的SSL证书安上了

cnx

https://de.icn.name/tmp/
我的是apache的。

wzwen

贴下httpd.conf文件吧。。。

pmalc

有cpanel的话非常容易安装

cpuer

授人以渔吧

cnx

呵呵，我用的是webmin.

cnx

不知是否适用。

hx

wildcard证书就是帅啊，c大真好人。。。

cnx

1. #
   
2. #
   
3. 
   
4. LoadModule ssl_module modules/mod_ssl.so
   
5. 
   
6. #
   
7. # When we also provide SSL we have to listen to the
   
8. # the HTTPS port in addition.
   
9. #
   
10. Listen 443
    
11. 
    
12. ##
    
13. ##  SSL Global Context
    
14. ##
    
15. ##  All SSL configuration in this context applies both to
    
16. ##  the main server and all SSL-enabled virtual hosts.
    
17. ##
    
18. 
    
19. #
    
20. #   Some MIME-types for downloading Certificates and CRLs
    
21. #
    
22. AddType application/x-x509-ca-cert .crt
    
23. AddType application/x-pkcs7-crl    .crl
    
24. 
    
25. #   Pass Phrase Dialog:
    
26. #   Configure the pass phrase gathering process.
    
27. #   The filtering dialog program (`builtin' is a internal
    
28. #   terminal dialog) has to provide the pass phrase on stdout.
    
29. SSLPassPhraseDialog  builtin
    
30. 
    
31. #   Inter-Process Session Cache:
    
32. #   Configure the SSL Session Cache: First the mechanism
    
33. #   to use and second the expiring timeout (in seconds).
    
34. #SSLSessionCache        dc:UNIX:/var/cache/mod_ssl/distcache
    
35. SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
    
36. SSLSessionCacheTimeout  300
    
37. 
    
38. #   Semaphore:
    
39. #   Configure the path to the mutual exclusion semaphore the
    
40. #   SSL engine uses internally for inter-process synchronization.
    
41. SSLMutex default
    
42. 
    
43. #   Pseudo Random Number Generator (PRNG):
    
44. #   Configure one or more sources to seed the PRNG of the
    
45. #   SSL library. The seed data should be of good random quality.
    
46. #   WARNING! On some platforms /dev/random blocks if not enough entropy
    
47. #   is available. This means you then cannot use the /dev/random device
    
48. #   because it would lead to very long connection times (as long as
    
49. #   it requires to make more entropy available). But usually those
    
50. #   platforms additionally provide a /dev/urandom device which doesn't
    
51. #   block. So, if available, use this one instead. Read the mod_ssl User
    
52. #   Manual for more details.
    
53. SSLRandomSeed startup file:/dev/urandom  256
    
54. SSLRandomSeed connect builtin
    
55. #SSLRandomSeed startup file:/dev/random  512
    
56. #SSLRandomSeed connect file:/dev/random  512
    
57. #SSLRandomSeed connect file:/dev/urandom 512
    
58. 
    
59. #
    
60. # Use "SSLCryptoDevice" to enable any supported hardware
    
61. # accelerators. Use "openssl engine -v" to list supported
    
62. # engine names.  NOTE: If you enable an accelerator and the
    
63. # server does not start, consult the error logs and ensure
    
64. # your accelerator is functioning properly.
    
65. #
    
66. SSLCryptoDevice builtin
    
67. #SSLCryptoDevice ubsec
    
68. 
    
69. ##
    
70. ## SSL Virtual Host Context
    
71. ##
    
72. 
    
73. <VirtualHost _default_:443>
    
74. 
    
75. # General setup for the virtual host, inherited from global configuration
    
76. #DocumentRoot "/var/www/html"
    
77. #ServerName www.example.com:443
    
78. 
    
79. # Use separate log files for the SSL virtual host; note that LogLevel
    
80. # is not inherited from httpd.conf.
    
81. ErrorLog logs/ssl_error_log
    
82. TransferLog logs/ssl_access_log
    
83. LogLevel warn
    
84. 
    
85. #   SSL Engine Switch:
    
86. #   Enable/Disable SSL for this virtual host.
    
87. SSLEngine on
    
88. 
    
89. #   SSL Protocol support:
    
90. # List the enable protocol levels with which clients will be able to
    
91. # connect.  Disable SSLv2 access by default:
    
92. SSLProtocol all -SSLv2
    
93. 
    
94. #   SSL Cipher Suite:
    
95. # List the ciphers that the client is permitted to negotiate.
    
96. # See the mod_ssl documentation for a complete list.
    
97. SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    
98. 
    
99. #   Server Certificate:
    
100. # Point SSLCertificateFile at a PEM encoded certificate.  If
     
101. # the certificate is encrypted, then you will be prompted for a
     
102. # pass phrase.  Note that a kill -HUP will prompt again.  A new
     
103. # certificate can be generated using the genkey(1) command.
     
104. #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
     
105. SSLCertificateFile /etc/httpd/ssl/ssl.crt
     
106. 
     
107. #   Server Private Key:
     
108. #   If the key is not combined with the certificate, use this
     
109. #   directive to point at the key file.  Keep in mind that if
     
110. #   you've both a RSA and a DSA private key you can configure
     
111. #   both in parallel (to also allow the use of DSA ciphers, etc.)
     
112. #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
     
113. SSLCertificateKeyFile /etc/httpd/ssl/ssl.key
     
114. 
     
115. #   Server Certificate Chain:
     
116. #   Point SSLCertificateChainFile at a file containing the
     
117. #   concatenation of PEM encoded CA certificates which form the
     
118. #   certificate chain for the server certificate. Alternatively
     
119. #   the referenced file can be the same as SSLCertificateFile
     
120. #   when the CA certificates are directly appended to the server
     
121. #   certificate for convinience.
     
122. #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
     
123. #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
     
124. 
     
125. 
     
126. #   Certificate Authority (CA):
     
127. #   Set the CA certificate verification path where to find CA
     
128. #   certificates for client authentication or alternatively one
     
129. #   huge file containing all of them (file must be PEM encoded)
     
130. #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
     
131. #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
     
132. 
     
133. #   Client Authentication (Type):
     
134. #   Client certificate verification type and depth.  Types are
     
135. #   none, optional, require and optional_no_ca.  Depth is a
     
136. #   number which specifies how deeply to verify the certificate
     
137. #   issuer chain before deciding the certificate is not valid.
     
138. #SSLVerifyClient require
     
139. #SSLVerifyDepth  10
     
140. 
     
141. #   Access Control:
     
142. #   With SSLRequire you can do per-directory access control based
     
143. #   on arbitrary complex boolean expressions containing server
     
144. #   variable checks and other lookup directives.  The syntax is a
     
145. #   mixture between C and Perl.  See the mod_ssl documentation
     
146. #   for more details.
     
147. #<Location />
     
148. #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
     
149. #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
     
150. #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
     
151. #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
     
152. #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
     
153. #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
     
154. #</Location>
     
155. 
     
156. #   SSL Engine Options:
     
157. #   Set various options for the SSL engine.
     
158. #   o FakeBasicAuth:
     
159. #     Translate the client X.509 into a Basic Authorisation.  This means that
     
160. #     the standard Auth/DBMAuth methods can be used for access control.  The
     
161. #     user name is the `one line' version of the client's X.509 certificate.
     
162. #     Note that no password is obtained from the user. Every entry in the user
     
163. #     file needs this password: `xxj31ZMTZzkVA'.
     
164. #   o ExportCertData:
     
165. #     This exports two additional environment variables: SSL_CLIENT_CERT and
     
166. #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
     
167. #     server (always existing) and the client (only existing when client
     
168. #     authentication is used). This can be used to import the certificates
     
169. #     into CGI scripts.
     
170. #   o StdEnvVars:
     
171. #     This exports the standard SSL/TLS related `SSL_*' environment variables.
     
172. #     Per default this exportation is switched off for performance reasons,
     
173. #     because the extraction step is an expensive operation and is usually
     
174. #     useless for serving static content. So one usually enables the
     
175. #     exportation for CGI and SSI requests only.
     
176. #   o StrictRequire:
     
177. #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
     
178. #     under a "Satisfy any" situation, i.e. when it applies access is denied
     
179. #     and no other module can change it.
     
180. #   o OptRenegotiate:
     
181. #     This enables optimized SSL connection renegotiation handling when SSL
     
182. #     directives are used in per-directory context.
     
183. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
     
184. <Files ~ "\.(cgi|shtml|phtml|php3?)$">
     
185.     SSLOptions +StdEnvVars
     
186. </Files>
     
187. <Directory "/var/www/cgi-bin">
     
188.     SSLOptions +StdEnvVars
     
189. </Directory>
     
190. 
     
191. #   SSL Protocol Adjustments:
     
192. #   The safe and default but still SSL/TLS standard compliant shutdown
     
193. #   approach is that mod_ssl sends the close notify alert but doesn't wait for
     
194. #   the close notify alert from client. When you need a different shutdown
     
195. #   approach you can use one of the following variables:
     
196. #   o ssl-unclean-shutdown:
     
197. #     This forces an unclean shutdown when the connection is closed, i.e. no
     
198. #     SSL close notify alert is send or allowed to received.  This violates
     
199. #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
     
200. #     this when you receive I/O errors because of the standard approach where
     
201. #     mod_ssl sends the close notify alert.
     
202. #   o ssl-accurate-shutdown:
     
203. #     This forces an accurate shutdown when the connection is closed, i.e. a
     
204. #     SSL close notify alert is send and mod_ssl waits for the close notify
     
205. #     alert of the client. This is 100% SSL/TLS standard compliant, but in
     
206. #     practice often causes hanging connections with brain-dead browsers. Use
     
207. #     this only for browsers where you know that their SSL implementation
     
208. #     works correctly.
     
209. #   Notice: Most problems of broken clients are also related to the HTTP
     
210. #   keep-alive facility, so you usually additionally want to disable
     
211. #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
     
212. #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
     
213. #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
     
214. #   "force-response-1.0" for this.
     
215. SetEnvIf User-Agent ".*MSIE.*" \
     
216.          nokeepalive ssl-unclean-shutdown \
     
217.          downgrade-1.0 force-response-1.0
     
218. 
     
219. #   Per-Server Logging:
     
220. #   The home of a custom SSL log file. Use this when you want a
     
221. #   compact non-error SSL logfile on a virtual host basis.
     
222. CustomLog logs/ssl_request_log \
     
223.           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
     
224. 
     
225. </VirtualHost>                                 

复制代码

cnx

上面是webmin的ssl.conf文件。
我只改动了两处，其它的都没动。
你可以参考一下。

wzwen

ssl.crl文件我怎么没有呢。。。