windows下apache+https环境配置
1、修改配置文件conf/httpd.conf,去掉以下语句注释符号‘#’:
修改配置文件conf/extra/httpd-ssl.conf,把相应的选项改成如下:
2、配置php(php-5.6.30)
将php路径加入系统环境变量:
右击计算机 -> 属性 -> 高级系统设置 -> 高级 -> 环境变量 -> 用户变量 -> 新建环境变量。
变量名:PHP_HOME
变量值:D:\wamp\php-5.6.30
3、生成证书
3.1 cmd进入命令行模式,切换至apache的bin目录:cd D:\wamp\httpd-2.4.25\bin;
3.2 设置OPENSSL_CONFIG配置,执行命令:set OPENSSL_CONF=../conf/openssl.cnf
3.3 首先要生成服务端的私钥(key文件):openssl genrsa -des3 -out server.key 1024
3.4 生成server.csr,Certificate Signing Request(CSR),生成的csr文件交给CA签名后形成服务端自己的证书。屏幕上将有提示,依照其提示一步一步输入要求的个人信息即可。
openssl req -new -key server.key -out server.csr -config ../conf/openssl.cnf
3.5 对客户端也用同样的命令生成key及csr文件
openssl genrsa -des3 -out client.key 1024
openssl req -new -key client.key -out client.csr -config ../conf/openssl.cnf
3.6 CSR文件必须有CA的签名才可形成证书。可将此文件发送到verisign等地方由它验证,要交一大笔钱,何不自己做CA呢。
openssl req -new -x509 -keyout ca.key -out ca.crt -config ../conf/openssl.cnf
3.7 在bin目录下新建一个demoCA文件夹,进入它
新建newcerts文件夹,不需要进入
新建index.txt
新建serial,打开后输入01保存即可
3.8 用生成的CA的证书为刚刚生成的server.csr,client.csr文件签名:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key -config ../conf/openssl.cnf
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key -config ../conf/openssl.cnf
注:如果指令出现如下错误,进入demoCA,然后打开index.txt.attr,把unique_subject=no即可。
3.9 生成一个ca.pfx:
openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.pfx
3.10 导入证书
打开IE浏览器 -> 工具 -> Internet选项 -> 内容 -> 证书,按照提示导入ca.pfx,这里要输入刚才生成ca.pfx过程中输入的密码。
3.11 以上操作生成了
client使用的文件有: ca.crt, client.crt, client.key
server使用的文件有:ca.crt, server.crt, server.key
把ca.crt, server.crt, server.key复制到conf目录下去。
3.12 重启apache,访问https://127.0.0.1/index.php
3.15 如果出现以下错误
Starting the 'Apache2.4' service
The 'Apache2.4' service is running.
sl:emerg] [pid 8200:tid 500] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file D:/wamp/httpd-2.4.25/conf/server.key)
[Tue Mar 14 16:37:57.740113 2017] [ssl:emerg] [pid 8200:tid 500] AH02311: Fatal error initialising mod_ssl, exiting. See D:/wamp/httpd-2.4.25/logs/error.log for more information
[Tue Mar 14 16:37:57.740113 2017] [ssl:emerg] [pid 8200:tid 500] AH02564: Failed to configure encrypted (?) private key example:1443:0, check D:/wamp/httpd-2.4.25/conf/server.key
[Tue Mar 14 16:37:57.740113 2017] [ssl:emerg] [pid 8200:tid 500] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Mar 14 16:37:57.740113 2017] [ssl:emerg] [pid 8200:tid 500] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
[Tue Mar 14 16:37:57.740113 2017] [ssl:emerg] [pid 8200:tid 500] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Mar 14 16:37:57.740113 2017] [ssl:emerg] [pid 8200:tid 500] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
[Tue Mar 14 16:37:57.740113 2017] [ssl:emerg] [pid 8200:tid 500] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
[Tue Mar 14 16:37:57.740113 2017] [ssl:emerg] [pid 8200:tid 500] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Mar 14 16:37:57.740113 2017] [ssl:emerg] [pid 8200:tid 500] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
AH00016: Configuration Failed
这就是说windows不支持加密密钥,还记得生成server.key输入的密码吗?就是这个地方的错误,现在取消它。
openssl rsa -in server.key -out server.key
把生成的server.key复制到conf目录下覆盖原来的。
5.参考资料
http://blog.csdn.net/wlmnzf/article/details/50244409
http://blog.csdn.net/decajes/article/details/41706739
windows下配置apache+https
1. 修改conf/httpd.conf
2. 生成证书
2.1 设置OPENSSL_CONFIG配置
2.2 生成服务端的key文件
2.3 生成签署申请
2.4 生成CA的key文件
2.5 生成CA自签署证书
2.6 生成CA的服务器签署证书
3. 修改conf/extra/httpd-ssl.conf文件
3.1 修改https端口号
3.2 修改相关证书路径
4. 重启apache
5. 项目部署方式
5.1 以https的方式部署项目
- <VirtualHost *:6443>
- ServerName localhost
- DocumentRoot D:/javapro/bms
- SSLEngine on
- SSLProxyEngine on
- SSLCertificateFile "D:/myplatform/Apache2.2/conf/key/server.crt"
- SSLCertificateKeyFile "D:/myplatform/Apache2.2/conf/key/server.key"
- <Directory "/">
- Options None
- AllowOverride All
- Order allow,deny
- Allow From All
- </Directory>
- </VirtualHost>
5.2 以反向代理的方式部署项目
5.2.1 以二级目录的方式部署反向代理
- <VirtualHost *:80>
- ServerName local.bms
- DocumentRoot "D:/javapro/bms"
- Alias /bms "D:/javapro/bms"
- <Directory "/">
- Options None
- AllowOverride All
- Order allow,deny
- Allow From All
- </Directory>
- </VirtualHost>
- <VirtualHost *:6443>
- ServerName localhost
- SSLEngine on
- SSLProxyEngine on
- SSLCertificateFile "D:/myplatform/Apache2.2/conf/key/server.crt"
- SSLCertificateKeyFile "D:/myplatform/Apache2.2/conf/key/server.key"
- ProxyRequests Off
- <Proxy *>
- Order allow,deny
- Allow from all
- </Proxy>
- ProxyPass /bms http://local.bms/bms
- ProxyPassReverse /bms http://local.bms/bms
- </VirtualHost>
5.2.2 以一级目录的方式部署反向代理
- <VirtualHost *:80>
- ServerName local.bms
- DocumentRoot "D:/javapro/bms"
- <Directory "/">
- Options None
- AllowOverride All
- Order allow,deny
- Allow From All
- </Directory>
- </VirtualHost>
- <VirtualHost *:6443>
- ServerName localhost
- SSLEngine on
- SSLProxyEngine on
- SSLCertificateFile "D:/myplatform/Apache2.2/conf/key/server.crt"
- SSLCertificateKeyFile "D:/myplatform/Apache2.2/conf/key/server.key"
- ProxyRequests Off
- <Proxy *>
- Order allow,deny
- Allow from all
- </Proxy>
- ProxyPass / http://local.bms/
- ProxyPassReverse / http://local.bms/
- </VirtualHost>