namecheap.com is a long-established domain registrar. It recently launched a promotion on its site: register a domain for $9.96 and get WhoisGuard plus a free PositiveSSL certificate. Installing this PositiveSSL certificate sent me down quite a few wrong paths, so here is the rough procedure on CentOS 5.3 + Apache + OpenSSL:

Step 1: Generate the CSR
Run

    openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out myserver.csr

    You will now be asked to enter details to be entered into your CSR.
    What you are about to enter is what is called a Distinguished Name or a DN.
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

    Country Name (2 letter code) [AU]: GB    (country)
    State or Province Name (full name) [Some-State]: Yorks    (state or province)
    Locality Name (eg, city) []: York    (city)
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd    (company name)
    Organizational Unit Name (eg, section) []:    (department)
    Common Name (eg, YOUR name) []: www.xxx.com    (the site the SSL certificate is for; make sure you get this right)
    Email Address []:    (e-mail address, optional)

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:    (leave it blank to keep things simple)
    An optional company name []:    (leave it blank to keep things simple)

This produces two files: myserver.key is the private key and myserver.csr is the CSR. Open the CSR file with

    nano myserver.csr

copy its contents, and submit them on the relevant page at namecheap.com.

A few hours after you submit, namecheap.com e-mails the certificates to you. The e-mail has four certificates attached: AddTrustExternalCARoot.crt, UTNAddTrustServerCA.crt, PositiveSSLCA.crt, www_xxx_com.crt

Root certificate: AddTrustExternalCARoot.crt
Intermediate 1: UTNAddTrustServerCA.crt
Intermediate 2: PositiveSSLCA.crt
Your certificate: www_xxx_com.crt

Step 2: Installation
Run

    cat PositiveSSLCA.crt UTNAddTrustServerCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle

to merge the three CA certificates into a single file, yourDomain.ca-bundle.
Edit the Apache configuration httpd.conf and add three lines:

    SSLCertificateFile /etc/ssl/crt/www_xxx_com.crt
    SSLCertificateKeyFile /etc/ssl/crt/myserver.key
    SSLCertificateChainFile /etc/ssl/crt/yourDomain.ca-bundle
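An added example, not part of the original post: a shell check, run before restarting Apache, that the private key matches the issued certificate and that the certificate chains up through the merged bundle. The function names (pubkey_digest, check_ssl_files, make_demo_chain) and the www.example.test chain are constructed for illustration; with the real files you would call check_ssl_files myserver.key www_xxx_com.crt yourDomain.ca-bundle.

```shell
#!/bin/bash
# Added example (not from the original post). File names follow the article;
# the chain built by make_demo_chain is constructed test data.

# Digest of the public key inside a private key, CSR or certificate.
pubkey_digest() {   # usage: pubkey_digest key|csr|cert FILE
    case "$1" in
        key)  pub=$(openssl rsa  -in "$2" -pubout 2>/dev/null) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    pub= ;;
    esac
    [ -n "$pub" ] || return 1   # unreadable file: never report a match
    printf '%s\n' "$pub" | openssl dgst -sha256
}

# Check that KEY belongs to CERT and that CERT chains up through BUNDLE.
check_ssl_files() {   # usage: check_ssl_files KEY CERT BUNDLE
    k=$(pubkey_digest key "$1")  || { echo "cannot read key"; return 2; }
    c=$(pubkey_digest cert "$2") || { echo "cannot read certificate"; return 2; }
    [ "$k" = "$c" ] || { echo "key and certificate do not match"; return 1; }
    # Match on the ": OK" line rather than relying on the exit status alone.
    openssl verify -CAfile "$3" "$2" 2>/dev/null | grep -q ': OK$' ||
        { echo "certificate does not chain to the bundle"; return 1; }
    echo "ok"
}

# Build a throwaway root -> intermediate -> server chain in DIR for testing.
make_demo_chain() {   # usage: make_demo_chain DIR
    ( cd "$1" && echo 'basicConstraints=CA:TRUE' > ca.ext &&
      openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=Constructed Root" \
          -keyout root.key -out root.crt &&
      openssl req -nodes -newkey rsa:2048 -subj "/CN=Constructed Intermediate" \
          -keyout int.key -out int.csr &&
      openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
          -extfile ca.ext -days 1 -out int.crt &&
      openssl req -nodes -newkey rsa:2048 -subj "/CN=www.example.test" \
          -keyout myserver.key -out myserver.csr &&
      openssl x509 -req -in myserver.csr -CA int.crt -CAkey int.key -CAcreateserial \
          -days 1 -out www_example_test.crt &&
      openssl genrsa -out other.key 2048 &&
      cat int.crt root.crt > yourDomain.ca-bundle ) >/dev/null 2>&1
}
```

A bundle that leaves out an intermediate fails the chain check, which is the same gap that makes clients reject the site when SSLCertificateChainFile is incomplete.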
...