Try   HackMD

Apache SSL 憑證申請安裝

Table of Contents

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
建立私鑰 RSA 2048 、 產生憑證請求檔(CSR)、完成申請安裝

建立私鑰 Server.key

OpenSSL 工具

Download

● Linux:

sudo apt-get install openssl

● Windows (Chocolatey):

choco install openssl

● Windows (Scoop):

scoop install openssl

參考文獻: LinuxWindows

Location & Version

預設下載位置在 /usr/local/ssl/bin

find /-name openssl -print #找出工具安裝位置

● 查詢openssl 版本

openssl version

建議使用 ver.1.0.2beta之後版本,1.0.1~1.0.2 受到 Heartbleed Bug 影響

建立Server.key 私鑰檔案

1. 產生RSA 私鑰

openssl genrsa -des3 -out server.key 2048

genrsa: 表示產生 RSA 金鑰的操作。
-des3: 表示使用 3DES 加密演算法對產生的私密金鑰進行加密,並要求使用者輸入密碼來保護私密金鑰。
-out server.key: 指定產生的私鑰的輸出檔名為 server.key
2048: 指定產生的RSA 金鑰的長度為 2048 位元。 #國際密碼學規範需使用2048bits以上金鑰

OpenSSL 會產生一個有密碼保護的 RSA 私鑰檔案server.key,並使用 3DES 演算法對私鑰進行加密。產生金鑰後會要求輸入密碼(PEM pass phase)

Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

以後使用私鑰時都會需要輸入。

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

2. 產生憑證請求檔(CSR)

憑證請求檔(CSR)通常會發送給證書頒發機構(CA) 以獲取相應的數位證書,以便在伺服器上使用 HTTPS 等安全協定。

openssl req -new -key server.key -out certrequest.txt

openssl: OpenSSL 工具的命令列工具。
req: 表示產生憑證簽發要求的操作。
-new: 表示建立一個新的憑證要求。
-key server.key: 指定私鑰檔案 server.key 用於產生憑證請求。
-out certrequest.txt: 指定產生的憑證要求的輸出檔案名稱 certrequest.txt。

產出過程中需要進行身分驗證:

Country Name (2 letter code) [AU]: 國家名稱 (ex.TW)
State or Province Name (full name) [Some-State]: 州或省的名稱 (ex.Taiwan)
Locality Name (eg, city) []: 城市名稱 (ex.Taipei)
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 組織名稱 (ex.Google)
Organizational Unit Name (eg, section) []: 部門名稱 (ex.Information)
Common Name (e.g. server FQDN or YOUR name) []: 網域名稱 (ex. www.google.com)
Email Address []: 電子信箱 (ex. yahoo@gmail.com)

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 若不需要按Enter
An optional company name []: 若不需要按Enter
  1. 查看 RSA 內容
openssl req -noout -text -in certrequest.txt

會列出

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = TW, ST = Taiwan, L = Taipei, O = Google, OU = Information, CN = www.google.com, emailAddress = yahoo@gmail.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ce:5d:40:84:dc:82:bd:25:43:bb:cf:57:26:3b:
                    d0:67:af:71:0a:cd:54:53:ca:f9:a7:e7:f0:82:78:
                    ~~
等等

將certrequest.txt 送至證書頒發機構(CA)

依照證書頒發機構填寫 個人/公司/法人 資料 如中華電信:

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →
Reference: https://publicca.hinet.net/documents.htm

根憑證/中繼憑證 安裝設定

在取得 CA 認證的 Public CA 簽發憑證後

取得 eCA自簽憑證 (根憑證 ROOTeCA)

中華電信公開金鑰基礎建設: 中華電信自簽憑證

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

取得 Public CA 憑證鏈 (中繼CA憑證)

中華電信公開金鑰基礎建設: 中華電信自身通用憑證

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

匯出 ROOTeCA(根憑證) & Public CA(中繼CA憑證)

1. PublicCA2_64 > 詳細資料 > 簽發者

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

複製到檔案

2. 憑證匯出精靈

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

下一步(N)

3. 匯出格式設定

image

選擇

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
密碼編譯訊息語法標準- PKCS #7 憑證 (.P7B)
勾選
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
如果可能的話,包含憑證路徑中的所有憑證

4. 另存 .P7B 檔

image

存檔

image

5. 完成憑證匯出

image

已成功匯出並串聯 ROOTeCA(根憑證) & Public CA(中繼CA憑證)

image

Apache 憑證匯入 & 設定

1. 將已匯出的 .P7B 匯入Apache

將完成匯出的 .P7B 複製到 Apache Server

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
使用FTP需要以Binary格式傳輸

2. Apache console

2.1 格式轉換

原憑證(.P7B檔)為 DER encode,需要轉換成 PEM encode (Base64)

openssl pkcs7 -in eCA_PublicCA.p7b -inform DER -print_certs -out eCA_PublicCA.pem

openssl: OpenSSL 工具的命令列工具。
pkcs7: 表示 PKCS#7 相關操作。
-in eCA_PublicCA.p7b: 指定輸入的 PKCS#7 檔案名為 eCA_PublicCA.p7A。
-inform DER: 指定輸入檔的格式為DER 格式。PKCS#7 檔案可以以 DER 或 PEM 格式儲存。
-print_certs: 指示輸出列印 PKCS#7 檔案中所包含的憑證。
-out eCA_PublicCA.pem: 指定輸出檔案的檔案名為eCA_PublicCA.pem,並將憑證以 PEM 格式儲存。

image

2.2 將產出的PEM encode 憑證移置/apache/conf/ssl.crt

● Linux:

cp eCA_PublicCA.pem C:\xampp\apache\conf\ssl.crt\ca.crt

● Windows:

copy eCA_PublicCA.pem C:\xampp\apache\conf\ssl.crt\ca.crt

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
C:\xampp\apache\conf\ssl.crt 依照自己 Apache 不同環境選擇不同資料夾

3 編輯 ssl.conf 中的 SSLCertificateChainFile

編輯 httpd-ssl.conf 設定檔

vi ~apache/conf/extra/httpd-ssl.conf

httpd-ssl 會根據不同環境存在不同的資料夾中 (大多都在 apache\conf 資料夾底下)









#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile "conf/ssl.crt/server.crt"
#   certificate for convenience.
SSLCertificateChainFile "/conf/ssl.crt/{your CA.CRT file}"
#上步驟申請的ca.crt

將 SSLCertificateChainFile 取消註解,加入上步驟產出的CA.CRT路徑

SSL伺服器憑證安裝

1. server.cer格式轉換

若收到的 CA 簽發的 cer 檔為 PEM encode,則可忽略此步驟1。
驗證方式: 使用文字編輯器開啟 cer 檔
1.顯示亂碼: DER encode
2.顯示 BEGIN CERTIFICATE 開頭: PEM encode

原憑證(.cer)為 DER encode,需要轉換成 PEM encode (Base64)

openssl x509 -in server.cer -inform DER -out server.pem

openssl: OpenSSL 工具的命令列工具。
x509: 表示 X.509 相關操作。
-in server.cer: 指定輸入的 X.509 憑證檔案名稱 server.cer。
-inform DER: 指定輸入檔的格式為DER 編碼。X.509 憑證可以以 DER 或 PEM 格式儲存。
-out server.pem: 指定輸出檔案的檔案名為 server.pem,並將憑證以 PEM 格式儲存。

2. 將產出的.cer/.PEM 憑證移置/apache/conf/ssl.crt

● Linux (.cer):

cp server.cer C:\xampp\apache\conf\ssl.crt\server.crt

● Windows (.cer):

copy server.cer C:\xampp\apache\conf\ssl.crt\server.crt

● Linux (.pem):

cp server.pem C:\xampp\apache\conf\ssl.crt\server.crt

● Windows (.pem):

copy server.pem C:\xampp\apache\conf\ssl.crt\server.crt

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
C:\xampp\apache\conf\ssl.crt 依照自己 Apache 不同環境選擇不同資料夾

image

3. 編輯 ssl.conf

3.1 編輯 ssl.conf 中的 SSLCertificateFile

編輯 httpd-ssl.conf 設定檔

vi ~apache/conf/extra/httpd-ssl.conf

httpd-ssl 會根據不同環境存在不同的資料夾中 (大多都在 apache\conf 資料夾底下)














#   Server Certificate:
#   Point SSLCertificateFile "conf/ssl.crt/server.crt"
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile "conf/ssl.crt/{your CRT file}" 
#上步驟申請的server.crt
#SSLCertificateFile "conf/ssl.crt/server.crt"

將 SSLCertificateFile 編輯成上步驟產出的 SERVER.CRT 路徑

3.1 編輯 ssl.conf 中的 SSLCertificateKeyFile

將步驟 1. 產生RSA 私鑰 產生的 server.key 複製到 /apache/conf/ssl.key 下

編輯 httpd-ssl.conf 設定檔

vi ~apache/conf/extra/httpd-ssl.conf

httpd-ssl 會根據不同環境存在不同的資料夾中 (大多都在 apache\conf 資料夾底下)










#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "conf/ssl.key/{your Private key}"
#SSLCertificateKeyFile "conf/ssl.key/server.key"
#SSLCertificateKeyFile "conf/ssl.key/server.key"

將 SSLCertificateKeyFile 編輯成匯入的 SERVER.KEY 路徑

若伺服器無法重啟遇到以下相關ERROR,無法重啟:
AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/xampp/apache/conf/ssl.key/{your Private key})
AH02311: Fatal error initialising mod_ssl, exiting. See C:/xampp/apache/logs/error.log for more information
AH02564: Failed to configure encrypted (?) private key www.example.com:443:0, check C:/xampp/apache/conf/ssl.key/{your Private key}
SSL Library Error: error:04800068:PEM routines::bad password read You entered an incorrect pass phrase!?
SSL Library Error: error:1E08010C:DECODER routines::unsupported (No supported data to decode. Input type: DER, Input structure: type-specific)
SSL Library Error: error:068000A8:asn1 encoding routines::wrong tag
SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error
SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error (Field=version, Type=RSAPrivateKey)
SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error (Field=version, Type=PKCS8_PRIV_KEY_INFO)
SSL Library Error: error:1E08010C:DECODER routines::unsupported (No supported data to decode. Input type: DER, Input structure: type-specific)
SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error (Type=RSAPrivateKey)
SSL Library Error: error:0688010A:asn1 encoding routines::nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

可能是 SSL 金鑰格式錯誤。先確保 SSL 金鑰檔案是正確的 PEM 格式,並且密碼 pass phrase 正確。 可使用以下 command,轉換 key 格式 (CER > PEM)

openssl rsa -inform DER -outform PEM -in C:/xampp/apache/conf/ssl.key/server.key -out C:/xampp/apache/conf/ssl.key/server.pem

重啟 Apache (完成安裝)

/apache/bin/apachectl stop
/apache/bin/apachectl start

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
確認伺服器&防火牆有開啟對應的 HTTPS PORT (443)

重啟後瀏覽伺服器,確認完成SSL安裝

image

Note

若憑證過期需更換,請參考: Apache SSL 憑證更換

Apache SSL 憑證更換

tags: Apache SSL TLS
Last changed by 
CHW
Github: https://github.com/Chw41
0
1180

Read more

[OSCP, PEN-200] Cheat Sheet

[OSCP, PEN-200] Cheat Sheet Table of Contents Recon IP Nmap nmap -sC -sV -T4 {IP}\ sudo nmap -sS {IP}\ All ports: nmap -p- {IP}

May 8, 2025
[OSCP, PEN-200] Proving Grounds Practice - Windows

[OSCP, PEN-200] Proving Grounds Practice - Windows Table of Contents Algernon image Solution 1. Recon 1.1 Nmap ┌──(chw㉿CHW)-[~]

May 6, 2025
[OSCP, PEN-200] Proving Grounds Practice - Active Directory

[OSCP, PEN-200] Proving Grounds Practice - Active Directory Table of Contents Resourced image Solution 1. Recon 1.1 Nmap ┌──(chw㉿CHW)-[~/Resourced]

May 6, 2025
[OSCP, PEN-200] Proving Grounds Play - Linux

Blogger

May 6, 2025
Read more from CHW
Published on HackMD