---
title: SSL Domain Certificate Installation Guide
tags: domain certificate
---

SSL Domain Certificate Installation Guide
===

[TOC]

# Apache 2.4 Certificate Installation

## 1. Confirm that you have the generated Apache certificate files and have placed them in a path the server can read

![](https://i.imgur.com/YbsFnvP.jpg)
![](https://i.imgur.com/2FIuwUW.jpg)

## 2. Configure httpd.conf

1. The mod_ssl.so module must be loaded and enabled

```apacheconf=
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
# This line:
LoadModule ssl_module modules/mod_ssl.so
```

2. Include the additional httpd-ssl.conf configuration file

```apacheconf=
# Secure (SSL/TLS) connections
# This line:
Include conf/extra/httpd-ssl.conf
#
# Note: The following must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
```

## 3. Configure httpd-ssl.conf

1. Set the listening port to 443

```apacheconf=
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# This line:
Listen 443
```

2. Turn SSL on so that SSL transport applies globally (to each virtual host)

```apacheconf=
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
# This line:
SSLEngine on
```

3. Set the certificate directives:
   * SSLCertificateFile: points to the end-entity certificate
   * SSLCertificateKeyFile: points to the private key
   * SSLCertificateChainFile: points to the intermediate certificate

```apacheconf=
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
# This line (ssl憑證資料夾路徑 is a placeholder for the SSL certificate directory):
SSLCertificateFile "ssl憑證資料夾路徑/server.cer"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
# This line:
SSLCertificateKeyFile "ssl憑證資料夾路徑/ncutserver.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
# This line:
SSLCertificateChainFile "ssl憑證資料夾路徑/uca.cer"
```

:::warning
* **Remember to restart the Apache server after completing the configuration**
:::

# IIS 8.0 and IIS 8.5 Certificate Installation

## 1. Confirm that you have the generated IIS certificate file

![](https://i.imgur.com/nAhU0Hy.jpg)
![](https://i.imgur.com/I65gL62.jpg)

## 2. Import the pfx certificate file into the IIS server

1. Open IIS Manager and click the server icon on the left
![](https://i.imgur.com/RkKVDH6.png)
2. Right-click the "Server Certificates" item and choose "Open Feature"
![](https://i.imgur.com/5hgyqe0.png)
3. Click "Import" in the Actions pane on the right
![](https://i.imgur.com/jAWxmao.png)
4. Select the IIS certificate file downloaded earlier and import it
![](https://i.imgur.com/9vWj2Ip.png)
5. Press F5 to refresh; an entry for `*.ncut.edu.tw` appears
![](https://i.imgur.com/ekYUVl1.png)

## 3. Bind the SSL certificate to the site

1. Select the site on the left and choose "Bindings" in the Actions pane on the right
![](https://i.imgur.com/9VJFOPI.png)
2. In "Site Bindings", click "Add"
![](https://i.imgur.com/dEDajdK.png)
3. Select https as the type, select `*.ncut.edu.tw` as the SSL certificate, and click OK to finish the configuration.
![](https://i.imgur.com/jR68MCR.png)

<!-- :::info -->
<!-- <div>
    <p style="float: left;width:50%;text-align:left;">Reference: IIS匯入SSL.docx</p>
    <p style="float: left;width:50%;text-align:right;">Written by <strong>李佳玲</strong></p>
</div> -->
<!-- <div style="clear: both;"></div> -->
<!-- ::: -->

# Nginx Certificate Installation

## 1. Confirm that you have the generated Nginx certificate files and have placed them in a path the server can read

![](https://i.imgur.com/HFYIfep.png)
![](https://i.imgur.com/svmvETX.png)

## 2. Configure Nginx.conf

1. Set the listening port to 443
2. Set the certificate directives:
   * ssl_certificate: points to the end-entity certificate together with the intermediate certificate
   * ssl_certificate_key: points to the private key

```nginx=
# HTTPS server
server {
    listen       443 ssl;                                      # item 1
    server_name  test.ncut.edu.tw;

    # ssl憑證資料夾路徑 is a placeholder for the SSL certificate directory
    ssl_certificate      "ssl憑證資料夾路徑/server.pem";        # item 2
    ssl_certificate_key  "ssl憑證資料夾路徑/ncutserver.key";    # item 2

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    # Obsolete protocols (SSLv3, TLSv1, TLSv1.1) stay disabled;
    # TLSv1.3 requires nginx 1.13.0+ built against OpenSSL 1.1.1+
    ssl_protocols  TLSv1.2 TLSv1.3;
    # Strong suites only: no anonymous, export, RC4 or LOW ciphers
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}
```

:::warning
* **Remember to restart the Nginx server after completing the configuration**
:::

# SSL Certificate Installation Manuals for Other Servers

* [SSL Server Digital Certificate: Apache 2.2 Server Operation Manual V1.3.pdf](<https://cc.ncut.edu.tw/var/file/32/1032/img/230/444133220.pdf>)
* [SSL Server Digital Certificate: Apache 2.4 Server Operation Manual V1.0.pdf](<https://cc.ncut.edu.tw/var/file/32/1032/img/230/122098698.pdf>)
* [SSL Server Digital Certificate: IIS 6.0 Operation Manual V3.3.pdf](<https://cc.ncut.edu.tw/var/file/32/1032/img/230/402591621.pdf>)
* [SSL Server Digital Certificate: IIS 7.0 and 7.5 Operation Manual V1.1.pdf](<https://cc.ncut.edu.tw/var/file/32/1032/img/230/752407146.pdf>)
* [SSL Server Digital Certificate: IIS 8.0 and 8.5 Operation Manual V1.0.pdf](<https://cc.ncut.edu.tw/var/file/32/1032/img/230/795040364.pdf>)
* [SSL Server Digital Certificate: IIS 10.0 Operation Manual V5.0.pdf](<https://cc.ncut.edu.tw/var/file/32/1032/img/230/285432942.pdf>)
* [SSL Server Digital Certificate: Nginx Operation Manual V5.1.pdf](<https://cc.ncut.edu.tw/var/file/32/1032/img/230/912487002.pdf>)
* [SSL Server Digital Certificate: Tomcat 6.0 Server Operation Manual V5.0.pdf](<https://cc.ncut.edu.tw/var/file/32/1032/img/230/284109962.pdf>)
* [SSL Server Digital Certificate: Tomcat 8.5 Server Operation Manual V5.1.pdf](<https://cc.ncut.edu.tw/var/file/32/1032/img/230/873213831.pdf>)
* [SSL Server Digital Certificate: Resin Operation Manual V5.0.pdf](<https://cc.ncut.edu.tw/var/file/32/1032/img/230/523145230.pdf>)

# References

- [Apache 2.2 SSL Operations Guide](https://geotrust.cloudmax.com.tw/guide/install_apache.asp)
- [httpd/httpd-ssl.conf.in at 2.4.x · apache/httpd · GitHub](https://github.com/apache/httpd/blob/2.4.x/docs/conf/extra/httpd-ssl.conf.in)
- [httpd/httpd.conf.in at 2.4.x · apache/httpd · GitHub](https://github.com/apache/httpd/blob/2.4.x/docs/conf/httpd.conf.in)
- [Module ngx_http_ssl_module](http://nginx.org/en/docs/http/ngx_http_ssl_module.html)
- [Configuring HTTPS servers](http://nginx.org/en/docs/http/configuring_https_servers.html)
- [nginx/nginx.conf at master · nginx/nginx · GitHub](https://github.com/nginx/nginx/blob/master/conf/nginx.conf)
- [Nginx Security – 1 | Clay's DevOps Notes](https://www.claytontan.net/2020/01/09/nginx-%E5%AE%89%E5%85%A8%E6%80%A7-security-%E4%B8%80/)
- [Installing a TWCA Certificate on Apache and Nginx - Alvin Chen Club](http://www.alvinchen.club/2018/09/27/apache-nginx%E4%B8%8A%E5%AE%89%E8%A3%9D-twca%E6%86%91%E8%AD%89/)
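
The `ssl_protocols` and `ssl_ciphers` directives in the Nginx server block decide which protocol versions and cipher suites the installed certificate is served over, so they are worth checking before the restart. The Python check below is an added example, not part of the original guide or of nginx; the function name, the keyword sets and both sample configurations are assumptions constructed for illustration.

```python
import re

# Protocol names accepted by ssl_protocols that are obsolete.
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string keywords that enable weak or anonymous suites.
# ALL is listed because it pulls in every suite except eNULL.
RISKY_KEYWORDS = {"ALL", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "RC4",
                  "DES", "3DES", "MD5", "NULL", "eNULL", "aNULL", "ADH", "AECDH"}
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;#]+);")

# Constructed sample inputs (not taken from a real server).
SAMPLE_WEAK = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
}
"""
SAMPLE_HARDENED = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""


def audit_nginx_tls(conf_text):
    """Return (line_no, directive, token) for every weak TLS setting found."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)  # commented-out lines never match
        if not match:
            continue
        directive, value = match.group(1), match.group(2).strip().strip("\"'")
        if directive == "ssl_protocols":
            weak = [p for p in value.split() if p in OBSOLETE_PROTOCOLS]
        else:
            # '!' and '-' remove suites and a leading '+' only reorders them,
            # so only unprefixed tokens can enable anything.
            tokens = [t for t in re.split(r"[:, ]+", value) if t and t[0] not in "!-+"]
            # 'RC4+RSA' means RC4 AND RSA: risky if any component is risky.
            weak = [t for t in tokens if RISKY_KEYWORDS & set(t.split("+"))]
        findings += [(line_no, directive, item) for item in weak]
    return findings


if __name__ == "__main__":
    for finding in audit_nginx_tls(SAMPLE_WEAK):
        print(finding)
```

An empty result means no listed keyword was enabled; it does not replace testing the running server with a TLS scanner after the restart.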