Can I use one SSLCertificateFile for all VirtualHosts instead of creating a separate SSLCertificateFile for each VirtualHost?

Published 2024-10-10 00:10:05

I have many Apache VirtualHosts for each of which I use a dedicated SSLCertificateFile.

This is a configuration example of a VirtualHost:

<VirtualHost *:443>

    ServerName subdomain.domain.localhost

    DocumentRoot "/Users/<my_user_name>/Sites/users/public"
    RackEnv development

    <Directory "/Users/<my_user_name>/Sites/users/public">
      Order allow,deny
      Allow from all
    </Directory>

    # SSL Configuration
    SSLEngine on

    # Self-signed certificates
    SSLCertificateFile /private/etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /private/etc/apache2/ssl/server.key
    SSLCertificateChainFile /private/etc/apache2/ssl/ca.crt

</VirtualHost>

Since I am maintaining more Ruby on Rails applications using Passenger Preference Pane, this is a part of the apache2 httpd.conf file:

<IfModule passenger_module>
  NameVirtualHost *:80
  <VirtualHost *:80>
    ServerName _default_
  </VirtualHost>
  Include /private/etc/apache2/passenger_pane_vhosts/*.conf
</IfModule>

Can I use a single SSLCertificateFile for all my VirtualHosts (I have heard of wildcards) instead of creating one of it for each VirtualHost? If so, how can I change the files listed above?

Comments (2)

若沐 2024-10-17 00:10:05

So you have two things to solve; how to get a cert (pub/priv) that works for all your hosts -and then next - how to arrange the vHosts and the use of strategic includes. (I am ignoring the SNI option here - do read up on that though).

For the first - you roughly have three options - a wildcard cert (i.e. *.foo.bar.com), a cert with multiple CN's in the DN (E.g. "CN=foo.com, CN=bar.com, L=London..") or a cert with 1 or more Subject Alternative Names containing DNS names (http://playnice.ly/blog/2011/01/03/multi-domain-ucc-ssl-certificates-on-nginx-with-1-ip-address/). The latter two are good when you have just a handful of vhosts (but they can have any name; so no wildcard limits). While the wildcard is your only option when you have 10's to 100's of domains - but the downside is that they have to have a similar leaf name (though you'd be surprised how 'easy' it is to get a *.com issued by accident).

Once you have one of these beasts - simply include it on server level.

So next up is how to splice things from thereon - what you need here is the same setup as for an SNI host (see docs or http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI).

To make your life easy - you could consider using 'include' snippets - or, worst case, generate the config with a small shell script (or go all out - you can include perl and the output it generates 'virtually' on the fly!).

Dw.
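The answer above turns on two checks that are easy to get wrong by hand: whether the names the certificate carries (SAN entries, possibly a wildcard) actually cover every ServerName and ServerAlias in the 443 vhosts, and whether any vhost still carries its own SSLCertificate* directives, which would override the single server-level certificate. The script below is an added example, not code from the question or either answer: it parses a constructed vhost snippet in the style of the question (hypothetical host names), takes a constructed SAN list of the kind you would read off with `openssl x509 -in server.crt -noout -ext subjectAltName`, and applies the usual wildcard rules (the `*` must be the whole leftmost label, it matches exactly one label, it does not match the bare domain, and a wildcard directly under the top-level label is refused). It reports the names a single certificate would not cover and the vhosts that would still shadow it.

```python
"""Pre-flight check: will one certificate cover every name-based SSL vhost?"""
import re

# Constructed sample vhosts (hypothetical names, not the asker's real hosts).
# The first one still carries its own certificate directives, as in the question.
VHOST_CONF = """
<VirtualHost *:443>
    ServerName www.example.localhost
    ServerAlias example.localhost
    SSLEngine on
    SSLCertificateFile /private/etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /private/etc/apache2/ssl/server.key
</VirtualHost>

<VirtualHost *:443>
    ServerName api.example.localhost
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    ServerName deep.api.example.localhost
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    ServerName shop.other.localhost
    SSLEngine on
</VirtualHost>
"""

# Constructed SAN list for the one certificate we intend to put at server level,
# i.e. what "openssl x509 -noout -ext subjectAltName" would print for it.
CERT_SANS = ["example.localhost", "*.example.localhost"]

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", re.M | re.I)
CERT_RE = re.compile(r"^\s*SSLCertificate(?:File|KeyFile|ChainFile)\b", re.M | re.I)


def parse_vhosts(text):
    """Return [(hostnames, has_own_cert_directives)] for each <VirtualHost> block."""
    result = []
    for body in VHOST_RE.findall(text):
        names = []
        for value in NAME_RE.findall(body):
            # ServerName may carry scheme/port (https://host:443);
            # ServerAlias may list several names on one line.
            for token in value.split():
                host = token.split("://")[-1].split(":")[0]
                names.append(host.lower().rstrip("."))
        result.append((names, bool(CERT_RE.search(body))))
    return result


def san_matches(pattern, hostname):
    """Hostname matching as TLS clients do it (RFC 6125 style).

    A wildcard is accepted only as the entire leftmost label, matches exactly
    one label, never matches the bare domain, and is refused when it would
    sit directly under the top-level label (e.g. "*.com").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def coverage(sans, vhosts):
    """Return (names no SAN covers, ServerNames of vhosts that override the cert)."""
    uncovered, overriding = [], []
    for names, has_cert in vhosts:
        uncovered.extend(n for n in names if not any(san_matches(s, n) for s in sans))
        if has_cert and names:
            overriding.append(names[0])
    return uncovered, overriding


if __name__ == "__main__":
    missing, shadowing = coverage(CERT_SANS, parse_vhosts(VHOST_CONF))
    print("not covered by the certificate:", missing or "none")
    print("vhosts still setting their own SSLCertificate*:", shadowing or "none")
```

Run against the sample, it flags deep.api.example.localhost (a wildcard covers one label only) and shop.other.localhost (different parent domain), and points at the www vhost whose own SSLCertificateFile lines would have to be deleted once the directives move to the server level. Feed it the real `passenger_pane_vhosts/*.conf` files and the real SAN list and the output is the to-do list for the change the question asks about.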

踏雪无痕 2024-10-17 00:10:05

#!/bin/bash
# Interactive helper: create either a self-signed certificate (.crt) or an
# unsigned certificate request (.pem), plus the private key. Both carry
# "DNS:domain" and "DNS:*.domain" as Subject Alternative Names, so one
# certificate covers the bare domain and its direct subdomains.

clear

path="$HOME/Desktop"
days=""

echo -ne "Hello. You must be hoping to create a SSL/TLS security certificate (and key).\n\nBy default, this key will be self-signed. However, you can decide instead to\ncreate an un-signed certificate request (.pem) file to be signed by a\nrecognized certificate authority.\n\nPlease choose from the following options.\n\n s: create a self-signed certificate .crt file (default)\n u: create an un-signed certificate request .pem file\n q: quit\n> "
read -r go

if [ "$go" = "u" ]; then

  # Subject fields are only asked for when the request goes to a CA.
  echo -ne "What is your country code?\n> "
  read -r c
  echo -ne "What is your state/province?\n> "
  read -r st
  echo -ne "What is your city?\n> "
  read -r l
  echo -ne "What is your organization name?\n> "
  read -r o

elif [ "$go" = "q" ]; then

  echo -e "\nHave a nice day."
  exit 0

fi

echo -ne "What is your domain name?\n> "
read -r domain

if [ -z "$domain" ]; then
  echo "No domain was given."
  exit 1
fi

echo -ne "What is the path where your certificate files should be saved?\n> "
read -r path
echo -ne "For how many days will your certificate be valid?\n> "
read -r days

# Defaults for anything left blank.
if [ -z "$path" ]; then path="."; fi
if [ -z "$c" ]; then c="US"; fi
if [ -z "$st" ]; then st="Arizona"; fi
if [ -z "$l" ]; then l="Phoenix"; fi
if [ -z "$o" ]; then o="PLUG"; fi
if [ -z "$days" ]; then days="365"; fi

if [ -d "$path" ]; then
  echo -ne "\nCreating your certificate ..."
  if [ "$go" = "u" ]; then
    # Unsigned request: a throwaway openssl config supplies the SAN extension
    # (v3_req) and writes an unencrypted key next to the .pem request.
    (echo -e "oid_section = new_oids\n[ new_oids ]\n[ req ]\ndefault_days = $days\ndefault_keyfile = $path/$domain.key\ndistinguished_name = req_distinguished_name\nencrypt_key = no\nstring_mask = nombstr\nreq_extensions = v3_req\n[ req_distinguished_name ]\ncommonName = Common Name (eg, YOUR name)\ncommonName_default = $domain\ncommonName_max = 64\n[ v3_req ]\nsubjectAltName=DNS:$domain,DNS:*.$domain" > deleteme.cfg) &> /dev/null;
    (openssl req -batch -config deleteme.cfg -newkey rsa:2048 -out "$path/$domain.pem") &> /dev/null;
    (rm deleteme.cfg) &> /dev/null;
  else
    # Self-signed: generate key, build a CSR from the subject fields, then
    # sign it with its own key, adding the SAN extension from the ext file.
    (echo -e "subjectAltName=DNS:$domain,DNS:*.$domain" > deleteme.cfg) &> /dev/null;
    (openssl genrsa -out "$path/$domain.key" 2048) &> /dev/null;
    (openssl req -new -key "$path/$domain.key" -subj "/C=$c/ST=$st/L=$l/O=$o/CN=$domain" -out deleteme.csr) &> /dev/null;
    (openssl x509 -req -in deleteme.csr -signkey "$path/$domain.key" -days "$days" -text -extfile deleteme.cfg -out "$path/$domain.crt") &> /dev/null;
    (rm deleteme.cfg deleteme.csr) &> /dev/null;
  fi
  # Private key readable by the owner only.
  (chmod 400 "$path/$domain.key") &> /dev/null;
  echo " done."
else
  echo "No such directory exists."
fi

echo -e "\nHave a nice day."

It's a bash script - so you'd save it to a file (name it whatever) on your BSD/Linux/Mac/UNIX/etc. computer, wherever you want. Then you'd open up a terminal and do something like this:

$ cd wherever
$ chmod +x whatever
$ ./whatever

And then you'd follow the instructions. It'll say "do you want a self signed certificate or a certificate request that somebody else can sign?", and then it'll say "what's your domain name?" and "when should this expire?", and so forth.

When it's done, you'll have two files. You'll have a .key file that is write-protected and that contains your private key. And you'll have a .crt file that contains the self-signed certificate, or a .pem file that contains the un-signed certificate request. The script will let you specify where you want the files saved.

If you are planning to use a self-signed certificate, you're done. Go ahead and set up your virtualhost on your server (as you seem to have done already). If you are planning to use a third-party signing authority (i.e., Verisign, etc.), then you'll have to send your .pem file to them and they will respond by sending you a signed .crt file.
