ssl证书续费价格 | SSL证书知识

介绍如何在apache 安装配置SSL证书，以及相关注意事项

准备所需文件

安装SSL证书到Apache服务器上，我们需要3个文件，进入你的证书详情页去下载证书，解压后有一个 apache 文件夹，里面有这2个文件，分别是服务器证书 server.crt 和中级证书 ca.crt 。第三个需要的文件是私钥，这是你提交订单前生成CSR的时候生成的，如果你在提交订单时候选择系统生成CSR的，请检查邮箱，有一封邮件主题是 “订单编号xxxx的CSR和私钥“的邮件，下载server.key 这个附件，这个文件就是私钥。

(1) . 服务器证书 server.crt;
(2) . 中级证书 ca.crt;
(3) . 私钥(Key) server.key;

配置Apache

参考下面的代码，在Apache目录下的 httpd.conf 文件增加一个虚拟主机

<VirtualHost *:443>
…
SSLEngine on
SSLCertificateKeyFile /etc/ssl/server.key
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateChainFile /etc/ssl/ca.crt

SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

……..

</VirtualHost>

然后保存。重启Apache

/etc/init.d/httpd restart

Apache重定向http到https

在Apache服务器上，让安装了SSL证书的网站默认使用https访问网站，只需在网站目录下面的.htaccess 文件加上下面几行代码：

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

如果你的网站上面没有.htaccess文件，你可以自己建立一个，然后将上面的代码复制过去即可。

如果你只是想让某个页面强制使用https访问，如访问 https://www.sslgood.com/123.html 自动跳转到 https://www.sslgood.com/123.html 可以参考如下代码

RewriteEngine On
RewriteRule ^123\.html$ https://www.sslgood.com/123.html [R=301,L]

Apache的SSL证书安全与兼容性设置

禁用 SSLv2 and SSLv3

SSLProtocol All -SSLv2 -SSLv3

如果Apache 2.2.24+ 以上版本添加以下代码

SSLCompression off

使用安全的Cipher Suite

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

如果想兼容XP/IE6 ,请使用以下的 Cipher Suite

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

Forward Secrecy & Diffie Hellman Ephemeral Parameters ，如果你用的 Apache 2.4.8以上 OpenSSL 1.0.2 或以上版本，可以运行一下命令

cd /etc/ssl/certs
openssl dhparam -out dhparam.pem 4096

然后将以下代码添加到网站配置文件

SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

根据你的apache版本不同，将代码添加到apache的网站配置文件里面，参考下面的例子

<VirtualHost *:443>
ServerAdmin webmaster@example.com
DocumentRoot "/home/sslgood"
ServerName www.sslgood.com
SSLEngine on
SSLCertificateKeyFile /usr/local/httpd/sslgood.key
SSLCertificateFile /usr/local/httpd/sslgood.crt
SSLCertificateChainFile /usr/local/httpd/sslgood.bundle

####///////////////////SSL安全设置代码 开始//////
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
SSLHonorCipherOrder     on
SSLCompression off
SSLProtocol All -SSLv2 -SSLv3
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
#####//////////////////SSL安全设置代码 结束//////////

......
</VirtualHost>

SSL证书知识