First, check whether openssl is installed:

which openssl

If it is not installed, install openssl first:

sudo apt install openssl

Log in as root, so that the commands that follow do not each need sudo:

sudo -i

Create an ssl directory to hold the certificate files:

mkdir -p /etc/apache2/ssl

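Then generate a new certificate, assuming a validity period of 3 years (1095 days); the certificate and key are stored in the directory just created: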

openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -out /etc/apache2/ssl/server.crt -keyout /etc/apache2/ssl/server.key

openssl now configures the certificate interactively, and the terminal shows prompts similar to the following:

Generating a 2048 bit RSA private key
............................................+++
.....................+++
writing new private key to '/etc/apache2/ssl/server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN # two-letter country code; fill in as needed
State or Province Name (full name) [Some-State]:Guangdong # state or province name
Locality Name (eg, city) []:Guangzhou # locality or city name
Organization Name (eg, company) [Internet Widgits Pty Ltd]:OrganizationName # organization / company / institution name
Organizational Unit Name (eg, section) []:DepartmentName # department name
Common Name (e.g. server FQDN or YOUR name) []:your.domain.name # domain name; preferably an address that is reachable on the Internet
Email Address []:your@email.com # e-mail address

When that is done, enable the SSL module for Apache:

a2enmod ssl

Next, a small change is needed in the Apache configuration: place a symlink named 000-default-ssl.conf in the sites-enabled directory, pointing to default-ssl.conf in the sites-available directory:

ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/000-default-ssl.conf

Edit the contents of this file:

nano /etc/apache2/sites-enabled/000-default-ssl.conf

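Find the following two lines and change them to the paths used above; if a line starts with the comment character "#", delete the "#":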

SSLCertificateFile    /etc/apache2/ssl/server.crt
SSLCertificateKeyFile    /etc/apache2/ssl/server.key

When you have finished editing, press Ctrl+X to exit nano; nano asks whether to save, so press Y to confirm.
Now restart Apache:

service apache2 restart
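
The following is an added example, not part of the original post: a few checks on the generated pair (the certificate really belongs to the key, it is not about to expire, and the private key is not readable by other users). The function names are hypothetical, the default paths are the ones used above, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: sanity checks for the certificate/key pair generated on this page.
# Function names are hypothetical; the default paths are the ones used above.
CRT=${CRT:-/etc/apache2/ssl/server.crt}
KEY=${KEY:-/etc/apache2/ssl/server.key}

# Succeeds only if the certificate's public key is the one derived from the private key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeeds if the key file grants nothing to group or others (e.g. mode 600 or 400).
# Uses GNU stat, as found on the apt-based systems this page targets (assumption).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run all three checks; returns non-zero if any of them fails.
check_pair() {
    rc=0
    days=${3:-30}
    pair_matches "$1" "$2"    || { echo "FAIL: $1 does not belong to $2"; rc=1; }
    valid_for_days "$1" "$days" || { echo "FAIL: $1 expires within $days days"; rc=1; }
    key_is_private "$2"       || { echo "FAIL: $2 is accessible to group/others; chmod 600 it"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 / $2"
    return "$rc"
}

# Usage on the server (as root): check_pair "$CRT" "$KEY" 30
```

A mismatch between SSLCertificateFile and SSLCertificateKeyFile prevents Apache from starting, so running check_pair before the restart catches that case early.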



Last modified: August 5, 2021