Apache-2.2

Transferring a website security certificate from Windows IIS to Apache

  • November 5, 2016

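I followed the instructions on this site (https://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-an-apache-server.html) to migrate my GoDaddy.com certificate from a Windows Server 2003 machine to a server running Debian and Apache (v 2.4.10). I converted the .pfx file to .txt and opened it to extract the private key and certificate. However, my file has three certificates, not just the one in the tutorial. So which part is my SSLCertificateFile, SSLCertificateKeyFile, or SSLCertificateChainFile? I tried adding the top part as my private key and the second part as my certificate, but in Chrome I get a "NET:ERR_CERT_AUTHORITY_INVALID" message when navigating to my site. Any help would be appreciated.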

Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00 
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName: 921ddddfb37214c2d5593e0c9b386a34_bc31898e-7ad7-4e24-9c39-0088bf3b937a
Key Attributes
X509v3 Key Usage: 10 
-----BEGIN ENCRYPTED PRIVATE KEY-----
Some Text Here   
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
localKeyID: 01 00 00 00 
subject=/OU=Domain Control Validated/CN=example.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
-----BEGIN CERTIFICATE-----
More Text here 
-----END CERTIFICATE-----
Bag Attributes
friendlyName: Go Daddy Root Certificate Authority  G2
subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
Other Text here as well
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
-----BEGIN CERTIFICATE-----
Last bit of text here 
-----END CERTIFICATE-----

(The text of the certificates has been removed for readability and security.)

The text:

-----BEGIN ENCRYPTED PRIVATE KEY-----
Some Text Here   
-----END ENCRYPTED PRIVATE KEY-----

is an encrypted PKCS#8 private key. It should be placed in a file, and the passphrase removed with the following command:

openssl pkcs8 -topk8 -inform PEM -in <in file> -nocrypt -out private.key

Note that the above command will prompt for the passphrase.

The private.key file is the one pointed to by SSLCertificateKeyFile.

The individual sections:

-----BEGIN CERTIFICATE-----
Text here 
-----END CERTIFICATE-----

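are your certificates. They need to be placed in files as follows:

The one below subject=/OU=Domain Control Validated/CN=example.com is your site certificate and should be placed in a file pointed to by SSLCertificateFile.

The last one is your issuing CA's certificate and should be placed in a file pointed to by SSLCertificateChainFile.

The remaining one (the one between the two above) is the root CA certificate, which should already be stored in the trust anchor store of all clients. You don't need to do anything with that one.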

Quoted from: https://serverfault.com/questions/813384
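The sorting rule from the answer above, as an added example that is not part of the original post: it reads the text dump and assigns each PEM block to an Apache directive by comparing the subject and issuer lines, so it does not depend on the order of the bags. The function name `split_dump` and the sample dump (names and placeholder bodies) are constructed for illustration.

```python
import re
# Constructed dump in the layout shown in the question; bodies are placeholders.
SAMPLE = """\
Bag Attributes
-----BEGIN ENCRYPTED PRIVATE KEY-----
KEYDATA
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
subject=/OU=Domain Control Validated/CN=example.com
issuer=/C=US/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAFDATA
-----END CERTIFICATE-----
Bag Attributes
subject=/C=US/O=Example CA/CN=Example Root CA
issuer=/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOTDATA
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/C=US/O=Example CA/CN=Example Issuing CA
issuer=/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERDATA
-----END CERTIFICATE-----
"""
PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n?", re.S)

def split_dump(text):
    """Sort the PEM blocks of the dump by the Apache directive they belong under."""
    out = {"SSLCertificateKeyFile": None, "SSLCertificateFile": None,
           "SSLCertificateChainFile": [], "root (not configured)": []}
    certs, pos = [], 0
    for m in PEM.finditer(text):
        header, pos = text[pos:m.start()], m.end()  # attribute lines above the block
        if m.group(1).endswith("PRIVATE KEY"):
            out["SSLCertificateKeyFile"] = m.group(0)  # still encrypted at this point
            continue
        names = dict(re.findall(r"^(subject|issuer)=\s*(.+?)\s*$", header, re.M))
        certs.append((names["subject"], names["issuer"], m.group(0)))
    issuers = {iss for sub, iss, _ in certs if sub != iss}
    for sub, iss, pem in certs:
        if sub == iss:        # self-signed: the root, already in client trust stores
            out["root (not configured)"].append(pem)
        elif sub in issuers:  # signs another certificate in the bag: issuing CA
            out["SSLCertificateChainFile"].append(pem)
        else:                 # signs nothing else here: the site certificate
            out["SSLCertificateFile"] = pem
    return out
```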