Configuring an OpenSSL-based HTTPS service on Linux
As everyone knows, HTTP transmits in plaintext, so sending sensitive data across the Internet, account names and passwords above all, is not particularly safe. HTTP is also one of the most widely used application-layer protocols, so the way to make it safer is to run it over SSL as HTTPS. SSL, however, can only distinguish hosts by IP address, so to use HTTPS you must serve it either from the main host or from only one of several name-based virtual hosts.
Environment:
httpd server address: 172.16.1.111
CA server address: 172.16.1.110
1. Install the mod_ssl module on the httpd server
# yum install -y "mod_ssl"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* epel: mirrors.ustc.edu.cn
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-47.el6.centos.1 will be installed
--> Processing Dependency: httpd = 2.2.15-47.el6.centos.1 for package: 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-47.el6.centos will be updated
---> Package httpd.x86_64 0:2.2.15-47.el6.centos.1 will be an update
--> Processing Dependency: httpd-tools = 2.2.15-47.el6.centos.1 for package: httpd-2.2.15-47.el6.centos.1.x86_64
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.2.15-47.el6.centos will be updated
---> Package httpd-tools.x86_64 0:2.2.15-47.el6.centos.1 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================
Installing:
mod_ssl x86_64 1:2.2.15-47.el6.centos.1 updates 95 k
Updating for dependencies:
httpd x86_64 2.2.15-47.el6.centos.1 updates 830 k
httpd-tools x86_64 2.2.15-47.el6.centos.1 updates 77 k
Transaction Summary
========================================================================================================================================
Install 1 Package(s)
Upgrade 2 Package(s)
Total download size: 1.0 M
Downloading Packages:
(1/3): httpd-2.2.15-47.el6.centos.1.x86_64.rpm | 830 kB 00:00
(2/3): httpd-tools-2.2.15-47.el6.centos.1.x86_64.rpm |77 kB 00:00
(3/3): mod_ssl-2.2.15-47.el6.centos.1.x86_64.rpm |95 kB 00:00
----------------------------------------------------------------------------------------------------------------------------------------
Total 974 kB/s | 1.0 MB 00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : httpd-tools-2.2.15-47.el6.centos.1.x86_64 1/5
Updating : httpd-2.2.15-47.el6.centos.1.x86_64 2/5
Installing : 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64 3/5
Cleanup : httpd-2.2.15-47.el6.centos.x86_64 4/5
Cleanup : httpd-tools-2.2.15-47.el6.centos.x86_64 5/5
Verifying: httpd-tools-2.2.15-47.el6.centos.1.x86_64 1/5
Verifying: httpd-2.2.15-47.el6.centos.1.x86_64 2/5
Verifying: 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64 3/5
Verifying: httpd-2.2.15-47.el6.centos.x86_64 4/5
Verifying: httpd-tools-2.2.15-47.el6.centos.x86_64 5/5
Installed:
mod_ssl.x86_64 1:2.2.15-47.el6.centos.1
Dependency Updated:
httpd.x86_64 0:2.2.15-47.el6.centos.1 httpd-tools.x86_64 0:2.2.15-47.el6.centos.1
Complete!
2. Set up the CA server
(1) Generate the CA's own private key
# cd /etc/pki/CA/
# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................+++
...+++
e is 65537 (0x10001)
# ll private/cakey.pem
-rw------- 1 root root 1679 Dec 12 03:58 private/cakey.pem
(2) Edit the openssl configuration file to set the default DN attributes and the CA directory
# vim ../tls/openssl.cnf
# grep "_default" ../tls/openssl.cnf | tail -6
countryName_default = CN
stateOrProvinceName_default = HuBei
localityName_default = HuangGang
0.organizationName_default= Soysauce
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName_default= Tech
# grep "^dir" ../tls/openssl.cnf
dir = /etc/pki/CA # Where everything is kept
(3) Generate the self-signed CA certificate
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) []:ca.soysauce.com
Email Address []:admin@soysauce.com
(4) Create the directories and files the CA needs
# mkdir certs crl newcerts
# touch index.txt
# echo 01 > serial
3. Generate a key pair on the httpd server and send a certificate signing request to the CA server
(1) Generate the key pair on the httpd server
# cd /etc/httpd/
# mkdir ssl
# cd ssl/
# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
............+++
.............................+++
e is 65537 (0x10001)
# ll
total 4
-rw------- 1 root root 1675 Dec 12 13:04 httpd.key
(2) Generate the certificate signing request on the httpd server (the Common Name must be identical to the hostname clients will use for the site)
# scp 172.16.1.110:/etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf
# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:admin@a.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(3) Send the certificate signing request to the CA server
# scp httpd.csr 172.16.1.110:/tmp/
4. The CA signs the certificate request and sends the certificate back to the httpd server
(1) Sign the certificate request on the CA server
# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 11 20:23:59 2015 GMT
Not After : Dec  8 20:23:59 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = HuBei
organizationName = Soysauce
organizationalUnitName = Tech
commonName = www.soysauce.com
emailAddress = admin@soysauce.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
35:E0:03:B1:67:28:A9:A9:39:F0:DB:0D:26:0B:ED:AD:B2:F6:FA:4A
X509v3 Authority Key Identifier:
keyid:9D:DF:4E:04:DC:31:25:24:2B:F6:65:05:9C:B3:96:8E:DC:6A:FB:4B
Certificate is to be certified until Dec  8 20:23:59 2025 GMT (3650 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
# cd /etc/pki/CA/
# ls
cacert.pem certs crl index.txt index.txt.attr index.txt.old newcerts private serial serial.old
# cat index.txt
V 251208202359Z 01 unknown /C=CN/ST=HuBei/O=Soysauce/OU=Tech/CN=www.soysauce.com/emailAddress=admin@soysauce.com
# cat serial
02
(2) Send the signed certificate back to the httpd host
# scp /tmp/httpd.crt 172.16.1.111:/etc/httpd/ssl/httpd.crt
(3) Delete the copies of the httpd server's request and certificate left in /tmp on the CA server
# rm -f /tmp/httpd.csr /tmp/httpd.crt
5. Edit ssl.conf on the httpd server to enable HTTPS
(1) Edit the ssl.conf configuration file
# cd /etc/httpd/conf.d/
# ls
README ssl.conf virtualhost.conf welcome.conf
# cp ssl.conf{,.back}
# vim ssl.conf
# grep -A 4 "<Virtu" ssl.conf
<VirtualHost 172.16.1.111:443>
ServerName www.soysauce.com
DocumentRoot "/data/www/soysauce.com"
ErrorLog "/var/log/httpd/soysauce.com/ssl_error_log"
TransferLog "/var/log/httpd/soysauce.com/ssl_access_log"
# grep "^SSLCertificate" ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
(2) Restart the httpd service; clients can then access the site over HTTPS
# vim /etc/hosts
# tail -1 /etc/hosts # the file being edited is the client's hosts file
172.16.1.111 www.soysauce.com
# httpd -t
Syntax OK
# service httpd restart
Stopping httpd:
Starting httpd:
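The whole CA/CSR/signing flow above, replayed as an added example (not the post's own commands): it uses -subj and -batch in place of the interactive prompts, a minimal openssl.cnf standing in for /etc/pki/tls/openssl.cnf (an assumption), and then runs the three checks worth doing before httpd is pointed at the files: the certificate chains to the CA, the private key matches the certificate, and the Common Name equals the ServerName clients use.

```shell
# Added example (not from the original post): replays sections 2-4 of the post
# non-interactively in a scratch dir, then checks what matters before httpd uses the result.
set -eu
write_cnf() {  # $1 = CA dir. Minimal stand-in for /etc/pki/tls/openssl.cnf (assumption).
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 3650
policy = policy_any
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = dn
[ dn ]
EOF
}

make_demo_pki() {  # $1 = scratch dir; CA lives in $1/CA, the httpd host's files in $1/httpd
  ca=$1/CA; srv=$1/httpd
  mkdir -p "$ca/private" "$ca/newcerts" "$srv"; touch "$ca/index.txt"; echo 01 > "$ca/serial"
  write_cnf "$ca"
  openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null      # CA key (section 2)
  openssl req -new -x509 -config "$ca/openssl.cnf" -extensions v3_ca -days 3655 \
    -key "$ca/private/cakey.pem" -subj "/CN=ca.soysauce.com" -out "$ca/cacert.pem"
  openssl genrsa -out "$srv/httpd.key" 2048 2>/dev/null               # server key + CSR (section 3)
  openssl req -new -config "$ca/openssl.cnf" -key "$srv/httpd.key" \
    -subj "/CN=www.soysauce.com" -out "$srv/httpd.csr"
  openssl ca -batch -config "$ca/openssl.cnf" -in "$srv/httpd.csr" \
    -out "$srv/httpd.crt" >/dev/null 2>&1                              # CA signs it (section 4)
}

# Chain verifies against the CA, key matches the cert, CN equals the ServerName
# clients will use (the post's "hostname must match"). Prints "ok" or the reason.
verify_server_cert() {  # $1 cacert.pem  $2 httpd.crt  $3 httpd.key  $4 ServerName
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain: not signed by this CA"; return 1; }
  [ "$(openssl x509 -noout -modulus -in "$2")" = "$(openssl rsa -noout -modulus -in "$3" 2>/dev/null)" ] \
    || { echo "key: private key does not match certificate"; return 1; }
  cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$4" ] || { echo "name: CN '$cn' differs from ServerName '$4'"; return 1; }
  echo ok   # modern browsers additionally require a matching subjectAltName
}
```

On the real hosts, copy cacert.pem from the CA server and run verify_server_cert against /etc/httpd/ssl/httpd.crt, /etc/httpd/ssl/httpd.key and the ServerName from ssl.conf.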
At this point the Web server supporting HTTPS is complete.