配置httpd-2.2支持https功能
SSL会话的简化过程(1) 客户端发送可供选择的加密方式,并向服务器请求证书;
(2) 服务器端发送证书以及选定的加密方式给客户端;
(3) 客户端取得证书并进行证书验正:
如果信任给其发证书的CA:
(a) 验正证书来源的合法性;用CA的公钥解密证书上数字签名;
(b) 验正证书的内容的合法性:完整性验正
(c) 检查证书的有效期限;
(d) 检查证书是否被吊销;
(e) 证书中拥有者的名字,与访问的目标主机要一致;
(4) 客户端生成临时会话密钥(对称密钥),并使用服务器端的公钥加密此数据发送给服务器,完成密钥交换;
(5) 服务用此密钥加密用户请求的资源,响应给客户端;
注意:SSL会话是基于IP地址创建;所以单IP的主机上,仅可以使用一个https虚拟主机;
配置httpd支持https:
1、为服务器申请数字证书;
1)创建私有CA(1)生成私钥文件
1
2
3
4
5
6
7
8
9
# mkdir -p /etc/pki/CA/private #创建私钥保存的目录
# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
....................................................................++
..................................................................++
e is 65537 (0x10001)
# ll /etc/pki/CA/private/ # 私钥只能自己保存,对保密性要求高
总用量 4
-rw-------. 1 root root 3243 11月 15 10:34 cakey.pem
(2)生成自签证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
# 如果是自请自签 加-x509 如果不是就不用加了
#这个过程会自动从刚才第一步的私钥中抽取公钥
#-new 生成新证书签署请求
#-x509 生成自签格式证书 专用于创建私有CA时
#-key 生成请求时用到的私有文件路径
#-out 生成的请求文件路径 如果是自签操作将生成签署过的证书
#-days 证书的有效时常 但为是day
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN #国家
State or Province Name (full name) []:SH #省
Locality Name (eg, city) :SH #城市
Organization Name (eg, company) :DZH #公司组织
Organizational Unit Name (eg, section) []:Ops #职位
Common Name (eg, your name or your server's hostname) []:ca.wlm.com #主机名
Email Address []:mail@wlm.com #邮箱
(3)为CA提供所需的目录和文件
1
2
3
4
5
6
7
8
9
10
11
# touch /etc/pki/CA/index.txt # 创建数据库文件
# echo 01 > /etc/pki/CA/serial # 创建序列号文件并给明第一个证书的序列号码
# ll /etc/pki/CA
总用量 8
-rw-r--r--. 1 root root 2049 11月 15 10:41 cacert.pem
drwxr-xr-x. 2 root root 6 6月29 2015 certs
drwxr-xr-x. 2 root root 6 6月29 2015 crl
-rw-r--r--. 1 root root 0 11月 15 10:45 index.txt
drwxr-xr-x. 2 root root 6 6月29 2015 newcerts
drwx------. 2 root root 22 11月 15 10:34 private
-rw-r--r--. 1 root root 3 11月 15 10:46 serial
至此,私有CA创建完毕。2)证书申请: (1)在证书申请的主机上生成私钥
1
2
3
4
5
6
7
8
9
10
11
# cd /etc/httpd/
# mkdir ssl #创建保存私钥的目录
# cd ssl
# (umask 077;openssl genrsa -out httpd.key 2048) #生成私钥
Generating RSA private key, 2048 bit long modulus
......................................................+++
...........................................+++
e is 65537 (0x10001)
# ll
总用量 4
-rw-------. 1 root root 1675 11月 15 11:05 httpd.key
(2)生成证书签署请求
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
# openssl req -new -key httpd.key -out httpd.csr -days 365 # 在本地生成
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:SH
Locality Name (eg, city) :SH
Organization Name (eg, company) :DZH
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.wlm.com
Email Address []:mail.wlm.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #密码可以不设置
An optional company name []:
(3)把请求发送给CA
1
2
3
4
5
6
7
8
# scp httpd.csr root@10.10.10.3:/tmp/ # 10.10.10.3位CA主机
# 将请求签发的证书发个证书服务器,我们这里是同一台机器模拟了证书服务器和申请签发的客户机
The authenticity of host '10.10.10.3 (10.10.10.3)' can't be established.
ECDSA key fingerprint is 93:b6:c3:bf:a6:51:a7:4a:be:0c:14:93:ab:86:a1:56.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.3' (ECDSA) to the list of known hosts.
root@192.168.208.130's password:
httpd.csr 100% 1025 1.0KB/s 00:0
(4)CA签发证书(在CA10.10.10.3主机上操作)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
# 签发证书,有效期为一年
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 15 03:15:54 2016 GMT
Not After : Nov 15 03:15:54 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = SH
organizationName = DZH
organizationalUnitName = Ops
commonName = www.wlm.com
emailAddress = mail.wlm.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
49:7A:99:41:6E:72:27:8F:B8:F0:C3:77:6C:B8:8B:C0:9F:C7:7D:2A
X509v3 Authority Key Identifier:
keyid:A8:28:9A:3B:91:A9:4C:90:A4:08:3D:79:34:0D:D3:19:0E:68:6F:1A
Certificate is to be certified until Nov 15 03:15:54 2017 GMT (365 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
# cd /etc/pki/CA/
# ls
cacert.pemcrl index.txt.attrnewcertsserial
certs index.txtindex.txt.old private serial.old
# cat index.txt #查看第一个签发的证书
V 171115031554Z 01unknown /C=CN/ST=SH/O=DZH/OU=Ops/CN=www.wlm.com/emailAddress=mail.wlm.com
(5)把签署好的证书发还给请求者
1
2
3
4
5
6
7
8
#
# pwd
/etc/pki/CA
# scp certs/httpd.crt root@10.10.10.4:/etc/httpd/ssl/ # 发送证书
root@192.168.208.130's password:
httpd.crt 100% 5781 5.7KB/s 00:00
# ls /etc/httpd/ssl/
httpd.crthttpd.csrhttpd.keyroot@192.168.208.130 # 查看已经签发好的证书
2、配置httpd支持使用ssl,及使用的证书;
(1)安装支持ssl的模块
1
# yum install -y mod_ssl
(2)修改配置文件
1
2
3
4
5
6
vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ServerName www.wlm.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
(3) 测试基于https访问相应的主机;
重启httpd服务
1
2
Linux命令行测试命令:
# openssls_client[-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
浏览器:
页:
[1]