喜旎果 发表于 2018-11-20 11:25:03

一步一步实现linux系统apache实现https详解

  https提供安全的web通讯
原理部分:http://stlong.blog.51cto.com/5144113/1730771

  1)配置域名支持ca:
# vim /var/named/chroot/var/named/sggfu.com.zone##添加ca主机记录
ca    IN    A    192.18.100.151
:wq
# /etc/init.d/named restart##重启服务
# nslookup
> server 192.168.100.100
Default server: 192.168.100.100
Address: 192.168.100.100#53
> ca.sggfu.com
Server:      192.168.100.100
Address:    192.168.100.100#53

Name:    ca.sggfu.com
Address: 192.18.100.151
> exit

2)配置CA服务器:(192.168.100.151)
a.使用母盘克隆虚拟机,命名为ca服务器,修改如下:
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0C:29:75:e6:eb
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.100.151
NETMASK=255.255.255.0
DNS1=192.168.100.100
GATEWAY=192.168.100.100
:wq

# vim /etc/sysconfig/network
HOSTNAME=ca.sggfu.com
:wq

#vim /etc/udev/rules.d/70-persistent-net.rules   ##删除eth0,修改eth1为eth0
#reboot
b.配置CA:
# hostname
ca.sggfu.com
# yum -y install openssl openssl-devel   ##安装openssl
# rpm -ql openssl
/etc/pki/CA
/etc/pki/CA/certs   ##证书存放目录
/etc/pki/CA/crl   ##吊销的证书存放的目录
/etc/pki/CA/newcerts##新证书目录
/etc/pki/CA/private ##私钥存放目录
/etc/pki/tls/openssl.cnf   ##主配置文件
/usr/bin/openssl   ##主程序命令
# vim /etc/pki/tls/openssl.cnf   ##修改主配置文件使用“:set nu”打印行号
40 [ CA_default ]
41
42 dir             = /etc/pki/CA         # Where everything is kept
43 certs         = $dir/certs            # Where the issued certs are kept
44 crl_dir         = $dir/crl            # Where the issued crl are kept
45 database      = $dir/index.txt      # database index file.
46 #unique_subject = no                  # Set to 'no' to allow creation of
47                                       # several ctificates with same subject.
48 new_certs_dir   = $dir/newcerts         # default place for new certs.
49
50 certificate   = $dir/cacert.pem       # The CA certificate
51 serial          = $dir/serial         # The current serial number
52 crlnumber       = $dir/crlnumber      # the current crl number
53                                       # must be commented out to leave a V1 CRL
54 crl             = $dir/crl.pem          # The current CRL
55 private_key   = $dir/private/cakey.pem# The private key
128 [ req_distinguished_name ]
129 countryName                     = Country Name (2 letter code)
130 countryName_default             = CN    ##修国家
131 countryName_min               = 2
132 countryName_max               = 2
133
134 stateOrProvinceName             = State or Province Name (full name)
135 stateOrProvinceName_default   = beijing   ##设置省
136
137 localityName                  = Locality Name (eg, city)
138 localityName_default            = beijing   ##设置城市
139
140 0.organizationName            = Organization Name (eg, company)
141 0.organizationName_default      = sggfu.com Ltd   ##设置组织名称
142
143 # we can do this but it is not needed normally :-)
144 #1.organizationName             = Second Organization Name (eg, company)
145 #1.organizationName_default   = World Wide Web Pty Ltd
146
147 organizationalUnitName          = Organizational Unit Name (eg, section)
148 organizationalUnitName_default= tech##设置部门
:wq
# cd /etc/pki/CA/
# ls private/
# (umask 077;openssl genrsa -out private/cakey.pem 2048)##生成私钥同时将权限设置为600
Generating RSA private key, 2048 bit long modulus
....................+++
...........................................................................................+++
e is 65537 (0x10001)
# ls -l private/##验证私钥
总用量 4
-rw-------. 1 root root 1679 1月   2 20:09 cakey.pem
#
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650##生成自签证书(根证书)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) []:ca.sggfu.com   ##主机名填写CA服务器的主机名
Email Address []:admin@sggfu.com
# ls -l cacert.pem
-rw-r--r--. 1 root root 1419 1月   2 20:13 cacert.pem
#

# mkdir -p certs crl newcerts
# touch index.txt##证书索引
# echo 00 >serial##证书序列号
# ls
cacert.pemcertscrlindex.txtnewcertsprivateserial
#

3)配置web服务器支持https:
a.为web服务器生成密钥和证书请求:
# mkdir /usr/local/httpd/conf/ssl
# cd /usr/local/httpd/conf/ssl/
# (umask 077;openssl genrsa 2048 >httpd.key)
# scp root@192.168.100.151:/etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf##复制openssl配置文件
# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :
State or Province Name (full name) :
Locality Name (eg, city) :
Organization Name (eg, company) :
Organizational Unit Name (eg, section) :
Common Name (eg, your name or your server's hostname) []:www.sggfu.com##必须填写web服务器的主机名,注意web虚拟主
机只能有唯一一个站点可以设置为https
Email Address []:admin@sggfu.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   ##证书保护的密码短语,直接回车
An optional company name []:
#
# scp httpd.csr root@192.168.100.151:/tmp##将证书认证请求复制给CA服务器

b.登录到192.168.100.151,为web服务器签发证书:
# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650##签发证书httpd.crt,执行中y回车即可
# ls /tmp/httpd.c*##验证
/tmp/httpd.crt/tmp/httpd.csr
# scp /tmp/httpd.crt root@192.168.100.150:/usr/local/httpd/conf/ssl   ##复制证书给web服务器
# rm -rf /tmp/httpd.*##删除证书,避免非法用户获取证书

c.修改web服务器配置文件:登录192.168.100.150
# cd /usr/local/httpd/conf/extra/
# cp httpd-ssl.conf httpd-ssl.conf.bak##备份证书
# vim httpd-ssl.conf##修改如下
74
77 DocumentRoot "/usr/local/httpd/htdocs/sggfu/"   ##注意和http的网页根目录一致
78 ServerName www.sggfu.com:443
79 ServerAdmin admin@sggfu.com
80 ErrorLog "/usr/local/httpd/logs/error_log"
81 TransferLog "/usr/local/httpd/logs/access_log"
85 SSLEngine on   ##确认为on,表示开启https
99 SSLCertificateFile "/usr/local/httpd/conf/ssl/httpd.crt"##指定证书路径
107 SSLCertificateKeyFile "/usr/local/httpd/conf/ssl/httpd.key"##指定私钥路径,注意私钥必须小心保管
:wq
# vim /usr/local/httpd/conf/httpd.conf##修改主配置文件,调用httpd-ssl.conf
399 Include conf/extra/httpd-ssl.conf
:wq
# /etc/init.d/httpd restart##重启服务器

4)共享根证书:
# cd /usr/local/httpd/htdocs/sggfu/
# scp root@192.168.100.151:/etc/pki/CA/cacert.pem cacert.crt##复制CA服务器的证书(根证书)
# vim index.html   ##通过首页共享根证书



www.sggfu.com


www.sggfu.com
为了你更好的访问网站,请下载安装根证书


:wq

5)测试:
http://www.sggfu.com##下载证书并导入证书
https://www.sggfu.com##访问测试





页: [1]
查看完整版本: 一步一步实现linux系统apache实现https详解