How HTTPS works
HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed with security as its goal; put simply, it is the secure version of HTTP: an SSL layer is inserted beneath HTTP, and the security of HTTPS rests on SSL. It is a URI scheme (an abstract identifier system) whose syntax is the same as the http: scheme, and it is used for secure HTTP data transfer. An https: URL indicates that HTTP is in use, but HTTPS has a different default port from HTTP and an encryption/authentication layer (between HTTP and TCP).

The system was originally developed by Netscape; it provides authentication and encrypted communication, and is now widely used for security-sensitive communication on the World Wide Web, such as transaction payments. It was developed by Netscape and built into its browser, where it compresses and decompresses data and returns the results transmitted back over the network. HTTPS in fact uses Netscape's Secure Sockets Layer (SSL) as a sublayer beneath the HTTP application layer. (HTTPS uses port 443 rather than port 80, as HTTP does, to communicate over TCP/IP.) SSL uses 40-bit keys with the RC4 stream cipher, which is adequate for encrypting commercial information. HTTPS and SSL support X.509 digital certificates, so the user can confirm who the sender is when needed.
8. [iyunv@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650 # generate the CA certificate
(Option explanation: -x509 outputs a self-signed certificate rather than a certificate request, -out names the certificate file, -days 3650 sets the validity period.)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:yang
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
II. Web server
1. Private key
[iyunv@localhost CA]# mkdir -pv /etc/httpd/certs # create a directory for the key and certificate
[iyunv@localhost CA]# cd /etc/httpd/certs
[iyunv@localhost certs]# openssl genrsa 1024 >httpd.key
2. Certificate request
[iyunv@localhost certs]# openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:henan
Locality Name (eg, city) [BEIJING]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:tec
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:www.tec.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Issue the certificate (sign the request with the CA)
[iyunv@localhost certs]# openssl ca -in httpd.csr -out httpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 21 08:57:07 2012 GMT
Not After : Aug 21 08:57:07 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = tec
organizationalUnitName = tec
commonName = www.tec.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
35:4C:5F:D7:E6:D5:35:D2:C9:B4:03:3B:21:35:F9:B3:70:DD:40:76
X509v3 Authority Key Identifier:
keyid:23:FB:61:B4:E8:27:0E:09:58:B6:11:60:61:D6:37:90:70:F5:62:5C
Certificate is to be certified until Aug 21 08:57:07 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4. [iyunv@localhost certs]# chmod 600 * # restrict permissions, for security
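The whole procedure above (CA certificate, server key, CSR, signing, permissions) as one non-interactive script, added here as an example and not part of the original post. It signs with `openssl x509 -req` instead of `openssl ca`, so it needs no CA database (index.txt, serial), uses 2048-bit keys, adds a subjectAltName (modern clients match the hostname against the SAN and ignore the CN), and works in a temporary directory; `$WORK`, the `.ext` file and the function names are this example's own.

```shell
#!/bin/sh
# Added example: reproduce the page's CA -> server certificate flow
# non-interactively, then verify the result. Subject names are taken
# from the page; the work directory and file names are this example's own.
set -eu

WORK="$(mktemp -d)"
CA_SUBJ="/C=CN/ST=BEIJING/L=BEIJING/O=yang/OU=tec/CN=rootca.net.net"
SRV_SUBJ="/C=CN/ST=henan/L=zhengzhou/O=tec/OU=tec/CN=www.tec.com"

# Build the CA: private key plus a self-signed certificate (the page's step 8).
make_ca() {
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/cakey.pem" -out "$WORK/cacert.pem" \
        -days 3650 -subj "$CA_SUBJ" 2>/dev/null
}

# Build the server key and CSR, then sign the CSR with the CA (steps 1-3).
# The extension file adds a SAN and marks the leaf as a non-CA certificate.
make_server_cert() {
    openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
        -subj "$SRV_SUBJ" 2>/dev/null
    printf 'subjectAltName=DNS:www.tec.com\nbasicConstraints=CA:FALSE\n' \
        > "$WORK/srv.ext"
    openssl x509 -req -in "$WORK/httpd.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/srv.ext" -out "$WORK/httpd.cert" 2>/dev/null
    chmod 600 "$WORK"/*   # step 4: key and certificates readable by owner only
}

# Check that httpd.cert chains to cacert.pem and carries the expected
# CN and SAN; returns non-zero if any check fails.
verify_server_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/httpd.cert" \
        >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/httpd.cert" -noout -subject \
        | grep -q 'CN *= *www\.tec\.com' || return 1
    openssl x509 -in "$WORK/httpd.cert" -noout -text \
        | grep -q 'DNS:www\.tec\.com'
}

make_ca
make_server_cert
verify_server_cert && echo "certificate chain OK: $WORK/httpd.cert"
```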