|
|
众所周知http协议是明文传输的,所以当我们再互联网上发送一些敏感数据,特别是账号密码之类的数据时,就显得不那么安全,而http又是应用层协议中用的非常广泛的一种协议,所以此时想要使之更安全,可以借助于ssl来使用https协议。但ssl仅能支持基于IP的主机,所以想使用https,要么是使用中心主机,要么是使用多个基于主机名的虚拟主机中的一个。
环境准备:
httpd服务器地址:172.16.1.111
CA服务器地址:172.16.1.110
一、httpd服务器首先安装mod_ssl模块
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
| [iyunv@soysauce ~]# yum install -y "mod_ssl"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* epel: mirrors.ustc.edu.cn
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-47.el6.centos.1 will be installed
--> Processing Dependency: httpd = 2.2.15-47.el6.centos.1 for package: 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-47.el6.centos will be updated
---> Package httpd.x86_64 0:2.2.15-47.el6.centos.1 will be an update
--> Processing Dependency: httpd-tools = 2.2.15-47.el6.centos.1 for package: httpd-2.2.15-47.el6.centos.1.x86_64
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.2.15-47.el6.centos will be updated
---> Package httpd-tools.x86_64 0:2.2.15-47.el6.centos.1 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================================================================================
Package Arch Version Repository Size
========================================================================================================================================
Installing:
mod_ssl x86_64 1:2.2.15-47.el6.centos.1 updates 95 k
Updating for dependencies:
httpd x86_64 2.2.15-47.el6.centos.1 updates 830 k
httpd-tools x86_64 2.2.15-47.el6.centos.1 updates 77 k
Transaction Summary
========================================================================================================================================
Install 1 Package(s)
Upgrade 2 Package(s)
Total download size: 1.0 M
Downloading Packages:
(1/3): httpd-2.2.15-47.el6.centos.1.x86_64.rpm | 830 kB 00:00
(2/3): httpd-tools-2.2.15-47.el6.centos.1.x86_64.rpm | 77 kB 00:00
(3/3): mod_ssl-2.2.15-47.el6.centos.1.x86_64.rpm | 95 kB 00:00
----------------------------------------------------------------------------------------------------------------------------------------
Total 974 kB/s | 1.0 MB 00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : httpd-tools-2.2.15-47.el6.centos.1.x86_64 1/5
Updating : httpd-2.2.15-47.el6.centos.1.x86_64 2/5
Installing : 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64 3/5
Cleanup : httpd-2.2.15-47.el6.centos.x86_64 4/5
Cleanup : httpd-tools-2.2.15-47.el6.centos.x86_64 5/5
Verifying : httpd-tools-2.2.15-47.el6.centos.1.x86_64 1/5
Verifying : httpd-2.2.15-47.el6.centos.1.x86_64 2/5
Verifying : 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64 3/5
Verifying : httpd-2.2.15-47.el6.centos.x86_64 4/5
Verifying : httpd-tools-2.2.15-47.el6.centos.x86_64 5/5
Installed:
mod_ssl.x86_64 1:2.2.15-47.el6.centos.1
Dependency Updated:
httpd.x86_64 0:2.2.15-47.el6.centos.1 httpd-tools.x86_64 0:2.2.15-47.el6.centos.1
Complete!
|
二、建立CA服务器
(1)、生成CA自己的私钥
1
2
3
4
5
6
7
8
| [iyunv@CentOS5 ~]# cd /etc/pki/CA/
[iyunv@CentOS5 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................+++
...+++
e is 65537 (0x10001)
[iyunv@CentOS5 CA]# ll private/cakey.pem
-rw------- 1 root root 1679 Dec 12 03:58 private/cakey.pem
|
(2)、修改openssl配置文件,定义各项默认属性以及CA目录
1
2
3
4
5
6
7
8
9
10
11
| [iyunv@CentOS5 CA]# vim ../tls/openssl.cnf
[iyunv@CentOS5 CA]# grep "_default" ../tls/openssl.cnf | tail -6
countryName_default = CN
stateOrProvinceName_default = HuBei
localityName_default = HuangGang
0.organizationName_default = Soysauce
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName_default = Tech
[iyunv@CentOS5 CA]# grep "^dir" ../tls/openssl.cnf
dir = /etc/pki/CA # Where everything is kept
|
(3)、生成自签证书
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| [iyunv@CentOS5 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HuBei]:
Locality Name (eg, city) [HuangGang]:
Organization Name (eg, company) [Soysauce]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.soysauce.com
Email Address []:admin@soysauce.com
|
(4)、准备几个目录及文件
1
2
3
| [iyunv@CentOS5 CA]# mkdir certs crl newcerts
[iyunv@CentOS5 CA]# touch index.txt
[iyunv@CentOS5 CA]# echo 01 > serial
|
三、httpd服务器生成密钥,并生成签署正式申请发送给CA服务器
(1)、httpd服务器生成一对密钥
1
2
3
4
5
6
7
8
9
10
11
| [iyunv@soysauce ~]# cd /etc/httpd/
[iyunv@soysauce httpd]# mkdir ssl
[iyunv@soysauce httpd]# cd ssl/
[iyunv@soysauce ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
............+++
.............................+++
e is 65537 (0x10001)
[iyunv@soysauce ssl]# ll
total 4
-rw------- 1 root root 1675 Dec 12 13:04 httpd.key
|
(2)、httpd服务器生成证书签署请求(hostname一定要保持一致)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
| [iyunv@soysauce ssl]# scp 172.16.1.110:/etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf
[iyunv@soysauce ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HuBei]:
Locality Name (eg, city) [HuangGang]:
Organization Name (eg, company) [NetWork]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:admin@a.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
|
(3)、将证书签署申请发送给CA服务器端
1
| [iyunv@soysauce ssl]# scp httpd.csr 172.16.1.110:/tmp/
|
四、CA签署此证书请求并回送给httpd服务器
(1)、CA服务器端签署证书申请
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
| [iyunv@CentOS5 CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Dec 11 20:23:59 2015 GMT
Not After : Dec 8 20:23:59 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = HuBei
organizationName = Soysauce
organizationalUnitName = Tech
commonName = www.soysauce.com
emailAddress = admin@soysauce.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
35:E0:03:B1:67:28:A9:A9:39:F0:DB:0D:26:0B:ED:AD:B2:F6:FA:4A
X509v3 Authority Key Identifier:
keyid:9D:DF:4E:04:DC:31:25:24:2B:F6:65:05:9C:B3:96:8E:DC:6A:FB:4B
Certificate is to be certified until Dec 8 20:23:59 2025 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[iyunv@CentOS5 ~]# cd /etc/pki/CA/
[iyunv@CentOS5 CA]# ls
cacert.pem certs crl index.txt index.txt.attr index.txt.old newcerts private serial serial.old
[iyunv@CentOS5 CA]# cat index.txt
V 251208202359Z 01 unknown /C=CN/ST=HuBei/O=Soysauce/OU=Tech/CN=www.soysauce.com/emailAddress=admin@soysauce.com
[iyunv@CentOS5 CA]# cat serial
02
|
(2)、将签署好的证书返回给httpd客户端
1
| [iyunv@CentOS5 CA]# scp /tmp/httpd.crt 172.16.1.111:/etc/httpd/ssl/httpd.crt
|
(3)、删除httpd服务器的证书
1
| [iyunv@CentOS5 tmp]# rm -f httpd.csr httpd.crt
|
五、httpd服务器端编辑ssl.conf文件配置使用https
(1)、编辑ssl.conf配置文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
| [iyunv@soysauce ssl]# cd /etc/httpd/conf.d/
[iyunv@soysauce conf.d]# ls
README ssl.conf virtualhost.conf welcome.conf
[iyunv@soysauce conf.d]# cp ssl.conf{,.back}
[iyunv@soysauce conf.d]# vim ssl.conf
[iyunv@soysauce conf.d]# grep -A 4 "<Virtu" ssl.conf
<VirtualHost 172.16.1.111:443>
ServerName www.soysauce.com
DocumentRoot "/data/www/soysauce.com"
ErrorLog "/var/log/httpd/soysauce.com/ssl_error_log"
TransferLog "/var/log/httpd/soysauce.com/ssl_access_log"
[iyunv@soysauce conf.d]# grep "^SSLCertificate" ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
|
(2)、然后重启httpd服务,客户端再访问即可
1
2
3
4
5
6
7
8
| [iyunv@soysauce conf.d]# vim /etc/hosts
[iyunv@soysauce conf.d]# tail -1 /etc/hosts # 修改的是客户端的hosts文件
172.16.1.111 www.soysauce.com
[iyunv@soysauce conf.d]# httpd -t
Syntax OK
[iyunv@soysauce conf.d]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
|
到此处一个支持https的Web服务器已然完成
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2015-12-17 08:38:00
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡