https
http over ssl = https, 443/tcp
ssl: v3
tls: v1
https://
Simplified SSL session process
(1) The client sends the cipher suites it supports and asks the server for its certificate;
(2) The server sends its certificate and the selected cipher suite to the client;
(3) The client receives the certificate and verifies it:
If it trusts the CA that issued the certificate:
(a) Verify that the certificate's origin is legitimate: check the digital signature on the certificate with the CA's public key;
(b) Verify that the certificate's contents are legitimate: integrity check;
(c) Check the certificate's validity period;
(d) Check whether the certificate has been revoked;
(e) The owner name in the certificate must match the target host being accessed;
(4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange;
(5) The server encrypts the resource requested by the user with this key and responds to the client;
Note: an SSL session is created on the basis of the IP address, so a host with a single IP can run only one https virtual host;
Configuring httpd to support https:
(1) Obtain a digital certificate for the server;
Test setup: issue the certificate from a private CA
(a) Create a private CA
(b) Create a certificate signing request on the server
(c) The CA signs the request
(2) Configure httpd to use ssl and the certificate;
# yum -y install mod_ssl
Configuration file: /etc/httpd/conf.d/ssl.conf
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
(3) Test access to the host over https;
# openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
The openssl CA configuration section explained
]# vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept (default working directory where all CA data is stored)
certs = $dir/certs # Where the issued certs are kept (certificates already signed)
crl_dir = $dir/crl # Where the issued crl are kept (revocation lists)
database = $dir/index.txt # database index file (index of every certificate issued)
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs (copies of certificates just signed)
certificate = $dir/cacert.pem # The CA certificate (the CA's own certificate)
serial = $dir/serial # The current serial number (serial number to use for the next issued certificate)
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL (the revocation list currently in use)
private_key = $dir/private/cakey.pem # The private key (path to the CA's own private key)
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
Host IP: 192.168.8.98
Create the private CA
]# cd /etc/pki/CA/
]# ls
certs crl newcerts private
(1) Create the required files
]# touch index.txt
]# echo 01 > serial
]# ll
total 20
drwxr-xr-x. 2 root root 4096 Sep 27 2013 certs
drwxr-xr-x. 2 root root 4096 Sep 27 2013 crl
-rw-r--r-- 1 root root 0 Jun 21 23:39 index.txt
drwxr-xr-x. 2 root root 4096 Sep 27 2013 newcerts
drwx------. 2 root root 4096 Sep 27 2013 private
-rw-r--r-- 1 root root 3 Jun 21 23:39 serial
(2) The CA issues its own self-signed certificate
Generate the private key
]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generate the certificate request; with -x509 it is written out directly as the self-signed CA certificate
]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:anneng
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.anneng.com
Email Address []:809889031@qq.com
-new: generate a new certificate signing request;
-x509: used only by the CA to generate a self-signed certificate;
-key: the private key file used to generate the request;
-days n: the certificate's validity period in days;
-out /PATH/TO/SOMECERTFILE: where the certificate is saved;
Host IP: 192.168.8.94
Configure httpd to support https:
]# cd /etc/httpd/
]# mkdir ssl
]# cd ssl/
Generate the private key
]# (umask 077; openssl genrsa -out httpd.key 2048)
Create the certificate signing request
]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:anneng
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.xzx.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
]# ll
总用量 8
-rw-r--r-- 1 root root 1005 6月 21 19:34 httpd.csr
-rw------- 1 root root 1679 6月 21 19:29 httpd.key
Send the certificate signing request to the CA
]# scp httpd.csr root@192.168.8.98:/tmp/
Host IP: 192.168.8.98
Sign the request and send the signed certificate back to the httpd server
]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
]# scp /etc/pki/CA/certs/httpd.crt root@192.168.8.94:/etc/httpd/ssl/
Host IP: 192.168.8.94
Install the ssl module for httpd
]# yum -y install mod_ssl
List the files installed by the module
]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
Edit the httpd ssl configuration (only the directives changed inside the existing <VirtualHost *:443> block are shown; the certificate paths point at the files placed in /etc/httpd/ssl above)
]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName www.xzx.com:443
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
]# service httpd restart
停止 httpd: [确定]
正在启动 httpd: [确定]
Test access to the host over https;
# openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
Access the https server from a local Windows client
Edit the local hosts file, download the CA's self-signed certificate to the local machine, rename cacert.pem to cacert.crt, install the certificate locally, then visit the site through the browser
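The whole procedure above, from creating the private CA through signing the httpd request to the client-side checks of step (3), as an added non-interactive shell example; this is not code from the original post. It builds a throwaway CA in a temporary directory with a minimal openssl.cnf carrying the CA_default keys explained earlier; the scratch layout, the use of -subj/-batch instead of the interactive prompts, and the subjectAltName entry are assumptions.

```shell
#!/bin/sh
# Added example: throwaway private CA + signed server cert + client-side checks.
# Assumed: scratch dir from mktemp, non-interactive -subj/-batch, SAN for www.xzx.com.
set -e
CA_DIR=$(mktemp -d)
mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
touch "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"   # same two files as in the post
CNF="$CA_DIR/openssl.cnf"
cat > "$CNF" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CA_DIR
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:www.xzx.com
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
# (1) CA private key and self-signed CA certificate (openssl req -x509)
openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null
openssl req -new -x509 -config "$CNF" -extensions v3_ca -days 3650 \
  -key "$CA_DIR/private/cakey.pem" -subj "/CN=ca.anneng.com" -out "$CA_DIR/cacert.pem"
# (2) server key and CSR, then (3) the CA signs it; serial and index.txt get updated
openssl genrsa -out "$CA_DIR/httpd.key" 2048 2>/dev/null
openssl req -new -config "$CNF" -key "$CA_DIR/httpd.key" \
  -subj "/CN=www.xzx.com" -out "$CA_DIR/httpd.csr"
openssl ca -batch -notext -config "$CNF" -in "$CA_DIR/httpd.csr" -out "$CA_DIR/httpd.crt"
# Client checks of step (3): (a)(b)(c) chain, signature and validity period via
# 'openssl verify', (e) name match via -verify_hostname; (d) would need a CRL.
verify_server_cert() {   # $1 server cert, $2 CA cert, $3 expected host name
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}
verify_server_cert "$CA_DIR/httpd.crt" "$CA_DIR/cacert.pem" www.xzx.com && echo "www.xzx.com: OK"
```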
Original article, author: 809889031@qq.com. If you repost it, please cite the source: http://www.178linux.com/20724
Comments (1)
The article still needs some improvement~