实现https 搭建CA 颁发证书
加密模块默认没有安装,需要安装加密模块
[root@localhost ~]# httpd -M | grep ssl
Syntax OK
安装模块
[root@localhost ~]# yum install mod_ssl
安装后查看模块
[root@localhost ~]# httpd -M | grep ssl
ssl_module (shared)
加载支持加密的模块的配置文件
[root@localhost ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
[root@localhost ~]# grep mod_ssl /etc/httpd/conf.d/ssl.conf
# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
LoadModule ssl_module modules/mod_ssl.so 从配置文件中加载了支持加密的模块
重启服务
[root@localhost ~]# service httpd restart
说明:在不支持 SNI 的旧环境里,基于域名的多个 HTTPS 虚拟主机会共用同一张证书(客户端在 TLS 握手时还没有发送 Host 头);httpd 2.2.12+ 配合 OpenSSL 0.9.8j+ 已支持 SNI,可以为多个基于域名的虚拟主机分别配置证书,基于 IP 的虚拟主机则一直可以各用各的证书。本实验为简化配置,删除之前创建的虚拟主机
[root@localhost ~]# rm -rf /etc/httpd/conf.d/vhosts.conf
修改主配置文件,使用安装好httpd时使用的站点目录
DocumentRoot “/var/www/html”
复制创建一个用于被访问的文件(注意:下面把 /var/log/messages 放进站点目录只是为了实验,系统日志里含有主机名、服务、用户等敏感信息,绝不能在生产环境这样发布;自己写一个简单的测试页即可)
[root@localhost ~]# cp /var/log/messages /var/www/html/m.html
添加apache的权限
[root@localhost ~]# chmod +r /var/www/html/m.html
重启服务
[root@localhost ~]# service httpd restart
访问
查看证书 [ 自签名的证书 ]
配置文件中定义了加载证书文件的路径
[root@localhost ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf 配置文件
[root@localhost ~]# cat /etc/httpd/conf.d/ssl.conf
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key 私钥文件路径
SSLCertificateFile /etc/pki/tls/certs/localhost.crt 证书文件路径
#SSLCertificateChainFile /etc/httpd/conf.d/ssl/cacert.pem 根证书文件路径(已经修改过)
查看证书文件
[root@localhost ~]# cat /etc/pki/tls/certs/localhost.crt
—–BEGIN CERTIFICATE—–
[root@localhost ~]# openssl x509 -in /etc/pki/tls/certs/localhost.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2088 (0x828)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=–, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost/emailAddress=root@localhost 发布者
Validity
Not Before: Jan 27 08:44:14 2018 GMT
Not After : Jan 27 08:44:14 2019 GMT
Subject: C=–, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost/emailAddress=root@localhost 颁发给谁
Subject Public Key Info:
/etc/pki/tls/certs/localhost.crt 文件是在安装 mod_ssl 时由安装脚本生成的,不属于任何包。注意:查询某个文件属于哪个包应使用 rpm -qf <文件路径>;下面的 rpm -ql 会把参数当作包名,所以提示的是 "package ... is not installed",并不能据此判断文件归属
[root@localhost ~]# rpm -ql /etc/pki/tls/certs/localhost.crt
package /etc/pki/tls/certs/localhost.crt is not installed
搭建CA
CA 192.168.119.159
CA服务器
[root@localhost ~]# hostname ca
[root@localhost ~]# exec bash
[root@ca ~]#
Web服务器
[root@localhost ~]# hostname websrv
[root@localhost ~]# exec bash
[root@websrv ~]#
搭建CA
[root@ca ~]# cd /etc/pki/CA/
[root@ca /etc/pki/CA]# tree
.
├── certs
├── crl
├── newcerts
└── private
4 directories, 0 files
[root@ca /etc/pki/CA]#
[root@ca /etc/pki/CA]# touch index.txt
[root@ca /etc/pki/CA]# echo 01 > serial
[root@ca /etc/pki/CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
[root@ca /etc/pki/CA]# tree
.
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 3 files
[root@ca /etc/pki/CA]#
自签名 CA 根证书(用 CA 自己的私钥签发)。注意:cakey.pem 是整个信任体系的根,谁拿到它就能给任意域名签发被客户端信任的证书,生产环境应给它加口令保护(如 genrsa -aes256)并离线保管,只有签名时才使用
[root@ca /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server’s hostname) []:ca.magedu.com
Email Address []:
[root@ca /etc/pki/CA]#
[root@ca /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
├── crl
├── index.txt
├── newcerts
├── private
│ └── cakey.pem
└── serial
4 directories, 4 files
[root@ca /etc/pki/CA]#
Web服务器申请证书
[root@websrv ~]# mkdir /etc/httpd/conf.d/ssl
[root@websrv ~]# cd /etc/httpd/conf.d/ssl
创建服务器私钥(注意:下面未指定长度,这个版本的 openssl 默认只生成 1024 位 RSA 密钥,现在已被认为不够安全且浏览器会拒绝,应与 CA 密钥一样显式指定 2048 位:openssl genrsa -out httpd.key 2048)
[root@websrv /etc/httpd/conf.d/ssl]# (umask 077; openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
…………++++++
…………………++++++
e is 65537 (0x10001)
[root@websrv /etc/httpd/conf.d/ssl]#
生成证书申请
[root@websrv /etc/httpd/conf.d/ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server’s hostname) []:*.magedu.com
Email Address []:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@websrv /etc/httpd/conf.d/ssl]# ll
total 8
-rw-r–r– 1 root root 647 Jan 27 17:19 httpd.csr 证书申请文件
-rw——- 1 root root 891 Jan 27 17:16 httpd.key
把证书申请文件(httpd.csr,只含公钥和申请信息)传到 CA 进行签名;私钥 httpd.key 始终留在 Web 服务器上,任何情况下都不应把私钥发给 CA
[root@websrv /etc/httpd/conf.d/ssl]# scp httpd.csr 192.168.119.159:/etc/pki/CA
CA服务器查看并签名证书申请
[root@ca /etc/pki/CA]# ls
cacert.pem certs crl httpd.csr index.txt newcerts private serial
[root@ca /etc/pki/CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 712
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 27 09:22:18 2018 GMT
Not After : Jan 9 09:22:18 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = magedu.com
organizationalUnitName = opt
commonName = *.magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
69:1C:DF:9F:18:D9:2F:98:1D:EF:71:D0:6D:DB:A3:35:CE:A3:1F:41
X509v3 Authority Key Identifier:
keyid:1E:A3:A2:DF:3E:17:6A:4E:F1:37:F5:4E:AA:E4:61:A8:D4:B5:4A:31
Certificate is to be certified until Jan 9 09:22:18 2020 GMT (712 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca /etc/pki/CA]#
生成的证书文件
[root@ca /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│ └── httpd.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│ └── 01.pem
├── private
│ └── cakey.pem
├── serial
└── serial.old
4 directories, 10 files
[root@ca /etc/pki/CA]#
httpd.crt(-out 指定的输出)和 newcerts/01.pem(openssl ca 按序列号自动归档的副本)内容完全相同
把签过名的证书文件发送和申请的服务器
[root@ca /etc/pki/CA]# scp certs/httpd.crt 192.168.119.129:/etc/httpd/conf.d/ssl/
查看文件
[root@websrv /etc/httpd/conf.d/ssl]# ll
total 12
-rw-r–r– 1 root root 3721 Jan 27 17:24 httpd.crt
-rw-r–r– 1 root root 647 Jan 27 17:19 httpd.csr 请求文件
-rw——- 1 root root 891 Jan 27 17:16 httpd.key
修改配置文件
[root@websrv /etc/httpd/conf.d]# vim ssl.conf
ServerName www.magedu.com:443
SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
重新启动服务
[root@websrv /etc/httpd/conf.d]# service httpd restart
把 CA 的根证书也传给 Web 服务器,作为证书链文件提供给客户端;否则客户端拿到服务器证书后找不到签发者,会提示证书不受信任
[root@ca /etc/pki/CA]# scp cacert.pem 192.168.119.129:/etc/httpd/conf.d/ssl/
查看
[root@websrv /etc/httpd/conf.d/ssl]# ls
cacert.pem httpd.crt httpd.csr httpd.key
修改配置文件
[root@websrv /etc/httpd/conf.d/ssl]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateChainFile /etc/httpd/conf.d/ssl/cacert.pem CA的证书文件
重启服务
[root@websrv /etc/httpd/conf.d/ssl]# service httpd restart
访问测试
自建的根 CA 不在操作系统和浏览器内置的信任列表中,所以需要把 CA 的证书导入到客户端计算机的“受信任的根证书颁发机构”中。注意:导入后这台机器会信任该 CA 签发的所有证书,所以只在自己的测试机上这样做,并且要保护好 CA 的私钥
[root@websrv /etc/httpd/conf.d/ssl]# ll
total 16
-rw-r–r– 1 root root 1334 Jan 27 17:33 cacert.pem
cacert.pem CA服务器的证书文件,需要导入到计算机的列表中
Windows 默认没有把 .pem 后缀关联到证书导入向导,双击无法打开,所以需要把 cacert.pem 改名为 cacert.crt(或 .cer)再导入;文件内容不需要改动
安装证书
因为签发的证书 CN 是通配符 *.magedu.com,而 ServerName 配置为 www.magedu.com,所以必须用 FQDN 访问,直接用 IP 访问会因主机名与证书不匹配而报错;修改本地的 hosts 文件后再访问测试。另外,这张证书没有 subjectAltName 扩展,较新的浏览器(如 Chrome 58+)只检查 SAN 而不再看 CN,正式使用时签发证书要加上 SAN
C:\Windows\System32\drivers\etc\hosts
192.168.119.129 www.magedu.com