Using httpd + OpenSSL to enable HTTPS for a website


                     CA certification center (issues / revokes certificates)
                    /                                  ^   |
      CA certificate                                   |   | issues
      (downloaded by client)       certificate request |   | certificate
                  /                                    |   v
            client <------- digital certificate ------- WEB

1. The web server generates an asymmetric key pair (web public key, web private key).
2. The web server builds a certificate request from its identity information plus its public key and sends the request to the CA server.
3. The CA server signs the web server's certificate request with the CA private key, producing the web server's digital certificate, and issues that certificate to the web server.
4. The client connects to the web server, requests an HTTPS connection and downloads the web server's digital certificate.
5. The client downloads the CA's digital certificate (CA identity information + CA public key, issued by a higher-level CA or self-signed) and uses it to verify the web server's certificate (the CA certificate carries the CA public key; the web certificate was signed with the CA private key).
6. The client and the web server negotiate a symmetric cipher; the client generates a symmetric key, encrypts it with the web public key and sends it to the web server, which decrypts it with the web private key.
7. Data is transferred under the symmetric key, with integrity checking of the data.

Now let's go through the concrete steps.

Configure the CA server
========================================================
1. On the CA (172.16.1.2), generate the CA's own public/private key pair and self-sign the CA certificate (using the CA script)
[root@CA ~]# vim /etc/pki/tls/openssl.cnf
dir            = /etc/CA                  # Where everything is kept      (line 45)
basicConstraints=CA:TRUE    # allow the self-signed certificate to be used  (line 178)

[root@CA ~]# vim /etc/pki/tls/misc/CA
CATOP=/etc/CA            # line 42

[root@CA ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
...................++++++
writing new private key to '../../CA/private/./cakey.pem'    # the CA private key
Enter PEM pass phrase:123456                        # passphrase protecting the CA private key
Verifying - Enter PEM pass phrase:123456
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN                    # identity information
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:linuxidc
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:CA.linuxidc.com
Email Address []:CA@linuxidc.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:123456    # self-sign with the CA private key
Check that the request matches the signature
Signature ok
Certificate Details:
      Serial Number: 0 (0x0)
      Validity
          Not Before: Mar 5 01:40:50 2012 GMT
          Not After : Mar 5 01:40:50 2015 GMT
      Subject:
            countryName = CN
            stateOrProvinceName = BEIJING
            organizationName = linuxidc
            organizationalUnitName = IT
            commonName = CA.linuxidc.com
            emailAddress = CA@linuxidc.com
      X509v3 extensions:
              X509v3 Basic Constraints:
                  CA:TRUE
              Netscape Comment:
                  OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
                  61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
              X509v3 Authority Key Identifier:           
                  keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
Certificate is to be certified until Mar 5 01:40:50 2015 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

[root@CA ~]# ls /etc/CA/private/cakey.pem    # CA private key
[root@CA ~]# ls /etc/CA/cacert.pem        # CA certificate
[root@CA ~]# ls /etc/CA/careq.pem        # CA certificate request

Configure the web server
===============================================================
The web server generates its own private key
[root@www ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key        # protect the private key with DES3
Generating RSA private key, 512 bit long modulus
.........++++++++++++
....................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:123456

Generate the certificate request (identity information + public key)
[root@www ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:123456
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
-------------------------------------------------------------------------------
Country Name (2 letter code) [GB]:CN                        # these fields must match the CA's !!!
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:linuxidc
Organizational Unit Name (eg, section) []:IT
-------------------------------------------------------------------------------
Common Name (eg, your name or your server's hostname) []:www.linuxidc.com
Email Address []:www@linuxidc.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:

Send the certificate request to the CA
[root@www ~]# scp /tmp/server.csr CA.linuxidc.com:/tmp/

The CA server signs the certificate request
=============================================================================
[root@CA ~]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt

  /etc/CA/private/cakey.pem   (the CA's private key)
  /tmp/server.csr             (the http server's certificate request file)
  /etc/CA/cacert.pem          (the CA's certificate)
  /tmp/server.crt             (name of the http server certificate to be generated)

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
      Serial Number: 1 (0x1)
      Validity
          Not Before: Mar 5 02:20:56 2012 GMT
            Not After : Mar 5 02:20:56 2013 GMT
      Subject:
            countryName = CN
            stateOrProvinceName = BEIJING
            organizationName = linuxidc
            organizationalUnitName = IT
            commonName = www.linuxidc.com
            emailAddress = www@linuxidc.com
      X509v3 extensions:
          X509v3 Basic Constraints:
              CA:TRUE
          Netscape Comment:
              OpenSSL Generated Certificate
          X509v3 Subject Key Identifier:
              D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
          X509v3 Authority Key Identifier:
              keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
Certificate is to be certified until Mar 5 02:20:56 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Issue the signed digital certificate to the web server
[root@CA ~]# scp /tmp/server.crt www.linuxidc.com:/etc/httpd/conf.d/

Configure the web server for SSL to enable HTTPS
==========================================================
[root@www ~]# yum install httpd mod_ssl
[root@www ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key

[root@www ~]# netstat -tunpl | grep 443
tcp 0 0 :::443 :::* LISTEN 2000/httpd
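Before pointing SSLCertificateFile and SSLCertificateKeyFile at the two files, a practitioner wants to know that the key really belongs to the certificate, that the private key is not readable by other users, and that the certificate is a leaf rather than a CA certificate. The script below does those three checks and then writes a mod_ssl virtual-host fragment. It is an added example, not code from the original post: the four file paths are arguments, and the directives beyond the two the page shows (SSLCertificateChainFile, SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder) are my additions.

```shell
#!/bin/sh
# Added example (not from the original post): pre-deployment checks for the
# cert/key pair referenced from ssl.conf, plus a generated ssl.conf fragment.
set -e

# Returns 0 when the RSA modulus in the certificate equals the one in the key,
# i.e. SSLCertificateFile and SSLCertificateKeyFile really belong together.
# For a passphrase-protected key (the page uses -des3) openssl will prompt.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 when the key file has no group/other permission bits (mode 0600
# or stricter). Parses ls -l so it works on both GNU and BSD userland.
key_perms_ok() {
  case $(ls -ld "$1" | cut -c5-10) in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# Returns 0 when the certificate does not claim CA:TRUE; a server certificate
# carrying CA:TRUE could itself sign further certificates and is mis-issued.
cert_is_leaf() {
  ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Run all three checks on cert $1 / key $2; print the first failure, return 1.
deploy_check() {
  cert_matches_key "$1" "$2" || { echo "key $2 does not match cert $1"; return 1; }
  key_perms_ok "$2"          || { echo "key $2 is readable by group/others"; return 1; }
  cert_is_leaf "$1"          || { echo "cert $1 carries CA:TRUE"; return 1; }
}

# Write a mod_ssl vhost fragment: $1 output file, $2 cert, $3 key, $4 CA cert.
write_ssl_conf() {
  cat > "$1" <<EOF
Listen 443
<VirtualHost _default_:443>
    ServerName www.linuxidc.com
    SSLEngine on
    SSLCertificateFile      $2
    SSLCertificateKeyFile   $3
    # Issuing CA certificate, sent so clients can build the chain.
    SSLCertificateChainFile $4
    # Not on the original page: no SSLv2/SSLv3/TLS 1.0/1.1, no weak ciphers.
    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          HIGH:!aNULL:!MD5:!RC4
    SSLHonorCipherOrder     on
</VirtualHost>
EOF
}

# Usage: sh deploy_check.sh server.crt server.key cacert.pem ssl.conf
if [ "$#" -eq 4 ]; then
  deploy_check "$1" "$2" && write_ssl_conf "$4" "$1" "$2" "$3"
fi
```

The modulus comparison is the classic RSA-only check; it is enough here because the page's keys are RSA. The permission check matters because the page's server.key sits in /etc/httpd/conf.d/ next to world-readable configuration files.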

The client downloads the CA certificate, imports it into the browser, then visits the www server
==================================================================================
The client needs to download the CA certificate and import it into the browser, then access the web server over HTTPS; the browser verifies whether the web server's digital certificate was issued by that CA. In Firefox: Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Import.
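The seven-step flow at the top of the page, the CA and web-server sections, and the client-side verification just described, carried out end to end with the openssl command line. This is an added example, not code from the original post. It assumes a scratch directory passed as the first argument, 2048-bit keys, an unencrypted server key protected by file mode 0600 instead of a DES3 passphrase, and a subjectAltName on the server certificate (current browsers ignore the Common Name). It also keeps the CA's basicConstraints=CA:TRUE in the CA's own extension section rather than in the global openssl.cnf: the page's signing output shows the web server certificate with "X509v3 Basic Constraints: CA:TRUE", which is the side effect of the line-178 edit, and such a certificate could itself sign further certificates. client_verify is what the browser does once the CA certificate is imported; cert_is_ca is the check that catches the CA:TRUE problem.

```shell
#!/bin/sh
# Added example (not from the original post): private CA, server certificate,
# and the client's chain + hostname check, using only the openssl CLI.
set -e

# Build the CA and issue the server certificate into $1 (a scratch directory).
build_pki() {
  dir="$1"
  mkdir -p "$dir"

  # CA config: CA:TRUE lives in the CA's own extension section, not in the
  # global openssl.cnf section that every signed certificate would inherit.
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
C  = CN
ST = BEIJING
L  = HD
O  = linuxidc
OU = IT
CN = CA.linuxidc.com
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Extensions the CA applies to the *server* certificate: explicitly not a CA,
  # server-auth only, with the hostname in subjectAltName.
  cat > "$dir/server_ext.cnf" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.linuxidc.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

  # CA: key pair plus self-signed CA certificate (10 years), key readable by owner only.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"

  # Web server (steps 1-2): private key, then a CSR carrying identity + public key.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  chmod 600 "$dir/server.key"
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/ca.cnf" \
    -subj "/C=CN/ST=BEIJING/L=HD/O=linuxidc/OU=IT/CN=www.linuxidc.com" 2>/dev/null

  # CA (step 3): sign the request with the CA private key, applying its own
  # extensions rather than whatever the CSR asked for.
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server_ext.cnf" -out "$dir/server.crt" 2>/dev/null
}

# Steps 4-5 as the browser performs them after the CA cert is imported:
# chain check against CA file $1 and hostname check of cert $2 for name $3.
# Returns 0 only when openssl reports the certificate as OK.
client_verify() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null | grep -q ': OK$'
}

# Returns 0 when the certificate asserts CA:TRUE (a server cert must not).
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage: sh private_ca.sh /path/to/scratch-dir
if [ "$#" -eq 1 ]; then
  build_pki "$1"
  if client_verify "$1/ca.crt" "$1/server.crt" www.linuxidc.com; then
    echo "server.crt verifies against ca.crt for www.linuxidc.com"
  fi
  if cert_is_ca "$1/server.crt"; then
    echo "WARNING: server.crt carries CA:TRUE"
  fi
fi
```

Run against the page's files with `openssl verify -CAfile /etc/CA/cacert.pem /tmp/server.crt`; without the -CAfile (the browser before the import step) openssl reports "unable to get local issuer certificate", which is the same condition the browser shows as an untrusted issuer.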

If you are still unsure how to generate OpenSSL certificates, see my article: http://www.linuxidc.com/Linux/2014-03/98955.htm


Copyright notice: original article on this site, published by 星锅 on 2022-01-20, 6559 characters in total.