一、简介
1、HTTP
HTTP是超文本传输协议,主要是用来发布和接收web网页内容。监听端口号是80。
2、SSL/TLS
SSL称为安全套接层,要用来解决HTTP协议明文传输导致内容被偷窥和篡改的缺点。
TLS叫做传输层安全协议。
3、HTTPS
https就是http协议和SSL/TLS的组合,默认端口为443。
https工作原理:客服端首先发起https请求,确认支持哪些版本和加密算法,服务器确认支持的算法和加密版本,服务器将自己的公钥,证书发送给客服端,客服端确认证书,使用公钥进行加密,加密后的数据发送给服务端,服务端使用私钥解密。服务端使用私钥解密得到会话密钥,并使用会话密钥对数据加密发送到客服端,客服端使用会话密钥进行解密,得到数据。
4、CA
http传输过程当中可能会不法分子接受,或者是进行中间人攻击,所以此时CA进行了认证,https通过数字证书和数字签名来验证网站的身份,并保证数据在传输过程中不会被篡改。数字证书由权威的证书颁发机构(CA)颁发,用于验证网站的身份,并确保通信双方之间建立了安全的连接。
二、Linux系统搭建私有CA证书服务器
安装openssl
[root@node2 ~]# yum -y install openssl # 安装需要的工具
openssl命令选项:
- -x509:生成自签名证书格式,专用于创建私有CA
- -new: 生成性的证书部署请求
- -day: 证书有效期,默认是365天
- -key: 生成请求时用到的私钥文件路径
- -out: 生成后的文件存放的路径,如果是自签名操作,将会生成已签署过的证书
找到openssl配置文件找到相关配置文件
[root@node2 ~]# vim /etc/pki/tls/openssl.conf
dir = /etc/pki/CA # 存储证书相关文件
certs = $dir/certs # 存储签发的证书
crl_dir = $dir/crl # 记录颁发的证书信息
database = $dir/index.txt # 记录证书编号
创建存放CA文件的目录
[root@node2 CA]# ls
cacert.pem certs crl index.txt newcerts private serial
index.txt # 记录生成证书的文件
serial # 证书编号
用openssl创建私钥
[root@node2 CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem) # 生成私钥
为主机node2生成自签名证书
[root@node2 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # 国家
State or Province Name (full name) []:HUBEI # 省份
Locality Name (eg, city) [Default City]:WUHAN # 城市
Organization Name (eg, company) [Default Company Ltd]:CHEN # 名称单位
Organizational Unit Name (eg, section) []:BASY # 组织名称
Common Name (eg, your name or your server's hostname) []:node2.example.com # 单位的域名
Email Address []:root@example.com # 邮箱
导入证书序列号到中,为WEB服务端生成私钥
[root@node2 CA]# echo 01 > serial
[root@node1 named]# mkdir /etc/httpd/ssl # 创建ssl目录,并生成私钥放到ssl目录下
[root@node1 named]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key)
WEB服务端生成证书签署申请文件
[root@node1 named]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
Ignoring -days without -x509; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HUBEI
Locality Name (eg, city) [Default City]:WUHAN
Organization Name (eg, company) [Default Company Ltd]:CHEN
Organizational Unit Name (eg, section) []:BABY
Common Name (eg, your name or your server's hostname) []:CZ
Email Address []:ROOT@example.com
将web服务器上的请求文件发送给CA服务器
[root@node1 ssl]# scp httpd.csr root@192.168.100.20:/etc/pki/CA
The authenticity of host '192.168.100.20 (192.168.100.20)' can't be established.
ED25519 key fingerprint is SHA256:H3VqtOyTQrezL684uw4Tc4Pa6kz749hQbggB5A8E7rs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.100.20' (ED25519) to the list of known hosts.
root@192.168.100.20's password:
httpd.csr 100% 1050 1.8MB/s 00:00
[root@node1 ssl]#
CA服务器对请求文件进行签名,并指明所生成得WEB证书存放的路径
[root@node2 CA]# openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 14 07:01:37 2024 GMT
Not After : Jul 14 07:01:37 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = HUBEI
organizationName = CHEN
organizationalUnitName = BASY
commonName = node1.example.com
emailAddress = root@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
26:BD:0D:74:D6:EE:3F:16:B7:2A:C7:1D:20:A2:FF:95:D3:C9:DF:E8
X509v3 Authority Key Identifier:
8B:11:06:8B:70:E0:EB:D3:E9:55:EE:B5:1A:FE:24:6E:17:64:9F:93
Certificate is to be certified until Jul 14 07:01:37 2025 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
然后将签名完成得证书下载到web服务器下
[root@node1 ssl]# scp root@192.168.100.20:/etc/pki/CA/certs/httpd.crt .
root@192.168.100.20's password:
httpd.crt 100% 4472 4.6MB/s 00:00
[root@node1 ssl]# ls
httpd.crt httpd.csr httpd.key
修改ssl.conf配置文件
SSLCertificateFile /etc/httpd/ssl/httpd.crt # 证书存放得位置
SSLCertificateKeyFile /etc/httpd/ssl/httpd.ker # 私钥存放的位置
apache用虚拟主机来做
<VirtualHost 192.168.100.10:443>
DocumentRoot "/var/www/html"
ServerName web1.example.com
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.ker
</VirtualHost>
写入内容,在启动apache
[root@node1 html]# ls
index.html
[root@node1 html]# cat index.html
hello word!