Contents
Main steps
- Install the mod_ssl module so httpd can serve SSL/TLS
Request a digital certificate for the server
- Create a private CA
- Create a certificate signing request on the server
- Have the CA sign it
Set up DNS
- Edit the httpd configuration
- Test HTTPS access to the host that answers
1. Install the mod_ssl module so httpd can serve SSL/TLS
[root@centos6 ~]# yum install -y mod_ssl
[root@centos6 ~]# rpm -ql mod_ssl # the package installed these files
/etc/httpd/conf.d/ssl.conf # new configuration file; it carries Listen 443 and the default SSL virtual host
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
[root@centos6 ~]# service httpd reload # graceful restart: re-reads the configuration, which now loads the module and listens on 443
Reloading httpd:
Direct access test
At this point https:// already answers, because the mod_ssl package generates a self-signed certificate (/etc/pki/tls/certs/localhost.crt) that ssl.conf points at by default. Two problems remain: the browser does not trust the site, and the certificate is not our own.
The browser warning shows both problems.
2. Request a digital certificate for the server
Create a private CA
The CA lives on centos7 (192.168.8.135, which also becomes the DNS server below); the web server is centos6 (192.168.8.128). The CA private key never leaves the CA host; only CSRs come in and certificates go out.
[root@centos7 ~]# touch /etc/pki/CA/index.txt # certificate database that openssl ca requires
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial # serial number of the first certificate to be issued
[root@centos7 ~]# cd /etc/pki/CA/
[root@centos7 CA]# (umask 066 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048) # the subshell keeps the umask change local; the key file comes out 0600
Generating RSA private key, 2048 bit long modulus
...................+++
.....................................................................+++
e is 65537 (0x10001)
[root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem # self-signed root certificate, valid 20 years; the stock openssl.cnf adds its v3_ca extensions (CA:TRUE)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:hlg
Organization Name (eg, company) [Default Company Ltd]:ihaiyun.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.ihaiyun.com
Email Address []:
Create a certificate signing request on the server
The key and the CSR are generated on the web server itself. Country, State and Organization must be the same values the CA used: the stock openssl.cnf signs with policy_match, which rejects a request whose C, ST or O differ from the CA certificate (Locality and OU may differ).
[root@centos6 ~]# (umask 066 ; openssl genrsa -out /etc/pki/tls/private/test.key 2048) # server private key, mode 0600
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.............................................................................................................................................................................+++
e is 65537 (0x10001)
[root@centos6 ~]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr # -days is ignored without -x509: the validity period is set by the CA when it signs
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:caoyang
Organization Name (eg, company) [Default Company Ltd]:ihaiyun.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.ihaiyun.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos6 tls]# scp test.csr 192.168.8.135:/etc/pki/CA # only the CSR goes to the CA host; test.key stays on the web server
root@192.168.8.135's password:
test.csr 100% 1029 1.0KB/s 00:00
Have the CA sign it
[root@centos7 CA]# openssl ca -in /etc/pki/CA/test.csr -out /etc/pki/CA/certs/test.crt # uses the [ ca ] section of /etc/pki/tls/openssl.cnf: dir=/etc/pki/CA, default_days 365, policy_match
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 9 01:18:33 2017 GMT
Not After : Oct 9 01:18:33 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = ihaiyun.com
organizationalUnitName = www.ihaiyun.com
commonName = www.ihaiyun.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A6:59:85:90:9D:84:C4:80:6B:27:E2:A2:57:44:58:FA:69:64:CB:00
X509v3 Authority Key Identifier:
keyid:43:65:C5:B5:03:8E:E9:2E:82:C9:0D:5F:87:72:2D:F1:81:5F:FB:CE
Certificate is to be certified until Oct 9 01:18:33 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Retrieve the certificate
[root@centos6 ~]# mkdir /etc/httpd/ssl # directory for the certificate files
[root@centos7 CA]# scp certs/test.crt 192.168.8.128:/etc/httpd/ssl # send the server certificate to 192.168.8.128
root@192.168.8.128's password:
test.crt 100% 4507 4.4KB/s 00:00
[root@centos7 CA]# scp cacert.pem 192.168.8.128:/etc/httpd/ssl # send the root certificate to 192.168.8.128 (public material; cakey.pem stays on the CA host)
root@192.168.8.128's password:
cacert.pem 100% 1326 1.3KB/s 00:00
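Step 2 as a whole (CA, CSR, signing, retrieval) as an added example that is not part of the original page: the same workflow run without prompts in a scratch directory, with a minimal openssl.cnf written by the script instead of /etc/pki/tls/openssl.cnf. The DN values are the page's; the directory layout, the lab_ca config section, the subjectAltName list and the hostname check are this example's assumptions. It goes beyond the page in two ways: the server certificate carries a subjectAltName, which current browsers require, and the result is checked with openssl verify against the root and the hostname, which is what a browser does once cacert.pem is imported.

```shell
#!/bin/sh
# Added example (not the page's own commands): the page's private-CA workflow
# re-run non-interactively in a scratch directory, with a subjectAltName on
# the server certificate and a chain + hostname check at the end. The paths,
# the lab_ca config and the SAN list below are this example's assumptions.
set -eu

# Lay out what `openssl ca` needs (the page's index.txt, serial, private/ and
# certs/ under /etc/pki/CA) plus a minimal config so that nothing prompts.
init_ca_dir() {
    ca_dir=$1
    mkdir -p "$ca_dir/private" "$ca_dir/certs" "$ca_dir/newcerts"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"     # certificate database
    echo 01 > "$ca_dir/serial"   # next serial number to issue
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = lab_ca

[ lab_ca ]
dir             = $ca_dir
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_lab
x509_extensions = server_cert
unique_subject  = no

# Same rule as the stock policy_match: C, ST and O must equal the CA's own.
[ policy_lab ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
localityName           = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

# Root: may sign certificates and CRLs, nothing else.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Server leaf: not a CA, and carries the SAN that browsers actually match.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:www.ihaiyun.com, DNS:ihaiyun.com
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# CA key (0600 thanks to the subshell umask, as on the page) + self-signed root.
make_ca() {
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 7300 -sha256 -config "$1/openssl.cnf" \
        -extensions v3_ca -key "$1/private/cakey.pem" \
        -subj "/C=CN/ST=beijing/O=ihaiyun.com/OU=opt/CN=ca.ihaiyun.com" \
        -out "$1/cacert.pem"
}

# Server key + CSR. No -days here: without -x509 it is ignored, the CA decides.
make_server_csr() {
    (umask 077; openssl genrsa -out "$1/test.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$1/openssl.cnf" -key "$1/test.key" \
        -subj "/C=CN/ST=beijing/L=caoyang/O=ihaiyun.com/OU=opt/CN=www.ihaiyun.com" \
        -out "$1/test.csr"
}

# CA signs. -batch answers the page's two y/n prompts; -notext omits the
# human-readable dump that made the page's test.crt 4507 bytes long.
sign_csr() {
    openssl ca -batch -notext -config "$1/openssl.cnf" \
        -in "$1/test.csr" -out "$1/certs/test.crt" 2>/dev/null
}

# What a browser does once cacert.pem is imported: chain to the root and
# match the URL host against the certificate (SAN first, CN only without one).
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
        "$1/certs/test.crt" >/dev/null 2>&1
}

# Permission string as ls -l prints it; a private key must show -rw-------.
file_mode() { ls -l "$1" | cut -c1-10; }

lab=$(mktemp -d)
init_ca_dir "$lab"; make_ca "$lab"; make_server_csr "$lab"; sign_csr "$lab"
echo "CA key mode: $(file_mode "$lab/private/cakey.pem")"
verify_cert "$lab" www.ihaiyun.com && echo "www.ihaiyun.com: chain and name OK"
verify_cert "$lab" mail.ihaiyun.com || echo "mail.ihaiyun.com: rejected, not in SAN"
```

It runs on any host with OpenSSL 1.0.2 or later (-verify_hostname appeared in 1.0.2) and touches nothing under /etc/pki. To use the layout for real, point dir at /etc/pki/CA, keep cakey.pem on the CA host only, and move only test.csr in and test.crt plus cacert.pem out, exactly as the page's scp steps do.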
3. Set up DNS
[root@centos7 ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; }; // commented out: named now listens on every IPv4 interface instead of loopback only
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; }; // commented out: queries are accepted from anywhere; since the stock file keeps recursion yes, this is an open resolver, so outside a lab add allow-recursion { 192.168.8.0/24; }; or disable recursion
[root@centos7 ~]# tail -5 /etc/named.rfc1912.zones
zone "ihaiyun.com" IN {
type master;
file "ihaiyun.com.zone";
allow-update { none; };
};
[root@centos7 ~]# cp -p /var/named/named.localhost /var/named/ihaiyun.com.zone # -p keeps the root:named ownership and mode of the template, so named can read the new zone file
[root@centos7 ~]# cat /var/named/ihaiyun.com.zone
$TTL 1D
@ IN SOA dns1 admin.ihaiyun.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns1
dns1 A 192.168.8.135
www A 192.168.8.128
Restart named after these edits and point the test client's resolver at 192.168.8.135, so that www.ihaiyun.com resolves to the web server. The certificate was issued for that exact name; a browser reaching the site by IP address will reject it no matter which root it trusts.
4. Edit the configuration file
[root@centos6 ~]# cp /etc/pki/tls/private/test.key /etc/httpd/ssl/ # keep the key next to the certificate; the copy keeps the 0600 mode, httpd reads it as root at startup
[root@centos6 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/test.crt
SSLCertificateKeyFile /etc/httpd/ssl/test.key
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
The first two lines replace the localhost.crt/localhost.key defaults. SSLCACertificateFile is the set of CA certificates httpd uses to verify client certificates (SSLVerifyClient); it is harmless here, but it is not what makes a browser trust the server, and a self-signed root is never sent in the handshake anyway. The ServerName of this virtual host should be www.ihaiyun.com, the name the certificate was issued for.
[root@centos6 ~]# service httpd restart # service httpd configtest first catches a wrong path before the restart takes the site down
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
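For step 4, an added example that is not the page's own ssl.conf: the <VirtualHost> section of /etc/httpd/conf.d/ssl.conf on httpd 2.2 (CentOS 6) as it would look after the edit, with the page's three paths. ServerName, the SSLProtocol/SSLCipherSuite lines and the commented-out SSLCertificateChainFile are this example's additions.

```apache
# Added example, not the page's own ssl.conf: the <VirtualHost> in
# /etc/httpd/conf.d/ssl.conf on httpd 2.2 (CentOS 6) after step 4, with the
# page's paths. ServerName, the protocol/cipher lines and the commented-out
# SSLCertificateChainFile are this example's additions.
Listen 443
<VirtualHost _default_:443>
    # Must be the name the certificate was issued for: the browser compares
    # the host in the URL against the certificate, never the IP address.
    ServerName www.ihaiyun.com:443
    DocumentRoot "/var/www/html"

    SSLEngine on
    # Stock file has SSLProtocol all -SSLv2; also drop SSLv3 and weak suites.
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on

    # Server certificate from the private CA and its key (keep the key 0600).
    SSLCertificateFile    /etc/httpd/ssl/test.crt
    SSLCertificateKeyFile /etc/httpd/ssl/test.key

    # Only for a CA with an intermediate: the certificates sent to clients
    # between the server cert and the root. A self-signed root is never sent.
    #SSLCertificateChainFile /etc/httpd/ssl/chain.pem

    # The page's third line. httpd uses this to verify *client* certificates
    # (SSLVerifyClient); it does not make browsers trust the server.
    SSLCACertificateFile  /etc/httpd/ssl/cacert.pem
</VirtualHost>
```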
5. Test
Direct access test
The browser still warns that the certificate is not trusted: the server certificate itself is fine, but the root that signed it is unknown to the client.
Import the root certificate into the test client
cacert.pem has to be copied to the client; how you get it there is up to you, I'm sure you'll find a way. Copy only the root certificate: test.crt is already served by httpd, and cakey.pem must never leave the CA host, because anyone holding it can issue a certificate for any name that every client with this root installed will accept. Then import cacert.pem into the browser's or operating system's trusted root certificate store.
Test again
HTTPS now works. If the browser trusts the root but still rejects the name, the cause is usually that it ignores the CN: Chrome has required a subjectAltName since version 58, and the certificate issued above carries none. Reissue the certificate with subjectAltName = DNS:www.ihaiyun.com in the signing extensions to fix that.