The following configuration follows the requirements of the Higher Vocational Network System Management skills competition.
Before setting up the certificate service, reading the following article helps with understanding how a certificate server works:
Digital signatures illustrated: http://www.ruanyifeng.com/blog/2011/08/what_is_a_digital_signature.html
I. DNS configuration
cd /etc/bind/
vim named.conf.default-zones    # append the two zones below
zone "chinaskills.com" {
    type master;
    file "/etc/bind/db.chinaskills.com";
};

zone "50.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.50.168.192";
};
cp -a db.empty db.chinaskills.com
cp -a db.empty db.50.168.192
vim db.chinaskills.com
$TTL 86400
@       IN SOA  server01. root.localhost. (
                1       ; Serial
                604800  ; Refresh
                86400   ; Retry
                2419200 ; Expire
                86400 ) ; Negative Cache TTL
;
@       IN NS   server01.
www     IN A    192.168.50.10
vim db.50.168.192    # reverse zone for 192.168.50.0/24
systemctl restart bind9
apt install dnsutils
nslookup www.chinaskills.com
vim /etc/resolv.conf    # add a nameserver line pointing at this BIND server
nslookup www.chinaskills.com
II. Apache
1. Create the web root directory and the home page file
mkdir -p /data/share/htdocs/skills
echo "This is the front page of sdskills's website." > /data/share/htdocs/skills/index.html
2. Install apache2
apt install apache2 -y
3. Change the Apache user
groupadd webuser
useradd -g webuser -s /usr/sbin/nologin webuser    # service account, no login shell
vim /etc/apache2/apache2.conf
User webuser
Group webuser
4. Change the location of the home page
cd /etc/apache2
vim sites-enabled/000-default.conf
DocumentRoot /data/share/htdocs/skills
Restart the service to verify: systemctl restart apache2
5. Password-protected page
vim apache2.conf
<Directory /data/share/htdocs/skills>
    Options Indexes FollowSymLinks
    AllowOverride None
    # <Directory> matches directories, not files; the page itself is protected with <Files>
    <Files staff.html>
        AuthName "please input password"
        AuthType Basic
        # Debian's default <FilesMatch "^\.ht"> rule keeps this file from being served
        AuthUserFile /data/share/htdocs/skills/.htpasswd
        Require user zsuser lsuser
    </Files>
</Directory>
htpasswd -c /data/share/htdocs/skills/.htpasswd zsuser
htpasswd /data/share/htdocs/skills/.htpasswd lsuser
With the configuration above the site is reachable over http; next, a certificate is used to make the site reachable over https.
III. CA configuration
Use the local default certificate tooling
apt install openssl
Enable Apache's SSL configuration
a2enmod ssl
a2ensite default-ssl.conf
3.1 Steps on the CA server. Install openssl
Create the directory that holds the certificates: mkdir -p /CA
Copy the certificate templates into that directory: cp -rf /etc/ssl/* /CA
Create the database and serial files:
cd /CA    # all of the following steps are run in /CA
touch index.txt    # the CA database; openssl.cnf refers to it as index.txt
echo 01 > serial
Change the location of the root certificate directory:
vim openssl.cnf
dir = /CA    # in the [ CA_default ] section
3.1.2 Generate the CA key on the CA server
openssl genrsa -out private/cakey.pem 2048
3.1.3 Generate a root certificate for the server
openssl req -new -x509 -key private/cakey.pem -out certs/cacert.pem -days 3650
# root certificate generation; -days 3650 replaces the 30-day default validity
Country Name (2 letter code) [AU]:CN    # country
State or Province Name (full name) [Some-State]:JILIN    # province
Locality Name (eg, city) []:SIPING    # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SPZD    # organization
Organizational Unit Name (eg, section) []:JSJ    # department
Common Name (e.g. server FQDN or YOUR name) []:www.chinaskills.com
# Key field: enter the domain name or IP of the server the certificate is requested for.
# A CA is more commonly given its own name here (for example "chinaskills CA") so that the issuer and subject of the server certificate differ.
Email Address []:123@abc.com    # e-mail address
3.2 Steps on the Apache server
mkdir /CA
cp -rf /etc/ssl/* /CA
cd /CA    # all of the following steps are run in /CA
touch index.txt
echo 01 > serial
vim openssl.cnf
dir = /CA    # in the [ CA_default ] section
3.2.1 Generate the server key
openssl genrsa -out private/apache.key 2048
3.2.2 Generate the server certificate request
openssl req -new -key private/apache.key -out apache.csr
# the request's Country, State and Organization fields must match those of the CA's root certificate
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:JILIN
Locality Name (eg, city) []:SIPING
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SPZD
Organizational Unit Name (eg, section) []:JSJ
Common Name (e.g. server FQDN or YOUR name) []:www.chinaskills.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.3 Send the request file to the CA server
scp apache.csr 192.168.50.132:/CA
# remote copy command
Are you sure you want to continue connecting (yes/no)? yes
root@192.168.50.132's password:    # enter the remote server's password
3.4 On the CA server, issue the certificate for the Apache server
root@debian:/CA# printf 'subjectAltName=DNS:www.chinaskills.com\n' > san.ext
root@debian:/CA# openssl x509 -req -in apache.csr -CA certs/cacert.pem -CAkey private/cakey.pem -CAcreateserial -days 365 -extfile san.ext -out apache.crt
# paths are relative to /CA; -extfile adds the subjectAltName that browsers require for hostname matching, -days 365 replaces the 30-day default
Signature ok
subject=C = CN, ST = JILIN, L = SIPING, O = SPZD, OU = JSJ, CN = www.chinaskills.com
Getting CA Private Key
3.5 Send the certificate issued by the CA back to the Apache server
scp apache.crt 192.168.50.10:/CA
3.6 Install the certificate on the Apache server
a2enmod ssl    # enable the ssl module
a2ensite default-ssl.conf
cd /etc/apache2
vim sites-enabled/default-ssl.conf
SSLCertificateFile /CA/apache.crt
SSLCertificateKeyFile /CA/private/apache.key
3.7 Restart Apache: systemctl restart apache2
3.8 Verify in the browser
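The CA, CSR and signing steps of section 3, run non-interactively in a scratch directory and followed by the checks a practitioner runs before handing the files to Apache, as an added example that is not part of the original post. It assumes openssl is installed; the CA name "chinaskills-CA", the subjectAltName file and the temporary working directory are constructed for this example.

```shell
#!/bin/bash
# Added example (not from the original post): the CA -> CSR -> signed certificate
# workflow from section 3, with a subjectAltName and a post-issuance verification.
# Assumption: openssl is on PATH. All names and paths below are constructed.
set -eu

WORK=$(mktemp -d)
FQDN=www.chinaskills.com

# Build the root CA and the server certificate (sections 3.1, 3.2 and 3.4).
issue_cert() {
    cd "$WORK"
    mkdir -p private certs
    # Root CA key and self-signed root (10 years); the CA gets its own CN.
    openssl genrsa -out private/cakey.pem 2048 2>/dev/null
    openssl req -new -x509 -key private/cakey.pem -out certs/cacert.pem -days 3650 \
        -subj "/C=CN/ST=JILIN/L=SIPING/O=SPZD/OU=JSJ/CN=chinaskills-CA"
    # Server key and CSR with the same C/ST/L/O/OU as the CA.
    openssl genrsa -out private/apache.key 2048 2>/dev/null
    openssl req -new -key private/apache.key -out apache.csr \
        -subj "/C=CN/ST=JILIN/L=SIPING/O=SPZD/OU=JSJ/CN=$FQDN"
    # Sign the request, adding the SAN browsers use for hostname matching.
    printf 'subjectAltName=DNS:%s\n' "$FQDN" > san.ext
    openssl x509 -req -in apache.csr -CA certs/cacert.pem -CAkey private/cakey.pem \
        -CAcreateserial -days 365 -extfile san.ext -out apache.crt 2>/dev/null
}

# Checks before pointing SSLCertificateFile/SSLCertificateKeyFile at the files:
# the chain verifies against the CA, the key matches the certificate, and the
# certificate carries the hostname in its SAN. Returns 0 only if all three hold.
verify_cert() {
    cd "$WORK"
    openssl verify -CAfile certs/cacert.pem apache.crt >/dev/null || return 1
    key_pub=$(openssl pkey -in private/apache.key -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in apache.crt -noout -pubkey)
    [ "$key_pub" = "$crt_pub" ] || return 1
    openssl x509 -in apache.crt -noout -text | grep -q "DNS:$FQDN" || return 1
    return 0
}

issue_cert && verify_cert && echo "certificate chain OK: $WORK/apache.crt"
```

The browser check in 3.8 only passes without a warning once certs/cacert.pem from the CA server has been imported as a trusted root.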