HTTP
1. HTTP
Hypertext Transfer Protocol, used mainly to publish and retrieve web page content. It listens on port 80.
2. SSL/TLS
SSL stands for Secure Sockets Layer; it is used mainly to address the weakness of HTTP's plaintext transmission, which lets content be eavesdropped on and tampered with.
TLS stands for Transport Layer Security.
3. HTTPS
HTTPS is the combination of the HTTP protocol with SSL/TLS. The default HTTPS port is 443.
How HTTPS works: the client first initiates an HTTPS request and states which protocol versions and cipher suites it supports; the server confirms the version and algorithm to use and sends its public key and certificate to the client; the client validates the certificate, encrypts with the public key and sends the encrypted data to the server; the server decrypts it with its private key. What the server recovers with its private key is the session key; it then encrypts data with that session key and sends it to the client, and the client decrypts with the same session key to obtain the data.
CA
During HTTP transmission an attacker may intercept the traffic or mount a man-in-the-middle attack, which is why a CA is brought in to authenticate the server.
HTTPS uses digital certificates and digital signatures to verify a website's identity and to guarantee that data is not tampered with in transit. A digital certificate is issued by an authoritative certificate authority (CA); it verifies the website's identity and ensures that a secure connection is established between the two communicating parties.
Setting up a private CA certificate server on Linux
[root@node2 ~]# yum -y install openssl // install the required tool
openssl command options:
-x509: generate a self-signed certificate instead of a request; used specifically for creating a private CA
-new: generate a new certificate signing request
-days: certificate validity period in days; the default is 365
-key: path of the private key used when generating the request
-out: path of the generated file; in a self-signed operation this is the signed certificate itself
Locate the relevant settings in the openssl configuration file:
vim /etc/pki/tls/openssl.cnf
dir = /etc/pki/CA // directory holding the CA's files
certs = $dir/certs // where issued certificates are stored
crl_dir = $dir/crl // where issued certificate revocation lists (CRLs) are stored
database = $dir/index.txt // database of issued certificates
Create the directory that holds the CA files
[root@node2 CA]# ls
cacert.pem certs crl index.txt newcerts private serial
index.txt // records the certificates that have been issued
serial // the next certificate serial number
Create the CA private key with openssl
[root@node2 CA]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem)
// generate the private key; umask 077 keeps the file readable only by root
Generate a self-signed certificate for host node2
[root@node2 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN // country
State or Province Name (full name) []:HUBEI // province
Locality Name (eg, city) [Default City]:WUHAN // city
Organization Name (eg, company) [Default Company Ltd]:CHEN // organization name
Organizational Unit Name (eg, section) []:BASY // department
Common Name (eg, your name or your server's hostname) []:node2.example.com // the host's domain name
Email Address []:root@example.com // e-mail address
Write the initial certificate serial number into the serial file
[root@node2 CA]# echo 01 > serial
Generate the private key for the web server.
// create the ssl directory and put the generated private key in it
[root@node1 named]# mkdir /etc/httpd/ssl
[root@node1 named]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key)
Generate the certificate signing request file on the web server (-days has no effect without -x509, as the warning below shows)
[root@node1 named]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
Ignoring -days without -x509; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HUBEI
Locality Name (eg, city) [Default City]:WUHAN
Organization Name (eg, company) [Default Company Ltd]:CHEN
Organizational Unit Name (eg, section) []:BABY
Common Name (eg, your name or your server's hostname) []:CZ
Email Address []:ROOT@example.com
Send the request file from the web server to the CA server
[root@node1 ssl]# scp httpd.csr root@192.168.100.20:/etc/pki/CA
The authenticity of host '192.168.100.20 (192.168.100.20)' can't be established.
ED25519 key fingerprint is SHA256:H3VqtOyTQrezL684uw4Tc4Pa6kz749hQbggB5A8E7rs.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.100.20' (ED25519) to the list of known hosts.
root@192.168.100.20's password:
httpd.csr 100% 1050 1.8MB/s 00:00
[root@node1 ssl]#
The CA server signs the request, specifying the path where the generated web certificate is stored.
[root@node2 CA]# openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 14 07:01:37 2024 GMT
Not After : Jul 14 07:01:37 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = HUBEI
organizationName = CHEN
organizationalUnitName = BASY
commonName = node1.example.com
emailAddress = root@example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
26:BD:0D:74:D6:EE:3F:16:B7:2A:C7:1D:20:A2:FF:95:D3:C9:DF:E8
X509v3 Authority Key Identifier:
8B:11:06:8B:70:E0:EB:D3:E9:55:EE:B5:1A:FE:24:6E:17:64:9F:93
Certificate is to be certified until Jul 14 07:01:37 2025 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Then download the signed certificate to the web server
[root@node1 ssl]# scp root@192.168.100.20:/etc/pki/CA/certs/httpd.crt .
root@192.168.100.20's password:
httpd.crt 100% 4472 4.6MB/s 00:00
[root@node1 ssl]# ls
httpd.crt httpd.csr httpd.key
Edit the ssl.conf configuration file
SSLCertificateFile /etc/httpd/ssl/httpd.crt // location of the certificate
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key // location of the private key
Configure it as an Apache virtual host
<VirtualHost 192.168.100.10:443>
DocumentRoot "/var/www/html"
ServerName web1.example.com
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
Start the service and check the port
Write the page content, then start Apache
[root@node1 html]# ls
index.html
[root@node1 html]# cat index.html
hello
[root@node1 html]#
Test access from a browser
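The whole procedure above, condensed into one script as an added example (not part of the original post): it builds the private CA in a temporary directory standing in for /etc/pki/CA, signs a server request with `openssl ca` non-interactively, and then runs the two checks a browser performs against the issued certificate. It assumes a POSIX shell and the openssl CLI (1.1.1 or later); the subjects are constructed sample values.

```shell
# Added example: the page's private-CA flow, run non-interactively in a temp
# dir standing in for /etc/pki/CA, then checked with `openssl verify`.
# Assumes a POSIX shell and the openssl CLI (>= 1.1.1); subjects are samples.
set -e
CA=$(mktemp -d)
mkdir -p "$CA/certs" "$CA/newcerts" "$CA/private" "$CA/crl"
touch "$CA/index.txt"     # database of issued certificates
echo 01 > "$CA/serial"    # first serial number, as on the page

# Minimal config carrying the dir/database/serial keys the page points at.
cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CA
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

# CA private key (kept 0600 via umask) and the CA's self-signed certificate.
(umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
openssl req -new -x509 -days 365 -config "$CA/openssl.cnf" -subj "/CN=Test CA" \
  -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" -addext "basicConstraints=critical,CA:TRUE"

# Web server key + CSR, signed by the CA; `openssl ca` updates index.txt and serial.
issue_server_cert() {   # $1 = server hostname, written into the CN
  (umask 077; openssl genrsa -out "$CA/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$CA/openssl.cnf" -key "$CA/httpd.key" \
    -out "$CA/httpd.csr" -subj "/CN=$1"
  openssl ca -batch -config "$CA/openssl.cnf" -days 365 -in "$CA/httpd.csr" -out "$CA/certs/httpd.crt"
}
# What a browser with cacert.pem installed checks: the chain, then the hostname against the CN.
chain_ok() { openssl verify -CAfile "$CA/cacert.pem" "$1" >/dev/null 2>&1; }
name_ok()  { openssl verify -CAfile "$CA/cacert.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1; }

issue_server_cert node1.example.com
chain_ok "$CA/certs/httpd.crt" && echo "chain OK"
name_ok "$CA/certs/httpd.crt" web1.example.com || echo "web1.example.com rejected: ServerName must match the certificate name"
```

The last line reproduces the mismatch in the page's own setup, where the certificate was issued for node1.example.com but the virtual host is named web1.example.com; a browser reports that as a certificate error even though the CA is trusted.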