使用openssl配置https自签证书

https自签证书

1、server端

1、安装证书生成工具openssl和openssl-devel

[root@server18 ~] yum install -y openssl openssl-devel
Last metadata expiration check: 2:06:56 ago on Fri 24 Mar 2023 08:33:56 AM CST.
Package openssl-1:1.1.1k-6.el8.x86_64 is already installed.
..............................
  pcre2-devel-10.32-2.el8.x86_64               pcre2-utf16-10.32-2.el8.x86_64          
  pcre2-utf32-10.32-2.el8.x86_64               zlib-devel-1.2.11-17.el8.x86_64         

Complete!
[root@server18 ~]#

2、生成密钥(-des3 表示用密语加密私钥文件;较新版本的 openssl 更推荐 -aes256)

[root@server18 ~] openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.................................+++++
...........................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:       #设置密码
Verifying - Enter pass phrase for server.key:  #确认密码
[root@server18 ~]# 

3、导出不需要密语的密钥文件(去除密语后 httpd 启动时无需交互输入密码,但该文件是明文私钥,必须严格限制读取权限)

[root@server18 ~] openssl rsa -in server.key -out unsafe.key
Enter pass phrase for server.key:  #输入上一步的密码
writing RSA key
[root@server18 ~]# 

4、生成证书申请文件,使用命令:openssl req -new -in unsafe.key -out server.csr(注意:req 指定已有私钥的选项是 -key;下方输出中的 "Generating a RSA private key ... writing new private key to 'privkey.pem'" 说明此处 -in 未被当作私钥使用,实际又生成了一个新私钥 privkey.pem)

[root@server18 ~] openssl req -new -in unsafe.key -out server.csr
Generating a RSA private key
....................................................................................+++++
...................................................................................+++++writing new private key to 'privkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:TJ
Locality Name (eg, city) [Default City]:TJ
Organization Name (eg, company) [Default Company Ltd]:school.edu
Organizational Unit Name (eg, section) []:school.edu
Common Name (eg, your name or your server's hostname) []:secure.web.com
Email Address []:sm@mail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  #可空
An optional company name []:  #可空
[root@server18 ~]# 

5、用 unsafe.key 自签发证书(有效期 365 天):

[root@server18 ~] openssl x509 -req -days 365 -in server.csr -signkey unsafe.key -out server.crt
Signature ok
subject=C = CN, ST = TJ, L = TJ, O = school.edu, OU = school.edu, CN = secure.web.com, emailAddress = sm@mail.com
Getting Private key
[root@server18 ~]# 

6、查看前几步生成的文件

[root@server18 ~] ls server.*
server.crt  server.csr  server.key  #证书 证书申请 带密语保护的私钥
[root@server18 ~] ls unsafe.key 
unsafe.key     #无密语保护的私钥(第3步由 server.key 去除密语导出,是私钥而非公钥,须妥善保护)
[root@server18 ~] ls privkey.pem 
privkey.pem     #私钥(第4步 openssl req 额外生成并写入的新私钥)
[root@server18 ~]#

7、安装扩展模块包

[root@server18 ~] yum install -y mod_ssl
Last metadata expiration check: 2:37:13 ago on Fri 24 Mar 2023 08:33:56 AM CST.
..................................
..................................
Installed:
  mod_ssl-1:2.4.37-54.module_el8.8.0+1256+e1598b50.x86_64           

Complete!
[root@server18 ~] ls /etc/httpd/modules/ | grep ssl
mod_ssl.so
[root@server18 ~]#
[root@server ~] ls /etc/httpd/conf.modules.d/00-ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf			# 启用扩展模块
[root@server18 ~] ls /etc/httpd/conf.d/ssl.conf 
/etc/httpd/conf.d/ssl.conf   #默认的https虚拟主机配置
[root@server18 ~] grep -v '#' /etc/httpd/conf.d/ssl.conf | grep -v '^$'    #查看默认配置文件(过滤注释和空行)
Listen 443 https     #监听 443 只响应https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLCryptoDevice builtin
<VirtualHost _default_:443>    #默认https虚拟主机配置
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
#下面是虚拟主机启用ssl的基本配置
SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
[root@server18 ~]# 

8、selinux设置为宽容模式(注意:setenforce 0 仅对本次运行有效,且会关闭 SELinux 的强制保护;若要保持 enforcing,应为 /www/secure 设置 httpd_sys_content_t 上下文而不是关闭 SELinux)

[root@server18 ~] setenforce 0
[root@server18 ~] getenforce 
Permissive

9、将无密语私钥和证书复制到 httpd 默认的证书目录(私钥文件应仅 root 可读,建议 chmod 600)

[root@server18 ~] cp unsafe.key /etc/pki/tls/private/
[root@server18 ~] cp server.crt /etc/pki/tls/certs/

10、新建/www/secure目录,作为https的家目录

[root@server18 ~] mkdir /www/secure
[root@server18 ~] ls -R /www/
/www/:
secure  vhost1  vhost2

/www/secure:

/www/vhost1:
index.html

/www/vhost2:
index.html
[root@server18 ~]# 

11、编辑配置文件

[root@server18 ~] vim /etc/httpd/conf.d/vhost.conf
#加入以下内容
Listen 80
#https_setting
<VirtualHost 192.168.189.100:443>
        DocumentRoot    /www/secure
        ServerName      secure.web.com
        ServerAdmin     admin@web.com
        ErrorLog        "logs/secure_err_log"
        CustomLog       "logs/secure_access_log" combined
        SSLEngine       On
        SSLHonorCipherOrder     on
        SSLCipherSuite  PROFILE=SYSTEM
        SSLProxyCipherSuite     PROFILE=SYSTEM
        SSLCertificateFile      /etc/pki/tls/certs/server.crt
        SSLCertificateKeyFile   /etc/pki/tls/private/unsafe.key
</VirtualHost>
<Directory /www/secure>
        Require all granted
        #AllowOverride None
</Directory>

12、启动httpd(若已在运行,用 systemctl restart httpd 重新加载配置)

[root@server18 ~] systemctl start httpd
[root@server18 ~]#

13、放行防火墙端口服务

[root@server18 ~] firewall-cmd --add-service=https --permanent 
success
[root@server18 ~] firewall-cmd --reload 
success
[root@server18 ~] firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160 ens224
  sources: 
  services: cockpit dhcpv6-client dns https mountd nfs rpc-bind ssh
  ports: 80/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[root@server18 ~]# 
查看https的端口
[root@server18 ~] ss -anput | grep httpd
tcp   LISTEN 0      128                         *:80                  *:*     users:(("httpd",pid=2198,fd=9),("httpd",pid=2197,fd=9),("httpd",pid=2196,fd=9),("httpd",pid=2183,fd=9))
tcp   LISTEN 0      128                         *:443                 *:*     users:(("httpd",pid=2198,fd=7),("httpd",pid=2197,fd=7),("httpd",pid=2196,fd=7),("httpd",pid=2183,fd=7))
[root@server18 ~]#

14、为https新建主页,以便验证

[root@server18 ~] echo "https web" > /www/secure/index.html
[root@server18 ~]#

2、在client端验证

1、配置hosts文件

[root@client18 ~] vim /etc/hosts
[root@client18 ~] cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#192.168.189.100 server18
192.168.189.100 vhost1.web.com vhost2.web.com nginx.web.com web.secure.com     #将web.secure.com加入(注意:证书 CN 与 ServerName 均为 secure.web.com,此处的 web.secure.com 与之不一致,浏览器会提示主机名不匹配)
[root@client18 ~]#

2、在client的火狐浏览器验证
输入网址时,协议使用https;由于证书为自签名,浏览器会提示证书不受信任,需手动添加例外后才能看到页面

在这里插入图片描述
在这里插入图片描述
在这里插入图片描述
