https的配置(httpd+mod_ssl)
1.安装Apache的mod_ssl模块
[root@miner_k ~]# yum -y install mod_ssl
[root@miner_k html]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem2.配置CA服务端
修改配置文件:
[root@CA ~]# vim /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # CA的默认路径
certs = $dir/certs # 客户端证书
crl_dir = $dir/crl # 证书吊销列表
database = $dir/index.txt # 给那些人发过证书
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # 新生成证书的存放位置
certificate = $dir/cacert.pem # CA 的证书
serial = $dir/serial # 序列号
crlnumber = $dir/crlnumber # 证书吊销列表的工作号
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # 当前的证书吊销列表
private_key = $dir/private/cakey.pem # CA的私钥
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
default_days = 365 # 默认的认证时间是365天
default_crl_days= 30 # 吊销列表中内容的保存时间
default_md = default # use public key default MD
preserve = no
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN # 设置默认的国家
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = BeiJing #设置默认的省份
localityName = Locality Name (eg, city)
localityName_default = BeiJing #设置默认的城市
0.organizationName = Organization Name (eg, company)
0.organizationName_default = CA #设置公司(组织)名称
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = IT #设置部门(单位)2.1 生成CA的私钥
[root@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................+++
................................................................................................+++
e is 65537 (0x10001)2.2 生成CA的自签证书
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [CA]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) []:ca.miner_k.com
Email Address []:admin@miner_k.com 2.3 将CA服务器下创建需要的文件
[root@CA CA]# touch index.txt
[root@CA CA]# echo 01 > serial
[root@CA CA]# ls
cacert.pem certs crl index.txt newcerts private serial3.在Apache的服务器
3.1 生成密钥对
[root@miner_k ~]# cd /etc/httpd/
[root@miner_k httpd]# ls
conf conf.d logs modules run
[root@miner_k httpd]# mkdir ssl
[root@miner_k httpd]# cd ssl/
[root@miner_k ssl]# (umask 077;openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
....................++++++
.......................++++++
e is 65537 (0x10001)3.2 生成证书颁发请求(.csr)【Certificate signing request】
[root@miner_k ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [CA]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) []:www.miner_k.com #必须是这台web服务器的域名
Email Address []:admin@miner_k.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:注意:由于是私有的CA服务器,关于默认的城市以及机构等都必须和CA的是一样的
3.3 将证书发送给CA的服务器
[root@miner_k ssl]# scp httpd.csr 101.200.87.99:/root
The authenticity of host '101.200.87.99 (101.200.87.99)' can't be established.
RSA key fingerprint is c8:bb:dc:fc:d0:27:4d:48:d2:0a:0f:db:a2:51:10:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '101.200.87.99' (RSA) to the list of known hosts.
root@101.200.87.99's password:
httpd.csr 100% 696 0.7KB/s 00:00 4.在CA服务器上的操作
4.1 签署Apache发送的证书请求
[root@CA ~]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 24 06:12:47 2017 GMT
Not After : May 24 06:12:47 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
organizationName = CA
organizationalUnitName = IT
commonName = www.miner_k.com
emailAddress = admin@miner_k.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
ED:E8:48:9D:30:0F:95:0B:19:63:D8:F9:9C:70:5C:7E:26:36:DA:30
X509v3 Authority Key Identifier:
keyid:12:0E:C7:0F:0B:A6:06:3D:27:A1:5B:A7:EA:3D:C3:36:07:BE:77:13
Certificate is to be certified until May 24 06:12:47 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated4.2 将签署的证书发送给Apache服务器
[root@CA ~]# scp httpd.crt 114.*.*.229:/etc/httpd/ssl/5. 在Apache服务器上httpd的配置
[root@miner_k ssl]# cd /etc/httpd/conf.d/
[root@miner_k conf.d]# ls
README ssl.conf welcome.conf
[root@miner_k conf.d]# cp ssl.conf{,.bak}
[root@miner_k conf.d]# ls
README ssl.conf ssl.conf.bak welcome.conf
修改配置文件ssl.conf
[root@miner_k conf.d]# grep -v "^#" ssl.conf | grep -v "^$"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443> #默认主机,可以设置为IP地址
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/ssl/httpd.crt #修改内容,证书位置
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key #修改内容,私钥位置
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost> 6.测试
6.1 直接使用浏览器测试https的网页
重新启动httpd服务:
[root@miner_k conf.d]# service httpd restart
使用https协议访问,但是可以看出是不安全的。
6.2 在客户端加载CA的证书
- 1.将CA中的cacert.pem下载到本地然后改为为cacert.crt
- 2.将证书导入到浏览器中
489
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
