HTTPS/LDAPS/POP3S/SMTP+TLS
Encrypts the data in transit.
Authenticates the peers: the client can verify that the server is who it claims to be (and, with client certificates, the server can verify the client).
=================================================================================
SSL 3.0 ---- TLS 1.0 (TLS 1.0 carries protocol version 3.1, hence "SSL 3.1")
ldap            tcp 389   plaintext
ldap + SSL  ->  ldaps, tcp 636: LDAP over SSL/TLS on a dedicated port ("implicit TLS")
ldap + TLS  ->  StartTLS, tcp 389: the plain connection is upgraded to TLS with the StartTLS extended operation; this is not ldaps
smtp            tcp 25    plaintext
smtp + TLS  ->  STARTTLS, tcp 25 (and submission, tcp 587): the plain connection is upgraded with the STARTTLS command
smtps           tcp 465: SMTP over TLS on a dedicated port (tcp 25 is never smtps)
I. Set up the CA
1. Install the packages
[root@CA ~]# rpm -qa |grep openssl
openssl-0.9.8e-22.el5
openssl-devel-0.9.8e-22.el5
2. CA configuration file (the paths below must match the directory layout created in step 3)
[root@CA ~]# vim /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default # The default ca section
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/ca.crl # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # private random number file
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = BJ
localityName = Locality Name (eg, city)
localityName_default = BJ
0.organizationName = Organization Name (eg, company)
0.organizationName_default = uplook
3. Generate the private key and the self-signed CA certificate
[root@CA ~]# cd /etc/pki/CA
[root@CA CA]# mkdir certs crl newcerts
[root@CA CA]# touch index.txt
[root@CA CA]# echo 00 > serial
[root@CA CA]# ls
certs crl index.txt newcerts private serial
Generate the CA private key
[root@CA CA]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/ca.key -des3 2048)
Generating RSA private key, 2048 bit long modulus
....................................+++
...................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/ca.key: //choose a passphrase; it is required every time the CA key is used to sign a request
Verifying - Enter pass phrase for /etc/pki/CA/private/ca.key:
[root@CA CA]# ll /etc/pki/CA/private/ca.key //check the key: mode 0600 and owned by root, thanks to the umask 077 above
-rw------- 1 root root 1743 Mar 3 17:31 /etc/pki/CA/private/ca.key
Self-sign the CA certificate
[root@CA CA]# openssl req -new -x509 -days 7300 -key private/ca.key > ca.crt //self-signed CA certificate valid for 20 years, written to /etc/pki/CA/ca.crt, the path configured as "certificate" in openssl.cnf
Enter pass phrase for private/ca.key: //passphrase of the CA key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BJ]:
Locality Name (eg, city) [BJ]:
Organization Name (eg, company) [uplook]:
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.uplook.com
Email Address []:
II. HTTPS on the HTTP server
[root@uplook ~]# yum -y install httpd mod_ssl
[root@uplook ~]# openssl genrsa -out /etc/httpd/httpd.key //generate the server's private key
Generating RSA private key, 512 bit long modulus
....++++++++++++
...........++++++++++++
e is 65537 (0x10001)
No key size was given, so OpenSSL 0.9.8 fell back to its 512-bit default, which is what the output above shows. 512-bit RSA can be factored cheaply; pass the size explicitly (2048) and, as for the CA key, run the command under umask 077 so that httpd.key is not world-readable.
[root@uplook ~]# openssl req -new -key /etc/httpd/httpd.key -out /tmp/httpd.csr //generate the certificate signing request (CSR); only the CSR is sent to the CA, the private key never leaves this host
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN //Country, State and Organization must equal the CA's own values: the default policy_match section of openssl.cnf requires it, otherwise openssl ca rejects the request
State or Province Name (full name) [BJ]:BJ
Locality Name (eg, city) [BJ]:BJ
Organization Name (eg, company) [uplook]:uplook
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.uplook.com //the hostname clients will use in the URL; it must match exactly. Current browsers additionally require the name in a subjectAltName extension, which this request does not carry
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //leave blank
An optional company name []:
[root@uplook ~]#
The HTTP server now waits for the CA to sign the request and return the certificate...
III. Signing on the CA server
[root@CA CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt //sign the CSR (copied over from the HTTP server) with the CA key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/ca.key: //passphrase of the CA key
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 3 10:02:20 2013 GMT
Not After : Mar 3 10:02:20 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = uplook
organizationalUnitName = it
commonName = www.uplook.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
11:12:DB:3B:92:8C:CD:4E:4B:FE:80:7D:BC:0B:AE:2E:84:1D:A9:16
X509v3 Authority Key Identifier:
keyid:83:91:3F:1C:71:C2:0C:A2:08:EF:3B:D5:CD:47:B7:32:2F:C1:73:1A
Certificate is to be certified until Mar 3 10:02:20 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Notice that localityName is missing from the issued Subject although the CSR contained it: the default policy_match section of openssl.cnf lists only C, ST, O, OU, CN and emailAddress, and fields the policy does not name are silently dropped. The CA records the new certificate in index.txt and as newcerts/<serial>.pem. After signing, send only the certificate (httpd.crt) back to the HTTP server; the CA key and its passphrase never leave the CA.
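The CA procedure of sections I to III end to end, as an added example that is not part of the original notes: it builds a throwaway CA with its own openssl.cnf (the same [CA_default] knobs as above), issues a server certificate from a CSR with openssl ca, and verifies the result, so the flow can be rerun without touching /etc/pki. Assumptions: the working directory $WORK (a temp dir by default), the DN values and hostnames copied from the transcript, 2048-bit keys with SHA-256 instead of the 0.9.8 defaults, an unencrypted CA key (the notes' -des3 passphrase is the better choice for a real CA), a subjectAltName in the server certificate, and -batch in place of the interactive prompts.

```shell
#!/bin/sh
# Added example: the CA flow of sections I-III in a throwaway directory.
# Assumptions: $WORK (a temp dir by default), the DN values and the hostnames.
set -eu

# build_ca DIR: the [CA_default] layout from openssl.cnf, a minimal config for it,
# a 2048-bit CA key and the self-signed CA certificate.
build_ca() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private"; chmod 700 "$dir/private"
    : > "$dir/index.txt"; echo 1000 > "$dir/serial"   # empty database, first serial
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $dir
certs           = \$dir/certs
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/ca.crt
serial          = \$dir/serial
private_key     = \$dir/private/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
# copy (not copyall): subjectAltName is taken from the CSR, but extensions set
# in server_cert override the CSR, so a request cannot smuggle in CA:TRUE.
copy_extensions = copy
x509_extensions = server_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
EOF
    # umask 077 as in the notes; no -des3 passphrase so the script runs unattended
    (umask 077; openssl genrsa -out "$dir/private/ca.key" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -config "$dir/openssl.cnf" \
        -key "$dir/private/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CN/ST=BJ/L=BJ/O=uplook/OU=it/CN=ca.uplook.com"
}

# issue_server_cert CADIR NAME HOST: server key, a CSR carrying a SAN for HOST,
# and the certificate signed by the CA (index.txt, serial and newcerts/ are
# updated exactly as in section III).
issue_server_cert() {
    dir="$1"; name="$2"; host="$3"
    (umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null)
    cat > "$dir/$name.req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = req_san
[ req_dn ]
commonName = Common Name
[ req_san ]
subjectAltName = DNS:$host
EOF
    openssl req -new -config "$dir/$name.req.cnf" -key "$dir/$name.key" \
        -subj "/C=CN/ST=BJ/L=BJ/O=uplook/OU=it/CN=$host" -out "$dir/$name.csr"
    # -batch replaces the "Sign the certificate? [y/n]" prompts. L=BJ is dropped
    # from the issued Subject because policy_match does not list it, the same
    # effect visible in the transcript above.
    openssl ca -batch -config "$dir/openssl.cnf" \
        -in "$dir/$name.csr" -out "$dir/$name.crt" 2>/dev/null
}

# verify_chain CADIR CRT HOST: 0 only if CRT chains to this CA and names HOST
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# cert_san CRT: the DNS names in the certificate's subjectAltName
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | tr '\n' ' ' | sed 's/ $//'
}

WORK="${WORK:-$(mktemp -d)}"
build_ca "$WORK/CA"
issue_server_cert "$WORK/CA" httpd www.uplook.com
verify_chain "$WORK/CA" "$WORK/CA/httpd.crt" www.uplook.com
echo "httpd.crt chains to ca.crt, SAN = $(cert_san "$WORK/CA/httpd.crt")"
```

After the run, $WORK/CA/index.txt holds the same "V ... /CN=www.uplook.com" record that the interactive session writes at "Data Base Updated". verify_chain fails for a certificate issued by a different CA (the authorityKeyIdentifier no longer matches) and for a hostname that is not in the SAN, which is the check a browser performs in step VII.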
IV. HTTP server (Apache)
1. Add SSL support to Apache (mod_ssl; already pulled in by the yum command of section II)
[root@uplook ~]# yum -y install mod_ssl
[root@uplook ~]# ls /etc/httpd/ //httpd.crt came back from the CA, httpd.key was generated here in section II; keep the key root-owned with mode 0600, httpd reads it as root at startup
conf conf.d httpd.crt httpd.key logs modules run
2. Point the configuration at the certificate and private key (the stock ssl.conf points at /etc/pki/tls/certs/localhost.crt and its key; change both directives)
[root@uplook ~]# grep '^SSLCert' /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/httpd.crt
SSLCertificateKeyFile /etc/httpd/httpd.key
[root@uplook ~]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
======================================================================
3. Virtual hosts (extended material)
https://www.zhuzhu.com
https://www.yang.com
Certificate request and signing (the same steps as sections II and III, here run on the CA host)
[root@uplook CA]# mkdir /webroot/zhuzhu -p
[root@uplook CA]# echo "zhuzhu test..." > /webroot/zhuzhu/index.html
[root@uplook CA]# openssl genrsa -out /etc/httpd/zhuzhu.key //no key size given, so OpenSSL 0.9.8 produces a 512-bit key; append 2048
[root@uplook CA]# openssl req -new -key /etc/httpd/zhuzhu.key -out /tmp/zhuzhu.csr //answer the prompts with the site's hostname as Common Name
[root@uplook CA]# openssl ca -in /tmp/zhuzhu.csr -out /etc/httpd/zhuzhu.crt
Virtual host configuration
Each HTTPS site gets its own IP address: the server has to choose a certificate before it has seen the Host header, so name-based SSL virtual hosts on a shared address only work when Apache and OpenSSL support SNI (Apache 2.2.12 or later; RHEL 5's httpd does not).
[root@uplook ~]# vim /etc/httpd/conf.d/www.zhuzhu.com.conf
<VirtualHost 1.1.1.10:443>
DocumentRoot /webroot/zhuzhu
ServerName www.zhuzhu.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
# The suite string ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW still
# admits RC4 and LOW-strength ciphers; restrict the server to strong suites:
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLCertificateFile /etc/httpd/zhuzhu.crt
SSLCertificateKeyFile /etc/httpd/zhuzhu.key
# SSLCACertificateFile is the CA bundle used to verify *client* certificates
# (SSLVerifyClient). Intermediate certificates the server must send belong in
# SSLCertificateChainFile; with a self-signed root there is no chain to send.
SSLCACertificateFile /etc/httpd/ca.crt
</VirtualHost>
[root@uplook ~]# cat /etc/httpd/conf.d/www.yang.com.conf
<VirtualHost 1.1.1.20:443>
DocumentRoot /var/www/html
ServerName www.yang.com
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLCertificateFile /etc/httpd/httpd.crt
SSLCertificateKeyFile /etc/httpd/httpd.key
SSLCACertificateFile /etc/httpd/ca.crt
</VirtualHost>
Note that www.yang.com reuses httpd.crt, whose Common Name is www.uplook.com: browsers will flag the name mismatch. Each ServerName needs a certificate issued for that exact name.
======================================================================
V. HTTP server (Nginx)
1. Build Nginx with SSL support (--with-http_ssl_module is not enabled by default)
[root@uplook nginx-1.2.0]# ./configure \
> --user=www \
> --group=www \
> --prefix=/usr/local/nginx \
> --with-http_stub_status_module \
> --with-http_sub_module \
> --with-http_ssl_module
2. Point the configuration at the certificate and private key (nginx.crt and nginx.key are obtained from the CA exactly as httpd.crt and httpd.key were)
[root@uplook ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 443 ssl;                  # replaces the older "listen 443; ssl on;" form
    server_name www.uplook.com;
    ssl_certificate /usr/local/nginx/nginx.crt;
    ssl_certificate_key /usr/local/nginx/nginx.key;
    ssl_session_timeout 3m;
    # "ssl_protocols SSLv2 SSLv3 TLSv1;" would enable SSLv2 and SSLv3, both broken
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;
}
VI. LDAP (OpenLDAP slapd)
[root@uplook ~]# vim /etc/openldap/slapd.conf
TLSCACertificateFile /etc/openldap/certs/ca.crt
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
ldap.crt is requested and signed exactly as the web server certificate, with the LDAP server's hostname as Common Name, and ldap.key must be readable by the ldap user only. These three directives enable StartTLS on the plain port (tcp 389); for ldaps on tcp 636 slapd must additionally be started with an ldaps:/// listener (SLAPD_LDAPS=yes in /etc/sysconfig/ldap on RHEL 5). Clients verify the server through TLS_CACERT in /etc/openldap/ldap.conf pointing at ca.crt; ldapsearch -ZZ, which refuses to continue unless StartTLS succeeds, is the quickest test.
VII. Test from a client
1. Import the CA certificate (ca.crt, which carries the CA's public key) into the client's trust store: the browser's certificate store, or on a RHEL client the system CA bundle. Only the certificate is distributed; ca.key stays on the CA. Until the client trusts ca.crt it cannot verify the issuer of httpd.crt and the browser warns about an untrusted certificate.
2. Browse to https://www.uplook.com. The hostname in the URL must match the certificate's Common Name (www.uplook.com); connecting by IP address or by another name is flagged as a mismatch even though the CA is trusted.
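Step VII reproduced on the loopback interface, as an added example that is not part of the original notes: openssl s_server stands in for Apache and openssl s_client for the browser, and a throwaway self-signed certificate stands in for the CA-issued one, so the file handed to -CAfile plays the role of the imported ca.crt. $WORK, $PORT and the hostname are assumptions for the demo.

```shell
#!/bin/sh
# Added example: step VII on the loopback interface. openssl s_server stands in
# for Apache, openssl s_client for the browser. $WORK, $PORT, $HOST are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-14433}"
HOST=www.uplook.com

# minimal req config so the commands below do not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\ncommonName = Common Name\n' > "$WORK/req.cnf"
# Throwaway self-signed server certificate (stands in for the CA-issued one; for
# the trust-store import, ca.crt and server.crt are then the same file).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/req.cnf" \
    -subj "/C=CN/ST=BJ/O=uplook/CN=$HOST" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
# An unrelated self-signed certificate: what a client that imported the wrong
# CA (or none) effectively trusts.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/req.cnf" \
    -subj "/CN=other-ca" -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# The "HTTP server": a TLS listener on $PORT presenting server.crt
openssl s_server -accept "$PORT" -cert "$WORK/server.crt" -key "$WORK/server.key" \
    -www >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill $SERVER_PID 2>/dev/null' EXIT
tries=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
    tries=$((tries + 1))
    [ "$tries" -lt 20 ] || { echo "s_server did not start" >&2; exit 1; }
    sleep 1
done

# client_trusts HOST PORT CAFILE: exit 0 only if the server certificate chains
# to CAFILE and is valid for HOST. -verify_return_error turns a verification
# failure into a handshake failure, which is what a browser does.
client_trusts() {
    openssl s_client -connect "127.0.0.1:$2" -servername "$1" -verify_hostname "$1" \
        -CAfile "$3" -verify_return_error </dev/null >/dev/null 2>&1
}

# verify_line HOST PORT CAFILE: the "Verify return code" line a human reads
verify_line() {
    openssl s_client -connect "127.0.0.1:$2" -servername "$1" -CAfile "$3" \
        </dev/null 2>/dev/null | grep 'Verify return code'
}

echo "CA imported:     $(verify_line "$HOST" "$PORT" "$WORK/server.crt")"
echo "CA not imported: $(verify_line "$HOST" "$PORT" "$WORK/other.crt")"
```

With the right certificate in -CAfile the first echo ends in "Verify return code: 0 (ok)"; with an unrelated one s_client reports a self-signed-certificate error, and client_trusts, which adds -verify_return_error and -verify_hostname, refuses the connection. The same function refuses a hostname that is not in the certificate even when the CA is trusted. Against a real server, replace 127.0.0.1 with the host and pass the CA's ca.crt.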
VIII. Other servers (same certificate workflow; only the configuration directives differ)
Postfix: SMTP + STARTTLS (tcp 25, submission tcp 587); SMTPS on tcp 465
Dovecot: POP3S (tcp 995) and IMAPS (tcp 993)