How to configure a secure HTTP service: make the service more secure, and along the way see how a CA actually works. Study it well.

HTTP + SSL = HTTPS

Configure the CA server

========================================================

1. Configure the CA (172.16.1.2): generate the CA's own public and private keys and have the CA self-sign its own certificate (generated with the CA script).



CA server configuration

Make the certificate and verify it; finally it is certified by the CA.


vim /etc/pki/tls/openssl.cnf -----------change the CA directory path

(line 45) dir = /etc/pki/CA


vim /etc/pki/tls/misc/CA---------------change the CA directory path used by the script

(line 42) CATOP=/etc/pki/CA


vim /etc/pki/tls/openssl.cnf ----------so the self-signed certificate can be used as a CA certificate

#basicConstraints=CA:FALSE

basicConstraints=CA:TRUE


/etc/pki/tls/misc/CA -newca---------create a new CA



CA certificate filename (or enter to create)


Making CA certificate ...

Generating a 1024 bit RSA private key

..........++++++

...........................++++++

writing new private key to '/etc/pki/CA/private/./cakey.pem'

Enter PEM pass phrase: -------------------set the passphrase (123456 in this walkthrough)

Verifying - Enter PEM pass phrase:---------------repeat the passphrase

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN------------------country

State or Province Name (full name) [Berkshire]:BEIJING---------------state/province

Locality Name (eg, city) [Newbury]:BJ--------------------locality

Organization Name (eg, company) [My Company Ltd]:UPLOOKING------------company

Organizational Unit Name (eg, section) []:IT------------------department

Common Name (eg, your name or your server's hostname) []:SERVER113---------host name

Email Address []:ROOT@UPLOOKING.COM----------------e-mail address



Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: -----------asks whether to set a challenge password; leave it blank

An optional company name []: ------------asks for an optional company name; leave it blank

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/./cakey.pem: ----------enter the passphrase set above (123456)

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 0 (0x0)

Validity

Not Before: Mar 30 05:49:33 2013 GMT

Not After : Mar 29 05:49:33 2016 GMT

Subject:

countryName = CN

stateOrProvinceName = BEIJING

organizationName = UPLOOKING

organizationalUnitName = IT

commonName = SERVER113

emailAddress = ROOT@UPLOOKING.COM

X509v3 extensions:

X509v3 Basic Constraints:

CA:TRUE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

3A:85:EC:6B:00:D4:3F:91:F3:6B:14:47:4D:3F:02:52:6F:BC:93:85

X509v3 Authority Key Identifier:

keyid:3A:85:EC:6B:00:D4:3F:91:F3:6B:14:47:4D:3F:02:52:6F:BC:93:85


Certificate is to be certified until Mar 29 05:49:33 2016 GMT (1095 days)


Write out database with 1 new entries

Data Base Updated



[root@localhost tls]# ls /etc/pki/CA/private/./cakey.pem -------#the CA's private key

[root@localhost tls]# ls /etc/pki/CA/cacert.pem -----------#the CA's certificate

[root@localhost tls]# ls /etc/pki/CA/careq.pem ----------#the CA's certificate request




Configure the web server

===============================================================================

The web server generates its own private key

[root@node1 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key (the private key is protected with des3)

Generating RSA private key, 512 bit long modulus

............++++++++++++

...............++++++++++++

e is 65537 (0x10001)

Enter pass phrase for /etc/httpd/conf.d/server.key: ----------passphrase for the new private key (123456)

Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:--------repeat 123456



[root@localhost conf.d]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr-----generate the certificate request (identity + public key)


Enter pass phrase for /etc/httpd/conf.d/server.key: -------------enter the private key passphrase

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----this block of information must match the CA's

Country Name (2 letter code) [GB]:CN ---------------country; must match the CA

State or Province Name (full name) [Berkshire]:BEIJING--------must match the CA

Locality Name (eg, city) [Newbury]:BJ-----------must match the CA

Organization Name (eg, company) [My Company Ltd]:UPLOOKING-------must match the CA

Organizational Unit Name (eg, section) []:IT--------department

Common Name (eg, your name or your server's hostname) []:SERVER---------must differ from the CA's here

Email Address []:name@UPLOOKING.COM------must differ from the CA's here


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:



[root@node1 ~]# scp /tmp/server.csr node2:/tmp/-----------send the certificate request to the CA (with two machines this is just a copy)




The CA server digitally signs the certificate request

=============================================================================

[root@localhost CA]# cp /etc/pki/CA/cacert.pem /etc/CA/---------copy the CA certificate

[root@localhost CA]# cp /etc/pki/CA/private/./cakey.pem /etc/CA/private/-------copy the CA's private key over


[root@node2 CA]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt---------server.crt is the name of the generated certificate


/etc/CA/private/cakey.pem------(the CA's private key)

/tmp/server.csr -----------(the httpserver's certificate request file)

/etc/CA/cacert.pem---------(the CA's certificate)

/tmp/server.crt------------(the name of the generated httpserver certificate)



Issue the signed digital certificate to the web server

===============================================================================

[root@node2 CA]# scp /tmp/server.crt node1:/etc/httpd/conf.d/


Configure the web server to support SSL and serve HTTPS

===============================================================================

[root@node1 ~]# yum install mod_ssl

[root@node1 ~]# vim /etc/httpd/conf.d/ssl.conf


(line 112) SSLCertificateFile /etc/httpd/conf.d/server.crt

(line 119) SSLCertificateKeyFile /etc/httpd/conf.d/server.key



The client needs to download the CA certificate and import it into the browser; when it accesses the web server over https, the browser checks whether the web server's digital certificate was issued by the CA.

Open Firefox: Edit------>Preferences----->Advanced---->Encryption----->View Certificates------>Import ---------import the CA certificate /etc/CA/cacert.pem here
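The whole flow above (CA key and self-signed CA certificate, server key and CSR, CA signing, and the client's check that the server certificate was issued by the CA) as one runnable script. This is an added example, not the tutorial's own commands: it uses plain openssl commands in a scratch directory instead of the CA script under /etc/pki/tls/misc, so it needs no root and touches nothing under /etc. The subjects, the host name www.example.test and the PKI_DIR location are constructed values; keys are 2048-bit and left unencrypted (-nodes) so the script runs unattended, where the tutorial uses 1024/512-bit keys and a -des3 passphrase. It goes beyond the tutorial in two ways: it adds a subjectAltName, which current browsers require, and it builds a self-signed impostor certificate for the same host name to show what the browser's CA check rejects.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: CA -> CSR -> signed
# certificate with plain openssl commands in a scratch directory.
# Assumed (constructed) values: the subjects below, the server name
# www.example.test and the $PKI_DIR location.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
CNF="$PKI_DIR/openssl.cnf"

# Minimal config: a CA section (CA:TRUE, as the tutorial edits openssl.cnf to
# say) and a server section (CA:FALSE plus a SAN for the host name).
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder-overridden-by-subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:www.example.test
EOF
}

# Step 1 (CA server): CA key pair plus a self-signed CA certificate valid
# 1095 days, like the "-newca" run in the tutorial.
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -config "$CNF" -extensions v3_ca \
        -subj "/C=CN/ST=BEIJING/L=BJ/O=UPLOOKING/OU=IT/CN=UPLOOKING Root CA" \
        -keyout "$PKI_DIR/cakey.pem" -out "$PKI_DIR/cacert.pem" 2>/dev/null
}

# Step 2 (web server): its own private key, then a CSR = identity + public key.
# The Common Name differs from the CA's, as the tutorial insists.
make_server_csr() {
    openssl genrsa -out "$PKI_DIR/server.key" 2048 2>/dev/null
    openssl req -new -key "$PKI_DIR/server.key" -config "$CNF" -sha256 \
        -subj "/C=CN/ST=BEIJING/L=BJ/O=UPLOOKING/OU=IT/CN=www.example.test" \
        -out "$PKI_DIR/server.csr"
}

# Step 3 (CA server): sign the CSR with the CA key, producing server.crt.
sign_server_cert() {
    openssl x509 -req -in "$PKI_DIR/server.csr" -sha256 -days 365 \
        -CA "$PKI_DIR/cacert.pem" -CAkey "$PKI_DIR/cakey.pem" -CAcreateserial \
        -extfile "$CNF" -extensions v3_server \
        -out "$PKI_DIR/server.crt" 2>/dev/null
}

# Step 4 (client): what the browser does after importing cacert.pem. Is the
# given certificate signed by this CA? Exit status 0 means yes.
verify_chain() {
    openssl verify -CAfile "$PKI_DIR/cacert.pem" "$1" >/dev/null 2>&1
}

# True when the certificate carries basicConstraints CA:TRUE.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# A self-signed impostor for the same host name: it must fail verify_chain,
# because it does not chain to the imported CA.
make_impostor_cert() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$CNF" -subj "/CN=www.example.test" \
        -keyout "$PKI_DIR/impostor.key" -out "$PKI_DIR/impostor.crt" 2>/dev/null
}

build_pki() {
    write_config && make_ca && make_server_csr && sign_server_cert && make_impostor_cert
}

build_pki
echo "PKI files written to $PKI_DIR"
verify_chain "$PKI_DIR/server.crt"   && echo "server.crt: signed by our CA"
verify_chain "$PKI_DIR/impostor.crt" || echo "impostor.crt: rejected (not issued by our CA)"
```

The resulting server.key and server.crt are exactly what the tutorial points SSLCertificateKeyFile and SSLCertificateFile at, and cacert.pem is the file the client imports into the browser; `openssl verify -CAfile` performs the same issuer check the browser does, so it is a quick way to confirm a certificate before restarting httpd.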



[root@localhost mnt]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide the pass phrases.


Server localhost.localdomain:443 (RSA)

Enter pass phrase:--------------------enter the private key passphrase (123456)


OK: Pass Phrase Dialog successful.

[ OK ]

[root@localhost mnt]#





[root@node1 ~]# netstat -tunpl | grep 443-----------confirm httpd is listening on port 443