HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is an HTTP channel designed with security as its goal; it can be described as the secure version of HTTP. In other words, it is HTTP with an SSL layer added: the security of HTTPS rests on SSL, so the details of how HTTPS encrypts traffic are really the details of SSL. HTTPS was developed by Netscape and built into its browser, where it compresses and decompresses data and transmits it over the network. HTTP uses TCP port 80, whereas HTTPS uses TCP port 443.
HTTPS serves two main purposes: one is to establish a secure channel that protects data in transit; the other is to confirm the authenticity of the web site.
Before enabling the HTTPS service, the HTTP packages must be installed first:
# rpm -hiv httpd-2.2.3-31.el5
# rpm -vhi distcache-1.4.5-14.1
# rpm -vhi mod_ssl-2.2.3-31.el5
1. Under /etc/httpd/ create the directory ssl, and inside ssl create the directory private:
# cd /etc/httpd
# mkdir -pv ./ssl/private
mkdir: created directory `ssl'
mkdir: created directory `/ssl/private'
2. Use the tree command to view the directory tree under ssl:
# tree ssl/
ssl
`-- private
1 directory, 0 files
3. For SSL-based authentication, a CA is needed to issue the certificates that establish identity, because only the CA has the authority to issue certificates to other users. Before the CA can issue certificates to anyone else it must first sign a certificate for itself, so the next step is to configure the CA.
4. Generate the CA key file:
[root@station90 private]# openssl genrsa 1024 >cakey.pem
Generating RSA private key, 1024 bit long modulus
.....++++++
..++++++
e is 65537 (0x10001)
5. Generate the CA's self-signed certificate file (cacert.pem):
[root@station90 CA]# openssl req -x509 -new -key cakey.pem -out cacert.pem -days 3600
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:windbbs.test.com
Email Address []:windbbs@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
6. Change the permissions of cakey.pem to 600 to improve security:
[root@station90 private]# chmod 600 cakey.pem
For additional security you can also set the permissions of cacert.pem to 600, but then the file's group must be changed to apache; otherwise HTTPS will not run.
7. Check the permissions of cacert.pem:
[root@station90 CA]# ll
total 12
-rw------- 1 root root 688 Mar 7 22:35 cacert.pem
drwx------ 2 root root 4096 Mar 7 22:39 private
[root@station90 CA]# ll ./private
-rw------- 1 root root 887 Mar 7 21:54 cakey.pem
8. Create the newcerts directory and the index.txt and serial files:
# mkdir newcerts
# touch index.txt
Give the serial file an initial value, because the CA needs a serial number when it signs certificates later:
# vim serial
Set its initial value to 00.
9. Edit the file /etc/pki/tls/openssl.cnf. The [ CA_default ] section tells openssl ca where the CA's files are kept:
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
10. Generate the server key file; this must be done from inside the directory we created, /etc/httpd/ssl:
[root@station90 ssl]# pwd
/etc/httpd/ssl
[root@station90 ssl]# openssl genrsa 1024 >private/windbbs.test.com.key
Generating RSA private key, 1024 bit long modulus
............++++++
............................++++++
e is 65537 (0x10001)
11. Generate a certificate request from the server key for the CA to sign:
[root@station90 ssl]# openssl req -new -key private/windbbs.test.com.key -out windbbs.test.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZZ
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:windbbs.test.com
Email Address []:windbbs@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
12. Have the CA sign the request and issue the server certificate (the request was written to the current directory, /etc/httpd/ssl, in the previous step):
[root@station90 ssl]# openssl ca -in ./windbbs.test.com.csr -out windbbs.test.com.crt -days 3600
13. Next edit /etc/httpd/conf.d/ssl.conf so that it points at the certificate. Because we placed the certificate and key under /etc/httpd/ssl, edit the file:
# vim /etc/httpd/conf.d/ssl.conf
and change the following two directives
SSLCertificateFile
SSLCertificateKeyFile
to point at the certificate and key generated above:
SSLCertificateFile /etc/httpd/ssl/windbbs.test.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/private/windbbs.test.com.key
14. Restart Apache:
[root@station90 ssl]# service httpd restart
15. After the restart, verify the site from a client machine; if it does not work, re-check the steps above.
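The CA procedure above, scripted end to end as an added example that is not code from the original post: it builds a throwaway CA, signs the server CSR with openssl ca against a stand-alone config carrying the same [ CA_default ] keys as the openssl.cnf section above, and then checks the result the way a reviewer would (the certificate verifies against cacert.pem, the hostname is present as a subjectAltName, and the key is mode 600). It assumes the openssl command line tool is on PATH; the directory, hostname and subject names are constructed values.

```shell
# Added example, not code from the original post. Assumes the openssl CLI is on
# PATH; the CA directory, hostname and subject names are constructed values.
set -e
build_ca_and_sign() {
  ca="$1"; fqdn="$2"
  mkdir -p "$ca/private" "$ca/newcerts" && chmod 700 "$ca/private"
  : > "$ca/index.txt"; echo 01 > "$ca/serial"   # empty database, first serial (the post uses 00)
  cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
x509_extensions = server_ext
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$fqdn
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
EOF
  # CA key (locked to 0600 right away) and a self-signed CA certificate marked CA:TRUE.
  openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null && chmod 600 "$ca/private/cakey.pem"
  openssl req -x509 -new -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" -days 3650 \
    -subj "/C=CN/O=Example CA/CN=Example Root CA" -config "$ca/ca.cnf" -extensions v3_ca
  # Server key and CSR, then the CA signs it; -batch answers the y/n prompts, -notext keeps the file clean.
  openssl genrsa -out "$ca/$fqdn.key" 2048 2>/dev/null && chmod 600 "$ca/$fqdn.key"
  openssl req -new -key "$ca/$fqdn.key" -out "$ca/$fqdn.csr" -subj "/CN=$fqdn" -config "$ca/ca.cnf"
  openssl ca -batch -notext -config "$ca/ca.cnf" -in "$ca/$fqdn.csr" -out "$ca/$fqdn.crt" -days 365 2>/dev/null
}

# Succeeds only if the certificate chains to cacert.pem, names the host in a SAN, and the key is 0600.
check_server_cert() {
  ca="$1"; fqdn="$2"
  openssl verify -CAfile "$ca/cacert.pem" "$ca/$fqdn.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$ca/$fqdn.crt" -noout -text | grep -q "DNS:$fqdn" || return 1
  [ "$(ls -l "$ca/$fqdn.key" | cut -c1-10)" = "-rw-------" ] || return 1
}
```

Point SSLCertificateFile and SSLCertificateKeyFile at the resulting .crt and .key the same way step 13 does.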
Reposted from: https://blog.51cto.com/freehat/284336