Configuring httpd 2.2 to support HTTPS
A simplified view of an SSL session
(1) The client sends the list of cipher suites it can use and asks the server for its certificate;
(2) The server sends its certificate and the chosen cipher suite to the client;
(3) The client receives the certificate and validates it:
If it trusts the CA that issued the certificate:
(a) verify the origin of the certificate: decrypt the digital signature on the certificate with the CA's public key;
(b) verify the content of the certificate: integrity check;
(c) check the certificate's validity period;
(d) check whether the certificate has been revoked;
(e) the owner name in the certificate must match the target host being accessed;
(4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange;
(5) The server encrypts the resource the user requested with this key and returns it to the client;
Note: an SSL session is established per IP address, so a host with a single IP can serve only one HTTPS virtual host;
Configuring httpd to support HTTPS:
1. Obtain a digital certificate for the server;
1) Build a private CA
(1) Generate the private key file
[root@<host> ~]# mkdir -p /etc/pki/CA/private      # directory that holds the private key
[root@<host> ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
....................................................................++
..................................................................++
e is 65537 (0x10001)
[root@<host> ~]# ll /etc/pki/CA/private/           # the private key stays on the CA only; it must be kept confidential
總用量 4
-rw-------. 1 root root 3243 11月 15 10:34 cakey.pem
(2) Generate the self-signed certificate
[root@<host> ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
# -x509 is only added when self-signing; leave it out for an ordinary request
# the public key is extracted automatically from the private key generated in step (1)
# -new    generate a new certificate signing request
# -x509   produce a self-signed certificate instead of a request; used when building a private CA
# -key    path to the private key used for the request
# -out    output path; when self-signing this is the signed certificate itself
# -days   validity period of the certificate; the unit is days
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                # country
State or Province Name (full name) []:SH                            # province
Locality Name (eg, city) [Default City]:SH                          # city
Organization Name (eg, company) [Default Company Ltd]:DZH           # company / organisation
Organizational Unit Name (eg, section) []:Ops                       # department
Common Name (eg, your name or your server's hostname) []:ca.wlm.com # host name
Email Address []:[email protected]                                    # e-mail address
(3) Provide the directories and files the CA needs
[root@<host> ~]# touch /etc/pki/CA/index.txt       # create the database file
[root@<host> ~]# echo 01 > /etc/pki/CA/serial      # create the serial file and set the serial number of the first certificate
[root@<host> ~]# ll /etc/pki/CA
總用量 8
-rw-r--r--. 1 root root 2049 11月 15 10:41 cacert.pem
drwxr-xr-x. 2 root root    6 6月  29 2015 certs
drwxr-xr-x. 2 root root    6 6月  29 2015 crl
-rw-r--r--. 1 root root    0 11月 15 10:45 index.txt
drwxr-xr-x. 2 root root    6 6月  29 2015 newcerts
drwx------. 2 root root   22 11月 15 10:34 private
-rw-r--r--. 1 root root    3 11月 15 10:46 serial
At this point the private CA is complete.
2) Requesting a certificate:
(1) Generate a private key on the host that requests the certificate
[root@<host> ~]# cd /etc/httpd/
[root@<host> httpd]# mkdir ssl                     # directory that holds the private key
[root@<host> httpd]# cd ssl
[root@<host> ssl]# (umask 077; openssl genrsa -out httpd.key 2048)   # generate the private key
Generating RSA private key, 2048 bit long modulus
......................................................+++
...........................................+++
e is 65537 (0x10001)
[root@<host> ssl]# ll
總用量 4
-rw-------. 1 root root 1675 11月 15 11:05 httpd.key
(2) Generate the certificate signing request
[root@<host> ssl]# openssl req -new -key httpd.key -out httpd.csr -days 365   # generated locally
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:DZH
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.wlm.com
Email Address []:mail.wlm.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                           # the password may be left unset
An optional company name []:
(3) Send the request to the CA
[root@<host> ssl]# scp httpd.csr root@10.10.10.3:/tmp/
# 10.10.10.3 is the CA host
# send the request to the certificate server; here one machine plays both the CA server and the client requesting the certificate
The authenticity of host '10.10.10.3 (10.10.10.3)' can't be established.
ECDSA key fingerprint is 93:b6:c3:bf:a6:51:a7:4a:be:0c:14:93:ab:86:a1:56.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.3' (ECDSA) to the list of known hosts.
root@10.10.10.3's password:
httpd.csr                                     100% 1025     1.0KB/s   00:0
(4) The CA signs the certificate (performed on the CA host, 10.10.10.3)
[root@<host> tmp]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365   # sign the certificate, valid for one year
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 15 03:15:54 2016 GMT
            Not After : Nov 15 03:15:54 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = SH
            organizationName          = DZH
            organizationalUnitName    = Ops
            commonName                = www.wlm.com
            emailAddress              = mail.wlm.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                49:7A:99:41:6E:72:27:8F:B8:F0:C3:77:6C:B8:8B:C0:9F:C7:7D:2A
            X509v3 Authority Key Identifier:
                keyid:A8:28:9A:3B:91:A9:4C:90:A4:08:3D:79:34:0D:D3:19:0E:68:6F:1A

Certificate is to be certified until Nov 15 03:15:54 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@<host> tmp]# cd /etc/pki/CA/
[root@<host> CA]# ls
cacert.pem  crl        index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old   private   serial.old
[root@<host> CA]# cat index.txt                    # look at the first certificate that was issued
V       171115031554Z           01      unknown /C=CN/ST=SH/O=DZH/OU=Ops/CN=www.wlm.com/emailAddress=mail.wlm.com
(5) Send the signed certificate back to the requester
[root@<host> CA]# pwd
/etc/pki/CA
[root@<host> CA]# scp certs/httpd.crt root@10.10.10.3:/etc/httpd/ssl/   # send the certificate
root@10.10.10.3's password:
httpd.crt                                     100%  578     5.7KB/s   00:00
[root@<host> CA]# ls /etc/httpd/ssl/               # confirm the signed certificate is in place
httpd.crt  httpd.csr  httpd.key  root@10.10.10.3
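The script below is an added example and not part of the original post. It runs the whole procedure above non-interactively (private CA, server key and CSR, signing with openssl ca) and then performs the client-side checks from step (3) of the session description: signature and chain (a, b), validity period (c), revocation through a CRL (d) and host name match (e). It assumes openssl is on PATH; the directory layout, the constructed host name www.example.test and the minimal openssl.cnf it writes are its own choices, not the page's.

```shell
#!/bin/sh
# Added example, not the original post's code: build a private CA, issue a
# server certificate, then run the checks a client performs on it.
# Assumes `openssl` is on PATH. Paths, names and the host www.example.test
# are constructed for this demo.
set -eu

# Build a private CA in $1: key, self-signed cert, index/serial files and a
# minimal config so /etc/pki/tls/openssl.cnf does not have to be edited.
build_ca() {
  ca="$1"
  mkdir -p "$ca/private" "$ca/newcerts"
  chmod 700 "$ca/private"
  touch "$ca/index.txt"
  echo 01 > "$ca/serial"
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -days 3650 -config "$ca/openssl.cnf" \
    -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
    -subj "/C=CN/ST=SH/O=DZH/OU=Ops/CN=demo-ca" 2>/dev/null
}

# Generate the server key and CSR in $2 and have the CA in $1 sign it for
# host $3 (SAN set, CA:FALSE, serverAuth EKU).
issue_server_cert() {
  ca="$1"; out="$2"; host="$3"
  mkdir -p "$out"
  (umask 077; openssl genrsa -out "$out/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$ca/openssl.cnf" -key "$out/httpd.key" \
    -out "$out/httpd.csr" -subj "/C=CN/ST=SH/O=DZH/OU=Ops/CN=$host" 2>/dev/null
  cat > "$out/server_ext.cnf" <<EOF
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$host
EOF
  openssl ca -batch -config "$ca/openssl.cnf" -days 365 -notext \
    -extfile "$out/server_ext.cnf" -extensions server_ext \
    -in "$out/httpd.csr" -out "$out/httpd.crt" >/dev/null 2>&1
}

# (a)+(b): signature and chain check against the trusted CA certificate $1.
check_chain() { openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; }

# (c): the certificate has not expired (exit status 1 if it has).
check_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }

# (e): the name in the certificate matches the host being accessed.
check_hostname() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# (d): fetch a fresh CRL from the CA in $1 and verify $2 against it.
check_revocation() {
  openssl ca -config "$1/openssl.cnf" -gencrl -crldays 30 -out "$1/crl.pem" 2>/dev/null
  cat "$1/cacert.pem" "$1/crl.pem" > "$1/ca_bundle.pem"
  openssl verify -crl_check -CAfile "$1/ca_bundle.pem" "$2" 2>&1 | grep -q ': OK$'
}

revoke_cert() { openssl ca -config "$1/openssl.cnf" -revoke "$2" >/dev/null 2>&1; }

# expect <ok|fail> <command...>: run a check and report whether it behaved as expected.
expect() {
  want="$1"; shift
  if "$@"; then got=ok; else got=fail; fi
  [ "$got" = "$want" ] && echo "PASS ($got): $*" || echo "UNEXPECTED ($got): $*"
}

# Demo run: issue a certificate, run the client checks, revoke it, check again.
DEMO=$(mktemp -d)
build_ca "$DEMO/ca"
issue_server_cert "$DEMO/ca" "$DEMO/srv" www.example.test
expect ok   check_chain "$DEMO/ca/cacert.pem" "$DEMO/srv/httpd.crt"
expect ok   check_not_expired "$DEMO/srv/httpd.crt"
expect ok   check_hostname "$DEMO/srv/httpd.crt" www.example.test
expect fail check_hostname "$DEMO/srv/httpd.crt" other.example.test
expect ok   check_revocation "$DEMO/ca" "$DEMO/srv/httpd.crt"
revoke_cert "$DEMO/ca" "$DEMO/srv/httpd.crt"
expect fail check_revocation "$DEMO/ca" "$DEMO/srv/httpd.crt"
```

Run it with `sh script.sh`; it prints a PASS line for every check, including the expected rejection of a mismatched host name and of the certificate once it has been revoked. Compared with the walk-through above it uses `-subj`, `-batch` and `-extfile` so nothing prompts, and it puts the host name in a subjectAltName as well as the CN, because current clients match the host against the SAN.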
2. Configure httpd to use SSL and the certificate;
(1) Install the SSL module
[root@<host> CA]# yum install -y mod_ssl
(2) Edit the configuration file
vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>
    DocumentRoot "/var/www/html"
    ServerName www.wlm.com:443
    # SSLEngine on is already present in the stock ssl.conf shipped by mod_ssl
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
</VirtualHost>
(3) Test access to the host over HTTPS;
After restarting the httpd service, verify with a browser
For httpd configuration, see http://afterdawn.blog.51cto.com/7503144/1873617
For a detailed explanation of openssl, see http://afterdawn.blog.51cto.com/7503144/1872753
Reposted from: https://blog.51cto.com/afterdawn/1875173