配置httpd-2.2支援https功能
阿新 • • 發佈:2020-10-09
SSL會話的簡化過程
(1) 客戶端傳送可供選擇的加密方式,並向伺服器請求證書;
(2) 伺服器端傳送證書以及選定的加密方式給客戶端;
(3) 客戶端取得證書並進行證書驗正:
如果信任給其發證書的CA:
(a) 驗正證書來源的合法性;用CA的公鑰解密證書上數字簽名;
(b) 驗正證書的內容的合法性:完整性驗正
(c) 檢查證書的有效期限;
(d) 檢查證書是否被吊銷;
(e) 證書中擁有者的名字,與訪問的目標主機要一致;
(4) 客戶端生成臨時會話金鑰(對稱金鑰),並使用伺服器端的公鑰加密此資料傳送給伺服器,完成金鑰交換;
(5) 服務用此金鑰加密使用者請求的資源,響應給客戶端;
注意:SSL會話是基於IP地址建立;所以單IP的主機上,僅可以使用一個https虛擬主機;
配置httpd支援https:
1、為伺服器申請數字證書;
1)建立私有CA
(1)生成私鑰檔案
| 123456789 | [[email protected]~]#mkdir-p/etc/pki/CA/private#建立私鑰儲存的目錄[[email protected]~]#(umask077;opensslgenrsa-out/etc/pki/CA/private/cakey.pem4096)GeneratingRSAprivatekey,4096bitlongmodulus....................................................................++..................................................................++eis65537(0x10001)[[email protected]~]#ll/etc/pki/CA/private/#私鑰只能自己儲存,對保密性要求高總用量4-rw-------.1rootroot324311月1510:34cakey.pem |
(2)生成自簽證書
| 12345678910111213141516171819202122 | [[email protected]~]#opensslreq-new-x509-key/etc/pki/CA/private/cakey.pem-out/etc/pki/CA/cacert.pem-days3650#如果是自請自籤加-x509如果不是就不用加了#這個過程會自動從剛才第一步的私鑰中抽取公鑰#-new生成新證書籤署請求#-x509生成自籤格式證書專用於建立私有CA時#-key生成請求時用到的私有檔案路徑#-out生成的請求檔案路徑如果是自籤操作將生成簽署過的證書#-days證書的有效時常但為是dayYouareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[XX]:CN#國家StateorProvinceName(fullname)[]:SH#省LocalityName(eg,city)[DefaultCity]:SH#城市OrganizationName(eg,company)[DefaultCompanyLtd]:DZH#公司組織OrganizationalUnitName(eg,section)[]:Ops#職位CommonName(eg,yournameoryourserver'shostname)[]:ca.wlm.com#主機名EmailAddress[]:[email protected]#郵箱 |
(3)為CA提供所需的目錄和檔案
| 1234567891011 | [[email protected]~]#touch/etc/pki/CA/index.txt#建立資料庫檔案[[email protected]~]#echo01>/etc/pki/CA/serial#建立序列號檔案並給明第一個證書的序列號碼[[email protected]~]#ll/etc/pki/CA總用量8-rw-r--r--.1rootroot204911月1510:41cacert.pemdrwxr-xr-x.2rootroot66月292015certsdrwxr-xr-x.2rootroot66月292015crl-rw-r--r--.1rootroot011月1510:45index.txtdrwxr-xr-x.2rootroot66月292015newcertsdrwx------.2rootroot2211月1510:34private-rw-r--r--.1rootroot311月1510:46serial |
至此,私有CA建立完畢。
2)證書申請:
(1)在證書申請的主機上生成私鑰
| 1234567891011 | [[email protected]~]#cd/etc/httpd/[[email protected]httpd]#mkdirssl#建立儲存私鑰的目錄[[email protected]httpd]#cdssl[[email protected]ssl]#(umask077;opensslgenrsa-outhttpd.key2048)#生成私鑰GeneratingRSAprivatekey,2048bitlongmodulus......................................................+++...........................................+++eis65537(0x10001)[[email protected]ssl]#ll總用量4-rw-------.1rootroot167511月1511:05httpd.key |
(2)生成證書籤署請求
| 1234567891011121314151617181920 | [[email protected]ssl]#opensslreq-new-keyhttpd.key-outhttpd.csr-days365#在本地生成Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.TherearequiteafewfieldsbutyoucanleavesomeblankForsomefieldstherewillbeadefaultvalue,Ifyouenter'.',thefieldwillbeleftblank.-----CountryName(2lettercode)[XX]:CNStateorProvinceName(fullname)[]:SHLocalityName(eg,city)[DefaultCity]:SHOrganizationName(eg,company)[DefaultCompanyLtd]:DZHOrganizationalUnitName(eg,section)[]:OpsCommonName(eg,yournameoryourserver'shostname)[]:www.wlm.comEmailAddress[]:mail.wlm.comPleaseenterthefollowing'extra'attributestobesentwithyourcertificaterequestAchallengepassword[]:#密碼可以不設定Anoptionalcompanyname[]: |
(3)把請求傳送給CA
| 12345678 | [[email protected]ssl]#scphttpd.csr[email protected]:/tmp/ #10.10.10.3位CA主機#將請求籤發的證書發個證書伺服器,我們這裡是同一臺機器模擬了證書伺服器和申請簽發的客戶機Theauthenticityofhost'10.10.10.3(10.10.10.3)'can'tbeestablished.ECDSAkeyfingerprintis93:b6:c3:bf:a6:51:a7:4a:be:0c:14:93:ab:86:a1:56.Areyousureyouwanttocontinueconnecting(yes/no)?yesWarning:Permanentlyadded'10.10.10.3'(ECDSA)tothelistofknownhosts.[email protected]'spassword:httpd.csr100%10251.0KB/s00:0 |
(4)CA簽發證書(在CA10.10.10.3主機上操作)
| 12345678910111213141516171819202122232425262728293031323334353637383940 | [[email protected]tmp]#opensslca-in/tmp/httpd.csr-out/etc/pki/CA/certs/httpd.crt-days365#簽發證書,有效期為一年Usingconfigurationfrom/etc/pki/tls/openssl.cnfCheckthattherequestmatchesthesignatureSignatureokCertificateDetails:SerialNumber:1(0x1)ValidityNotBefore:Nov1503:15:542016GMTNotAfter:Nov1503:15:542017GMTSubject:countryName=CNstateOrProvinceName=SHorganizationName=DZHorganizationalUnitName=OpscommonName=www.wlm.comemailAddress=mail.wlm.comX509v3extensions:X509v3BasicConstraints:CA:FALSENetscapeComment:OpenSSLGeneratedCertificateX509v3SubjectKeyIdentifier:49:7A:99:41:6E:72:27:8F:B8:F0:C3:77:6C:B8:8B:C0:9F:C7:7D:2AX509v3AuthorityKeyIdentifier:keyid:A8:28:9A:3B:91:A9:4C:90:A4:08:3D:79:34:0D:D3:19:0E:68:6F:1ACertificateistobecertifieduntilNov1503:15:542017GMT(365days)Signthecertificate?[y/n]:y1outof1certificaterequestscertified,commit?[y/n]yWriteoutdatabasewith1newentriesDataBaseUpdated[[email protected]tmp]#cd/etc/pki/CA/[[email protected]CA]#lscacert.pemcrlindex.txt.attrnewcertsserialcertsindex.txtindex.txt.oldprivateserial.old[[email protected]CA]#catindex.txt#檢視第一個簽發的證書V 171115031554Z 01 unknown/C=CN/ST=SH/O=DZH/OU=Ops/CN=www.wlm.com/emailAddress=mail.wlm.com |
(5)把簽署好的證書發還給請求者
| 12345678 | [[email protected]CA]#[[email protected]CA]#pwd/etc/pki/CA[[email protected]CA]#scpcerts/httpd.crt[email protected]:/etc/httpd/ssl/#傳送證書[email protected]'spassword:httpd.crt100%57815.7KB/s00:00[[email protected]CA]#ls/etc/httpd/ssl/httpd.crthttpd.csrhttpd.key[email protected]#檢視已經簽發好的證書 |
2、配置httpd支援使用ssl,及使用的證書;
(1)安裝支援ssl的模組
[[email protected]CA]#yuminstall-ymod_ssl
(2)修改配置檔案
vim/etc/httpd/conf.d/ssl.conf <VirtualHost_default_:443> DocumentRoot"/var/www/html" ServerNamewww.wlm.com:443 SSLCertificateFile/etc/httpd/ssl/httpd.crt SSLCertificateKeyFile/etc/httpd/ssl/httpd.key
(3) 測試基於https訪問相應的主機;
重啟httpd服務之後通過瀏覽器驗證
關於httpd的配置,見http://afterdawn.blog.51cto.com/7503144/1873617
openssl詳解見:http://afterdawn.blog.51cto.com/7503144/1872753
轉載於:https://blog.51cto.com/afterdawn/1875173