Implementing HTTPS for a website on CentOS with httpd + openssl

Document metadata: uploaded 2023-01-15, format DOCX, 5 pages, 16.08 KB

The concrete steps are described below.

Configuring the CA server

========================================================

1. Configure the CA (172.16.1.2): generate the CA's own public and private key, and have the CA self-sign its own certificate (done with the CA script).

[root@CA ~]# vim /etc/pki/tls/f
dir = /etc/CA                  # Where everything is kept   (line 45)
basicConstraints = CA:TRUE     # the self-signed certificate can be used   (line 178)

[root@CA ~]# vim /etc/pki/tls/misc/CA
CATOP=/etc/CA                  # line 42

[root@CA ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
.......................++++++
writing new private key to '../../CA/private/./cakey.pem'   # private key
Enter PEM pass phrase: 123456                                # protects the CA private key
Verifying - Enter PEM pass phrase: 123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN                         # identity information
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:UPLOOKING
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:CA
Email Address []:CA@

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/f
Enter pass phrase for ../../CA/private/./cakey.pem: 123456   # self-sign with the private key
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Mar  5 01:40:50 2012 GMT
            Not After : Mar  5 01:40:50 2015 GMT
        Subject:
            countryName            = CN
            stateOrProvinceName    = BEIJING
            organizationName       = UPLOOKING
            organizationalUnitName = IT
            commonName             = CA
            emailAddress           = CA@
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
            X509v3 Authority Key Identifier:
                keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3

Certificate is to be certified until Mar  5 01:40:50 2015 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

[root@CA ~]# ls /etc/CA/private/cakey.pem    # CA private key
[root@CA ~]# ls /etc/CA/cacert.pem           # CA certificate
[root@CA ~]# ls /etc/CA/careq.pem            # CA certificate request

Configuring the web server

===============================================================

The web server generates its own private key

[root@www ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key    # protect the private key with des3
Generating RSA private key, 512 bit long modulus
.........++++++++++++
......................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456

Generate the certificate request (identity information + public key)

[root@www ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
-------------------------------------------------------------------------------
Country Name (2 letter code) [GB]:CN                         # this part must match the CA!!!
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:UPLOOKING
Organizational Unit Name (eg, section) []:IT
-------------------------------------------------------------------------------
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Send the certificate request to the CA

[root@www ~]# scp /tmp/server.csr CA:/tmp/

The CA server digitally signs the certificate request

=============================================================================

[root@CA ~]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt
    /etc/CA/private/cakey.pem   (the CA's private key)
    /tmp/server.csr             (the http server's certificate request file)
    /etc/CA/cacert.pem          (the CA's certificate)
    /tmp/server.crt             (file name for the generated http server certificate)
Using configuration from /etc/pki/tls/f
Enter pass phrase for /etc/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  5 02:20:56 2012 GMT
            Not After : Mar  5 02:20:56 2013 GMT
        Subject:
            countryName            = CN
            stateOrProvinceName    = BEIJING
            organizationName       = UPLOOKING
            organizationalUnitName = IT
            commonName             =
            emailAddress           =
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
            X509v3 Authority Key Identifier:
                keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3

Certificate is to be certified until Mar  5 02:20:56 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Issue the signed digital certificate to the web server

[root@CA ~]# scp /tmp/server.crt :/etc/httpd/conf.d/

Configure the web server to support SSL and serve HTTPS

==========================================================

[root@www ~]# yum install httpd mod_ssl

[root@www ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key

[root@www ~]# netstat -tunpl | grep 443
tcp        0      0 :::443          :::*            LISTEN      2000/httpd

The client downloads the CA certificate, imports it into the browser, then accesses the www server
==================================================================================

The client needs to download the CA certificate and import it into the browser, then access the web server over HTTPS; the browser verifies whether the web server's digital certificate was issued by the CA. In Firefox: Edit ------> Preferences -----> Advanced ----> Encryption -----> View Certificates ------> Import.
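A post-issuance check for the files this walkthrough produces, added here as an example (it is not part of the original document). It runs on the web server once server.crt sits next to server.key, takes the hostname clients will type as an argument, and looks for the two findings visible in the transcripts above: the server certificate carrying CA:TRUE and the 512-bit server key. The paths are the walkthrough's; the hostname www.example.test is a placeholder, and the SERVER_KEY_PASS variable is this script's own convention for the des3 pass phrase.

```shell
#!/bin/sh
# Added example, not from the original document. Checks the certificate the CA
# issued against the CA certificate and the server's private key.
# Usage: ./check_cert.sh /etc/httpd/conf.d/server.crt /etc/httpd/conf.d/server.key \
#            /etc/CA/cacert.pem www.example.test      (www.example.test is a placeholder)
# An encrypted server.key (the walkthrough uses -des3) needs SERVER_KEY_PASS set.

check_issued_cert() {
    cert=$1 key=$2 cacert=$3 host=$4 rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 1

    # 1. Chain: the certificate must verify against the CA the browser will trust.
    openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $cacert"; rc=1; }

    # 2. The key file must belong to this certificate: compare the public key inside
    #    the certificate with the one derived from the private key.
    pub_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    pub_key=$(openssl rsa -in "$key" -passin "pass:${SERVER_KEY_PASS:-}" -pubout 2>/dev/null || true)
    [ -n "$pub_key" ] && [ "$pub_cert" = "$pub_key" ] ||
        { echo "FAIL: $key is unreadable or does not match $cert"; rc=1; }

    # 3. An end-entity certificate must not be a CA. The walkthrough's signed
    #    server.crt shows CA:TRUE, which would let the web key sign further certs.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
        { echo "FAIL: Basic Constraints CA:TRUE on a server certificate"; rc=1; }

    # 4. Browsers match the hostname against the subject CN (no SAN is set here).
    openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        grep -qE "(^subject= ?|,)CN=$host(,|\$)" ||
        { echo "FAIL: subject CN is not $host"; rc=1; }

    # 5. Key size: the walkthrough generates a 512-bit server key; require >= 2048.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public.Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: ${bits:-unknown}-bit RSA key, want at least 2048"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $cert passes all checks"
    return "$rc"
}

# Run only when given the four arguments; sourcing the file just defines the function.
[ $# -eq 4 ] && check_issued_cert "$@"
```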
