
Using httpd + openssl to implement HTTPS for a website


How the pieces fit together:

                      CA (issues / revokes certificates)
                       /                          \ \
          CA cert     /                 issues     \ \   certificate request
                     /                 certificate  \ \
              client <-------- digital certificate -------- WEB

1. The web server generates an asymmetric key pair (web public key, web private key).
2. The web server combines its identity information with the web public key to build a certificate request and sends that request to the CA server.
3. The CA server signs the web server's certificate request with the CA private key, producing the web server's digital certificate, and issues that certificate to the web server.
4. The client connects to the web server, requests an HTTPS connection, and downloads the web server's digital certificate.
5. The client downloads the CA's digital certificate (CA identity information + CA public key, issued by a higher-level CA or self-signed) and uses it to validate the web certificate (the CA certificate carries the CA public key, and the web certificate was signed with the CA private key).
6. The client and the web server negotiate a symmetric cipher; the client generates a symmetric key, encrypts it with the web public key and sends it to the web server, which decrypts it with the web private key.
7. Data is transferred under the symmetric key, and its integrity is checked.

Now let's walk through the concrete steps.

Configure the CA server
========================================================

1. Configure the CA (172.16.1.2): generate the CA's own public/private key pair and have the CA self-sign its own certificate (done with the bundled script).

    [root@CA ~]# vim /etc/pki/tls/openssl.cnf
    dir             = /etc/CA                  # Where everything is kept      (line 45)
    basicConstraints=CA:TRUE                   # lets the self-signed certificate be used  (line 178)

    [root@CA ~]# vim /etc/pki/tls/misc/CA
    CATOP=/etc/CA                              # line 42

    [root@CA ~]# /etc/pki/tls/misc/CA -newca
    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ......++++++
    .......................++++++
    writing new private key to '../../CA/private/./cakey.pem'     # the CA private key
    Enter PEM pass phrase:123456                                  # pass phrase protecting the CA private key
    Verifying - Enter PEM pass phrase:123456
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:CN                          # identity information
    State or Province Name (full name) [Berkshire]:BEIJING
    Locality Name (eg, city) [Newbury]:HD
    Organization Name (eg, company) [My Company Ltd]:UPLOOKING
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:CA.uplooking.com
    Email Address []:CA@uplooking.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for ../../CA/private/./cakey.pem:123456     # self-sign with the CA private key
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 0 (0x0)
            Validity
                Not Before: Mar 5 01:40:50 2012 GMT
                Not After : Mar 5 01:40:50 2015 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = BEIJING
                organizationName          = UPLOOKING
                organizationalUnitName    = IT
                commonName                = CA.uplooking.com
                emailAddress              = CA@uplooking.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:TRUE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
                X509v3 Authority Key Identifier:
                    keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3

    Certificate is to be certified until Mar 5 01:40:50 2015 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated

    [root@CA ~]# ls /etc/CA/private/cakey.pem     # CA private key
    [root@CA ~]# ls /etc/CA/cacert.pem            # CA certificate
    [root@CA ~]# ls /etc/CA/careq.pem             # CA certificate request

Configure the web server
===============================================================

The web server generates its own private key:

    [root@www ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key     # protect the private key with des3
    Generating RSA private key, 512 bit long modulus
    .........++++++++++++
    ......................++++++++++++
    e is 65537 (0x10001)
    Enter pass phrase for /etc/httpd/conf.d/server.key:123456
    Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:123456

Generate the certificate request (identity information + public key):

    [root@www ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
    Enter pass phrase for /etc/httpd/conf.d/server.key:123456
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    -------------------------------------------------------------------------------
    Country Name (2 letter code) [GB]:CN                          # these fields must match the CA's values !!!
    State or Province Name (full name) [Berkshire]:BEIJING
    Locality Name (eg, city) [Newbury]:HD
    Organization Name (eg, company) [My Company Ltd]:UPLOOKING
    Organizational Unit Name (eg, section) []:IT
    -------------------------------------------------------------------------------
    Common Name (eg, your name or your server's hostname) []:www.uplooking.com
    Email Address []:www@uplooking.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Send the certificate request to the CA:

    [root@www ~]# scp /tmp/server.csr CA.uplooking.com:/tmp/

The CA server signs the certificate request
=============================================================================

    [root@CA ~]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt

    /etc/CA/private/cakey.pem     (the CA's private key)
    /tmp/server.csr               (the httpserver's certificate request file)
    /etc/CA/cacert.pem            (the CA's certificate)
    /tmp/server.crt               (file name of the httpserver certificate being generated)

    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /etc/CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Mar 5 02:20:56 2012 GMT
                Not After : Mar 5 02:20:56 2013 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = BEIJING
                organizationName          = UPLOOKING
                organizationalUnitName    = IT
                commonName                = www.uplooking.com
                emailAddress              = www@uplooking.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:TRUE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
                X509v3 Authority Key Identifier:
                    keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3

    Certificate is to be certified until Mar 5 02:20:56 2013 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Issue the signed digital certificate to the web server:

    [root@CA ~]# scp /tmp/server.crt www.uplooking.com:/etc/httpd/conf.d/

Configure the web server for SSL to provide HTTPS
==========================================================

    [root@www ~]# yum install httpd mod_ssl
    [root@www ~]# vim /etc/httpd/conf.d/ssl.conf
    SSLCertificateFile /etc/httpd/conf.d/server.crt
    SSLCertificateKeyFile /etc/httpd/conf.d/server.key

    [root@www ~]# netstat -tunpl | grep 443
    tcp        0      0 :::443        :::*        LISTEN      2000/httpd

The client downloads the CA certificate, imports it into the browser, then visits the www server
==================================================================================

The client needs to download the CA certificate and import it into the browser. When it then accesses the web server over https, the browser checks whether the web server's digital certificate was issued by that CA.

Open Firefox: Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Import
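The whole issuing flow from the steps above (CA self-signing, web server key and request, signature with openssl ca, then the client-side validation of step 5 in the diagram), as an added shell example that is not part of the original post. It assumes a scratch directory, the pass phrase 123456 and the host names from the walkthrough, replaces the interactive prompts with -subj and -batch, and ships a minimal openssl.cnf of its own instead of editing /etc/pki/tls/openssl.cnf. Two things differ from the post on purpose: its usr_cert section keeps basicConstraints = CA:FALSE, so the issued web certificate cannot itself sign certificates (the server.crt above carries CA:TRUE, the result of switching basicConstraints to CA:TRUE in openssl.cnf), and the web key is 2048 bits rather than 512. The policy_match section is the reason the post insists that the web request's country, state and organization match the CA's.

```shell
#!/bin/sh
# Added example, not from the original post: the same private-CA flow run
# non-interactively, followed by the checks a client performs in step 5.
# Assumed values: the scratch directory passed in, pass phrase 123456, and
# the host names CA.uplooking.com / www.uplooking.com from the walkthrough.
set -eu

build_demo_pki() {
    work="$1"
    mkdir -p "$work/CA/private" "$work/CA/newcerts" "$work/web"
    : > "$work/CA/index.txt"      # openssl ca's certificate database, empty at start
    echo 01 > "$work/CA/serial"   # serial number of the first certificate to issue

    # Minimal stand-in for /etc/pki/tls/openssl.cnf. policy_match enforces
    # that C/ST/O in a request equal the CA's own; usr_cert keeps CA:FALSE
    # so the web certificate cannot act as a CA.
    cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = $work/CA
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.uplooking.com
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

    # CA: key pair plus self-signed certificate (what "CA -newca" did in the post).
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 1095 \
        -config "$work/ca.cnf" -extensions v3_ca -passout pass:123456 \
        -keyout "$work/CA/private/cakey.pem" -out "$work/CA/cacert.pem" \
        -subj "/C=CN/ST=BEIJING/L=HD/O=UPLOOKING/OU=IT/CN=CA.uplooking.com" 2>/dev/null

    # Web server: pass-phrase-protected private key (2048 bits) and certificate request.
    openssl genrsa -aes256 -passout pass:123456 -out "$work/web/server.key" 2048 2>/dev/null
    openssl req -new -key "$work/web/server.key" -passin pass:123456 \
        -config "$work/ca.cnf" -out "$work/web/server.csr" \
        -subj "/C=CN/ST=BEIJING/L=HD/O=UPLOOKING/OU=IT/CN=www.uplooking.com"

    # CA signs the request with openssl ca, as in the post, but in batch mode.
    openssl ca -batch -config "$work/ca.cnf" -passin pass:123456 \
        -in "$work/web/server.csr" -out "$work/web/server.crt" >/dev/null 2>&1
}

# Step 5 from the client's side: does the web certificate chain to the CA certificate?
verify_web_cert() {
    openssl verify -CAfile "$1/CA/cacert.pem" "$1/web/server.crt" 2>/dev/null | grep -q ': OK$'
}

# The issued certificate must be an end-entity certificate (Basic Constraints CA:FALSE).
web_cert_is_leaf() {
    openssl x509 -in "$1/web/server.crt" -noout -text | grep -q 'CA:FALSE'
}

# RSA modulus size of the web certificate's public key, for a minimum-size policy.
web_cert_bits() {
    openssl x509 -in "$1/web/server.crt" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

DEMO_DIR="$(mktemp -d)"
build_demo_pki "$DEMO_DIR"
verify_web_cert "$DEMO_DIR"
web_cert_is_leaf "$DEMO_DIR"
echo "server.crt chains to cacert.pem, is CA:FALSE, public key $(web_cert_bits "$DEMO_DIR") bits"
```

The three check functions are the part worth keeping around: run them against the server.crt produced by any CA before it goes into SSLCertificateFile. verify_web_cert is what the browser does once the CA certificate has been imported; the same check over the wire against a running httpd is openssl s_client -connect www.uplooking.com:443 -CAfile cacert.pem.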

If you are still unsure how to generate openssl certificates, have a look at this article of mine:

http://sangh.blog.51cto.com/6892345/1355878  I published it last time; everyone is welcome to take a look.
