Implementing HTTPS on Linux

Published: 2020-08-10 18:58:59  Source: web  Reads: 734  Author: vipzhongxiaofei  Category: system operations

Deploying HTTPS
Network plan for this chapter: the host that will act as the private certificate authority (CA) is ca.example.com, with IP address and prefix length 192.168.1.40/24, gateway 192.168.1.1 and DNS1 192.168.1.10.
The web server host is rhel7.example.com, IP 192.168.1.20/24, DNS1 192.168.1.10.

Installing OpenSSL

/usr/bin/openssl: the main program of the CA server.

/etc/pki/tls/openssl.cnf: the OpenSSL configuration file.

/etc/pki/CA: the CA server's home directory.

[root@ca ~]# yum -y install openssl
[root@ca ~]# vim /etc/pki/tls/openssl.cnf
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# some output omitted
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept      
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

# some output omitted

Here /etc/pki/CA is the CA's home directory; dir is a variable and $dir expands to /etc/pki/CA. For example, the configuration file sets the CA's private key path to $dir/private/cakey.pem, so the real path is /etc/pki/CA/private/cakey.pem.

構(gòu)建私有CA

為CA機(jī)構(gòu)生成自簽名證書(shū),并為CA提供所需要的目錄及文件。
使用的關(guān)鍵命令是”openssl“,其重要選項(xiàng)如下:
-new : 生成新證書(shū)的簽署請(qǐng)求
-x509 :生成自簽名證書(shū)格式,專(zhuān)用于創(chuàng)建私有CA時(shí)
-key:生成請(qǐng)求時(shí)用到的私鑰文件路徑
-out:生成后的文件存放路徑,如果是自簽名操作,將直接生成簽署過(guò)的證書(shū)
-days: 證書(shū)的有效期,單位為天,默認(rèn)為365天
①生成私鑰

[root@ca ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 1024 bit long modulus
.....++++++
.......++++++
e is 65537 (0x10001)
[root@ca ~]# cd /etc/pki/CA/private/
[root@ca private]# pwd
/etc/pki/CA/private
[root@ca private]#

② Generate the self-signed certificate

[root@ca private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:GL
Organizational Unit Name (eg, section) []:xitong
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:root@example.com

③ Create the directories and files the CA needs

[root@ca private]# cd ../
[root@ca CA]# touch serial
[root@ca CA]# touch index.txt
[root@ca CA]# echo 01 > /etc/pki/CA/serial

Add an A record for ca.example.com on the DNS server.
④ Request a web certificate for the web site (performed on the web server)
This section requests a web certificate for the main site rhel7.example.com on the web server.
Generate the private key and store it in /etc/httpd/ssl; this directory can be chosen freely.

[root@rhel7 ~]# mkdir /etc/httpd/ssl
[root@rhel7 ~]# cd /etc/httpd/ssl/
[root@rhel7 ssl]# (umask 077;openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
............++++++
...................................++++++
e is 65537 (0x10001)

⑤ Generate the signing request file for the rhel7.example.com site

[root@rhel7 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:GL
Organizational Unit Name (eg, section) []:xitong
Common Name (eg, your name or your server's hostname) []:rhel7.example.com
Email Address []:root@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

⑥ Send the signing request file to the CA server by a trustworthy means

[root@rhel7 ~]# scp /etc/httpd/ssl/httpd.csr root@ca.example.com:/etc/pki/CA/
The authenticity of host 'ca.example.com (172.16.30.40)' can't be established.
ECDSA key fingerprint is 4e:38:22:c7:5d:1a:ed:1c:ab:54:4f:7e:b2:84:6b:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ca.example.com,172.16.30.40' (ECDSA) to the list of known hosts.
root@ca.example.com's password:
httpd.csr                                                                                100%  688     0.7KB/s   00:00

⑦ On the CA server host, digitally sign the request and specify where the resulting web certificate is stored

[root@ca ~]# openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  9 16:58:42 2019 GMT
            Not After : Oct  8 16:58:42 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = GL
            organizationalUnitName    = xitong
            commonName                = rhel7.example.com
            emailAddress              = root@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B5:E9:B1:1E:D7:9F:3B:DC:97:D4:40:CE:7E:4A:2E:06:0D:15:08:5D
            X509v3 Authority Key Identifier:
                keyid:5F:68:24:75:05:1E:8C:C2:ED:34:CF:FF:B7:04:47:1A:83:E0:BC:F3

Certificate is to be certified until Oct  8 16:58:42 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca ~]#

⑧ On the web server host, download the web certificate signed by the CA server into /etc/httpd/ssl with scp

[root@rhel7 ~]# scp root@ca.example.com:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
root@ca.example.com's password:
httpd.crt                                                                                100% 3198     3.1KB/s   00:00    
[root@rhel7 ~]#
[root@rhel7 ~]# cd /etc/httpd/ssl/
[root@rhel7 ssl]# ls
httpd.crt  httpd.csr  httpd.key
[root@rhel7 ssl]# cat httpd.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HN, L=ZZ, O=GL, OU=xitong, CN=ca.example.com/emailAddress=root@example.com
        Validity
            Not Before: Oct  9 16:58:42 2019 GMT
            Not After : Oct  8 16:58:42 2020 GMT
        Subject: C=CN, ST=HN, O=GL, OU=xitong, CN=rhel7.example.com/emailAddress=root@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:d3:60:22:af:b5:4f:85:05:44:42:4f:ad:a2:71:
                    b7:a4:74:88:fb:76:c0:89:91:c8:f1:87:c6:a0:f6:
                    92:52:51:ff:3d:c8:fa:0e:3b:9f:68:77:6b:f9:77:
                    11:aa:96:d7:53:50:cb:40:72:54:3d:89:08:8e:51:
                    22:3c:b9:f3:a0:fb:3d:a4:09:58:22:80:2e:4b:4a:
                    b2:b7:7e:84:c6:29:0c:97:2e:d2:cf:d0:b1:93:53:
                    82:7d:e7:99:a9:79:ee:f5:c8:d8:9b:8f:6e:5e:2a:
                    61:47:56:c7:a0:dc:1f:7c:ad:75:6e:4e:bb:a9:33:
                    92:37:fd:01:d4:92:81:44:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B5:E9:B1:1E:D7:9F:3B:DC:97:D4:40:CE:7E:4A:2E:06:0D:15:08:5D
            X509v3 Authority Key Identifier:
                keyid:5F:68:24:75:05:1E:8C:C2:ED:34:CF:FF:B7:04:47:1A:83:E0:BC:F3

    Signature Algorithm: sha256WithRSAEncryption
         03:a8:b2:ef:1a:3c:08:71:36:79:e8:0c:24:41:2a:dc:63:7b:
         12:36:62:75:04:e6:5a:85:5d:a4:99:9a:be:69:35:19:0e:26:
         fb:4e:b0:75:59:98:94:3f:03:7c:5e:97:ea:fe:eb:66:d9:9b:
         61:91:e2:9d:9d:b5:9e:a2:f1:c5:db:bd:da:25:65:f1:68:69:
         2d:13:b0:b4:1c:77:64:75:39:2a:ca:0e:91:89:4c:94:42:4d:
         aa:77:69:33:ce:7e:4d:3d:a0:a8:0d:e2:6a:b7:b5:33:e7:e9:
         d6:1b:ea:a5:92:5f:e9:cf:7e:7f:58:fe:cf:8b:1e:19:ac:17:
         cc:fc
[root@rhel7 ssl]#

⑨ Install the Apache HTTP extension module mod_ssl to support TLS

[root@rhel7 ~]# yum -y install mod_ssl

After installation, the configuration file ssl.conf is created in /etc/httpd/conf.d. Edit ssl.conf to deploy the rhel7.example.com site as HTTPS: set ServerName to the site name (it must match the certificate's Common Name) and point SSLCertificateFile and SSLCertificateKeyFile at the certificate and key generated above.

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https
# some output omitted
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName rhel7.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
# some output omitted
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

#   Server Certificate Chain:
# some output omitted

Restart the service and configure the firewall

[root@rhel7 ~]# systemctl restart httpd
[root@rhel7 ~]# firewall-cmd --add-service=https --permanent
success
[root@rhel7 ~]# firewall-cmd --reload

Access test:
https://rhel7.example.com
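The whole sequence above, replayed non-interactively as an added example (not the post's own commands), together with the checks worth running on httpd.crt, httpd.key and cacert.pem before restarting httpd. It assumes openssl on the PATH, signs with "openssl x509 -req" so no /etc/pki/CA layout is needed, and the directory and subject names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: a non-interactive replay of
# the page's key/CSR/signing steps plus the checks worth running on
# httpd.crt, httpd.key and cacert.pem before pointing mod_ssl at them.
# Assumptions: signing uses "openssl x509 -req" (no /etc/pki/CA layout
# needed), 2048-bit keys, and the demo subjects/paths shown below.

# build_demo_pki DIR: CA key + self-signed CA cert, then a CA-signed
# server certificate for rhel7.example.com, all written under DIR.
build_demo_pki() {
    d="$1"
    mkdir -p "$d" || return 1
    # CA private key created under a restrictive umask, as on the page
    (umask 077; openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" -days 365 \
        -subj "/C=CN/ST=HN/L=ZZ/O=GL/OU=xitong/CN=ca.example.com" 2>/dev/null || return 1
    # server key and CSR (steps 4 and 5 of the page)
    (umask 077; openssl genrsa -out "$d/httpd.key" 2048 2>/dev/null) || return 1
    openssl req -new -key "$d/httpd.key" -out "$d/httpd.csr" \
        -subj "/C=CN/ST=HN/L=ZZ/O=GL/OU=xitong/CN=rhel7.example.com" 2>/dev/null || return 1
    # CA signs the CSR (step 7); -CAcreateserial plays the role of /etc/pki/CA/serial
    openssl x509 -req -in "$d/httpd.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -out "$d/httpd.crt" -days 365 2>/dev/null
}

# check_cert CERT KEY CACERT HOST: prints "ok" and returns 0 only if the
# certificate chains to CACERT, matches KEY, names HOST, and KEY is private.
check_cert() {
    cert="$1"; key="$2"; ca="$3"; host="$4"
    # 1. chain: what a client that trusts cacert.pem will verify
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    # 2. cert/key match: httpd refuses to start if these differ
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] || { echo "key: FAIL"; return 1; }
    # 3. CN must equal the name clients type in the URL
    openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$host" || { echo "cn: FAIL"; return 1; }
    # 4. the key file must be readable by its owner only (the umask 077 result)
    case $(ls -l "$key") in
        -rw-------*) ;;
        *) echo "perms: FAIL"; return 1 ;;
    esac
    echo "ok"
}
```

Run check_cert against the real /etc/httpd/ssl files and /etc/pki/CA/cacert.pem after step ⑧; any FAIL line names the reason httpd or a browser will reject the setup.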
