SSL會話過程
(1)客戶端發送可供選擇的加密方式,並向服務器請求證書
(2)服務器端發送證書以及選定的加密方式給客戶端
(3)客戶端取得證書並進行證書驗證;
如果新人給其發證書的CA;
(a)驗證證書來源的合法性;用CA的公鑰解密證書上的數字簽名;
(b)驗證證書的內容的合法性;完整性驗證;
(c)檢查證書的有效期限,是否過期;
(d)檢查證書是否被吊銷;
(e)證書中擁有者的名字,與訪問的目標主機要一致;
(4)客戶端生成臨時會話密鑰(對稱密鑰),並使用服務器端的公鑰加密此數據發送給服務器,完成密鑰交換;
(5)服務器使用此密鑰加密用戶請求的資源,響應給客戶端;
需要注意的是,SSL會話是基於IP地址創建的;所以單IP的主機上,僅可以使用一個https虛擬主機;
配置過程:
(1)爲服務器申請數字證書;一般我們使用私建CA發證書
(a)在172.16.20.244上創建私有CA
1、生產密鑰對,創建私鑰,公鑰不需處理
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) Generating RSA private key, 2048 bit long modulus ..........+++ ..............+++ e is 65537 (0x10001) [root@localhost CA]#
2、生成自簽證書
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN // 這裏需要輸入證書的相關信息,需要注意的是 State or Province Name (full name) []:Beijing // 這裏輸入的信息要和http服務器生成證書請求 Locality Name (eg, city) [Default City]:Beijing // 部分保持一致,因爲這是私建CA Organization Name (eg, company) [Default Company Ltd]:Gump Ltd Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server's hostname) []:ca.gump.com Email Address []:[email protected] [root@localhost CA]#
3、在簽署證書之前,需要手動創建兩個文件,具體細節請參考openssl篇
[root@localhost CA]# touch /etc/pki/CA/index.txt [root@localhost CA]# touch /etc/pki/CA/serial [root@localhost CA]# echo 01 > /etc/pki/CA/serial
(2)在http服務器172.16.20.242上生成證書請求
(a)先生成密鑰,保存到應用此證書的服務的配置文件目錄下,https會話的建立以及數據傳輸過程中,都需要用到這個密鑰
[root@localhost ~]# mkdir /etc/httpd/ssl [root@localhost ~]# cd /etc/httpd/ssl [root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 1024) Generating RSA private key, 1024 bit long modulus .......++++++ ..........++++++ e is 65537 (0x10001) [root@localhost ssl]#
(b)根據密鑰生成證書申請請求
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Beijing Locality Name (eg, city) [Default City]:Beijing Organization Name (eg, company) [Default Company Ltd]:Gump Ltd Organizational Unit Name (eg, section) []:Ops Common Name (eg, your name or your server's hostname) []:web1.gump.com Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: // 這裏的密碼和名字沒有必要的情況下可以 An optional company name []: // 直接忽略 [root@localhost ssl]#
這裏可以看到的是,密鑰和證書請求都存放在之前創建好的/etc/httpd/ssl/目錄下
[root@localhost ssl]# pwd /etc/httpd/ssl [root@localhost ssl]# ls httpd.csr httpd.key [root@localhost ssl]#
(3)將http服務器172.16.20.242上的證書申請請求發送至CA服務器172.16.20.244上完成證書籤署
172.16.20.242:
[root@localhost ssl]# scp httpd.csr [email protected]:/tmp/ The authenticity of host '172.16.20.244 (172.16.20.244)' can't be established. ECDSA key fingerprint is bc:9c:21:b5:a6:4d:ef:b6:f3:00:94:80:b4:7f:18:f5. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.16.20.244' (ECDSA) to the list of known hosts. [email protected]'s password: httpd.csr 100% 696 0.7KB/s 00:00 [root@localhost ssl]#
172.16.20.244:
[root@localhost CA]# openssl ca -in /tmp/httpd.csr -out certs/web1.gump.com.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Aug 21 13:20:11 2017 GMT Not After : Aug 21 13:20:11 2018 GMT Subject: countryName = CN stateOrProvinceName = Beijing organizationName = Gump Ltd organizationalUnitName = Ops commonName = web1.gump.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 23:C2:7E:52:B5:AB:E8:A1:06:53:38:7A:39:F0:EB:E3:1C:B3:1F:76 X509v3 Authority Key Identifier: keyid:EB:31:34:C3:C5:7C:E4:BB:EE:C3:7C:11:5E:F1:70:5C:88:E5:87:D8 Certificate is to be certified until Aug 21 13:20:11 2018 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@localhost CA]#
(4)將簽署完成的證書web1.gump.com.crt傳輸給http服務器172.16.20.242
[root@localhost CA]# scp certs/web1.gump.com.crt [email protected]:/etc/httpd/ssl/ The authenticity of host '172.16.20.242 (172.16.20.242)' can't be established. RSA key fingerprint is 5a:10:33:a2:bf:5b:06:82:25:01:fb:c2:74:93:34:95. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.16.20.242' (RSA) to the list of known hosts. [email protected]'s password: web1.gump.com.crt 100% 3858 3.8KB/s 00:00 [root@localhost CA]#
(5)安裝ssl模塊
[root@localhost CA]# yum install mod_ssl -y
(6)配置ssl文件/etc/httpd/conf.d/ssl.conf
一般需要修改以下配置項
DocumentRoot // 根路徑,需要和httpd.conf中的根路徑一致
ServerName // 服務器名,需要和簽署的證書的服務器名一致
SSLCertfifcateFile // 證書文件存放目錄
SSLCertificateKeyFile // 密鑰文件存目錄
如果是應用到虛擬主機上,則同時也需要修改以下配置項
<VirtualHost _default_:443>
這裏的default即默認虛擬主機的IP地址,因爲SSL會話是基於IP地址創建的,所以有多個地址,需要填寫默認地址
[root@localhost CA]# vim /etc/httpd/conf.d/ssl.conf DocumentRoot /www/htdocs ServerName web1.gump.com SSLCertificateFile /etc/httpd/ssl/web1.gump.com.crt SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
(7)配置完成後,需要重新載入http配置文件才能生效,而新增的ssl模塊則是動態加載,無需重啓服務即可生效
測試配置效果
# openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename] 目標主機名 服務器端證書 CA證書目錄 CA證書文件名 [root@localhost CA]# openssl s_client -connect 172.16.20.244:443 -CApath /etc/pki/CA/casert.pem
也可以直接用瀏覽器端測試,在瀏覽器地址欄中輸入:https://172.16.20.242,如果可以成功訪問,說明配置成功。
寫的比較潦草,如有遺漏錯誤和爭議之處,歡迎大家的批評指正和討論,謝謝。