As is well known, HTTP transmits everything in plaintext, so sending sensitive data over the Internet, especially account names and passwords, is not very safe. Since HTTP is one of the most widely used application-layer protocols, the way to make it safer is to use HTTPS with the help of SSL. SSL, however, only supports IP-based hosts, so to use HTTPS you must either use the central (main) host or just one of several name-based virtual hosts.
Environment:
httpd server address: 172.16.1.111
CA server address: 172.16.1.110
1. First install the mod_ssl module on the httpd server
[root@soysauce ~]# yum install -y "mod_ssl"
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * epel: mirrors.ustc.edu.cn
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package mod_ssl.x86_64 1:2.2.15-47.el6.centos.1 will be installed
--> Processing Dependency: httpd = 2.2.15-47.el6.centos.1 for package: 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64
--> Running transaction check
---> Package httpd.x86_64 0:2.2.15-47.el6.centos will be updated
---> Package httpd.x86_64 0:2.2.15-47.el6.centos.1 will be an update
--> Processing Dependency: httpd-tools = 2.2.15-47.el6.centos.1 for package: httpd-2.2.15-47.el6.centos.1.x86_64
--> Running transaction check
---> Package httpd-tools.x86_64 0:2.2.15-47.el6.centos will be updated
---> Package httpd-tools.x86_64 0:2.2.15-47.el6.centos.1 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package          Arch       Version                      Repository      Size
================================================================================
Installing:
 mod_ssl          x86_64     1:2.2.15-47.el6.centos.1     updates         95 k
Updating for dependencies:
 httpd            x86_64     2.2.15-47.el6.centos.1       updates        830 k
 httpd-tools      x86_64     2.2.15-47.el6.centos.1       updates         77 k

Transaction Summary
================================================================================
Install       1 Package(s)
Upgrade       2 Package(s)

Total download size: 1.0 M
Downloading Packages:
(1/3): httpd-2.2.15-47.el6.centos.1.x86_64.rpm           | 830 kB     00:00
(2/3): httpd-tools-2.2.15-47.el6.centos.1.x86_64.rpm     |  77 kB     00:00
(3/3): mod_ssl-2.2.15-47.el6.centos.1.x86_64.rpm         |  95 kB     00:00
--------------------------------------------------------------------------------
Total                                            974 kB/s | 1.0 MB     00:01
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : httpd-tools-2.2.15-47.el6.centos.1.x86_64                  1/5
  Updating   : httpd-2.2.15-47.el6.centos.1.x86_64                        2/5
  Installing : 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64                    3/5
  Cleanup    : httpd-2.2.15-47.el6.centos.x86_64                          4/5
  Cleanup    : httpd-tools-2.2.15-47.el6.centos.x86_64                    5/5
  Verifying  : httpd-tools-2.2.15-47.el6.centos.1.x86_64                  1/5
  Verifying  : httpd-2.2.15-47.el6.centos.1.x86_64                        2/5
  Verifying  : 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64                    3/5
  Verifying  : httpd-2.2.15-47.el6.centos.x86_64                          4/5
  Verifying  : httpd-tools-2.2.15-47.el6.centos.x86_64                    5/5

Installed:
  mod_ssl.x86_64 1:2.2.15-47.el6.centos.1

Dependency Updated:
  httpd.x86_64 0:2.2.15-47.el6.centos.1    httpd-tools.x86_64 0:2.2.15-47.el6.centos.1

Complete!
2. Set up the CA server
(1) Generate the CA's own private key
[root@CentOS5 ~]# cd /etc/pki/CA/
[root@CentOS5 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.................................................................................+++
...+++
e is 65537 (0x10001)
[root@CentOS5 CA]# ll private/cakey.pem
-rw------- 1 root root 1679 Dec 12 03:58 private/cakey.pem
(2) Edit the openssl configuration file to set the default DN attributes and the CA directory
[root@CentOS5 CA]# vim ../tls/openssl.cnf
[root@CentOS5 CA]# grep "_default" ../tls/openssl.cnf | tail -6
countryName_default             = CN
stateOrProvinceName_default     = HuBei
localityName_default            = HuangGang
0.organizationName_default      = Soysauce
#1.organizationName_default     = World Wide Web Pty Ltd
organizationalUnitName_default  = Tech
[root@CentOS5 CA]# grep "^dir" ../tls/openssl.cnf
dir             = /etc/pki/CA           # Where everything is kept
(3) Generate the CA's self-signed certificate
[root@CentOS5 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HuBei]:
Locality Name (eg, city) [HuangGang]:
Organization Name (eg, company) [Soysauce]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.soysauce.com
Email Address []:[email protected]
(4) Prepare the directories and files the CA needs
[root@CentOS5 CA]# mkdir certs crl newcerts
[root@CentOS5 CA]# touch index.txt
[root@CentOS5 CA]# echo 01 > serial
3. The httpd server generates a key pair and a certificate signing request, and sends the request to the CA server
(1) Generate a key pair on the httpd server
[root@soysauce ~]# cd /etc/httpd/
[root@soysauce httpd]# mkdir ssl
[root@soysauce httpd]# cd ssl/
[root@soysauce ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
............+++
.............................+++
e is 65537 (0x10001)
[root@soysauce ssl]# ll
total 4
-rw------- 1 root root 1675 Dec 12 13:04 httpd.key
(2) Generate the certificate signing request on the httpd server (the Common Name must match the server's hostname)
[root@soysauce ssl]# scp 172.16.1.110:/etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf
[root@soysauce ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HuBei]:
Locality Name (eg, city) [HuangGang]:
Organization Name (eg, company) [NetWork]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(3) Send the certificate signing request to the CA server
[root@soysauce ssl]# scp httpd.csr 172.16.1.110:/tmp/
4. The CA signs the certificate request and sends the certificate back to the httpd server
(1) Sign the certificate request on the CA server
[root@CentOS5 CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 11 20:23:59 2015 GMT
            Not After : Dec  8 20:23:59 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HuBei
            organizationName          = Soysauce
            organizationalUnitName    = Tech
            commonName                = www.soysauce.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                35:E0:03:B1:67:28:A9:A9:39:F0:DB:0D:26:0B:ED:AD:B2:F6:FA:4A
            X509v3 Authority Key Identifier:
                keyid:9D:DF:4E:04:DC:31:25:24:2B:F6:65:05:9C:B3:96:8E:DC:6A:FB:4B

Certificate is to be certified until Dec  8 20:23:59 2025 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CentOS5 ~]# cd /etc/pki/CA/
[root@CentOS5 CA]# ls
cacert.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[root@CentOS5 CA]# cat index.txt
V	251208202359Z		01	unknown	/C=CN/ST=HuBei/O=Soysauce/OU=Tech/CN=www.soysauce.com/[email protected]
[root@CentOS5 CA]# cat serial
02
(2) Return the signed certificate to the httpd server
[root@CentOS5 CA]# scp /tmp/httpd.crt 172.16.1.111:/etc/httpd/ssl/httpd.crt
(3) Remove the temporary copies of the httpd server's request and certificate from the CA server
[root@CentOS5 tmp]# rm -f httpd.csr httpd.crt
5. Edit ssl.conf on the httpd server to enable HTTPS
(1) Edit the ssl.conf configuration file
[root@soysauce ssl]# cd /etc/httpd/conf.d/
[root@soysauce conf.d]# ls
README  ssl.conf  virtualhost.conf  welcome.conf
[root@soysauce conf.d]# cp ssl.conf{,.back}
[root@soysauce conf.d]# vim ssl.conf
[root@soysauce conf.d]# grep -A 4 "<Virtu" ssl.conf
<VirtualHost 172.16.1.111:443>
ServerName www.soysauce.com
DocumentRoot "/data/www/soysauce.com"
ErrorLog "/var/log/httpd/soysauce.com/ssl_error_log"
TransferLog "/var/log/httpd/soysauce.com/ssl_access_log"
[root@soysauce conf.d]# grep "^SSLCertificate" ssl.conf
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
(2) Restart the httpd service; clients can then access the site over HTTPS
[root@soysauce conf.d]# vim /etc/hosts
[root@soysauce conf.d]# tail -1 /etc/hosts          # the file being edited is the client's hosts file
172.16.1.111 www.soysauce.com
[root@soysauce conf.d]# httpd -t
Syntax OK
[root@soysauce conf.d]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
At this point a web server that supports HTTPS is complete.
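A pre-restart sanity check, added here as an example and not part of the original post: it parses the CA's index.txt in the tab-separated format shown in step 4 and confirms that the certificate recorded for the httpd ServerName is neither revoked nor expired. The index content is constructed (entry 01 mirrors the certificate issued above, entry 02 is a hypothetical revoked certificate), and the ServerName is the one from ssl.conf.

```python
from datetime import datetime, timezone

# Constructed sample of /etc/pki/CA/index.txt (tab-separated: status V/R/E,
# expiry, revocation date (empty unless revoked), serial, file name, DN).
# Entry 01 mirrors the certificate the CA issued above; entry 02 is a
# hypothetical revoked certificate added to exercise that branch.
INDEX_TXT = (
    "V\t251208202359Z\t\t01\tunknown\t"
    "/C=CN/ST=HuBei/O=Soysauce/OU=Tech/CN=www.soysauce.com\n"
    "R\t261001000000Z\t200101120000Z\t02\tunknown\t"
    "/C=CN/O=Soysauce/CN=old.soysauce.com\n"
)


def parse_index(text):
    """Parse index.txt into dicts with a UTC expiry and a subject-DN dict."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, fname, subject = line.split("\t")
        dn = dict(p.split("=", 1) for p in subject.split("/") if "=" in p)
        entries.append({
            "status": status,
            # OpenSSL writes YYMMDDHHMMSSZ; %y maps 25 to 2025
            "expiry": datetime.strptime(expiry, "%y%m%d%H%M%SZ")
                      .replace(tzinfo=timezone.utc),
            "revoked": revoked or None,
            "serial": serial,
            "subject": dn,
        })
    return entries


def check_server_cert(entries, server_name, today):
    """Return (serial, "ok") if the CA has a valid certificate whose CN equals
    the httpd ServerName, else (None, reason). today is 'YYYY-MM-DD'."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    for e in entries:
        if e["subject"].get("CN") != server_name:
            continue
        if e["status"] == "R" or e["revoked"]:
            return None, "revoked"
        if e["expiry"] <= now:
            return None, "expired"
        return e["serial"], "ok"
    return None, "no certificate issued for " + server_name
```

A mismatch between the CN in the CSR and the ServerName (as would happen with the www.a.com value typed into the request above) shows up here as "no certificate issued", before the browser ever complains.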