How to implement SSL
1. To make our web server support SSL, the first step is to install the SSL module:
yum install mod_ssl -y    # installed on 172.16.50.5
2. Provide a CA. The CA issues itself a self-signed certificate; our web server then generates a key pair and sends its public key to the CA, wrapped in a certificate signing request, and the CA signs it.
Here we use two hosts, 172.16.50.5 and 172.16.50.4: 172.16.50.4 acts as the CA and 172.16.50.5 is the web server.
3. Generate the CA's private key (this is done on 172.16.50.4), as in figure 1. The configuration edited in step 5 expects it at /etc/pki/CA/private/cakey.pem; generate it with a restrictive umask, as the web server key is generated in step 7, so the file is readable only by root.
Figure 1
4. Generate the self-signed certificate, as in figure 2.
Generating the self-signed certificate prompts for a lot of information, which is tedious to type, but every prompt has a default. Change the defaults once in the configuration file and you will not have to fill them in next time:
vim /etc/pki/tls/openssl.cnf    # edit the configuration file
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN            # default country
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Henan         # default province

localityName                    = Locality Name (eg, city)
localityName_default            = zhengzhou     # default city

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Magedu        # organization name

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Tech          # department name
Now we generate the self-signed certificate:
Figure 2
5. In the same configuration file we also need to set the directory the CA keeps its files in (the self-signed certificate, the private key, the index), so that it matches where we generated them:
vim /etc/pki/tls/openssl.cnf
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept (the CA's base directory)
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept (certificate revocation lists)
database        = $dir/index.txt        # database index file: every certificate we sign is recorded here
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key generated in step 3
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extensions to add to the cert
6. With the configuration file done, prepare the directories and files the CA needs (note that this is done inside the CA directory, /etc/pki/CA):
[root@server21 CA]# mkdir certs crl newcerts    # create the directories
[root@server21 CA]# touch index.txt             # create the index file
[root@server21 CA]# echo 01 > serial            # first serial number
[root@server21 CA]# ls                          # check the directories and files
cacert.pem  certs  crl  index.txt  newcerts  private  serial
Make sure private/ and the cakey.pem inside it are readable only by root: everything that follows rests on that one file, and nothing else on this page ever needs to read it.
Now the CA is usable. Whoever needs a certificate generates a key pair, builds a certificate signing request from it, and sends the request to our CA host to be signed.
7. Back on the web server (172.16.50.5).
The certificate we are about to request is for our web server, so we keep its files under /etc/httpd/:
[root@station41 ~]# cd /etc/httpd/
[root@station41 httpd]# ls
conf  conf.d  logs  modules  run
[root@station41 httpd]# mkdir ssl -pv
mkdir: created directory `ssl'
[root@station41 httpd]# cd ssl/
# generate a key pair, then wrap the public key in a certificate signing request to send to the CA
[root@station41 ssl]# (umask 077; openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
..........................++++++
..............................++++++
e is 65537 (0x10001)
The umask 077 in the subshell makes httpd.key readable only by root without changing the shell's umask afterwards. The transcript is left as it was run, but 1024-bit RSA is considered too weak today; use 2048 bits or more.
# generate the certificate signing request
[root@station41 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]:                          # country
State or Province Name (full name) [Henan]:                 # province
Locality Name (eg, city) [Zhengzhou]:zhengzhou              # city
Organization Name (eg, company) [MagEdu]:Magedu             # organization
Organizational Unit Name (eg, section) [Tech]:              # department
Common Name (eg, your name or your server's hostname) []:www.jll.com    # the hostname: write the name of whatever the certificate is for
Email Address []:[email protected]                         # e-mail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@station41 ssl]# ls
httpd.csr  httpd.key
The Common Name must be exactly the hostname clients will type into the browser (www.jll.com here); a mismatch makes every browser reject the certificate. Current browsers go further and require the hostname in a subjectAltName extension, which this procedure does not add, so a CN alone only satisfies older clients.
8. Back on the CA host, copy the request over (pulling it from the CA, or pushing it from the web server, either works):
[root@server21 tmp]# scp 172.16.50.5:/etc/httpd/ssl/httpd.csr ./
root@172.16.50.5's password:
httpd.csr                                     100%  688     0.7KB/s   00:00
[root@server21 tmp]# ll
total 8
-rw-r
9. The CA signs the request:
[root@server21 ~]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr  9 18:20:00 2013 GMT
            Not After : Apr  7 18:20:00 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Henan
            organizationName          = Magedu
            organizationalUnitName    = Tech
            commonName                = www.jll.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C2:94:C8:E7:A1:70:36:09:92:4F:0D:BD:42:8A:F9:5D:1F:64:32:DC
            X509v3 Authority Key Identifier:
                keyid:27:71:DB:56:8E:33:29:76:1B:D6:92:BC:5E:57:D0:AE:70:5F:BB:8A
Certificate is to be certified until Apr  7 18:20:00 2023 GMT (3650 days)
Sign the certificate? [y/n]:y                                    # confirm
1 out of 1 certificate requests certified, commit? [y/n]y        # confirm
Write out database with 1 new entries
Data Base Updated
Notice that the Locality typed into the request (zhengzhou) is missing from the issued subject. openssl ca applies the policy_match section of openssl.cnf: countryName, stateOrProvinceName and organizationName must be identical to the CA's own certificate, organizationalUnitName and emailAddress are optional, commonName must be supplied, and any field the policy does not list is silently dropped. If the web server's C, ST or O differ from the CA's, signing stops with an error of the form "The organizationName field is different between CA certificate and the request".
[root@server21 ~]# cd /etc/pki/CA/    # verify
[root@server21 CA]# ls
cacert.pem  crl  index.txt.attr  newcerts  serial
certs  index.txt  index.txt.old  private  serial.old
[root@server21 CA]# cat index.txt     # the new certificate is recorded
V   230407182000Z   01  unknown /C=CN/ST=Henan/O=Magedu/OU=Tech/CN=www.jll.com/[email protected]
[root@server21 CA]# cat serial        # the serial number has advanced
02
10. Signing is done; copy the certificate back to the web server, 172.16.50.5:
[root@server21 CA]# scp /tmp/httpd.crt 172.16.50.5:/etc/httpd/ssl/
root@172.16.50.5's password:
httpd.crt                                     100% 3822     3.7KB/s
11. Back on 172.16.50.5, check that the copy arrived:
[root@station41 ssl]# ls
httpd.crt  httpd.csr  httpd.key
12. Back on 172.16.50.4 once more, clean up the request and certificate left in /tmp:
[root@server21 CA]# cd /tmp/
[root@server21 tmp]# ls
httpd.crt  httpd.csr
[root@server21 tmp]# rm -rf httpd.c*
[root@server21 tmp]# ls
[root@server21 tmp]#
This is housekeeping rather than a security measure: the CSR and the certificate contain only public data, and openssl ca keeps its own copy of the signed certificate in /etc/pki/CA/newcerts anyway. The secrets in this setup are httpd.key, which never left the web server, and the CA key in /etc/pki/CA/private/cakey.pem, which must never be copied anywhere.
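The whole CA side of steps 3 to 9, as an added example (this is not code from the original post): a shell script that builds a throwaway CA in a scratch directory with its own openssl.cnf, so it never touches /etc/pki, issues a server certificate from a CSR, and verifies the result against the CA certificate. The directory layout and the policy_match section are the ones the page configures, and the subject fields reuse the page's values; the 2048-bit keys, the CA:TRUE and keyUsage extensions on the CA certificate, the subjectAltName on the server certificate and the scratch paths are this example's own choices. It also exercises the failure mode noted under step 9: a request whose organizationName differs from the CA's is refused.

```shell
#!/bin/sh
# Added example: a throwaway private CA built like steps 3-9 above, but in a
# scratch directory with its own openssl.cnf so /etc/pki is never touched.
# Names and subject fields are taken from the page; keys are 2048-bit (the
# page used 1024, which is too weak today).
set -u

# make_ca DIR -- layout, config, CA key and self-signed CA certificate (steps 3-6)
make_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"     # only the owner may read the CA key
    : > "$dir/index.txt"         # same as "touch index.txt"
    echo 01 > "$dir/serial"      # same as "echo 01 > serial"
    # \$dir below stays literal so openssl expands it; $dir is the real path
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca     = CA_default

[ CA_default ]
dir            = $dir
certs          = \$dir/certs
crl_dir        = \$dir/crl
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
serial         = \$dir/serial
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_match

# The policy the page's CA applies: C, ST and O must equal the CA's own,
# and fields not listed (localityName) are dropped from the issued subject,
# which is why step 9's output shows no locality.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null) || return 1
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
        -subj "/C=CN/ST=Henan/L=zhengzhou/O=Magedu/OU=Tech/CN=Magedu CA" \
        -days 3650 -extensions v3_ca -out "$dir/cacert.pem" 2>/dev/null
}

# issue_cert DIR HOST SUBJECT -- server key and CSR (step 7), CA signature (step 9),
# then chain verification. Fails if the CA policy rejects the request.
issue_cert() {
    dir=$1; host=$2; subj=$3
    (umask 077; openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null) || return 1
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/$host.key" \
        -subj "$subj" -out "$dir/$host.csr" 2>/dev/null || return 1
    # Server-certificate extensions. The SAN is the addition current browsers
    # require; the page's usr_cert section has no SAN, only the CN.
    cat > "$dir/$host.ext" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host
EOF
    openssl ca -batch -notext -config "$dir/openssl.cnf" -in "$dir/$host.csr" \
        -out "$dir/$host.crt" -days 3650 \
        -extfile "$dir/$host.ext" -extensions server_cert 2>/dev/null || return 1
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$host.crt" >/dev/null 2>&1
}

# cert_subject DIR HOST -- the subject the CA actually put into the certificate
cert_subject() {
    openssl x509 -in "$1/$2.crt" -noout -subject
}
```

Run make_ca on an empty scratch directory, then issue_cert with the server's subject string; cert_subject shows what the CA issued, which for a request carrying L=zhengzhou is the subject without the locality, exactly as in step 9. A request with a different O fails inside openssl ca, and neither serial nor index.txt changes.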
13. Set up the web server configuration
[root@station41 ~]# cd /etc/httpd/conf.d/
[root@station41 conf.d]# ls
manual.conf  proxy_ajp.conf  README  ssl.conf  welcome.conf
[root@station41 conf.d]# cp ssl.conf ssl.conf.bak    # back up the configuration file before changing it
[root@station41 conf.d]# vim ssl.conf    # edit the configuration file as in the figure, then continue with the steps below
The figure is not reproduced here. The edits to ssl.conf that the rest of this step relies on all go inside the <VirtualHost _default_:443> block mod_ssl ships: set ServerName to www.jll.com and DocumentRoot to /www/jll.com, and point SSLCertificateFile at /etc/httpd/ssl/httpd.crt and SSLCertificateKeyFile at /etc/httpd/ssl/httpd.key instead of the localhost.crt and localhost.key defaults under /etc/pki/tls.

[root@station41 conf.d]# httpd -t
Warning: DocumentRoot [/www/jll.com] does not exist    # the directory does not exist yet; just create it
Syntax OK
Create the virtual host:
vim /etc/httpd/conf.d/virtual.conf
NameVirtualHost 172.16.50.5:80
<VirtualHost 172.16.50.5:80>
    ServerName www.jll.com
    DocumentRoot "/www/jll.com"
</VirtualHost>    # this part is explained in detail in the post on Apache configuration
Note that this port-80 virtual host serves the same content in clear text; nothing here redirects clients to HTTPS.
Disable the central host:
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"    # comment this line out

[root@station41 conf.d]# mkdir /www/jll.com -pv    # create the directory
mkdir: created directory `/www'
mkdir: created directory `/www/jll.com'
[root@station41 conf.d]# httpd -t
Syntax OK
[root@station41 conf.d]# vim /www/jll.com/index.html    # write a test page
<h1>jll.com</h1>
[root@station41 conf.d]# service httpd restart    # restart the service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@station41 conf.d]# netstat -tnlp    # check that port 443 is now listening
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      7901/httpd
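The Apache side of step 13, as an added example (not from the original post): a shell script that prints the HTTPS virtual host the missing figure would show, and runs the checks worth doing before `service httpd restart`: that the certificate really belongs to the key, and that it chains to the CA and carries the hostname. The hostname and paths are the page's; the SSLProtocol and SSLCipherSuite settings are this example's own additions, and mk_test_cert is a demo-only helper that makes a self-signed certificate so the checks can be exercised without the CA from the earlier steps (in real use CACRT is /etc/pki/CA/cacert.pem copied from the CA host).

```shell
#!/bin/sh
# Added example: HTTPS virtual host for the page's www.jll.com plus the checks
# to run before restarting httpd. Paths default to nothing; the page's
# /etc/httpd/ssl/httpd.crt and httpd.key are passed in as arguments.
set -u

# write_ssl_vhost HOST DOCROOT CRT KEY -- prints the vhost block for ssl.conf
# (Listen 443 is already in the ssl.conf that mod_ssl installs; do not repeat it)
write_ssl_vhost() {
    cat <<EOF
<VirtualHost _default_:443>
    ServerName $1
    DocumentRoot "$2"
    SSLEngine on
    SSLCertificateFile $3
    SSLCertificateKeyFile $4
    # do not offer the broken protocol versions, and let the server pick the cipher
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
EOF
}

# cert_matches_key CRT KEY -- true if the public key in CRT is KEY's public key
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for CRT CACRT HOST -- true if CRT chains to CACRT and names HOST
cert_valid_for() {
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# preflight HOST DOCROOT CRT KEY CACRT -- everything that must hold before restart
preflight() {
    [ -d "$2" ] || { echo "DocumentRoot $2 does not exist" >&2; return 1; }
    cert_matches_key "$3" "$4" || { echo "$3 does not match $4" >&2; return 1; }
    cert_valid_for "$3" "$5" "$1" || { echo "$3 is not valid for $1 under $5" >&2; return 1; }
}

# mk_test_cert DIR HOST -- demo helper only: a self-signed certificate and key so
# the checks can be run without the CA from steps 3-9
mk_test_cert() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3]\nbasicConstraints = CA:TRUE\nsubjectAltName = DNS:%s\n' "$2" > "$1/req.cnf"
    openssl req -new -x509 -config "$1/req.cnf" -extensions v3 -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" -days 30 2>/dev/null
}
```

On the web server this would be `preflight www.jll.com /www/jll.com /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key /path/to/cacert.pem && service httpd restart`. The key comparison is done on the public keys rather than on RSA moduli so it also works for non-RSA keys; a missing DocumentRoot is caught the same way httpd -t caught it in the transcript above.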
14. Name resolution on the Windows client
First add to the hosts file:
172.16.50.5 www.jll.com
[root@server21 ~]# cd /etc/pki/CA/    # done on 172.16.50.4
Export /etc/pki/CA/cacert.pem to the physical (Windows) host, rename it cacert.crt,
double-click it and install it into the Trusted Root Certification Authorities store; installed anywhere else it does not make the browser trust the certificates this CA issued. Keep in mind what that does: the client will now trust any certificate signed with cakey.pem, which is one more reason to keep that key locked down.
Now www.jll.com can be opened:
https://www.jll.com, as in the figure.
That completes our CA setup.
That is a simple CA setup. Got it? It may feel a bit dizzying at first, but do it a few more times and it will come. No rush!