安全工具ssl

如何實現ssl

1、要想使我們的web服務器支持ssl的功能，第一步需要安裝ssl的模塊
yum install mod_ssl -y   #安裝在172.16.50.5上
2、提供CA，CA自簽證書讓我們的服務器生成一段密鑰，把公鑰發送給服務器端，讓服務器端實現簽名
在這裏我們使用兩臺主機來實現CA，它們的IP地址分別爲
172.16.50.5，172.16.50.4，讓172.16.50.4作爲CA
3、生成一個私鑰（這是在172.16.50.4上生成的） 如圖1

圖1

4、生成自簽證書     #如圖2
在生成自簽證書時它會讓我們填很多的信息，填起來很煩人，但是他也有默認信息，我們只有修改
一下它的默認選項，下次再用時就不用填了
vim /etc/pki/tls/openssl.cnf   #編輯配置文件
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN   #默認國家名
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Henan   #默認省份

localityName                    = Locality Name (eg, city)
localityName_default            = zhengzhou   #默認城市名

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Magedu   #組織名稱

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Tech   #部門名稱
好了，現在我們來生成自簽證書

圖2

5、這裏我們還要改一下配置文件中我們生成自簽證書的路徑
vim /etc/pki/tls/openssl.cnf
[ CA_default ]

dir             = /etc/pki/CA  路徑位置 # Where everything is kept
certs           = $dir/certs 生成證書的位置 # Where the issued certs are kept
crl_dir         = $dir/crl  證書吊銷列表的位置  # Where the issued crl are kept
database        = $dir/index.txt 簽訂的證書放在這個索引文件中# database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts 新籤的證書的位置 # default place for new certs.

certificate     = $dir/cacert.pem CA證書      # The CA certificate
serial          = $dir/serial 序列號          # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem生成的私鑰# The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert
6、好了配置文件改好，接下來準備CA需要的目錄和文件（注意這些工作是在CA目錄下完成的）
[root@server21 CA]# mkdir certs crl newcerts   #創建目錄
[root@server21 CA]# touch index.txt    #創建文件
[root@server21 CA]# echo 01 > serial    #序列號
[root@server21 CA]# ls    #查看生成的目錄及文件
cacert.pem  certs  crl  index.txt  newcerts  private  serial
現在CA就可以用了，那麼接下來如果有人需要用到證書，他只需要申請一對密鑰、並把他
的申請放到我們這裏，並生成一個證書籤署請求，把請求發到我們的服務器上來簽署就可以了
7、回到我們的服務器端（172.16.50.5）
如果剛纔那個證書就是給我們的web服務器用的，因此我們需要把證書放在/etc/httpd/
[root@station41 httpd]# cd /etc/httpd/
[root@station41 httpd]# cd
[root@station41 ~]# cd /etc/httpd/
[root@station41 httpd]# ls
conf  conf.d  logs  modules  run
[root@station41 httpd]# mkdir ssl -pv
mkdir: created directory `ssl'
[root@station41 httpd]# cd ssl/
#生成一對密鑰，把公鑰包裝成證書籤署請求發送給服務器
[root@station41 ssl]# (umask 077; openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
..........................++++++
..............................++++++
e is 65537 (0x10001)
#生成證書頒發請求
[root@station41 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:國家
State or Province Name (full name) [Henan]:省份
Locality Name (eg, city) [Zhengzhou]:zhengzhou城市
Organization Name (eg, company) [MagEdu]:Magedu組織機構
Organizational Unit Name (eg, section) [Tech]: 部門
Common Name (eg, your name or your server's hostname) []:www.jll.com 主機名，你給誰用就寫誰
Email Address []:[email protected]    #郵件

Pleaseenter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@station41 ssl]# ls
httpd.csr  httpd.key
8、返回CA主機，把剛纔的複製過來，或者直接在服務器端傳送，都可以
[root@server21 tmp]# scp 172.16.50.5:/etc/httpd/ssl/httpd.csr ./
[email protected]'s password:
httpd.csr                                                     100%  688     0.7KB/s   00:00
[root@server21 tmp]# ll
total 8
-rw-r--r-- 1 root root 688 Apr 10 02:15 httpd.csr
9、CA簽署
[root@server21 ~]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr  9 18:20:00 2013 GMT
            Not After : Apr  7 18:20:00 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Henan
            organizationName          = Magedu
            organizationalUnitName    = Tech
            commonName                = www.jll.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C2:94:C8:E7:A1:70:36:09:92:4F:0D:BD:42:8A:F9:5D:1F:64:32:DC
            X509v3 Authority Key Identifier:
                keyid:27:71:DB:56:8E:33:29:76:1B:D6:92:BC:5E:57:D0:AE:70:5F:BB:8A
Certificate is to be certified until Apr  7 18:20:00 2023 GMT (3650 days)
Sign the certificate? [y/n]:y  #確定
1 out of 1 certificate requests certified, commit? [y/n]y  #確定
Write out database with 1 new entries
Data Base Updated
[root@server21 ~]# cd /etc/pki/CA/  #驗證
[root@server21 CA]# ls
cacert.pem  crl        index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old   private   serial.old
[root@server21 CA]# cat index.txt  #查看
V   230407182000Z       01  unknown /C=CN/ST=Henan/O=Magedu/OU=Tech/CN=www.jll.com/[email protected]
[root@server21 CA]# cat serial   #查看序列號
02
10、簽署完成，把證書複製給172.16.50.4即可
root@server21 CA]# scp /tmp/httpd.crt 172.16.50.5:/etc/httpd/ssl/
[email protected]'s password:
httpd.crt                                                     100% 3822     3.7KB/s
11、回到172.16.50.5
查看是否複製成功
[root@station41 ssl]# ls
httpd.crt  httpd.csr  httpd.key
12、再回到172.16.50.4
此時爲了安全起見我們應該刪除tmp下安全性文件，以防別人獲取你的安全信息
[root@server21 CA]# cd /tmp/
[root@server21 tmp]# ls
httpd.crt  httpd.csr
[root@server21 tmp]# rm -rf httpd.c*
[root@server21 tmp]# ls
[root@server21 tmp]#
13、創建工作環境
[root@station41 ~]# cd /etc/httpd/conf.d/
[root@station41 conf.d]# ls
manual.conf  proxy_ajp.conf  README  ssl.conf  welcome.conf
[root@station41 conf.d]# cp ssl.conf ssl.conf.bak  #修改配置文件前先備份一份
[root@station41 conf.d]# vim ssl.conf   #修改配置文件，如圖，修改完成後在進行下面的工作




[root@station41 conf.d]# httpd -t
Warning: DocumentRoot [/www/jll.com] does not exist   #目錄不存在，創建一下即可
Syntax OK
創建虛擬主機
vim /etc/httpd/conf.d/virtual.conf
 NameVirtualHost 172.16.50.5:80
<VirtualHost 172.16.50.5:80>
 ServerName www.jll.com
 DocumentRoot "/www/jll.com"
</VirtualHost>     #這部分知識在博文apache的配置中有詳細介紹
取消中心主機
vim /etc/httpd/conf/httpd.conf
DocumentRoot "/var/www/html"    #將此行註釋掉

[root@station41 conf.d]# mkdir /www/jll.com -pv  #創建目錄
mkdir: created directory `/www'
mkdir: created directory `/www/jll.com'
[root@station41 conf.d]# httpd -t
Syntax OK
[root@station41 conf.d]# vim /www/jll.com/index.html   #編輯一下文檔
<h1>jll.com</h1>
[root@station41 conf.d]# service httpd restart   #重啓服務
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@station41 conf.d]# netstat -tnlp   #查看監聽的443端口是否啓動
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      7901/httpd
14、在windows上使用主機名解析
首先在hosts文件中添加
172.16.50.5 www.jll.com
[root@server21 ~]# cd /etc/pki/CA/    #在172.16.50.4上完成的操作
將此/etc/pki/httpd/cacert.pem導出到物理主機上,並重命名爲cacert.crt
雙擊並安裝
此時在訪問www.jll.com就可以了
https://www.jll.com 如圖

到此我們的CA認證就做好了

 

這就是簡單的CA認證，你會了嗎？可能會有一種暈的感覺，嘿嘿，多做幾遍就可以了，不要急哦！