Implementing HTTPS for a website with httpd + OpenSSL


                        CA (issues / revokes certificates)
                        /                          \  \
            CA certificate                certificate \  \ issues
                      /                     request    \  \ certificate
                  client <------ server certificate ------ WEB

1. The web server generates an asymmetric key pair (web public key, web private key).
2. The web server builds a certificate request from its identity information + web public key and sends that request to the CA server.
3. The CA server signs the web server's certificate request with the CA's private key, which produces the web server's certificate, and issues that certificate to the web server.
4. The client visits the web server, requests an HTTPS connection, and downloads the web server's certificate.
5. The client obtains the CA certificate (CA identity information + CA public key, issued by a higher-level CA or self-signed) and uses it to verify the web server's certificate (the CA certificate carries the CA public key; the web certificate was signed with the CA private key).
6. The client and web server negotiate a symmetric cipher; the client generates a symmetric session key, encrypts it with the web public key and sends it to the web server, which decrypts it with the web private key. (This is RSA key transport. With the (EC)DHE cipher suites current TLS deployments prefer, the server's private key only signs the handshake and the session key comes from an ephemeral Diffie-Hellman exchange, so a later compromise of the server key does not expose recorded traffic.)
7. Data is transferred under the symmetric session key, with integrity checks on each record.

Now for the concrete steps.

Configuring the CA server

1. Set up the CA (172.16.1.2): generate the CA's own public/private key pair and self-sign the CA's certificate (done with the CA helper script).

On the CA server:
# vim /etc/pki/tls/openssl.cnf
dir            = /etc/CA                  # Where everything is kept    (line 45)
basicConstraints=CA:TRUE    # so the self-signed certificate is accepted (line 178)

Caution: line 178 sits in the [ usr_cert ] section, which is the default x509_extensions section that openssl ca applies to every certificate it signs. After this edit the web server certificate signed later in this article also comes out with CA:TRUE (see its Certificate Details below), meaning the web server's key could itself sign certificates that every client trusting this CA would accept. Change it back to CA:FALSE before signing server requests, or give the CA's self-signed certificate its CA:TRUE from the [ v3_ca ] section instead.

# vim /etc/pki/tls/misc/CA
CATOP=/etc/CA            # line 42

# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate …
Generating a 1024 bit RSA private key
……++++++
…………………..++++++
writing new private key to '../../CA/private/./cakey.pem'    # CA private key
Enter PEM pass phrase:123456                        # passphrase protecting the CA private key
Verifying - Enter PEM pass phrase:123456

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN                    # identity information
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:bkjia
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:CA.bkjia.com
Email Address []:[email protected]

Please enter the following ‘extra’ attributes to be sent with your
certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem:123456    # self-sign with the CA private key
Check that the request matches the signature
Signature ok
Certificate Details:
      Serial Number: 0 (0x0)
      Validity
          Not Before: Mar 5 01:40:50 2012 GMT
          Not After : Mar 5 01:40:50 2015 GMT
      Subject:
            countryName = CN
            stateOrProvinceName = BEIJING
            organizationName = bkjia
            organizationalUnitName = IT
            commonName = CA.bkjia.com
            emailAddress = [email protected]
      X509v3 extensions:
              X509v3 Basic Constraints:
                  CA:TRUE
              Netscape Comment:
                  OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
                  61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
              X509v3 Authority Key Identifier:
                  keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
Certificate is to be certified until Mar 5 01:40:50 2015 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

 

# ls /etc/CA/private/cakey.pem    # CA private key
# ls /etc/CA/cacert.pem           # CA certificate
# ls /etc/CA/careq.pem            # CA certificate request

The helper script took the key size from default_bits in the [ req ] section of openssl.cnf, which is why it produced a 1024-bit CA key above; raise that to 2048 or more before creating a CA you intend to keep.

Configuring the web server

Generate the web server's own private key

On the web server:
# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key    # -des3 encrypts the private key under a passphrase
Generating RSA private key, 512 bit long modulus
 ………++++++++++++
………………….++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:123456

Two caveats. With no size argument this openssl release defaulted to a 512-bit modulus, which can be factored cheaply today; pass an explicit size of at least 2048 bits as the last argument to genrsa. And because the key is passphrase-protected, httpd will prompt for that passphrase every time it starts (mod_ssl's SSLPassPhraseDialog directive controls how it is obtained).

Generate the certificate request (identity information + public key)
# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.


Country Name (2 letter code) [GB]:CN                       # this part must match the CA's certificate !!!
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:bkjia

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:www.bkjia.com
Email Address []:[email protected]

Please enter the following ‘extra’ attributes to be sent with your
certificate request
A challenge password []:
An optional company name []:

(The match requirement comes from the default signing policy, policy_match, in openssl.cnf: openssl ca rejects a request whose countryName, stateOrProvinceName or organizationName differs from the CA certificate; organizationalUnitName and emailAddress are optional, and commonName only has to be supplied.)

Send the certificate request to the CA
# scp /tmp/server.csr CA.bkjia.com:/tmp/

The CA server digitally signs the certificate request

On the CA server:
# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt

    /etc/CA/private/cakey.pem    (the CA's private key)
    /etc/CA/cacert.pem           (the CA's certificate)
    /tmp/server.csr              (the http server's certificate request)
    /tmp/server.crt              (name of the http server's certificate to be produced)

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
      Serial Number: 1 (0x1)
      Validity
          Not Before: Mar 5 02:20:56 2012 GMT
          Not After : Mar 5 02:20:56 2013 GMT
      Subject:
            countryName = CN
            stateOrProvinceName = BEIJING
            organizationName = bkjia
            organizationalUnitName = IT
            commonName = www.bkjia.com
            emailAddress = [email protected]
      X509v3 extensions:
          X509v3 Basic Constraints:
              CA:TRUE
          Netscape Comment:
              OpenSSL Generated Certificate
          X509v3 Subject Key Identifier:
              D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
          X509v3 Authority Key Identifier:
              keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
Certificate is to be certified until Mar 5 02:20:56 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Note the X509v3 Basic Constraints: CA:TRUE in the details above. It is inherited from the line-178 edit to the [ usr_cert ] section of openssl.cnf; a server certificate should say CA:FALSE, so fix openssl.cnf and re-sign before issuing the certificate.

Issue the signed certificate to the web server
# scp /tmp/server.crt www.bkjia.com:/etc/httpd/conf.d/

Configuring httpd with SSL support for HTTPS

On the web server:
# yum install httpd mod_ssl
# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key

Restart httpd after editing ssl.conf (it will ask for the server.key passphrase set above), then confirm that it is listening on port 443:
# netstat -tunpl | grep 443
tcp 0 0 :::443 :::* LISTEN 2000/httpd

The client downloads the CA certificate, imports it into the browser, then visits the www server

The client needs to download the CA certificate (/etc/CA/cacert.pem) and import it into the browser; when it then opens the site over https, the browser verifies that the web server's certificate was issued by that CA. In Firefox: Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Import.

Trusting the CA is only half of the check: the browser also requires the name in the certificate (commonName www.bkjia.com here) to match the host in the URL, so visit https://www.bkjia.com/ rather than the IP address, or the browser will still warn.
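The whole procedure above (CA key and self-signed CA certificate, web server key and request, CA signature, client-side verification) as one non-interactive script. This is an added example, not code from the original post or from OpenSSL's CA helper script. It applies the fixes noted in the text: 2048-bit keys, CA:FALSE on the server certificate, a subjectAltName, and a hostname check. The scratch directory $WORK, the contents of the small ca.cnf / server.cnf / server.ext files and the unencrypted CA key are assumptions made for this demo; the page's real CA lives under /etc/CA with a passphrase-protected key.

```shell
#!/bin/sh
# Added example (not code from the original post): the page's CA -> CSR ->
# signed server certificate procedure as one non-interactive script, with
# 2048-bit keys, CA:FALSE on the server certificate, a subjectAltName and a
# hostname check. $WORK, the config file contents and the unencrypted CA key
# are assumptions for this demo; the page's real CA lives under /etc/CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory standing in for /etc/CA

make_ca() {
    # Step 1: CA key pair and self-signed CA certificate (the page's CA -newca).
    # The key is left unencrypted only so the script runs without prompts.
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = v3_ca
[ ca_dn ]
C  = CN
ST = BEIJING
L  = HD
O  = bkjia
OU = IT
CN = CA.bkjia.com
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -sha256 -days 1095 -key "$WORK/cakey.pem" \
        -config "$WORK/ca.cnf" -out "$WORK/cacert.pem"
}

make_server_csr() {
    # Step 2: web server key and certificate request (genrsa + req -new).
    # C, ST and O match the CA, as openssl.cnf's policy_match demands.
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    cat > "$WORK/server.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = server_dn
[ server_dn ]
C  = CN
ST = BEIJING
L  = HD
O  = bkjia
OU = IT
CN = www.bkjia.com
EOF
    openssl req -new -sha256 -key "$WORK/server.key" \
        -config "$WORK/server.cnf" -out "$WORK/server.csr"
}

sign_server_cert() {
    # Step 3: the CA signs the request. Extensions come from an explicit file,
    # giving an end-entity certificate (CA:FALSE) with a SAN instead of the
    # CA:TRUE leaf that the page's openssl.cnf edit produces.
    cat > "$WORK/server.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.bkjia.com
EOF
    openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Checks a client, or an auditor of the CA, would run on the result.
chain_verifies() {      # true if server.crt chains to cacert.pem
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1
}
cert_matches_host() {   # $1 = hostname; true if server.crt is valid for it
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}
is_ca_cert() {          # $1 = PEM certificate; true if it carries CA:TRUE
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}
key_bits() {            # $1 = PEM RSA key; prints the modulus size in bits
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

make_ca
make_server_csr
sign_server_cert
chain_verifies && echo "server.crt chains to cacert.pem"
cert_matches_host www.bkjia.com && echo "server.crt is valid for www.bkjia.com"
is_ca_cert "$WORK/server.crt" && echo "WARNING: server.crt is a CA certificate" \
    || echo "server.crt is an end-entity certificate (CA:FALSE)"
echo "server key: $(key_bits "$WORK/server.key") bits; files are in $WORK"
```

Once server.crt and server.key are installed in ssl.conf and httpd has been restarted, the same two checks can be run against the live server from any client with the CA certificate: openssl s_client -connect www.bkjia.com:443 -CAfile /etc/CA/cacert.pem should report "Verify return code: 0 (ok)", and it will not do so for a host name the certificate does not cover.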
