仓酷云
标题:
带来一篇CentOS下使用httpd+openssl来完成网站的https
[打印本页]
作者:
仓酷云
时间:
2015-1-14 20:36
标题:
带来一篇CentOS下使用httpd+openssl来完成网站的https
欢迎大家来到仓酷云论坛!
使用httpd+openssl来完成网站的https
CA考证中央(发表/撤消证书)
/
CA证书/下发证书哀求
/证书
client<--------数字证书------WEB
1。web办事器,天生非对称加密密钥对(web公钥,web私钥)
2。web办事器利用web身份信息+web公钥天生web办事器的证书哀求,并将证书哀求发给CA办事器
3。CA办事器利用CA的私钥对web办事器的证书哀求举行数字署名失掉web办事器的数字证书,并将web办事器的数字证书发表给web办事器。
4。client会见web办事器,哀求https毗连,下载web数字证书
5。client下载CA数字证书(CA身份信息+CA公钥,由上一级CA发表,也可自署名发表),考证web数字证书(CA数字证书中有CA公钥,web数字证书是利用CA私钥署名的)
6。client与web协商对称加密算法,client天生对称加密密钥并利用web公钥加密,发送给web办事器,web办事器利用web私钥解密
7。利用对称加密密钥传输数据,并校验数据的完全性
使用httpd+openssl来完成网站的https
上面呢我们来说一下详细步调
设置CA办事器
========================================================
1.设置CA172.16.1.2天生CA本人的公钥私钥CA对本人举行证书自署名(用剧本天生)
[root@CA~]#vim/etc/pki/tls/openssl.cnf
dir=/etc/CA#Whereeverythingiskept第45行
basicConstraints=CA:TRUE#自签订的证书可使用第178行
[root@CA~]#vim/etc/pki/tls/misc/CA
CATOP=/etc/CA#第42行
[root@CA~]#/etc/pki/tls/misc/CA-newca
CAcertificatefilename(orentertocreate)
MakingCAcertificate...
Generatinga1024bitRSAprivatekey
......++++++
.......................++++++
writingnewprivatekeyto../../CA/private/./cakey.pem#私钥
EnterPEMpassphrase:123456#回护CA私钥
Verifying-EnterPEMpassphrase:123456
-----
Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificaterequest.
WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.
Therearequiteafewfieldsbutyoucanleavesomeblank
Forsomefieldstherewillbeadefaultvalue,
Ifyouenter.,thefieldwillbeleftblank.
-----
CountryName(2lettercode)[GB]:CN#身份信息
StateorProvinceName(fullname)[Berkshire]:BEIJING
LocalityName(eg,city)[Newbury]:HD
OrganizationName(eg,company)[MyCompanyLtd]:UPLOOKING
OrganizationalUnitName(eg,section)[]:IT
CommonName(eg,yournameoryourservershostname)[]:CA.uplooking.com
EmailAddress[]:CA@uplooking.com
Pleaseenterthefollowingextraattributestobesentwithyourcertificaterequest
Achallengepassword[]:
Anoptionalcompanyname[]:
Usingconfigurationfrom/etc/pki/tls/openssl.cnf
Enterpassphrasefor../../CA/private/./cakey.pem:123456#利用私钥自署名
Checkthattherequestmatchesthesignature
Signatureok
CertificateDetails:
SerialNumber:0(0x0)
Validity
NotBefore:Mar501:40:502012GMT
NotAfter:Mar501:40:502015GMT
Subject:
countryName=CN
stateOrProvinceName=BEIJING
organizationName=UPLOOKING
organizationalUnitName=IT
commonName=CA.uplooking.com
emailAddress=CA@uplooking.com
X509v3extensions:
X509v3BasicConstraints:
CA:TRUE
NetscapeComment:
OpenSSLGeneratedCertificate
X509v3SubjectKeyIdentifier:
61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
X509v3AuthorityKeyIdentifier:
keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
CertificateistobecertifieduntilMar501:40:502015GMT(1095days)
Writeoutdatabasewith1newentries
DataBaseUpdated
[root@CA~]#ls/etc/CA/private/cakey.pem#CA私钥
[root@CA~]#ls/etc/CA/cacert.pem#CA证书
[root@CA~]#ls/etc/CA/careq.pem#CA证书哀求
设置web办事器
===============================================================
web天生本人的私钥
[root@www~]#opensslgenrsa-des3-out/etc/httpd/conf.d/server.key#利用des3回护私钥
GeneratingRSAprivatekey,512bitlongmodulus
.........++++++++++++
......................++++++++++++
eis65537(0x10001)
Enterpassphrasefor/etc/httpd/conf.d/server.key:123456
Verifying-Enterpassphrasefor/etc/httpd/conf.d/server.key:123456
天生证书哀求(利用身份标识+公钥)
[root@www~]#opensslreq-new-key/etc/httpd/conf.d/server.key-out/tmp/server.csr
Enterpassphrasefor/etc/httpd/conf.d/server.key:123456
Youareabouttobeaskedtoenterinformationthatwillbeincorporatedintoyourcertificate
request.
WhatyouareabouttoenteriswhatiscalledaDistinguishedNameoraDN.
Therearequiteafewfieldsbutyoucanleavesomeblank
Forsomefieldstherewillbeadefaultvalue,
Ifyouenter.,thefieldwillbeleftblank.
-----
-------------------------------------------------------------------------------
CountryName(2lettercode)[GB]:CN#这局部信息要与CA分歧!!!
StateorProvinceName(fullname)[Berkshire]:BEIJING
LocalityName(eg,city)[Newbury]:HD
OrganizationName(eg,company)[MyCompanyLtd]:UPLOOKING
OrganizationalUnitName(eg,section)[]:IT
-------------------------------------------------------------------------------
CommonName(eg,yournameoryourservershostname)[]:www.uplooking.com
EmailAddress[]:www@uplooking.com
Pleaseenterthefollowingextraattributestobesentwithyourcertificaterequest
Achallengepassword[]:
Anoptionalcompanyname[]:
将证书哀求发送给CA
[root@www~]#scp/tmp/server.csrCA.uplooking.com:/tmp/
CA办事器对质书哀求举行数字署名
=============================================================================
[root@CA~]#opensslca-keyfile/etc/CA/private/cakey.pem-cert/etc/CA/cacert.pem-in/tmp/server.csr-out/tmp/server.crt
/etc/CA/private/cakey.pem(这是ca的私钥)
/tmp/server.csr(httpserver的证书哀求文件)
/etc/CA/cacert.pem(ca的证书)
/tmp/server.crt(天生的httpserver的证书的名字)
Usingconfigurationfrom/etc/pki/tls/openssl.cnf
Enterpassphrasefor/etc/CA/private/cakey.pem:
Checkthattherequestmatchesthesignature
Signatureok
CertificateDetails:
SerialNumber:1(0x1)
Validity
NotBefore:Mar502:20:562012GMT
NotAfter:Mar502:20:562013GMT
Subject:
countryName=CN
stateOrProvinceName=BEIJING
organizationName=UPLOOKING
organizationalUnitName=IT
commonName=www.uplooking.com
emailAddress=www@uplooking.com
X509v3extensions:
X509v3BasicConstraints:
CA:TRUE
NetscapeComment:
OpenSSLGeneratedCertificate
X509v3SubjectKeyIdentifier:
D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
X509v3AuthorityKeyIdentifier:
keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
CertificateistobecertifieduntilMar502:20:562013GMT(365days)
Signthecertificate?[y/n]:y
1outof1certificaterequestscertified,commit?[y/n]y
Writeoutdatabasewith1newentries
DataBaseUpdated
将署名后的数字证书发表给web
[root@CA~]#scp/tmp/server.crtwww.uplooking.com:/etc/httpd/conf.d/
设置web撑持ssl完成https
==========================================================
[root@www~]#yuminstallhttpdmod_ssl
[root@www~]#vim/etc/httpd/conf.d/ssl.conf
SSLCertificateFile/etc/httpd/conf.d/server.crt
SSLCertificateKeyFile/etc/httpd/conf.d/server.key
[root@www~]#netstat-tunpl|grep443
tcp00:::443:::*LISTEN2000/httpd
Client下载CA证书并导进到扫瞄器,然后会见www办事器
==================================================================================
client必要下载CA证书并导进扫瞄器,利用https会见web,扫瞄器考证web数字证书是不是由CA发表翻开firefox,编纂------>首选项----->初级---->加密----->检察证书------>导进
假如另有不分明怎样临盆openssl证书的能够往看下我的这篇文章:
http://sangh.blog.51cto.com/6892345/1355878
如果您觉得本篇CentOSLinux教程讲得好,请记得点击右边漂浮的分享程序,把好文章分享给你的好朋友们!
作者:
再现理想
时间:
2015-1-16 21:03
标题:
带来一篇CentOS下使用httpd+openssl来完成网站的https
掌握在Linux系统中安装软件,在安装Linux工具盘后大致日常所需的软件都会有,一般网络提供下载的软件都会有安装说明。
作者:
不帅
时间:
2015-1-24 16:11
首先Linux是开源的,这也是最主要的原因,想学windows,Unix,对不起我们没源代码。也正是因为这样,Linux才能够像滚雪球一样越滚越大,发展到现在这种规模。
作者:
简单生活
时间:
2015-2-2 11:37
在系统检测不到与Linux兼容的显卡,那么此次安装就可能不支持图形化界面安装,而只能用文本模式安装等等。
作者:
只想知道
时间:
2015-2-7 21:17
我想即使Linux高手也很难快速准确精练的回答你。
作者:
若天明
时间:
2015-2-23 23:12
直到学习Linux这门课以后,我才知道,原来我错了。?
作者:
乐观
时间:
2015-3-7 11:45
直到学习Linux这门课以后,我才知道,原来我错了。?
作者:
爱飞
时间:
2015-3-15 07:28
硬盘安装及光盘安装,清楚了解安装Linux应注意的有关问题,如安装Linux应在最后一个分区内,至少分二个分区。
作者:
山那边是海
时间:
2015-3-21 23:32
如果你想深入学习Linux,看不懂因为文档实在是太难了。写的最好的、最全面的文档都是英语写的,最先发布的技术信息也都是用英语写的。
欢迎光临 仓酷云 (http://ckuyun.com/)
Powered by Discuz! X3.2