Welcome to the 仓酷云 forum! Using httpd + openssl to implement HTTPS for a website
[Figure: the three parties. A CA verification center (issues / revokes certificates) sits at the top; the client fetches the CA certificate from it, the web server sends it a certificate request and gets the issued certificate back; the client then obtains the web server's certificate directly from the web server: client <-------- digital certificate -------- WEB]
1. The web server generates an asymmetric key pair (web public key, web private key).
2. The web server combines its identity information with its public key to produce the web server's certificate request, and sends that request to the CA server.
3. The CA server digitally signs the web server's certificate request with the CA's private key, which yields the web server's digital certificate, and issues that certificate to the web server.
4. The client connects to the web server, requests an HTTPS connection, and downloads the web server's digital certificate.
5. The client downloads the CA's digital certificate (CA identity information + CA public key, issued by a higher-level CA or self-signed) and verifies the web server's digital certificate with it (the CA certificate contains the CA public key; the web server's certificate was signed with the CA private key).
6. The client and the web server negotiate a symmetric encryption algorithm; the client generates a symmetric key, encrypts it with the web public key and sends it to the web server, which decrypts it with the web private key.
7. Data is transferred under the symmetric key, and its integrity is checked.
Using httpd + openssl to implement HTTPS for a website
Below we go through the detailed steps.
Set up the CA server
========================================================
1. Configure the CA (172.16.1.2): generate the CA's own public and private key, and have the CA self-sign its own certificate (done with the CA script).
[root@CA ~]# vim /etc/pki/tls/openssl.cnf
dir             = /etc/CA              # Where everything is kept   (line 45)
basicConstraints=CA:TRUE               # the self-signed certificate can be used (line 178)
[root@CA ~]# vim /etc/pki/tls/misc/CA
CATOP=/etc/CA                          # line 42
[root@CA ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
.......................++++++
writing new private key to '../../CA/private/./cakey.pem'      # the CA private key
Enter PEM pass phrase: 123456                                  # protects the CA private key
Verifying - Enter PEM pass phrase: 123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN                           # identity information
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:UPLOOKING
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:CA.uplooking.com
Email Address []:CA@uplooking.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem: 123456     # self-sign with the CA private key
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Mar  5 01:40:50 2012 GMT
            Not After : Mar  5 01:40:50 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = UPLOOKING
            organizationalUnitName    = IT
            commonName                = CA.uplooking.com
            emailAddress              = CA@uplooking.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
            X509v3 Authority Key Identifier:
                keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
Certificate is to be certified until Mar  5 01:40:50 2015 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[root@CA ~]# ls /etc/CA/private/cakey.pem      # CA private key
[root@CA ~]# ls /etc/CA/cacert.pem             # CA certificate
[root@CA ~]# ls /etc/CA/careq.pem              # CA certificate request
Configure the web server
===============================================================
The web server generates its own private key
[root@www ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key    # protect the private key with des3
Generating RSA private key, 512 bit long modulus
.........++++++++++++
......................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
Generate the certificate request (identity information + public key)
[root@www ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
-------------------------------------------------------------------------------
Country Name (2 letter code) [GB]:CN                           # these fields must match the CA's!!!
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:UPLOOKING
Organizational Unit Name (eg, section) []:IT
-------------------------------------------------------------------------------
Common Name (eg, your name or your server's hostname) []:www.uplooking.com
Email Address []:www@uplooking.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send the certificate request to the CA
[root@www ~]# scp /tmp/server.csr CA.uplooking.com:/tmp/
The CA server digitally signs the certificate request
=============================================================================
[root@CA ~]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt
/etc/CA/private/cakey.pem   (the CA's private key)
/tmp/server.csr             (the HTTP server's certificate request file)
/etc/CA/cacert.pem          (the CA's certificate)
/tmp/server.crt             (the name of the HTTP server certificate to be produced)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  5 02:20:56 2012 GMT
            Not After : Mar  5 02:20:56 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = UPLOOKING
            organizationalUnitName    = IT
            commonName                = www.uplooking.com
            emailAddress              = www@uplooking.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
            X509v3 Authority Key Identifier:
                keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
Certificate is to be certified until Mar  5 02:20:56 2013 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Issue the signed digital certificate to the web server
[root@CA ~]# scp /tmp/server.crt www.uplooking.com:/etc/httpd/conf.d/
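The CA, request and signing steps above, replayed as an added example (not from the original post) in a scratch directory, followed by the checks a client performs on the result: that server.crt chains to cacert.pem for the host name, and that the server certificate is a leaf (CA:FALSE) rather than carrying the CA:TRUE that the post's openssl.cnf edit put into its server.crt output. It assumes 2048-bit RSA keys, unencrypted keys (the post protects them with a pass phrase) and a throwaway config written by the script; the DN values are the post's own.

```shell
# Added example, not from the original post: replays the CA -> CSR -> signed
# server certificate flow in a scratch directory, then runs the checks a client
# performs. Key size, scratch paths and unencrypted keys are assumptions.
set -eu
WORK=$(mktemp -d)

# Minimal config: a CA section (CA:TRUE) and a leaf section (CA:FALSE). The
# post's openssl.cnf edit at line 178 set CA:TRUE for every issued certificate,
# which is why its server.crt came out with CA:TRUE as well.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.uplooking.com
EOF

# Step 1 (CA side): key pair plus self-signed CA certificate, as CA -newca did.
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1095 \
  -config "$WORK/ca.cnf" -extensions v3_ca \
  -subj "/C=CN/ST=BEIJING/L=HD/O=UPLOOKING/OU=IT/CN=CA.uplooking.com" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
# Step 2 (web side): server key and certificate request (genrsa + req -new).
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -key "$WORK/server.key" -config "$WORK/ca.cnf" \
  -subj "/C=CN/ST=BEIJING/L=HD/O=UPLOOKING/OU=IT/CN=www.uplooking.com" \
  -out "$WORK/server.csr"
# Step 3 (CA side): sign the request; the leaf extensions come from v3_leaf.
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
  -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 -sha256 \
  -extfile "$WORK/ca.cnf" -extensions v3_leaf -out "$WORK/server.crt" 2>/dev/null

# Steps 4-5 (client side): does server.crt chain to cacert.pem for this host?
chain_ok() {
  openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
    "$WORK/server.crt" >/dev/null 2>&1
}
# A certificate carrying CA:TRUE can itself sign certificates that every client
# trusting this CA will accept; a web server certificate must not carry it.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

chain_ok www.uplooking.com && echo "server.crt verifies for www.uplooking.com"
is_ca_cert "$WORK/server.crt" || echo "server.crt is a leaf certificate (CA:FALSE)"
```

Run the same two checks against the real /etc/CA/cacert.pem and /etc/httpd/conf.d/server.crt to confirm what the CA actually issued.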
Configure the web server to support SSL and serve HTTPS
==========================================================
[root@www ~]# yum install httpd mod_ssl
[root@www ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
[root@www ~]# netstat -tunpl | grep 443
tcp        0      0 :::443          :::*          LISTEN      2000/httpd
The client downloads the CA certificate, imports it into the browser, and then accesses the www server
==================================================================================
The client needs to download the CA certificate and import it into the browser, then access the web server over HTTPS; the browser verifies whether the web server's digital certificate was issued by that CA. In Firefox: Edit ------> Preferences -----> Advanced ----> Encryption -----> View Certificates ------> Import.
If you are still unclear about how to generate openssl certificates, have a look at this article of mine:
http://sangh.blog.51cto.com/6892345/1355878