
Using httpd + OpenSSL to implement HTTPS for a website

                        CA (issues / revokes certificates)
                            /                    \ \
            CA certificate /          issues      \ \  certificate
                          /           certificate  \ \ request
                    client <------ digital certificate ------ WEB

1. The web server generates an asymmetric key pair (web public key, web private key).

2. The web server builds a certificate request from its identity information + the web public key, and sends the request to the CA server.

3. The CA server signs the web server's certificate request with the CA private key, producing the web server's digital certificate, and issues that certificate to the web server.

4. The client visits the web server, requests an HTTPS connection, and downloads the web server's digital certificate.

5. The client downloads the CA's digital certificate (CA identity information + CA public key, issued by a higher-level CA or self-signed) and uses it to verify the web server's digital certificate (the CA certificate carries the CA public key; the web certificate was signed with the CA private key).

6. The client and the web server negotiate a symmetric cipher; the client generates a symmetric key, encrypts it with the web public key and sends it to the web server, which decrypts it with the web private key.

7. Data is transferred under the symmetric key, and its integrity is checked.

The concrete steps follow.

Configuring the CA server

======================================================== 

1. Configure the CA (172.16.1.2): generate the CA's own public and private key and let the CA self-sign its own certificate (done with the CA script).

[root@CA ~]# vim /etc/pki/tls/openssl.cnf 

dir             = /etc/CA                  # Where everything is kept      (line 45) 

basicConstraints=CA:TRUE     # lets the self-signed certificate be used   (line 178)

[root@CA ~]# vim /etc/pki/tls/misc/CA

CATOP=/etc/CA            # line 42

[root@CA ~]# /etc/pki/tls/misc/CA -newca 

CA certificate filename (or enter to create) 

Making CA certificate ... 

Generating a 1024 bit RSA private key 

......++++++ 

.......................++++++ 

writing new private key to '../../CA/private/./cakey.pem'     # private key 

Enter PEM pass phrase:123456                         # protects the CA private key

Verifying - Enter PEM pass phrase:123456 

----- 

You are about to be asked to enter information that will be incorporated into your certificate request. 

What you are about to enter is what is called a Distinguished Name or a DN. 

There are quite a few fields but you can leave some blank 

For some fields there will be a default value, 

If you enter '.', the field will be left blank.

Country Name (2 letter code) [GB]:CN                     # identity information 

State or Province Name (full name) [Berkshire]:BEIJING 

Locality Name (eg, city) [Newbury]:HD 

Organization Name (eg, company) [My Company Ltd]:UPLOOKING 

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:CA.uplooking.com 

Email Address []:[email protected] 

Please enter the following 'extra' attributes to be sent with your certificate request 

A challenge password []: 

An optional company name []: 

Using configuration from /etc/pki/tls/openssl.cnf 

Enter pass phrase for ../../CA/private/./cakey.pem:123456     # self-sign with the private key 

Check that the request matches the signature 

Signature ok 

Certificate Details: 

       Serial Number: 0 (0x0) 

       Validity 

           Not Before: Mar 5 01:40:50 2012 GMT 

           Not After : Mar 5 01:40:50 2015 GMT 

       Subject:

           countryName = CN

           stateOrProvinceName = BEIJING

           organizationName = UPLOOKING

           organizationalUnitName = IT

           commonName = CA.uplooking.com

           emailAddress = [email protected] 

       X509v3 extensions: 

               X509v3 Basic Constraints: 

                   CA:TRUE 

               Netscape Comment: 

                   OpenSSL Generated Certificate 

               X509v3 Subject Key Identifier: 

                   61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3 

               X509v3 Authority Key Identifier:             

                   keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3 

Certificate is to be certified until Mar 5 01:40:50 2015 GMT (1095 days) 

Write out database with 1 new entries 

Data Base Updated 

[root@CA ~]# ls /etc/CA/private/cakey.pem     # CA private key

[root@CA ~]# ls /etc/CA/cacert.pem         # CA certificate 

[root@CA ~]# ls /etc/CA/careq.pem         # CA certificate request 

Configuring the web server 

===============================================================

The web server generates its own private key 

[root@www ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key         # protect the private key with des3 

Generating RSA private key, 512 bit long modulus

.........++++++++++++ 

......................++++++++++++ 

e is 65537 (0x10001) 

Enter pass phrase for /etc/httpd/conf.d/server.key:123456 

Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:123456 

Generate the certificate request (identity information + public key) 

[root@www ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr 

You are about to be asked to enter information that will be incorporated into your certificate request.

If you enter '.', the field will be left blank. 

------------------------------------------------------------------------------- 

Country Name (2 letter code) [GB]:CN                         # these fields must match the CA's !!!

Organizational Unit Name (eg, section) []:IT 

Common Name (eg, your name or your server's hostname) []:www.uplooking.com 

Email Address []:[email protected] 

Send the certificate request to the CA 

[root@www ~]# scp /tmp/server.csr CA.uplooking.com:/tmp/ 

The CA server signs the certificate request 

=============================================================================  

[root@CA ~]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt

   /etc/CA/private/cakey.pem     (the CA's private key) 

   /tmp/server.csr               (the httpd server's certificate request file) 

   /etc/CA/cacert.pem            (the CA's certificate) 

   /tmp/server.crt               (name of the certificate generated for the httpd server) 

Enter pass phrase for /etc/CA/private/cakey.pem: 

       Serial Number: 1 (0x1) 

           Not Before: Mar 5 02:20:56 2012 GMT

           Not After : Mar 5 02:20:56 2013 GMT 

           commonName = www.uplooking.com

           emailAddress = [email protected] 

           X509v3 Basic Constraints: 

               CA:TRUE 

           Netscape Comment: 

               OpenSSL Generated Certificate 

           X509v3 Subject Key Identifier: 

               D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8 

           X509v3 Authority Key Identifier: 

               keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3 

Certificate is to be certified until Mar 5 02:20:56 2013 GMT (365 days) 

Sign the certificate? [y/n]:y 

1 out of 1 certificate requests certified, commit? [y/n]y 

Issue the signed digital certificate to the web server 

[root@CA ~]# scp /tmp/server.crt www.uplooking.com:/etc/httpd/conf.d/ 

Configure the web server with SSL support to serve HTTPS 

========================================================== 

[root@www ~]# yum install httpd mod_ssl 

[root@www ~]# vim /etc/httpd/conf.d/ssl.conf 

SSLCertificateFile /etc/httpd/conf.d/server.crt 

SSLCertificateKeyFile /etc/httpd/conf.d/server.key 

[root@www ~]# netstat -tunpl | grep 443 

tcp 0 0 :::443 :::* LISTEN 2000/httpd 

The client downloads the CA certificate, imports it into the browser, and then visits the www server

==================================================================================

The client needs to download the CA certificate and import it into the browser, then access the web server over https; the browser verifies whether the web server's digital certificate was issued by the CA. In Firefox: Edit ------> Preferences -----> Advanced ----> Encryption -----> View Certificates ------> Import

If you are still unsure how to generate OpenSSL certificates, have a look at this article of mine:
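The whole procedure above, scripted without the interactive prompts and followed by the checks worth running before pointing SSLCertificateFile at the result, as an added example that is not part of the original post. It verifies the server certificate against the CA certificate (what the browser does in the last step), confirms the issued leaf is not itself a CA, and confirms the certificate matches the private key. It assumes the openssl command line tool; the host names come from the post, while the working directory, the config snippets and the function names are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: the post's CA -> CSR -> signed
# server certificate flow without interactive prompts, plus the checks to run
# before installing the result into httpd. Assumes the openssl CLI is present;
# the directory, config snippets and function names are constructed here.
set -e
PKI=${PKI:-${TMPDIR:-/tmp}/pki-demo}

make_pki() {
    mkdir -p "$PKI" && cd "$PKI"
    # CA:TRUE belongs in the CA's own certificate only (cf. [v3_ca] in openssl.cnf).
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
        '[dn]' 'C=CN' 'ST=BEIJING' 'O=UPLOOKING' 'OU=IT' 'CN=CA.uplooking.com' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > ca.cnf
    # Step 1 of the post: CA key and self-signed CA cert (2048-bit RSA, not 1024).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -config ca.cnf \
        -keyout cakey.pem -out cacert.pem 2>/dev/null
    # Steps 2-3: server key (2048-bit, not 512), CSR, and the CA signing it.
    # The extfile pins the leaf to CA:FALSE; the post's transcript shows CA:TRUE on
    # the server certificate, which would let the web server's key act as a sub-CA.
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -config ca.cnf -out server.csr \
        -subj "/C=CN/ST=BEIJING/O=UPLOOKING/OU=IT/CN=www.uplooking.com"
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:www.uplooking.com' > srv.ext
    openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -days 365 -extfile srv.ext -out server.crt 2>/dev/null
}

# Step 5, as the browser does it after importing cacert.pem: prints "<path>: OK".
verify_chain() {
    openssl verify -CAfile "$PKI/cacert.pem" "$PKI/server.crt" | tail -1
}

# Prints the leaf's basicConstraints value; anything but CA:FALSE is a finding.
leaf_basic_constraints() {
    openssl x509 -in "$PKI/server.crt" -noout -text |
        grep -A1 'Basic Constraints' | tail -1 | tr -d ' '
}

# httpd refuses to start if SSLCertificateFile and SSLCertificateKeyFile disagree.
key_matches_cert() {
    [ "$(openssl x509 -in "$PKI/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$PKI/server.key" -pubout)" ] && echo match || echo mismatch
}

if [ "${1:-}" = run ]; then
    make_pki; verify_chain; leaf_basic_constraints; key_matches_cert
fi
```

Run it as `sh pki-demo.sh run`; the three checks should print the certificate path followed by OK, CA:FALSE, and match.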

This article is reposted from Devin's 51CTO blog; original link: http://blog.51cto.com/devingeng/1384464