<b>SSL</b><b>的實作過程</b>
<a href="http://blog.51cto.com/attachment/201304/212341879.png" target="_blank"></a>
首先,用戶端與伺服器端進行三次握手。(因為http基于TCP/IP協定進行通信),然後他們建立SSL會話,協商要使用的加密算法,當協商完成之後。伺服器端就會将自己的證書發送給用戶端,用戶端驗證發現沒有問題之後,就會生成一個對稱密鑰發送給伺服器端,然後用戶端就發送請求給伺服器端,伺服器端便會使用剛剛用戶端發來的對稱密鑰加密将内容發送給用戶端。這樣ssl會話就建立起來了。
但是,用戶端如何驗證伺服器的證書是否真實呢,那麼便需要一個CA:第三方證書頒發機構給我們的伺服器端頒發證書。是以用戶端便可以到CA去驗證伺服器端的證書。
這時候的CA,應該自己有一份證書儲存在用戶端這邊,并且這段證書是自簽的。(用以用戶端可以到CA去驗證伺服器端的證書。)
那麼伺服器端如何到CA讓CA給自己搞一份證書呢:首先伺服器端先生成一份密鑰,将公鑰交給CA,由CA對它簽署并生成證書,儲存一份并回送給伺服器端。伺服器對其進行配置使用,然後在通話過後就可以将證書發送給用戶端,用戶端詢問CA在進行驗證。
<b>①前提:</b>
要想使你的web伺服器支援ssl功能,第一步得安裝SSL子產品
[root@Cyz ~]# yum install mod_ssl
//檢視都安裝了什麼
[root@Cyz ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf //說明是配置檔案,更改配置需要重新開機
/usr/lib/httpd/modules/mod_ssl.so
/var/cache/mod_ssl //緩存目錄
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
<b>②提供CA</b>
重新找台主機,用這台主機做我們的CA:這台主機的IP為111.9
<a href="http://blog.51cto.com/attachment/201304/212603552.png" target="_blank"></a>
要想做CA,首先得生成自簽證書,:
[root@localhost ~]# cd /etc/pki/CA/
//生成私鑰
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
//umask為了生成時權限其他使用者無權限通路 –out表示路徑)
Generating RSA private key, 2048 bit long modulus
.......................................+++
........................+++
e is 65537 (0x10001)
//檢視權限
[root@localhost CA]# ls -l private/
total 8
-rw------- 1 root root 1679 Apr 10 16:15 cakey.pem //600的權限
//然後去修改配置檔案中的預設資訊,将其改為我們通常使用的
[root@localhost CA]# vim ../tls/openssl.cnf
<a href="http://blog.51cto.com/attachment/201304/212726313.png" target="_blank"></a>
//為自己生成自簽證書
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
//然後繼續編輯openssl.cnf找到
[ CA_default ]
dir = /etc/pki/CA//改為這樣子
//然後建立
[root@localhost CA]# mkdir certs crl newcerts
[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# ls
cacert.pem certs crl index.txt newcerts private serial
//這個時候就已經準備好了CA就可以使用了
這個時候回到我們的用戶端111.1
[root@Cyz ~]# cd /etc/httpd/ //儲存在這裡
[root@Cyz httpd]# mkdir ssl
[root@Cyz httpd]# ls
conf conf.d logs modules run ssl
[root@Cyz httpd]# cd ssl/
[root@Cyz ssl]# ls
[root@Cyz ssl]# (umask 077; openssl genrsa 1024 > httpd.key) //生成密鑰
Generating RSA private key, 1024 bit long modulus
................................++++++
.....................................................++++++
[root@Cyz ssl]# ll
-rw------- 1 root root 887 Apr 10 16:33 httpd.key
[root@Cyz ssl]# openssl req -new -key httpd.key -out httpd.csr //生成證書頒發請求
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Henan
Locality Name (eg, city) [Newbury]:Zhengzhou
Organization Name (eg, company) [My Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:hello.magedu.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
httpd.csr httpd.key
[root@Cyz ssl]# scp httpd.csr 172.16.111.9:/tmp //将csr(證書簽署請求)複制到CA
The authenticity of host '172.16.111.9 (172.16.111.9)' can't be established.
RSA key fingerprint is 44:0a:1f:77:7f:cb:df:09:a8:8d:ac:23:47:b3:a8:99.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.111.9' (RSA) to the list of known hosts.
[email protected]'s password:
httpd.csr 100% 704 0.7KB/s 00:00
然後回到CA進行簽署
[root@localhost CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 10 08:41:24 2013 GMT
Not After : Apr 8 08:41:24 2023 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = MageEdu
organizationalUnitName = Tech
commonName = hello.magedu.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
10:B1:D2:C5:48:58:66:7B:35:71:BD:62:1D:77:85:12:EB:36:DF:63
X509v3 Authority Key Identifier:
keyid:30:86:2F:D5:DC:10:09:DA:38:19:E5:72:34:05:D5:5D:CE:83:B2:86
Certificate is to be certified until Apr 8 08:41:24 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated //頒發成功
//去檢視生成的證書
[root@localhost CA]# cd /etc/pki/CA/
cacert.pem crl index.txt.attr newcerts serial
certs index.txt index.txt.old private serial.old
[root@localhost CA]# cat index.txt //檢視内容
V 230408084124Z 01 unknown /C=CN/ST=Henan/O=MageEdu/OU=Tech/CN=hello.magedu.com/[email protected]
[root@localhost CA]# cat serial //已經自動排序
02
//然後把證書發送給請求者。這裡我們到用戶端去複制證書
[root@Cyz ssl]# scp 172.16.111.9:/tmp/httpd.crt ./
httpd.crt 100% 3864 3.8KB/s 00:00
這個時候要記得傳回CA中将tmp下的臨時檔案給删除掉以免别人擷取
[root@localhost CA]# cd /tmp/
[root@localhost tmp]# ls
busybox grub-install.log.s11228 httpd.csr whatis.Fa3163
grub-install.img.o11227 httpd.crt initrd
[root@localhost tmp]# rm httpd.c*
rm: remove regular file `httpd.crt'? y
rm: remove regular file `httpd.csr'? y
這個時候證書已經簽署成功了,我們應該如何配置使用它呢:
[root@Cyz ssl]# cd /etc/httpd/conf.d/
[root@Cyz conf.d]# ls
manual.conf php.conf proxy_ajp.conf README ssl.conf virtual.conf welcome.con1
[root@Cyz conf.d]# vim ssl.conf
//将裡面的内容作如下修改:
<VirtualHost 172.16.111.1:443>
#ServerName www.example.com:443
ServerName hello.magedu.com
DocumentRoot "/www/magedu.com"
SSLCertificateFile /etc/httpd/ssl/httpd.crt //證書檔案
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key //密鑰檔案
//檢查文法
[root@Cyz conf.d]# httpd -t
Syntax OK
//重新開機服務
[root@Cyz conf.d]# service httpd restart
<a href="http://blog.51cto.com/attachment/201304/212851238.png" target="_blank"></a>
然後繼續修改實體機的HOSTS檔案
<a href="http://blog.51cto.com/attachment/201304/212523176.png" target="_blank"></a>
//添加如下
172.16.111.1 hello.magedu.com
然後我們來通路下:(我們這裡的是https://)系統提示我們這個網站安全證書有問題,原因是因為我們CA不受信任,解決方法自然是我們手動導入證書了:
<a href="http://blog.51cto.com/attachment/201304/212920468.png" target="_blank"></a>
我們來到CA,将CA的證書發送給實體主機一份
<a href="http://blog.51cto.com/attachment/201304/212939503.png" target="_blank"></a>
點選這裡的綠色按鈕
<a href="http://blog.51cto.com/attachment/201304/212957356.png" target="_blank"></a>
<a href="http://blog.51cto.com/attachment/201304/213054357.jpg" target="_blank"></a>
将其擴充名改為crt 會發現變了樣子
<a href="http://blog.51cto.com/attachment/201304/213109509.jpg" target="_blank"></a>
然後輕按兩下進行安裝
完成之後就可以打來IE來驗證啦
<a href="http://blog.51cto.com/attachment/201304/213217215.jpg" target="_blank"></a>
本文轉自 陳延宗 51CTO部落格,原文連結:http://blog.51cto.com/407711169/1175701,如需轉載請自行聯系原作者
![linux-svn解除安裝與安裝[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)