How to configure a secure HTTP service: this makes the service more secure, and along the way you can also learn how a CA works. Study it carefully.

HTTP + SSL = HTTPS
Configuring the CA server
========================================================
1. Configure the CA (172.16.1.2): generate the CA's own public and private keys, and have the CA self-sign its own certificate (generated with the CA script)
CA server configuration
Create the certificate and verify it; finally, have the CA certify it
vim /etc/pki/tls/openssl.cnf -----------change the directory path
line 45: dir = /etc/pki/CA
vim /etc/pki/tls/misc/CA---------------change the path used by the script
line 42: CATOP=/etc/pki/CA
vim /etc/pki/tls/openssl.cnf ----------so that the self-signed certificate can be used as a CA certificate
#basicConstraints=CA:FALSE
basicConstraints=CA:TRUE
/etc/pki/tls/misc/CA -newca---------create a new CA
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..........++++++
...........................++++++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: -------------------set the pass phrase (123456)
Verifying - Enter PEM pass phrase:---------------repeat the pass phrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:CN------------------country
State or Province Name (full name) [Berkshire]:BEIJING---------------state or province
Locality Name (eg, city) [Newbury]:BJ--------------------locality
Organization Name (eg, company) [My Company Ltd]:UPLOOKING------------company
Organizational Unit Name (eg, section) []:IT------------------department
Common Name (eg, your name or your server's hostname) []:SERVER113---------host name
Email Address []:[email protected]----------------e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: -----------asks whether to set a challenge password; leave it blank
An optional company name []: ------------asks whether to add a company name; leave it blank
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: ----------enter the pass phrase set above (123456)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 30 05:49:33 2013 GMT
Not After : Mar 29 05:49:33 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = UPLOOKING
organizationalUnitName = IT
commonName = SERVER113
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3A:85:EC:6B:00:D4:3F:91:F3:6B:14:47:4D:3F:02:52:6F:BC:93:85
X509v3 Authority Key Identifier:
keyid:3A:85:EC:6B:00:D4:3F:91:F3:6B:14:47:4D:3F:02:52:6F:BC:93:85
Certificate is to be certified until Mar 29 05:49:33 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost tls]# ls /etc/pki/CA/private/./cakey.pem -------# the CA's private key
[root@localhost tls]# ls /etc/pki/CA/cacert.pem -----------# the CA's certificate
[root@localhost tls]# ls /etc/pki/CA/careq.pem ----------# the CA's certificate request
Configuring the web server
===============================================================================
The web server generates its own private key
[root@node1 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key (the private key is protected with des3)
Generating RSA private key, 512 bit long modulus
............++++++++++++
...............++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key: ----------set the pass phrase for the server's private key (123456)
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:--------repeat it (123456)
[root@localhost conf.d]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr-----generate the certificate request (identity information + public key)
Enter pass phrase for /etc/httpd/conf.d/server.key: -------------enter the private key's pass phrase
There are quite a few fields but you can leave some blank
-----this part of the information must match what the CA entered
Country Name (2 letter code) [GB]:CN ---------------country; must match the CA
State or Province Name (full name) [Berkshire]:BEIJING--------must match the CA
Locality Name (eg, city) [Newbury]:BJ-----------must match the CA
Organization Name (eg, company) [My Company Ltd]:UPLOOKING-------must match the CA
Organizational Unit Name (eg, section) []:IT--------
Common Name (eg, your name or your server's hostname) []:SERVER---------this must differ from the CA's
Email Address []:[email protected]------this must differ from the CA's
A challenge password []:
An optional company name []:
[root@node1 ~]# scp /tmp/server.csr node2:/tmp/-----------send the certificate request to the CA (when the CA is on a second machine, this is just a copy)
The CA server digitally signs the certificate request
=============================================================================
[root@localhost CA]# cp /etc/pki/CA/cacert.pem /etc/CA/---------make a copy of the CA certificate
[root@localhost CA]# cp /etc/pki/CA/private/./cakey.pem /etc/CA/private/-------copy the CA's private key over
[root@node2 CA]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt---------the .crt file is the certificate being generated
/etc/CA/private/cakey.pem------(the CA's private key)
/tmp/server.csr -----------(the HTTP server's certificate request file)
/etc/CA/cacert.pem---------(the CA's certificate)
/tmp/server.crt------------(the name of the HTTP server certificate being generated)
Issue the signed digital certificate to the web server
[root@node2 CA]# scp /tmp/server.crt node1:/etc/httpd/conf.d/
Configure the web server to support SSL and provide HTTPS
[root@node1 ~]# yum install mod_ssl
[root@node1 ~]# vim /etc/httpd/conf.d/ssl.conf
line 112: SSLCertificateFile /etc/httpd/conf.d/server.crt
line 119: SSLCertificateKeyFile /etc/httpd/conf.d/server.key
The client needs to download the CA certificate and import it into the browser; when it accesses the web server over https, the browser checks whether the web server's digital certificate was issued by that CA.
Open Firefox: Edit ------> Preferences -----> Advanced ----> Encryption -----> View Certificates ------> Import ---------import the CA certificate /etc/CA/cacert.pem here
[root@localhost mnt]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server localhost.localdomain:443 (RSA)
Enter pass phrase:--------------------enter the private key's pass phrase (123456)
OK: Pass Phrase Dialog successful.
[ OK ]
[root@localhost mnt]#
[root@node1 ~]# netstat -tunpl | grep 443
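The whole procedure above (CA key and self-signed CA certificate, server key and CSR, CA-signed server certificate) condensed into one non-interactive script, as an added example that is not part of the original tutorial. It assumes only that the openssl CLI is on PATH; it uses 2048-bit keys instead of the 512/1024-bit keys shown above, writes the extensions explicitly instead of editing openssl.cnf, and finishes with the chain check a browser performs once the CA certificate has been imported.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): throwaway CA -> server cert -> verify.
# Subjects mirror the tutorial; the server's CN deliberately differs from the CA's.
set -e
WORK=$(mktemp -d)
CA_SUBJ="/C=CN/ST=BEIJING/L=BJ/O=UPLOOKING/OU=IT/CN=SERVER113"
SRV_SUBJ="/C=CN/ST=BEIJING/L=BJ/O=UPLOOKING/OU=IT/CN=SERVER"

build_pki() {
    # Extensions: the CA certificate must carry CA:TRUE, the server certificate must not.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/srv.ext"
    # CA side: private key -> request -> self-signed certificate (what "CA -newca" does).
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -key "$WORK/cakey.pem" -subj "$CA_SUBJ" -out "$WORK/careq.pem"
    openssl x509 -req -in "$WORK/careq.pem" -signkey "$WORK/cakey.pem" -days 1095 \
        -extfile "$WORK/ca.ext" -out "$WORK/cacert.pem" 2>/dev/null
    # Web server side: private key -> CSR (key left unencrypted so the script runs unattended).
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -subj "$SRV_SUBJ" -out "$WORK/server.csr"
    # CA signs the CSR and produces server.crt (the "openssl ca" step of the tutorial).
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$WORK/srv.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Returns 0 when server.crt chains to cacert.pem: the check a browser makes after importing the CA.
verify_server_cert() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1
}

# Returns 0 when a certificate from an unrelated CA is rejected against our cacert.pem.
rejects_foreign_cert() {
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/other.key" -subj "/CN=other" -days 1 -out "$WORK/other.crt" 2>/dev/null
    ! openssl verify -CAfile "$WORK/cacert.pem" "$WORK/other.crt" >/dev/null 2>&1
}

# Returns 0 when server.crt is an end-entity certificate (CA:TRUE did not leak into it).
server_cert_is_not_ca() {
    ! openssl x509 -in "$WORK/server.crt" -noout -text | grep -q 'CA:TRUE'
}

build_pki
verify_server_cert && echo "server.crt chains to $WORK/cacert.pem"
```

Point SSLCertificateFile and SSLCertificateKeyFile at the generated server.crt and server.key to reproduce the ssl.conf step; `openssl verify` failing here is the same failure the browser reports as an untrusted issuer.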