httpd配置详解(四)

https的配置(httpd+mod_ssl)

1.安装Apache的mod_ssl模块

[root@miner_k ~]# yum -y install mod_ssl

[root@miner_k html]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

2.配置CA服务端

修改配置文件:

[root@CA ~]# vim /etc/pki/tls/openssl.cnf

[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # CA的默认路径
certs           = $dir/certs            # 客户端证书
crl_dir         = $dir/crl              # 证书吊销列表
database        = $dir/index.txt        # 给那些人发过证书
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # 新生成证书的存放位置

certificate     = $dir/cacert.pem       # CA 的证书
serial          = $dir/serial           # 序列号
crlnumber       = $dir/crlnumber        # 证书吊销列表的工作号
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # 当前的证书吊销列表
private_key     = $dir/private/cakey.pem # CA的私钥
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

default_days    = 365                   # 默认的认证时间是365天
default_crl_days= 30                    # 吊销列表中内容的保存时间
default_md      = default               # use public key default MD
preserve        = no      



[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN   # 设置默认的国家
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = BeiJing  #设置默认的省份

localityName                    = Locality Name (eg, city)
localityName_default    = BeiJing     #设置默认的城市

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = CA    #设置公司(组织)名称

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = IT  #设置部门(单位)
2.1 生成CA的私钥
[root@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...........................................+++
................................................................................................+++
e is 65537 (0x10001)
2.2 生成CA的自签证书
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [CA]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) []:ca.miner_k.com
Email Address []:admin@miner_k.com  
2.3 将CA服务器下创建需要的文件
[root@CA CA]# touch index.txt
[root@CA CA]# echo 01 > serial
[root@CA CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

3.在Apache的服务器

3.1 生成密钥对
[root@miner_k ~]# cd /etc/httpd/
[root@miner_k httpd]# ls
conf  conf.d  logs  modules  run
[root@miner_k httpd]# mkdir ssl
[root@miner_k httpd]# cd ssl/
[root@miner_k ssl]# (umask 077;openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
....................++++++
.......................++++++
e is 65537 (0x10001)
3.2 生成证书颁发请求(.csr)【Certificate signing request】
[root@miner_k ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [CA]:
Organizational Unit Name (eg, section) [IT]:
Common Name (eg, your name or your server's hostname) []:www.miner_k.com        #必须是这台web服务器的域名
Email Address []:admin@miner_k.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

注意:由于是私有的CA服务器,关于默认的城市以及机构等都必须和CA的是一样的

3.3 将证书发送给CA的服务器
[root@miner_k ssl]# scp httpd.csr 101.200.87.99:/root
The authenticity of host '101.200.87.99 (101.200.87.99)' can't be established.
RSA key fingerprint is c8:bb:dc:fc:d0:27:4d:48:d2:0a:0f:db:a2:51:10:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '101.200.87.99' (RSA) to the list of known hosts.
root@101.200.87.99's password: 
httpd.csr                                                                                          100%  696     0.7KB/s   00:00 

4.在CA服务器上的操作

4.1 签署Apache发送的证书请求
[root@CA ~]# openssl ca -in httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 24 06:12:47 2017 GMT
            Not After : May 24 06:12:47 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = CA
            organizationalUnitName    = IT
            commonName                = www.miner_k.com
            emailAddress              = admin@miner_k.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                ED:E8:48:9D:30:0F:95:0B:19:63:D8:F9:9C:70:5C:7E:26:36:DA:30
            X509v3 Authority Key Identifier: 
                keyid:12:0E:C7:0F:0B:A6:06:3D:27:A1:5B:A7:EA:3D:C3:36:07:BE:77:13

Certificate is to be certified until May 24 06:12:47 2018 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4.2 将签署的证书发送给Apache服务器
[root@CA ~]# scp httpd.crt   114.*.*.229:/etc/httpd/ssl/

5. 在Apache服务器上httpd的配置

[root@miner_k ssl]# cd /etc/httpd/conf.d/
[root@miner_k conf.d]# ls
README  ssl.conf  welcome.conf
[root@miner_k conf.d]# cp ssl.conf{,.bak} 
[root@miner_k conf.d]# ls
README  ssl.conf  ssl.conf.bak  welcome.conf

修改配置文件ssl.conf
[root@miner_k conf.d]# grep -v "^#" ssl.conf | grep -v "^$"
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
_:443>    #默认主机,可以设置为IP地址
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
SSLCertificateFile /etc/httpd/ssl/httpd.crt    #修改内容,证书位置
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key #修改内容,私钥位置
"\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars

/var/www/cgi-bin">
    SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>                           

6.测试

6.1 直接使用浏览器测试https的网页

重新启动httpd服务:
[root@miner_k conf.d]# service httpd restart
httpd配置详解(四)_第1张图片
使用https协议访问,但是可以看出是不安全的。

6.2 在客户端加载CA的证书
  • 1.将CA中的cacert.pem下载到本地然后改为为cacert.crt
    httpd配置详解(四)_第2张图片
  • 2.将证书导入到浏览器中

httpd配置详解(四)_第3张图片

httpd配置详解(四)_第4张图片

httpd配置详解(四)_第5张图片

httpd配置详解(四)_第6张图片

httpd配置详解(四)_第7张图片

httpd配置详解(四)_第8张图片

你可能感兴趣的:(linux,……【httpd】)