Magedu Linux Ops Study Notes: HTTPS service configuration based on OpenSSL
Published: 2019-01-19 14:53:16  Editor: 雪饮
Environment: Apache 2.2.3, Red Hat 5.8 x64
1. Create the CA
(1) Install mod_ssl
rpm -ivh ./Server/mod_ssl-2.2.3-63.el5.x86_64.rpm
(2) Generate the CA key
[root@hello pki]# cd /etc/pki/CA/
[root@hello CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..........................................+++
...............................+++
e is 65537 (0x10001)
(3) OpenSSL configuration file
vim /etc/pki/tls/openssl.cnf
Settings such as:
dir = /etc/pki/CA
countryName_default = CN
stateOrProvinceName_default = Henan
localityName_default = Zhengzhou
0.organizationName_default = MageEdu
organizationalUnitName_default =Tech
(4) Generate the self-signed CA certificate
[root@hello CA]# cd /etc/pki/CA
[root@hello CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Henan]:
Locality Name (eg, city) [Zhengzhou]:
Organization Name (eg, company) [MageEdu]:
Organizational Unit Name (eg, section) [Tech]:
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:admin@magedu.com
(5) Prepare the directories for signed certificates and the certificate serial number
[root@hello CA]# mkdir /etc/pki/CA/{certs,crl,newcerts}
[root@hello CA]# touch /etc/pki/CA/index.txt
[root@hello CA]# echo 01 > /etc/pki/CA/serial
2. Certificate signing request from the client (the web server, which is not the same machine as the CA above)
(1) Prepare the key for the certificate signing request
[root@hello httpd]# mkdir /etc/httpd/ssl
[root@hello httpd]# cd /etc/httpd/ssl
[root@hello ssl]# (umask 077; openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
..++++++
........................................................................++++++
e is 65537 (0x10001)
(2) Prepare the certificate signing request
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Henan
Locality Name (eg, city) [Newbury]:Zhengzhou
Organization Name (eg, company) [My Company Ltd]:MageEdu
Organizational Unit Name (eg, section) []:Tech
Common Name (eg, your name or your server's hostname) []:hello.magedu.com
Email Address []:hello@magedu.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(3) Send the certificate signing request
[root@localhost ssl]# scp httpd.csr 192.168.43.175:/tmp
The authenticity of host '192.168.43.175 (192.168.43.175)' can't be established.
RSA key fingerprint is 43:ad:7c:4a:9f:9c:61:9f:d6:e0:40:21:93:8d:ae:ca.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.43.175' (RSA) to the list of known hosts.
root@192.168.43.175's password:
httpd.csr 100% 704 0.7KB/s 00:00
3. The CA signs the certificate
[root@hello CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jan 19 05:27:35 2019 GMT
Not After : Jan 16 05:27:35 2029 GMT
Subject:
countryName = CN
stateOrProvinceName = Henan
organizationName = MageEdu
organizationalUnitName = Tech
commonName = hello.magedu.com
emailAddress = hello@magedu.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FC:03:E4:BF:DE:9C:DF:6F:1A:C9:50:B3:C6:03:6A:38:0A:BF:20:D7
X509v3 Authority Key Identifier:
keyid:D1:65:95:1F:64:B1:F3:0C:62:EC:66:CF:37:48:6D:85:A8:9F:14:A0
Certificate is to be certified until Jan 16 05:27:35 2029 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
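The CA setup, CSR and signing from sections 1 to 3, done non-interactively, as an added example (my own script, not code from the original notes or from Magedu): it writes its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, puts a subjectAltName in the CSR, and ends with the check the notes skip, verifying the issued certificate against the CA and the hostname. It assumes a current openssl binary on PATH; the DN values, the hostnames ca.magedu.com and hello.magedu.com, and the scratch directory are constructed for the example. The policy_match section also explains why the subject printed by openssl ca in section 3 has no localityName: fields that are not listed in the policy are dropped from the issued certificate.

```shell
#!/bin/sh
# Added example, not code from the original notes: the CA and signing steps
# above, scripted so they can be repeated. All DN values, hostnames and
# directories are constructed for the example.
set -eu

# Minimal openssl.cnf for the CA directory $1 (stands in for editing
# /etc/pki/tls/openssl.cnf as the notes do).
write_ca_config() {
    local ca_dir="$1"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $ca_dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
copy_extensions = copy

# "match" fields must equal the CA's own DN; fields not listed here are
# dropped from the issued certificate (hence no localityName in the notes).
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Section 1: CA key (mode 0600 via umask 077), self-signed CA certificate,
# and the bookkeeping files openssl ca needs (index.txt, serial, newcerts).
build_ca() {
    local ca_dir="$1"
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"
    write_ca_config "$ca_dir"
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$ca_dir/openssl.cnf" \
        -extensions v3_ca -key "$ca_dir/private/cakey.pem" \
        -subj "/C=CN/ST=Henan/L=Zhengzhou/O=MageEdu/OU=Tech/CN=ca.magedu.com" \
        -out "$ca_dir/cacert.pem"
}

# Sections 2 and 3: server key and CSR carrying a SAN for $2 (the notes' CSR
# has only a CN), then signing with openssl ca. Output goes to $3.
issue_server_cert() {
    local ca_dir="$1" fqdn="$2" out_dir="$3"
    mkdir -p "$out_dir"
    (umask 077; openssl genrsa -out "$out_dir/httpd.key" 2048 2>/dev/null)
    cat > "$out_dir/req.cnf" <<EOF
[ req ]
distinguished_name = req_dn
req_extensions     = server_req
[ req_dn ]
[ server_req ]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -sha256 -config "$out_dir/req.cnf" -key "$out_dir/httpd.key" \
        -subj "/C=CN/ST=Henan/L=Zhengzhou/O=MageEdu/OU=Tech/CN=$fqdn" \
        -out "$out_dir/httpd.csr"
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -extensions v3_server \
        -days 365 -in "$out_dir/httpd.csr" -out "$out_dir/httpd.crt" 2>/dev/null
}

# The check worth running before the certificate is copied to /etc/httpd/ssl:
# it must chain to the CA and carry the name clients will connect to.
verify_chain() {
    local ca_dir="$1" cert="$2" fqdn="$3"
    openssl verify -CAfile "$ca_dir/cacert.pem" -verify_hostname "$fqdn" "$cert" >/dev/null
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
build_ca "$work/CA"
issue_server_cert "$work/CA" hello.magedu.com "$work/ssl"
verify_chain "$work/CA" "$work/ssl/httpd.crt" hello.magedu.com
echo "chain OK: $work/ssl/httpd.crt"
```

Run it as `sh build_ca.sh`; the CA directory and the server key, CSR and certificate end up under the printed scratch path, laid out like /etc/pki/CA and /etc/httpd/ssl in the notes. The `-notext` flag keeps the human-readable dump out of httpd.crt, which is why the file will be smaller than the 3864 bytes copied in section 4.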
4. The client fetches the certificate and completes the configuration
(1) Fetch the certificate
[root@localhost ssl]# scp 192.168.43.165:/tmp/httpd.crt ./
root@192.168.43.175's password:
httpd.crt 100% 3864 3.8KB/s 00:00
(2) Configure ssl.conf
vim /etc/httpd/conf.d/ssl.conf, for example:
In the default VirtualHost container, change the IP address from _default_ to your server's IP address. One IP address can carry only one SSL site, so supporting SSL on several sites needs several IP addresses.
Then add the following to that VirtualHost:
ServerName hello.magedu.com
DocumentRoot "/www/magedu.com"
and change the following two settings inside the container:
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
(3) Create the site directory and a default page
[root@localhost ssl]# mkdir -p /www/magedu.com
[root@localhost ssl]# vim /www/magedu.com/index.html
[root@localhost ssl]# cat /www/magedu.com/index.html
this is magedu.com https site
(4) Configure the virtual host
[root@localhost ssl]# vim /etc/httpd/conf.d/virtualHost.conf
[root@localhost ssl]# cat /etc/httpd/conf.d/virtualHost.conf
<VirtualHost 192.168.43.165:80>
ServerName hello.magedu.com
DocumentRoot "/www/magedu.com"
</VirtualHost>
(5) Configure hosts
[root@localhost ssl]# vim /etc/hosts
[root@localhost ssl]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost www.dmj.com www.snowdrink.com
::1 localhost6.localdomain6 localhost6
192.168.43.165 hello.magedu.com
(6) Restart and test
[root@localhost ssl]# !se
service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
[root@localhost ssl]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 3916/./hpiod
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3640/portmap
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3934/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3943/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4063/sendmail
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 4737/sshd
tcp 0 0 0.0.0.0:890 0.0.0.0:* LISTEN 3676/rpc.statd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 3921/python
tcp 0 0 :::80 :::* LISTEN 6012/httpd
tcp 0 0 :::22 :::* LISTEN 3934/sshd
tcp 0 0 ::1:6010 :::* LISTEN 4737/sshd
tcp 0 0 :::443 :::* LISTEN 6012/httpd
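Before the restart in step (6), the files ssl.conf points at are worth checking on the web server. This added script (mine, not from the original notes or from Magedu) reads SSLCertificateFile, SSLCertificateKeyFile and ServerName out of the config, then confirms that the key is mode 0600 (what the `umask 077` in section 2 was for), that the key matches the certificate, that the certificate is not about to expire, and that the ServerName appears in the certificate's subjectAltName. Modern browsers match the hostname against subjectAltName rather than the CN, so a certificate like the one issued in section 3, which carries only a CN, fails that last check. Directive parsing is deliberately simple (first occurrence in the file, no Include handling); the config path and names used are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the original notes: pre-restart checks on the
# certificate and key that ssl.conf references. File names and hostnames
# used when running it are constructed for the example.
set -u

# First value of directive $2 in Apache config file $1 (quotes stripped).
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1" | tr -d '"'
}

# $1 = certificate file, $2 = private key file, $3 = ServerName clients use.
# Returns 0 when all checks pass, 1 with a reason on stderr otherwise.
check_tls_material() {
    local cert="$1" key="$2" server_name="$3" cert_pub key_pub
    # 1. The key must be readable by its owner only.
    if [ -z "$(find "$key" -perm 600 2>/dev/null)" ]; then
        echo "FAIL: $key missing or not mode 0600" >&2; return 1
    fi
    # 2. The key must be the one the certificate was issued for: the public
    #    key derived from the private key must equal the one in the cert.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "FAIL: cannot read $cert or $key" >&2; return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; return 1
    fi
    # 3. The certificate must stay valid for at least 30 days (2592000 s).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
        echo "FAIL: $cert expires within 30 days" >&2; return 1
    fi
    # 4. The ServerName must be a DNS entry in subjectAltName; the -text dump
    #    lists them as "DNS:a, DNS:b", so split on commas/spaces and match whole.
    if ! openssl x509 -in "$cert" -noout -text | tr ', ' '\n\n' \
            | grep -qx "DNS:$server_name"; then
        echo "FAIL: $cert has no subjectAltName entry for $server_name" >&2; return 1
    fi
    echo "OK: $cert and $key are usable for $server_name"
}

# Pull the three directives out of ssl.conf ($1) and run the checks.
check_ssl_conf() {
    local conf="$1"
    check_tls_material "$(conf_value "$conf" SSLCertificateFile)" \
                       "$(conf_value "$conf" SSLCertificateKeyFile)" \
                       "$(conf_value "$conf" ServerName)"
}

# Stand-alone use, e.g.: sh check_ssl.sh /etc/httpd/conf.d/ssl.conf
if [ "$#" -eq 1 ]; then
    check_ssl_conf "$1"
fi
```

A non-zero exit means the restart would either fail (httpd refuses a key that does not match the certificate) or produce a site that clients reject, so it is a cheap gate to put in front of `service httpd restart`.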
Keywords: linux, openssl, https