配置HTTPS

环境为CentOS 7.3、httpd2.4.6

一 搭建证书

CA 主机为192.168.29.3

client主机为 192.168.29.100

1 生成私钥

[root@centos7 ~]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....................++
...........................................................................................................................................................................................++
e is 65537 (0x10001)

2 生成自签证书

[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
[root@centos7 ~]#

3 为CA提供所需的目录及文件

(1)所需目录,如果无,则创建

/etc/pki/CA/certs/

/etc/pki/CA/crl/

/etc/pki/CA/newcerts/

(2)所需文件

[root@centos7 ~]# touch /etc/pki/CA/serial #序列号文件

[root@centos7 ~]# touch /etc/pki/CA/index.txt #数据库文件

(3)

[root@centos7 ~]# echo 01 > /etc/pki/CA/serial #维护ca的序列号

4 在client上进行如下操作

(1)创建放置公钥私钥的文件夹

[root@CentOS7 ~]# mkdir /etc/httpd/ssl

(2)生成自己的私钥

[root@CentOS7 ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)

Generating RSA private key, 2048 bit long modulus

…………………………………+++

……………………………..+++

e is 65537 (0x10001)

[root@CentOS7 ~]#

(3)请CA为自己生成公钥

[root@CentOS7 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(4)把生成的公钥发送给CA

[root@CentOS7 ~]# scp /etc/httpd/ssl/httpd.csr root@192.168.29.3:/tmp/
The authenticity of host '192.168.29.3 (192.168.29.3)' can't be established.
ECDSA key fingerprint is f2:2e:89:a2:8d:22:22:9c:a9:f8:c9:19:18:d3:b6:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.29.3' (ECDSA) to the list of known hosts.
root@192.168.29.3's password:
httpd.csr 100% 1005 1.0KB/s 00:00

5 在CA主机上为client签证

[root@centos7 ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 3 02:54:23 2017 GMT
Not After : Jun 3 02:54:23 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
organizationName = Company
organizationalUnitName = OPS
commonName = www.test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
5D:A9:5A:90:29:F3:3A:7F:76:BE:21:78:14:80:E5:FB:5E:03:D8:D9
X509v3 Authority Key Identifier:
keyid:9E:1E:F3:84:4D:D0:79:E2:BD:DD:A8:50:29:6C:BA:0C:21:60:CA:96
Certificate is to be certified until Jun 3 02:54:23 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6 把签署的证书发给client

[root@centos7 ~]# scp /etc/pki/CA/certs/httpd.crt root@192.168.29.100:/etc/httpd/ssl/
The authenticity of host '192.168.29.100 (192.168.29.100)' can't be established.
ECDSA key fingerprint is 32:16:f3:2d:78:65:9f:a0:31:6c:dc:b9:24:e7:5a:8f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.29.100' (ECDSA) to the list of known hosts.
root@192.168.29.100's password:
httpd.crt 100% 5711 5.6KB/s 00:00

二 HTTPS配置

7 安装mod_ssl模块

[root@CentOS7 ~]# yum install mod_ssl -y

8 修改配置文件/etc/httpd/conf.d/ssl.conf

DocumentRoot "/data/https"
ServerName www.test.com:443
<Directory "data/https">
AllowOverride None
Require all granted
</Directory>
SSLCertificateFile /etc/httpd/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/ssl/httpd.crt

注意:

并修该/etc/httpd/ssl/httpd.crt、/etc/httpd/ssl/httpd.crt两个文件的属性,确保apach为可读就行,当然也可放在默认文件夹下,就不需要修改权限了。

[root@CentOS7 ~]#chmod +r /etc/httpd/ssl/httpd.key

9 检查语法

[root@CentOS7 ~]# httpd -t

Syntax OK

10 修给默认页面

[root@CentOS7 ~]# echo “www.test.com” > /data/https/index.html

11 启动http服务

[root@CentOS7 ~]# systemctl start httpd.service

12 把CA 的自签证书传到桌面

[root@centos7 ~]# sz /etc/pki/CA/cacert.pem

改名为cacert.crt

配置HTTPS

双击导入IE浏览器

13 配置DNS解析

www.test.com 为192.168.29.100

或者 修改windows 下的C:WindowsSysteme32driversetchosts文件

192.168.29.100    www.test.com

14 打开IE浏览器测试

输入https://www.test.com

配置HTTPS

好了 成功了 好用成就感呀!!

原创文章,作者:linux is not unix,如若转载,请注明出处:http://www.178linux.com/77675

(1)
linux is not unixlinux is not unix
上一篇 2017-06-06 19:03
下一篇 2017-06-06 20:15

相关推荐

  • Linux运维实战之2-2:bash的工作特性

    这次博文我们主要来谈谈bash的工作特性哈。 主要内容: bash是一种shell解释程序     bash工作特性之命令状态返回值 bash工作特性之命令行展开 bash工作特性之命令补全 bash工作特性之路径补齐 bash工作特性之命令引用 bash工作特性之命令别名 bash工作特性之文件名通配 bash工作特性之命令hash 问…

    Linux干货 2016-11-06
  • 一个简单小例子来说一下Rescue营救模式

    昨天不小心将/lib64下的一个动态库文件libc.so.6(很多命令都依赖的)给移动到了/root下,然后除了一些内部命令可用外,其余命令都不能用了,然后就想着看看重启可不可以修复,结果重启后就再也开不了机了,心想着这可咋整,要不用最快的方式进行快照恢复吧,结果老师就说了,不能使用快照,让我们使用Rescue营救模式进行恢复,然后在恢复的过程中就发现一个问…

    Linux干货 2017-08-21
  • 实时文件查找工具–find

    find [option] …[查找路径] [查找条件] [处理动作] 起始路径:指定具体的目标路径,默认为当前目录 查找条件:指定查找标准,可以根据文件名,权限,文件大小等标准进行。默认为指定路径下的所有文件 处理动作:对符合条件的文件做什么操作 1 查找条件: (1)根据文件名查找:  -name “文件名称” 支持使用glob -iname…

    Linux干货 2017-07-02
  • http协议简介

        http:Hyper Text Transfer Protocol,超文本传输协议。是互联网上应用最为广泛的一种网络协议。所有的WWW文件都必须遵守这个标准。设计HTTP最初的目的是为了提供一种发布和接收HTML页面的方法。1960年美国人Ted Nelson构思了一种通过计算机处理文本信息的方法,并称之为超文本(hyp…

    Linux干货 2015-11-18
  • 基于nginx实现7层http的负载均衡

    一、实验环境实验环境为三台服务器:1. nginx负载均衡器1. 内网ip:192.168.11.1002. 外网ip:172.16.251.892. 提供网页服务的RS-1服务器:192.168.11.2013. 提供网页服务的RS-2服务器:192.168.11.2024. 拓扑如下:二、实验配置后台服务器配置:1. 后台提供网页服务的两台服务器配置:y…

    Linux干货 2017-06-29
  • 马哥教育网络版21班第四周作业

    1、复制/etc/skel目录为/home/tuser1,要求/home/tuser1及其内部文件的属组和其他用户均没有任何访问权限 [root@localhost ~]# cp -rf /etc/skel/ /home/tuser1 [root@localhost ~]# chmod&n…

    Linux干货 2016-08-05