Implementing HTTPS

Implementing HTTPS: building a CA and issuing certificates

 

The SSL module is not installed by default, so it has to be installed first

[root@localhost ~]# httpd -M | grep ssl

Syntax OK

 

Install the module

[root@localhost ~]# yum install mod_ssl

 

Check for the module after installation

[root@localhost ~]# httpd -M | grep ssl

ssl_module (shared)

 

The configuration file that loads the SSL module

[root@localhost ~]# rpm -ql mod_ssl

/etc/httpd/conf.d/ssl.conf

 

[root@localhost ~]# grep mod_ssl /etc/httpd/conf.d/ssl.conf

# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>

LoadModule ssl_module modules/mod_ssl.so    (the configuration file loads the module that provides encryption)

 

Restart the service

[root@localhost ~]# service httpd restart

 

SSL encryption supports only one site, not multiple virtual hosts, so delete the virtual hosts created earlier

[root@localhost ~]# rm -rf /etc/httpd/conf.d/vhosts.conf

 

Edit the main configuration file to use the site directory that httpd was installed with

DocumentRoot "/var/www/html"

 

Copy a file into place to serve as the page to be accessed

[root@localhost ~]# cp /var/log/messages /var/www/html/m.html

 

Give apache read permission on it

[root@localhost ~]# chmod +r /var/www/html/m.html

 

Restart the service

[root@localhost ~]# service httpd restart

 

Access the site

 

 

View the certificate [a self-signed certificate]

 

 

The configuration file defines the paths from which the certificate files are loaded

[root@localhost ~]# rpm -ql mod_ssl

/etc/httpd/conf.d/ssl.conf    (configuration file)

 

[root@localhost ~]# cat /etc/httpd/conf.d/ssl.conf

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key    (private key file path)

SSLCertificateFile /etc/pki/tls/certs/localhost.crt    (certificate file path)

#SSLCertificateChainFile /etc/httpd/conf.d/ssl/cacert.pem    (root certificate file path; already modified here)

 

View the certificate file

[root@localhost ~]# cat /etc/pki/tls/certs/localhost.crt

-----BEGIN CERTIFICATE-----

 

[root@localhost ~]# openssl x509 -in /etc/pki/tls/certs/localhost.crt -noout -text

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 2088 (0x828)

Signature Algorithm: sha256WithRSAEncryption

Issuer: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost/emailAddress=root@localhost    (issuer)

Validity

Not Before: Jan 27 08:44:14 2018 GMT

Not After : Jan 27 08:44:14 2019 GMT

Subject: C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=localhost/emailAddress=root@localhost    (subject: who the certificate was issued to)

Subject Public Key Info:

 

 

The file /etc/pki/tls/certs/localhost.crt is generated by the install script when mod_ssl is installed; it does not belong to any package

[root@localhost ~]# rpm -ql /etc/pki/tls/certs/localhost.crt

package /etc/pki/tls/certs/localhost.crt is not installed

 

 

Building the CA

CA 192.168.119.159

 

CA server

[root@localhost ~]# hostname ca

[root@localhost ~]# exec bash

[root@ca ~]#

 

Web server

[root@localhost ~]# hostname websrv

[root@localhost ~]# exec bash

[root@websrv ~]#

 

Build the CA

[root@ca ~]# cd /etc/pki/CA/

[root@ca /etc/pki/CA]# tree

.

├── certs

├── crl

├── newcerts

└── private

 

4 directories, 0 files

[root@ca /etc/pki/CA]#

 

[root@ca /etc/pki/CA]# touch index.txt

[root@ca /etc/pki/CA]# echo 01 > serial

 

[root@ca /etc/pki/CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)

 

[root@ca /etc/pki/CA]# tree

.

├── certs

├── crl

├── index.txt

├── newcerts

├── private

│   └── cakey.pem

└── serial

 

4 directories, 3 files

[root@ca /etc/pki/CA]#

 

 

Self-sign the CA certificate

[root@ca /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:magedu.com

Organizational Unit Name (eg, section) []:opt

Common Name (eg, your name or your server's hostname) []:ca.magedu.com

Email Address []:

[root@ca /etc/pki/CA]#

 

[root@ca /etc/pki/CA]# tree

.

├── cacert.pem

├── certs

├── crl

├── index.txt

├── newcerts

├── private

│   └── cakey.pem

└── serial

 

4 directories, 4 files

[root@ca /etc/pki/CA]#

 

 

The web server requests a certificate

[root@websrv ~]# mkdir /etc/httpd/conf.d/ssl

[root@websrv ~]# cd /etc/httpd/conf.d/ssl

Create the private key used for the certificate request

[root@websrv /etc/httpd/conf.d/ssl]# (umask 077; openssl genrsa -out httpd.key)

Generating RSA private key, 1024 bit long modulus

............++++++

.....................++++++

e is 65537 (0x10001)

[root@websrv /etc/httpd/conf.d/ssl]#

 

Generate the certificate request

[root@websrv /etc/httpd/conf.d/ssl]# openssl req -new -key httpd.key -out httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:bj

Organization Name (eg, company) [Default Company Ltd]:magedu.com

Organizational Unit Name (eg, section) []:opt

Common Name (eg, your name or your server's hostname) []:*.magedu.com

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

 

[root@websrv /etc/httpd/conf.d/ssl]# ll

total 8

-rw-r--r-- 1 root root 647 Jan 27 17:19 httpd.csr    (certificate request file)

-rw------- 1 root root 891 Jan 27 17:16 httpd.key

 

 

Copy the certificate request to the CA for signing

[root@websrv /etc/httpd/conf.d/ssl]# scp httpd.csr 192.168.119.159:/etc/pki/CA

 

On the CA server, check for the certificate request and sign it

[root@ca /etc/pki/CA]# ls

cacert.pem  certs  crl  httpd.csr  index.txt  newcerts  private  serial

 

[root@ca /etc/pki/CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 712

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 1 (0x1)

Validity

Not Before: Jan 27 09:22:18 2018 GMT

Not After : Jan  9 09:22:18 2020 GMT

Subject:

countryName               = CN

stateOrProvinceName       = beijing

organizationName          = magedu.com

organizationalUnitName    = opt

commonName                = *.magedu.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

69:1C:DF:9F:18:D9:2F:98:1D:EF:71:D0:6D:DB:A3:35:CE:A3:1F:41

X509v3 Authority Key Identifier:

keyid:1E:A3:A2:DF:3E:17:6A:4E:F1:37:F5:4E:AA:E4:61:A8:D4:B5:4A:31

 

Certificate is to be certified until Jan  9 09:22:18 2020 GMT (712 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@ca /etc/pki/CA]#

 

 

The generated certificate files

[root@ca /etc/pki/CA]# tree

.

├── cacert.pem

├── certs

│   └── httpd.crt

├── crl

├── httpd.csr

├── index.txt

├── index.txt.attr

├── index.txt.old

├── newcerts

│   └── 01.pem

├── private

│   └── cakey.pem

├── serial

└── serial.old

 

4 directories, 10 files

[root@ca /etc/pki/CA]#

 

 

httpd.crt and 01.pem are the same file

 

Send the signed certificate file to the server that requested it

[root@ca /etc/pki/CA]# scp certs/httpd.crt 192.168.119.129:/etc/httpd/conf.d/ssl/

 

Check the files

[root@websrv /etc/httpd/conf.d/ssl]# ll

total 12

-rw-r--r-- 1 root root 3721 Jan 27 17:24 httpd.crt

-rw-r--r-- 1 root root  647 Jan 27 17:19 httpd.csr    (request file)

-rw------- 1 root root  891 Jan 27 17:16 httpd.key

 

Edit the configuration file

[root@websrv /etc/httpd/conf.d]# vim ssl.conf

ServerName www.magedu.com:443

SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt

SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key

 

Restart the service

[root@websrv /etc/httpd/conf.d]# service httpd restart

 

 

Transfer the upper-level CA's certificate to the lower-level CA; otherwise the certificate will not be trusted

[root@ca /etc/pki/CA]# scp cacert.pem 192.168.119.129:/etc/httpd/conf.d/ssl/

 

 

 

Check

[root@websrv /etc/httpd/conf.d/ssl]# ls

cacert.pem  httpd.crt  httpd.csr  httpd.key

 

Edit the configuration file

[root@websrv /etc/httpd/conf.d/ssl]# vim /etc/httpd/conf.d/ssl.conf

SSLCertificateChainFile /etc/httpd/conf.d/ssl/cacert.pem    (the CA's certificate file)
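
Before restarting httpd, the three files that ssl.conf now references can be checked from the shell: that httpd.crt belongs to httpd.key, that it was signed by cacert.pem, and that the key is not undersized (the transcript above shows httpd.key generated at 1024 bits). This is an added example, not part of the original post. The function names and the 2048-bit default are assumptions, and the demo PKI is constructed test data signed with "openssl x509 -req" rather than the page's "openssl ca" so that it runs without /etc/pki/CA.

```bash
# Added example: checks for the files in /etc/httpd/conf.d/ssl before restarting httpd.
# Function names are hypothetical; file names follow the page.

# Print the RSA key size in bits, e.g. 1024 or 2048.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if the certificate ($2) carries the public key of the private key ($1).
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Succeed only if the certificate ($2) verifies against the CA certificate ($1).
# The output is matched because old OpenSSL releases exit 0 even on failure.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run all checks on a directory laid out like /etc/httpd/conf.d/ssl.
preflight() {
    local dir="$1" min_bits="${2:-2048}" bits rc=0
    bits=$(key_bits "$dir/httpd.key")
    [ "${bits:-0}" -ge "$min_bits" ] || { echo "FAIL: key is ${bits:-?} bits"; rc=1; }
    key_matches_cert "$dir/httpd.key" "$dir/httpd.crt" ||
        { echo "FAIL: httpd.crt does not match httpd.key"; rc=1; }
    chains_to_ca "$dir/cacert.pem" "$dir/httpd.crt" ||
        { echo "FAIL: httpd.crt was not signed by cacert.pem"; rc=1; }
    return $rc
}

# Build a throwaway CA and server certificate (constructed test data) in DIR,
# signing with "openssl x509 -req" instead of the page's "openssl ca".
make_demo_pki() {
    local d="$1" dn="/C=CN/ST=beijing/O=magedu.com/OU=opt"
    openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" -days 30 \
        -subj "$dn/CN=ca.magedu.com" 2>/dev/null &&
    openssl genrsa -out "$d/httpd.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/httpd.key" -out "$d/httpd.csr" \
        -subj "$dn/CN=*.magedu.com" 2>/dev/null &&
    openssl x509 -req -in "$d/httpd.csr" -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" \
        -CAcreateserial -out "$d/httpd.crt" -days 30 2>/dev/null
}
```

On the web server the call is `preflight /etc/httpd/conf.d/ssl`; a non-zero exit status means at least one of the three checks failed.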

 

Restart the service

[root@websrv /etc/httpd/conf.d/ssl]# service httpd restart

 

 

Test access

 

 

The root CA is not trusted; the CA's certificate has to be imported into the computer's list of trusted CA certificates

 

[root@websrv /etc/httpd/conf.d/ssl]# ll

total 16

-rw-r--r-- 1 root root 1334 Jan 27 17:33 cacert.pem

 

cacert.pem is the CA server's certificate file; it has to be imported into the computer's trusted list

 

 

The exported file has the wrong extension and cannot be opened, so the file extension has to be changed

 

 

 

 

Install the certificate

 

 

Because the signed certificate is for www.magedu.com, the site has to be accessed by its FQDN; edit the local hosts file, then test access

 

C:\Windows\System32\drivers\etc\hosts

192.168.119.129 www.magedu.com

 

 

 

 

 

This article is a reader contribution and does not represent the position of Linux运维部落. If you repost it, please credit the source: http://www.178linux.com/91330
