21.Linux HTTPS服务

Linux : HTTPS服务

协议	传输方式	端口	安全性
HTTP	明文传输	80	无加密，可被窃听
HTTPS	加密传输	443	HTTP + SSL/TLS

数据加密（防窃听）
身份认证（防伪装）
完整性校验（防篡改）

OpenSSL 证书操作核心命令

命令选项	作用	使用场景示例
-x509	生成自签名证书	创建私有CA根证书
-new	生成证书签名请求(CSR)	为服务器创建证书请求
-key	指定私钥文件路径	`-key server.key`
-out	指定输出文件路径	`-out server.crt`
-days	设置证书有效期（天）	`-days 3650`（10年有效期）

在这里插入图片描述

标准路径：/etc/pki/CA/

/etc/pki/CA/
├── certs/       # 存放已签署的证书
├── crl/         # 证书吊销列表(CRL)
├── newcerts/    # 新签发证书备份
├── private/     # CA私钥目录（严格权限控制）
├── index.txt    # 证书数据库（记录所有签发证书）
└── serial       # 当前证书序列号文件

在dns服务器的正向解析数据库中添加ca.exanple.com的解析内容

cd /var/named/
vim xieyuhui.com

在这里插入图片描述

在主机CA上为主机CA生成私钥

[root@xieyuhui2 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 2048 bit long modulus
..+++
......................+++
e is 65537 (0x10001)

在主机CA上为主机CA生成自签名证书

[root@xieyuhui2 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:

在主机CA上为CA提供所需的目录及文件

[root@xieyuhui2 ~]# touch /etc/pki/CA/serial
[root@xieyuhui2 ~]# touch /etc/pki/CA/index.txt
[root@xieyuhui2 ~]# echo 01 > /etc/pki/CA/serial
[root@xieyuhui2 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

在主机WEB上为主机WEB生成私钥，并将私钥存放在/etc/httpd/ssl目录中

[root@xieyuhui ~]# mkdir /etc/httpd/ssl
[root@xieyuhui ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key)
Generating RSA private key, 2048 bit long modulus
..........+++
.........................+++
e is 65537 (0x10001)

在主机WEB上为web.example.com站点生成签署请求文件

[root@xieyuhui ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xieyuhui.example.com
Email Address []:Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

在主机web上将签署请求文件通过可靠方式发送给CA服务器

[root@xieyuhui ~]#scp /etc/httpd/ssl/httpd.csr                     root@ca.example.com:/etc/pki/CA/

在主机CA上对签署请求进行数字签名，并指明所生成的Web证书的存放路径

[root@xieyuhui2 ~]#openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Aug 12 12:48:40 2025 GMTNot After : Aug 12 12:48:40 2026 GMTSubject:countryName               = CNstateOrProvinceName       = HBorganizationName          = LQorganizationalUnitName    = ITcommonName                = xieyuhui.example.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: 92:CB:55:33:05:4C:C0:AA:B8:4D:48:F4:59:F0:B2:FA:1B:89:06:A8X509v3 Authority Key Identifier: keyid:8E:1E:9E:87:60:0B:9C:53:C9:2C:65:A4:63:B4:01:36:7D:10:DC:C1

在主机WEB上将CA主机上已经数字签名后的Web证书下载下来

[root@xieyuhui ~]#scp root@ca.example.com:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/

在主机WEB上安装apche http扩展模块mod_ssl

[root@xieyuhui ~]# yum install mod_ssl -y
[root@xieyuhui ~]# rpm -q mod_ssl 
mod_ssl-2.4.6-88.el7.centos.x86_64 确认安装

修改主配置文件

[root@xieyuhui ~]# vim /etc/httpd/conf.d/ssl.conf

在这里插入图片描述

复制虚拟主机配置文件

[root@xieyuhui ~]# cp -p /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d

部署https站点

[root@xieyuhui ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf

在这里插入图片描述

重启http服务

[root@xieyuhui ~]# systemctl restart httpd
[root@xieyuhui ~]# systemctl enable httpd

关闭防火墙和selinux

在客户端上去下载CA服务器上的根证书

[root@xieyuhui3 ~]# scp root@ca.example.com:/etc/pki/CA/cacert.pem .

打开火狐浏览器，导入证书
设置–首选项–高级–证书–查看证书–导入–找到根证书，然后双击–把“信任使用此CA标识的网站”勾上–确定–确定
查看
在这里插入图片描述

本文来自互联网用户投稿，该文观点仅代表作者本人，不代表本站立场。本站仅提供信息存储空间服务，不拥有所有权，不承担相关法律责任。
如若转载，请注明出处：http://www.pswp.cn/bicheng/93054.shtml
繁体地址，请注明出处：http://hk.pswp.cn/bicheng/93054.shtml

如若内容造成侵权/违法违规/事实不符，请联系多彩编程网进行投诉反馈email:809451989@qq.com，一经查实，立即删除！