利用https实现站点访问
2012-08-21 20:06
531 查看
HTTPS原理
HTTPS(全称:Hypertext Transfer Protocol over Secure Socket Layer),是以安全为目标的HTTP通道,简单讲是HTTP的安全版。即HTTP下加入SSL层,HTTPS的安全基础是SSL。它是一个URI scheme(抽象标识符体系),句法类同http:体系。用于安全的HTTP数据传输。https:URL表明它使用了HTTP,但HTTPS存在不同于HTTP的默认端口及一个加密/身份验证层(在HTTP与TCP之间)。这个系统的最初研发由网景公司进行,提供了身份验证与加密通讯方法,现在它被广泛用于万维网上安全敏感的通讯,例如交易支付方面。它是由Netscape开发并内置于其浏览器中,用于对数据进行压缩和解压操作,并返回网络上传送回的结果。HTTPS实际上应用了Netscape的安全套接字层(SSL)作为HTTP应用层的子层。(HTTPS使用端口443,而不是象HTTP那样使用端口80来和TCP/IP进行通信。)SSL使用40 位关键字作为RC4流加密算法,这对于商业信息的加密是合适的。HTTPS和SSL支持使用X.509数字认证,如果需要的话用户可以确认发送者是谁。
HTTPS的主要作用可以分为两种:一种是建立一个信息安全通道,来保证数据传输的安全;另一种就是确认网站的真实性。
案例
实验目的:通过CA证书来实现https对站点的访问
实验步骤:
一.根证书
1.[root@localhost ~]# mount /dev/cdrom /mnt/cdrom //挂载光盘
2.[root@localhost ~]# cd /mnt/cdrom/Server
[root@localhost Server]# ll httpd*
-r--r--r-- 55 root root 1270589 2008-12-11 httpd-2.2.3-22.el5.i386.rpm
-r--r--r-- 63 root root 151651 2008-12-11 httpd-devel-2.2.3-22.el5.i386.rpm
-r--r--r-- 55 root root 852783 2008-12-11 httpd-manual-2.2.3-22.el5.i386.rpm
[root@localhost Server]# rpm -ivh httpd-2.2.3-22.el5.i386.rpm //安装httpd软件包
warning: httpd-2.2.3-22.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:httpd ########################################### [100%]
3.vim /etc/pki/tls/openssl.cnf
4. vim /etc/pki/tls/openssl.cnf
命令模式下:
:88,90 s/match/optional/g
5. vim /etc/pki/tls/openssl.cnf //修改注册证书时的默认值
6.创建相应的目录和文件
先产生钥匙,才能有证书
7.[root@localhost CA]# openssl genrsa 1024 >private/cakey.pem //产生钥匙
(命令解释:其中 genrsa 的gen 表示产生, rsa表示非对称算法(512-4096位),而 对称(40-256位)。1024表示钥匙长度。)
[root@localhost CA]# cd private/
[root@localhost private]# chmod 600 cakey.pem //修改私钥权限
8.[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650 //产生证书
(命令解释:-x509表示证书格式 –out表示产生证书 –days 3650 有效期限)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:yang
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
二.Web服务器
1. 私有钥匙
[root@localhost CA]# mkdir -pv /etc/httpd/certs //创建一个目录
[root@localhost CA]# cd /etc/httpd/certs
[root@localhost certs]# openssl genrsa 1024 >httpd.key
2.证书请求
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:henan
Locality Name (eg, city) [BEIJING]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:tec
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:www.tec.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.申请证书
[root@localhost certs]# openssl ca -in httpd.csr -out httpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 21 08:57:07 2012 GMT
Not After : Aug 21 08:57:07 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = tec
organizationalUnitName = tec
commonName = www.tec.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
35:4C:5F:D7:E6:D5:35:D2:C9:B4:03:3B:21:35:F9:B3:70:DD:40:76
X509v3 Authority Key Identifier:
keyid:23:FB:61:B4:E8:27:0E:09:58:B6:11:60:61:D6:37:90:70:F5:62:5C
Certificate is to be certified until Aug 21 08:57:07 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4.[root@localhost certs]# chmod 600 * //修改权限,为了安全
三.httpd和ssl的结合靠模块
1.安装模块
[root@localhost certs]# cd /mnt/cdrom/Server
[root@localhost Server]# rpm -qa |grep ssl //查看模块是否被安装
[root@localhost Server]# yum –y install mod_ssl
[root@localhost Server]# cd /etc/httpd/conf.d
2.vim ssl.conf //指明证书和私钥所在的位置
112 SSLCertificateFile /etc/httpd/certs/httpd.cert
119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key
3.[root@localhost conf.d]# service httpd configtest
Syntax OK
[root@localhost conf.d]# service httpd start
启动 httpd: [确定]
[root@localhost conf.d]# netstat -tupln |grep http
四:创建网页
[root@localhost ~]# echo "hello" >/var/www/html/index.html
[root@localhost ~]# service httpd restart
停止 httpd: [确定]
启动 httpd: [确定]
五:客户端访问站点
6.打开证书链,并在客户端安装根证书
vim /etc/httpd/conf.d/ssl.conf
128 SSLCertificateChainFile /etc/pki/CA/cacert.pem
7.客户端编辑host文件,并访问
8.关闭http访问
vim /etc/httpd/conf/httpd.conf
#Listen 80 //关闭80端口
[root@localhost ~]# service httpd restart
本文出自 “1” 博客,转载请与作者联系!
HTTPS(全称:Hypertext Transfer Protocol over Secure Socket Layer),是以安全为目标的HTTP通道,简单讲是HTTP的安全版。即HTTP下加入SSL层,HTTPS的安全基础是SSL。它是一个URI scheme(抽象标识符体系),句法类同http:体系。用于安全的HTTP数据传输。https:URL表明它使用了HTTP,但HTTPS存在不同于HTTP的默认端口及一个加密/身份验证层(在HTTP与TCP之间)。这个系统的最初研发由网景公司进行,提供了身份验证与加密通讯方法,现在它被广泛用于万维网上安全敏感的通讯,例如交易支付方面。它是由Netscape开发并内置于其浏览器中,用于对数据进行压缩和解压操作,并返回网络上传送回的结果。HTTPS实际上应用了Netscape的安全套接字层(SSL)作为HTTP应用层的子层。(HTTPS使用端口443,而不是象HTTP那样使用端口80来和TCP/IP进行通信。)SSL使用40 位关键字作为RC4流加密算法,这对于商业信息的加密是合适的。HTTPS和SSL支持使用X.509数字认证,如果需要的话用户可以确认发送者是谁。
HTTPS的主要作用可以分为两种:一种是建立一个信息安全通道,来保证数据传输的安全;另一种就是确认网站的真实性。
案例
实验目的:通过CA证书来实现https对站点的访问
实验步骤:
一.根证书
1.[root@localhost ~]# mount /dev/cdrom /mnt/cdrom //挂载光盘
2.[root@localhost ~]# cd /mnt/cdrom/Server
[root@localhost Server]# ll httpd*
-r--r--r-- 55 root root 1270589 2008-12-11 httpd-2.2.3-22.el5.i386.rpm
-r--r--r-- 63 root root 151651 2008-12-11 httpd-devel-2.2.3-22.el5.i386.rpm
-r--r--r-- 55 root root 852783 2008-12-11 httpd-manual-2.2.3-22.el5.i386.rpm
[root@localhost Server]# rpm -ivh httpd-2.2.3-22.el5.i386.rpm //安装httpd软件包
warning: httpd-2.2.3-22.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:httpd ########################################### [100%]
3.vim /etc/pki/tls/openssl.cnf
45 dir = /etc/pki/CA //放置和CA相关文件 46 certs = $dir/certs //已经发行的证书,需要手工创建目录 47 crl_dir = $dir/crl //证书吊销列表,需要手工创建目录 48 database = $dir/index.txt //数据库索引文件,需要手工创建文件 51 new_certs_dir = $dir/newcerts //新发行的证书,需要手工创建目录 53 certificate = $dir/cacert.pem//发证机关的证书 54 serial = $dir/serial //第一份证书发布的序列号,需要手工创建文件 58 private_key = $dir/private/cakey.pem//私钥文件
4. vim /etc/pki/tls/openssl.cnf
命令模式下:
:88,90 s/match/optional/g
88 countryName = optional 89 stateOrProvinceName = optional 90 organizationName = optional 修改后证书能对外服务,因为这三项都需要是相同的
5. vim /etc/pki/tls/openssl.cnf //修改注册证书时的默认值
136 countryName_default = CN 141 stateOrProvinceName_default = BEIJING 144 localityName_default = BEIJING
6.创建相应的目录和文件
[root@localhost CA]# cd /etc/pki/CA [root@localhost CA]# mkdir crl certs newcerts [root@localhost CA]# touch index.txt serial [root@localhost CA]# echo "01" >serial //给serial一个初始序列号
先产生钥匙,才能有证书
7.[root@localhost CA]# openssl genrsa 1024 >private/cakey.pem //产生钥匙
(命令解释:其中 genrsa 的gen 表示产生, rsa表示非对称算法(512-4096位),而 对称(40-256位)。1024表示钥匙长度。)
[root@localhost CA]# cd private/
[root@localhost private]# chmod 600 cakey.pem //修改私钥权限
8.[root@localhost CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem -days 3650 //产生证书
(命令解释:-x509表示证书格式 –out表示产生证书 –days 3650 有效期限)
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:
Locality Name (eg, city) [BEIJING]:
Organization Name (eg, company) [My Company Ltd]:yang
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:rootca.net.net
Email Address []:
二.Web服务器
1. 私有钥匙
[root@localhost CA]# mkdir -pv /etc/httpd/certs //创建一个目录
[root@localhost CA]# cd /etc/httpd/certs
[root@localhost certs]# openssl genrsa 1024 >httpd.key
2.证书请求
[root@localhost certs]# openssl req -new -key httpd.key -out httpd.csr
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BEIJING]:henan
Locality Name (eg, city) [BEIJING]:zhengzhou
Organization Name (eg, company) [My Company Ltd]:tec
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:www.tec.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3.申请证书
[root@localhost certs]# openssl ca -in httpd.csr -out httpd.cert
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 21 08:57:07 2012 GMT
Not After : Aug 21 08:57:07 2013 GMT
Subject:
countryName = CN
stateOrProvinceName = henan
organizationName = tec
organizationalUnitName = tec
commonName = www.tec.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
35:4C:5F:D7:E6:D5:35:D2:C9:B4:03:3B:21:35:F9:B3:70:DD:40:76
X509v3 Authority Key Identifier:
keyid:23:FB:61:B4:E8:27:0E:09:58:B6:11:60:61:D6:37:90:70:F5:62:5C
Certificate is to be certified until Aug 21 08:57:07 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
4.[root@localhost certs]# chmod 600 * //修改权限,为了安全
三.httpd和ssl的结合靠模块
1.安装模块
[root@localhost certs]# cd /mnt/cdrom/Server
[root@localhost Server]# rpm -qa |grep ssl //查看模块是否被安装
[root@localhost Server]# yum –y install mod_ssl
[root@localhost Server]# cd /etc/httpd/conf.d
2.vim ssl.conf //指明证书和私钥所在的位置
112 SSLCertificateFile /etc/httpd/certs/httpd.cert
119 SSLCertificateKeyFile /etc/httpd/certs/httpd.key
3.[root@localhost conf.d]# service httpd configtest
Syntax OK
[root@localhost conf.d]# service httpd start
启动 httpd: [确定]
[root@localhost conf.d]# netstat -tupln |grep http
tcp 0 0 :::80 :::* LISTEN 3573/httpd tcp 0 0 :::443 :::* LISTEN 3573/httpd
四:创建网页
[root@localhost ~]# echo "hello" >/var/www/html/index.html
[root@localhost ~]# service httpd restart
停止 httpd: [确定]
启动 httpd: [确定]
五:客户端访问站点
6.打开证书链,并在客户端安装根证书
vim /etc/httpd/conf.d/ssl.conf
128 SSLCertificateChainFile /etc/pki/CA/cacert.pem
7.客户端编辑host文件,并访问
8.关闭http访问
vim /etc/httpd/conf/httpd.conf
#Listen 80 //关闭80端口
[root@localhost ~]# service httpd restart
本文出自 “1” 博客,转载请与作者联系!
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 