Linux service usage (HTTP + SSL = HTTPS)
2013-09-13 20:37
651 views
How to configure a secure HTTP service and make the service safer. It is also a good chance to learn how a CA works, so study it well.
HTTP + SSL = HTTPS
Configuring the CA server
========================================================
1. Configure the CA (172.16.1.2): generate the CA's own public and private keys, then have the CA self-sign its own certificate (generated with the script).
CA server configuration
Create the certificate, verify it, and finally have the CA sign it.
vim /etc/pki/tls/openssl.cnf ----------- change the directory path
line 45: dir = /etc/pki/CA
vim /etc/pki/tls/misc/CA --------------- change the path used by the script
line 42: CATOP=/etc/pki/CA
vim /etc/pki/tls/openssl.cnf ---------- allow the self-signed certificate to act as a CA
#basicConstraints=CA:FALSE
basicConstraints=CA:TRUE
/etc/pki/tls/misc/CA -newca --------- create a new CA
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
..........++++++
...........................++++++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: ------------------- set the pass phrase (123456)
Verifying - Enter PEM pass phrase: --------------- repeat the pass phrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN ------------------ country
State or Province Name (full name) [Berkshire]:BEIJING --------------- state/province
Locality Name (eg, city) [Newbury]:BJ -------------------- locality
Organization Name (eg, company) [My Company Ltd]:UPLOOKING ------------ company
Organizational Unit Name (eg, section) []:IT ------------------ department
Common Name (eg, your name or your server's hostname) []:SERVER113 --------- host name
Email Address []:ROOT@UPLOOKING.COM ---------------- e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----------- asks whether to set a challenge password; leave it blank
An optional company name []: ------------ asks whether to add an optional company name; leave it blank
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: ---------- enter the pass phrase set above (123456)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 30 05:49:33 2013 GMT
Not After : Mar 29 05:49:33 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = UPLOOKING
organizationalUnitName = IT
commonName = SERVER113
emailAddress = ROOT@UPLOOKING.COM
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3A:85:EC:6B:00:D4:3F:91:F3:6B:14:47:4D:3F:02:52:6F:BC:93:85
X509v3 Authority Key Identifier:
keyid:3A:85:EC:6B:00:D4:3F:91:F3:6B:14:47:4D:3F:02:52:6F:BC:93:85
Certificate is to be certified until Mar 29 05:49:33 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost tls]# ls /etc/pki/CA/private/./cakey.pem ------- # the CA's private key
[root@localhost tls]# ls /etc/pki/CA/cacert.pem ----------- # the CA certificate
[root@localhost tls]# ls /etc/pki/CA/careq.pem ---------- # the CA's certificate request
Configuring the web server
===============================================================================
The web server generates its own private key
[root@node1 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key (the private key is protected with des3)
Generating RSA private key, 512 bit long modulus
............++++++++++++
...............++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key: ---------- set the pass phrase for the server's own private key (123456)
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: -------- repeat it (123456)
[root@localhost conf.d]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr ----- generate the certificate request (identity + public key)
Enter pass phrase for /etc/httpd/conf.d/server.key: ------------- enter the private key's pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----- this information must match the CA's
Country Name (2 letter code) [GB]:CN --------------- country, must match the CA
State or Province Name (full name) [Berkshire]:BEIJING -------- must match the CA
Locality Name (eg, city) [Newbury]:BJ ----------- must match the CA
Organization Name (eg, company) [My Company Ltd]:UPLOOKING ------- must match the CA
Organizational Unit Name (eg, section) []:IT --------
Common Name (eg, your name or your server's hostname) []:SERVER --------- this one must differ from the CA's
Email Address []:name@UPLOOKING.COM ------ this one must differ from the CA's
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 ~]# scp /tmp/server.csr node2:/tmp/ ----------- send the certificate request to the CA (with two machines, just copy it over)
The CA server digitally signs the certificate request
=============================================================================
[root@localhost CA]# cp /etc/pki/CA/cacert.pem /etc/CA/ --------- make a copy of the CA certificate
[root@localhost CA]# cp /etc/pki/CA/private/./cakey.pem /etc/CA/private/ ------- copy the CA's private key over
[root@node2 CA]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt --------- server.crt is the name of the certificate being generated
/etc/CA/private/cakey.pem ------ (the CA's private key)
/tmp/server.csr ----------- (the httpserver's certificate request file)
/etc/CA/cacert.pem --------- (the CA's certificate)
/tmp/server.crt ------------ (the name of the generated httpserver certificate)
Issue the signed digital certificate to the web server
[root@node2 CA]# scp /tmp/server.crt node1:/etc/httpd/conf.d/
Configure the web server to support SSL and serve HTTPS
===============================================================================
[root@node1 ~]# yum install mod_ssl
[root@node1 ~]# vim /etc/httpd/conf.d/ssl.conf
line 112: SSLCertificateFile /etc/httpd/conf.d/server.crt
line 119: SSLCertificateKeyFile /etc/httpd/conf.d/server.key
The client needs to download the CA certificate and import it into the browser. When it accesses the web server over https, the browser verifies whether the web server's digital certificate was issued by the CA.
In Firefox: Edit ------> Preferences -----> Advanced ----> Encryption -----> View Certificates ------> Import --------- import the CA certificate /etc/CA/cacert.pem here
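The same issuance and verification flow as an added shell example (not from the original post): it builds a throwaway CA and server certificate non-interactively, then runs the two checks worth doing before pointing mod_ssl at the files: that the server certificate chains to cacert.pem (what the browser checks after the import above) and that server.key actually belongs to server.crt. It assumes the openssl CLI is installed; it uses 2048-bit keys, unencrypted keys (-nodes) and `openssl x509 -req -CA` in place of the CA script and `openssl ca`, so the file layout differs from the post.

```shell
#!/bin/sh
# Added example, not the original post's commands. Assumes the openssl CLI.

# Usage: make_test_pki <workdir> -> creates cakey.pem, cacert.pem, server.key, server.crt
make_test_pki() {
    d="$1"
    mkdir -p "$d" || return 1
    # CA key + self-signed CA certificate. "req -x509" marks it CA:TRUE by
    # default, which is what the post enables by hand in openssl.cnf.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 \
        -subj "/C=CN/ST=BEIJING/L=BJ/O=UPLOOKING/OU=IT/CN=SERVER113" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null || return 1
    # Web server key and certificate request (identity + public key);
    # the CN differs from the CA's, as the post requires.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=CN/ST=BEIJING/L=BJ/O=UPLOOKING/OU=IT/CN=SERVER" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # The CA signs the request (stands in for the post's "openssl ca" step).
    openssl x509 -req -days 365 -in "$d/server.csr" \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -CAcreateserial \
        -out "$d/server.crt" 2>/dev/null
}

# Usage: check_issued <cacert.pem> <server.crt> <server.key>
# Returns 0 only if the certificate chains to the CA AND the key matches it.
check_issued() {
    ca="$1"; crt="$2"; key="$3"
    # 1. Chain check: the same decision the browser makes after importing the CA.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
    # 2. Key/cert pairing: httpd refuses to start when these moduli differ.
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null | openssl sha256)
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null | openssl sha256)
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}
```

Against a live server the chain check is `openssl s_client -connect host:443 -CAfile cacert.pem`, which reports "Verify return code: 0 (ok)" only when the served certificate was issued by that CA.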
[root@localhost mnt]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server localhost.localdomain:443 (RSA)
Enter pass phrase: -------------------- enter the private key pass phrase (123456)
OK: Pass Phrase Dialog successful.
[ OK ]
[root@localhost mnt]#
[root@node1 ~]# netstat -tunpl | grep 443
This article comes from the “history_xcy” blog; please keep this attribution: http://historys.blog.51cto.com/7903899/1296712