OpenSSL configures the HTTPS capabilities of Apache

Source: Internet
Author: User
Tags modulus

HTTPS: Session creation Process
1. Client and server-side first handshake three times
2. The client initiates the request, requesting 443 ports on the server side.
3. Both sides negotiate to establish SSL session
4. After the negotiation is complete, the server sends its own certificate to the client.
5. After the client has received the certificate, the view certificate is not issued by a trusted certification authority, and the certificate is not complete.
6. The client passes the encrypted symmetric password to the server side.
Connection Setup Complete


CA issues certificate Procedures to clients
1. Create a CA
Generate a pair of keys yourself
Generate a self-signed certificate
2. Client
Generate a pair of keys
Generate a certificate issuance request,. CSR
Send request to CA
3.CA Terminal
Sign this certificate
Transfer to Client

Note: SSL can only be based on IP address, if there is more than one virtual host, then only one of the encryption

Experimental section

Check the httpd module to make sure there is SSL and if not, install it manually
[Email protected] ~]# httpd-m
Ssl_module
view SSL-generated files
[Email protected] ~]# RPM-QL mod_ssl
/etc/httpd/conf.d/ssl.conf #ssl主配置文件
/usr/lib/httpd/modules/mod_ssl.so #安装了一个ssl模块
/var/cache/mod_ssl #ssl缓存目录

Establish a private certification authority
generate the private key of the CA
[Email protected] ~]# cd/etc/pki/ca/
[[Email protected] ca]# (umask 077; OpenSSL genrsa-out Private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....................................+++
.........................+++
E is 65537 (0x10001)
[Email protected] ca]#


producing a self-signed certificate using the private key
[email protected] ca]# OpenSSL req-new-x509-key private/cakey.pem-out cacert.pem-days 365
You is about-to is asked to-enter information that'll be incorporated
into your certificate request.
What's about-to-enter is called a distinguished Name or a DN.
There is quite a few fields but can leave some blank
For some fields there would be a default value,
If you enter '. ', the field would be a left blank.
-----
Country Name (2 letter code) [GB]:CN #设置国家名称
State or province name (full name) [BERKSHIRE]:HB #设置省份名称
Locality Name (eg, city) [Newbury]:sjg #设置市名称
Organization Name (eg, company) [My company Ltd]:benet #设置组织名称
Organizational Unit Name (eg, section) []:lb #设置部门名称
Common name (eg, your name or your server ' s hostname) []:www.benet.com #setting the hostname needs to be the same as the issued hostname, or it will be reported that the certificate does not trust
Email Address []:[email protected] #设置电子邮件地址



where to edit the configuration file * * *
[Email protected] ~]# VIM/ETC/PKI/TLS/OPENSSL.CNF
DIR =/etc/pki/ca


prepare three directories, certificate issuance directory (certs), certificate revocation (CRL), newly generated certificate (newcerts), and issue the certificate's serial number file Index.txt and write the first certificate serial number to
[[email protected] ca]# mkdir certs CRL Newcerts
[email protected] ca]# Touch index.txt
[Email protected] ca]# echo > serial


this time, the CA will be able to use

Web Server Configuration
Prepare a directory store certificate
[Email protected] ca]# cd/etc/httpd/
[[email protected] httpd]# mkdir SSL
[Email protected] httpd]# CD ssl/


generate a private key certificate for the Web
[Email protected] ssl]# (umask 077;openssl genrsa > Httpd.key)
Generating RSA private key, 1024x768 bit long modulus
............++++++
..........................++++++
E is 65537 (0x10001)

generate a Certificate signing request
[email protected] ssl]# OpenSSL req-new-key httpd.key-out HTTPD.CSR
You is about-to is asked to-enter information that'll be incorporated
into your certificate request.
What's about-to-enter is called a distinguished Name or a DN.
There is quite a few fields but can leave some blank
For some fields there would be a default value,
If you enter '. ', the field would be a left blank.
-----
Country Name (2 letter code) [GB]:CN
State or province name (full name) [BERKSHIRE]:HB
Locality Name (eg, city) [NEWBURY]:SJZ
Organization Name (eg, company) [My company Ltd]:benet
Organizational Unit Name (eg, section) []:lb
Common name (eg, your name or your server ' s hostname) []:www.benet.com #and the domain name of the website must be kept in full agreement
Email Address []:[email protected]

Please enter the following ' extra ' attributes
To is sent with your certificate request
A Challenge Password []:
An optional company name []:


the CA server signs the Web server's certificate
[email protected] ~]# OpenSSL ca-in/etc/httpd/ssl/httpd.csr-out/etc/httpd/ssl/httpd.crt-days 365
Using Configuration From/etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature OK
Certificate Details:
Serial number:1 (0x1)
Validity
Not Before:nov 10:42:56 GMT
Not After:nov 10:42:56 GMT
Subject:
CountryName = CN
Stateorprovincename = HB
OrganizationName = Benet
Organizationalunitname = LB
CommonName = www.benet.com
EmailAddress = [email protected]
X509v3 Extensions:
X509v3 Basic Constraints:
Ca:false
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
35:f3:ee:62:1f:64:d5:06:db:5c:60:77:0b:19:33:c2:6a:8b:2d:b4
X509v3 Authority Key Identifier:
Keyid:57:72:4c:91:1c:9b:f2:b0:e8:4a:e1:34:ab:03:e6:e6:31:2a:1d:c3

Certificate is to be certified until Nov 10:42:56 GMT (365 days)
Sign the certificate? [Y/n]:y


1 out of 1 certificate requests certified, commit? [Y/n]y
Write out database with 1 new entries
Data Base Updated


View Issuance Status
[email protected] ca]# cat Index.txt
V 151126104256Z Unknown/c=cn/st=hb/o=benet/ou=lb/cn=www.benet.com/[email protected]
View the serial number for the next request
[email protected] ca]# cat serial
02


Certificate Request Complete

Client Configuration SSL
backup configuration files before configuration
[Email protected] ssl]# cd/etc/httpd/conf.d/
[email protected] conf.d]# CP ssl.conf Ssl.conf.bak

Edit the SSL configuration file, in addition to the required settings listed, all other
<virtualhost 192.168.0.108:443>
ServerName www.benet.com #设置网站域名
DocumentRoot "/www/benet.com" #设置网站存放位置
Errorlog Logs/ssl_error_log #设置网站错误日志
Transferlog Logs/ssl_access_log #设置网站访问日志
LogLevel warn #设置警告级别
Sslengine on #是否开启ssl功能
Sslprotocol All-sslv2 #支持的协议为, does not support SSLV2, and then supports all
SSLCERTIFICATEFILE/ETC/HTTPD/SSL/HTTPD.CRT #设置证书文件位置
Sslcertificatekeyfile/etc/httpd/ssl/httpd.key #设置私钥文件位置
</VirtualHost>


Restart the httpd service after editing is complete, and then check that port 443 is already started
[Email protected] conf.d]# service httpd restart
[Email protected] conf.d]# NETSTAT-TNLP
TCP 0 0::: 443:::* LISTEN 6436/httpd



At this point, the client accesses Www.benet.com's 443 port still error, because the client does not trust the CA authority
You need to copy the/etc/pki/ca/cacert.pem file to the client

And the client is renamed CACERT.CRT, and then the certificate is installed and placed in the root authority

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/54/10/wKiom1R200Hz0h17AAFlzMRoEqs724.jpg "style=" float: none; "title=" Installation certificate. png "alt=" wkiom1r200hz0h17aaflzmroeqs724.jpg "/>


At this point, the client will not be able to error the access, and access is encrypted access to the
650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/54/0F/wKioL1R20-SQFi2XAACGRxskrQo991.jpg "title=" HTTPS access succeeded. png "alt=" wkiol1r20-sqfi2xaacgrxskrqo991.jpg "/>

This article from "Plum blossom fragrance from bitter cold" blog, please be sure to keep this source http://wangjunkang.blog.51cto.com/8809812/1583306

OpenSSL configures the HTTPS capabilities of Apache

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.