What is HTTPS? HTTP, the Hypertext Transfer Protocol, uses TCP port 80 and by default transmits data in clear text, so the data can be captured with a packet capture tool. On the Internet, the HTTP servers of some of the more important sites therefore need to use PKI (Public Key Infrastructure) technology to encrypt data. This is HTTPS.
1. Description: Before deployment, here is an example to aid understanding. Suppose I want to rent a house, so I search on a website, but after making contact I find that many listings are false. Even when I find a house I like, I worry that the landlord is a liar. So this time I go through a rental agency: although it charges a fee, I can rent the house with peace of mind.
1 HTTPS Protocol Overview: HTTPS can be thought of as HTTP + TLS. The HTTP protocol is familiar, and most Web applications and websites now transmit data over it. TLS is the transport layer encryption protocol. Its predecessor, the SSL protocol, was first released by Netscape in 1995; in 1999, after IETF discussion and specification, it was renamed TLS. Unless specifically stated otherwise, SSL and TLS refer to the same protocol. The location of H
configuration file, adding LoadModule ssl_module modules/mod_ssl.so in the httpd sub-configuration file /etc/httpd/conf.d/ssl.conf, which also opens port 443 and specifies the storage path for the certificate. The reason is that during installation the package runs a script that generates the private key file /etc/pki/tls/private/localhost.key and also generates a certificate file /etc/pki/tls/
Simple configuration of HTTPS. Note: SSL sessions are created based on IP address, so only one HTTPS virtual host can be used on a host with a single IP; Configure httpd to support HTTPS: (1) Apply for a digital certificate for the server; Testing: issue a certificate through a privately built CA. (a) Create a private CA: openssl configuration file: /etc/pki/tls/opens
that the server does not trust every client to provide a fully random number. If the random number a client provides is not truly random, the risk of the "session key" being cracked increases greatly, so three random numbers are combined to form the final random number. This ensures its randomness and therefore the security of the session key generated each time. Digital certificates: A digital certificate is an electronic document that contains information about the
1. HTTPS Foundation: HTTPS (Secure Hypertext Transfer Protocol) is a secure communication channel that is built on HTTP and is used to exchange information between client computers and servers. It uses Secure Sockets Layer (SSL) for information exchange; put simply, it is a secure version of HTTP, an HTTP protocol that uses TLS/SSL encryption. The HTTP protocol transmits the information in clear text, the
is obligated to protect the privacy and security of user data. The first aspect is network security: each layer of the OSI model faces its own network security issues, the scope is broad, and network security is also one of the most active areas of security development. In this article, we simply explain the core concepts of HTTPS and its implementation on the iOS platform in the simplest possible way from the perspect
1. Install the ssl module
# yum -y install mod_ssl
2. Tell Apache which website is to use HTTPS, that is, set up a site. It can be the same one that was previously set up for HTTP.
# vi /etc/httpd/conf.d/ssl.conf
DocumentRoot /var/www/test/html
ServerName www.bkjia.com
3. Create a certificate file
# cd /etc/pki/tls/certs
[root@www.bkjia.com] # make server.key ### generate a key file
[root@www.bkjia.c
make the protocol operate normally, at least the server must have a PKI certificate, while the client does not necessarily need one. Its encryption strength depends on the correct implementation of the software and on the encryption algorithms supported by both the server and the client. Even if HTTPS is correctly implemented, the following factors remain: Impersonate a website; Phishing attacks; Create a fake websi
the SSL/TLS design, it is assumed that the server does not trust every client to provide a fully random number. If the random number a client provides is not truly random, the risk of the "session key" being cracked increases greatly, so three random numbers are combined to form the final random number. This ensures its randomness and therefore the security of the session key generated each time. Digital certificates: A digital certificate is an electronic document th
To configure httpd, follow these steps: the IP address of the httpd server used is 192.168.1.132.
(1) install the mod_ssl module
# yum install -y mod_ssl
The main files generated after the module is installed are:
# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf is the configuration file.
Certificate Format: version number; certificate serial number; certificate signature algorithm; certificate issuer; validity period; holder's name; holder's public key; CA ID; holder's ID; other extended information; basic constraints; certificate policy; key usage restrictions; CA signature
PKI (Public Key Infrastructure)
Client entity (applicant), registration authority (RC), certificate authority (CA) --> certificate authority (CA) Certificate Revoca
/localhost.key
SSLCertificateFile /etc/httpd/conf/server.crt
SSLCertificateKeyFile /etc/httpd/conf/server.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/
Concept: HTTP (Hypertext Transfer Protocol) sends content in clear text, without any data encryption. It is a standard (over TCP) for client and server requests and responses, the transport protocol used to transmit hypertext from the WWW server to the local browser. HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is the secure version of HTTP, that is, HTTP under the SSL layer,
HTTPD self-built CA authentication implements HTTPS service. Required software: httpd, mod_ssl, OpenSSL. This article implements the CA certificate server and the httpd server on one physical machine, which can be used as a reference for learning. Test host IP for this article: 192.168.1.100/24
[[emailprotected] ca]# httpd -v # httpd version
Server version: Apache/2.2.15 (Unix) Server built: Jul 14:15:00
[[emailprotected] ca]# uname -r # kernel version
2.6.32-431.el6.i686
[[emailprotected]
/web/vhosts/www{1,2}
mkdir /var/log/httpd
cd /var/log/httpd
touch www{1,2}.{err,access}
2) Create a home page file for each site and write its corresponding content to it: /web/vhosts/www1/index.html content is as follows: /web/vhosts/www2/index.html content is as follows:
3) Configure /etc/httpd/conf/httpd.conf with the following contents:
NameVirtualHost 192.168.1.179:80
Two. 1) Establish a private CA
cd /etc/pki/CA
(umask 077; openssl genrsa -out private/cakey.pem