Establishing a private CA based on HTTPD for HTTPS encrypted connection


For background on what HTTPS is, see the Baidu Encyclopedia entry: Https://baike.baidu.com/item/https/285356?fr=aladdin

I. Preparatory work

Before starting, prepare at least two hosts plus the physical machine: one host acts as the web server and the other as the private CA. Make sure the two hosts can ping each other and can ping the physical machine, so that all three can communicate.

Here I use two virtual machines: a CentOS 7 host with IP address 172.16.7.100 and a CentOS 6 host with IP address 172.16.128.4. CentOS 7 is the server that provides the HTTP service, CentOS 6 is the CA, and the physical machine is the client that will open the site in a browser.


II. Establishing the CA

Establish the CA on the 172.16.128.4 host and write its own information into a self-signed CA certificate:

~]# cd /etc/pki/CA                                                   # switch to the CA working directory (the CA]# prompt below shows /etc/pki/CA)
CA]# touch index.txt                                                 # create two files in this directory: the certificate database...
CA]# echo 01 > serial                                                # ...and the next serial number; both are used when signing, and openssl ca errors if they are missing
CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)         # create the CA private key, readable by root only
CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300   # self-sign the CA certificate (valid for 20 years)


III. Creating the certificate request

With the CA established, go back to the server host (172.16.7.100) and choose a directory to hold the certificate files. Here I use /myweb/wordpress/ssl. The location is arbitrary as long as you reference it by absolute path later, but keep it somewhere safe, because it will hold the server's private key. Then create the private key and the certificate signing request:

ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
ssl]# openssl req -new -key httpd.key -out httpd.csr

When filling in the fields, note that the country code must be exactly two letters and that the Common Name (server FQDN) must be the domain name of the virtual host, here myweb.wordpress.com. The key above is 2048 bits; the original used 1024 bits, which is now considered weak and is refused by the default crypto policies of current distributions. Also note that Chrome and most current browsers ignore the Common Name and require the host name in a subjectAltName extension, which this interactive request does not add; the CA has to add it when signing.


IV. Submitting and signing the request

Once the request has been created, send it to the CA for signing. scp is a convenient way to copy the file:

ssl]# scp httpd.csr 172.16.128.4:/tmp/          # run on the server, 172.16.7.100

On the first connection ssh shows the CA host's key fingerprint and asks you to confirm it. You are then prompted for the password of the CA host, and once the copy finishes scp prints a progress line showing that the file was uploaded successfully.


Switch to the CA (172.16.128.4) and run the following command to sign the request (answer y to both prompts: one to sign the certificate, one to commit it to the database):

CA]# openssl ca -in /tmp/httpd.csr -out certs/myweb.wordpress.com.crt -days 365

When signing completes, copy the resulting certificate back to the server with scp:

CA]# scp certs/myweb.wordpress.com.crt 172.16.7.100:/myweb/wordpress/ssl/

Back on the server (172.16.7.100), myweb.wordpress.com.crt now sits in /myweb/wordpress/ssl. Setting up the private CA and issuing the certificate is complete.
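Sections II to IV as one runnable script, added here as an example for this page; these are not the original post's commands. It creates the same CA layout (index.txt, serial, private/cakey.pem, cacert.pem) under a temporary directory instead of /etc/pki/CA, supplies its own minimal openssl configuration so it does not depend on the system openssl.cnf, and answers the prompts with -subj and -batch. The directory layout, the CA subject and the 2048-bit server key are assumptions made for the example; the host name myweb.wordpress.com is the one used in the post. It goes beyond the post in one respect: the CA adds the subjectAltName extension itself, from its own configuration rather than by copying extensions from the request, so a requester cannot slip in extensions such as basicConstraints CA:TRUE.

```shell
#!/bin/sh
# Added example for this page (not the original post's commands): the private-CA
# workflow of sections II to IV in a temporary directory instead of /etc/pki/CA.
# Assumptions made for the example: the directory layout under $1, the CA subject,
# and the 2048-bit server key (the post used 1024 bits).

# build_demo_pki DIR HOST
# Creates a CA under DIR/CA, then a server key, CSR and signed certificate under DIR/ssl.
build_demo_pki() {
    dir=$1
    host=$2
    ca="$dir/CA"
    ssl="$dir/ssl"
    mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts" "$ssl"
    : > "$ca/index.txt"      # certificate database; openssl ca refuses to run without it
    echo 01 > "$ca/serial"   # next serial number; also mandatory

    # Minimal configuration so that openssl req and openssl ca do not depend on the
    # system openssl.cnf. The server extensions, including the subjectAltName, are
    # defined here by the CA rather than copied from the CSR (copy_extensions), so a
    # requester cannot smuggle in extensions such as basicConstraints CA:TRUE.
    cat > "$ca/ca.cnf" <<EOF
[ ca ]
default_ca      = CA_default

[ CA_default ]
dir             = $ca
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_ext

[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
commonName              = supplied

[ req ]
distinguished_name      = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash

[ server_ext ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always
subjectAltName          = DNS:$host
EOF

    # Section II: CA private key (mode 0600 via umask) and self-signed CA certificate.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca/ca.cnf" -extensions v3_ca \
        -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" -days 7300 \
        -subj "/C=CN/O=Example Private CA/CN=Example Private Root CA"

    # Section III: server private key and certificate signing request.
    (umask 077; openssl genrsa -out "$ssl/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$ca/ca.cnf" -key "$ssl/httpd.key" \
        -out "$ssl/httpd.csr" -subj "/C=CN/O=Example/CN=$host"

    # Section IV: sign the request; -batch answers the two y/n prompts.
    openssl ca -batch -notext -config "$ca/ca.cnf" -in "$ssl/httpd.csr" \
        -out "$ssl/$host.crt" -days 365 2>/dev/null
}

# verify_server_cert DIR CERT HOST
# What a client checks: the chain back to DIR/CA/cacert.pem and HOST against the
# certificate's subjectAltName. Returns openssl's exit status (0 only if both hold).
verify_server_cert() {
    openssl verify -CAfile "$1/CA/cacert.pem" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# next_serial DIR : the serial number the CA will assign next (it increments on each issue)
next_serial() {
    cat "$1/CA/serial"
}

# Usage: d=$(mktemp -d); build_demo_pki "$d" myweb.wordpress.com
#        verify_server_cert "$d" "$d/ssl/myweb.wordpress.com.crt" myweb.wordpress.com && echo OK
```

After build_demo_pki runs, DIR/CA/serial reads 02 and DIR/CA/index.txt carries one line for the issued certificate, which is the bookkeeping the touch index.txt and echo 01 > serial steps in section II prepare for. verify_server_cert succeeds for myweb.wordpress.com and fails for any other name, which is the check a browser performs against the URL.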

V. Viewing in the browser

The certificate has been issued, but nothing is served over HTTPS yet. For httpd to speak HTTPS you need mod_ssl; install it with:

~]# yum install -y mod_ssl

The installation creates the configuration file ssl.conf under /etc/httpd/conf.d/. Edit it:

~]# vim /etc/httpd/conf.d/ssl.conf

Change the following two directives (around lines 101 and 108 of the stock file) so that they point at the certificate and private key placed in /myweb/wordpress/ssl earlier:

SSLCertificateFile /myweb/wordpress/ssl/myweb.wordpress.com.crt
SSLCertificateKeyFile /myweb/wordpress/ssl/httpd.key

Save and exit, then restart httpd so the new configuration is loaded:

~]# systemctl restart httpd

Running ss -tnl now shows port 443, the default HTTPS port, in the listening state:


That completes the HTTPS configuration. To test it, create a virtual host in /etc/httpd/conf.d/:

~]# vim /etc/httpd/conf.d/vhost.conf

Write the following content:

<VirtualHost *:443>
    ServerName myweb.wordpress.com
    DocumentRoot /myweb/wordpress
    ErrorLog logs/wordpress-error_log
    CustomLog logs/wordpress-access_log combined
    DirectoryIndex index.html
    # Enable TLS for this host explicitly instead of relying on the
    # _default_:443 block in ssl.conf; the paths are the same files set there.
    SSLEngine on
    SSLCertificateFile /myweb/wordpress/ssl/myweb.wordpress.com.crt
    SSLCertificateKeyFile /myweb/wordpress/ssl/httpd.key
    <Directory "/myweb/wordpress">
        Options Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

Then create the directory /myweb/wordpress and a home page (the ssl subdirectory created earlier already lives under it, so mkdir needs -p to avoid a "File exists" error):

~]# mkdir -p /myweb/wordpress
~]# echo "wordpress page" > /myweb/wordpress/index.html
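Before restarting httpd it is worth confirming that the two files named by SSLCertificateFile and SSLCertificateKeyFile belong together (httpd refuses to start when the key does not match the certificate), that the key is not readable by other users, and that the certificate actually names the host in the virtual host's ServerName (otherwise the browser warns even on clients that trust the CA). The following shell functions are an added example for this page, not part of the original post; the file names, and the self-signed test pair that make_test_pair builds so the checks can be exercised without the CA, are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this page (not the original post's commands): checks to run before
# restarting httpd with new SSLCertificateFile / SSLCertificateKeyFile settings.
# The file names and the self-signed test pair are assumptions made for the example.

# cert_matches_key CERT KEY : the public key embedded in CERT is the one derived from KEY.
# httpd refuses to start when these differ, so check it before the restart.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# key_is_private KEY : the key file is readable by its owner only (what umask 077 gives).
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# cert_covers_host CERT HOST : HOST is listed as a DNS name in the certificate's
# subjectAltName, which is what browsers match the URL against.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|\$)"
}

# httpd_ssl_preflight CERT KEY HOST : run all three checks, report each failure on
# stderr, and return 0 only if everything passed.
httpd_ssl_preflight() {
    rc=0
    cert_matches_key "$1" "$2" || { echo "$1 and $2 do not belong together" >&2; rc=1; }
    key_is_private "$2"        || { echo "$2 is readable by other users; chmod 600 it" >&2; rc=1; }
    cert_covers_host "$1" "$3" || { echo "$1 does not name $3 in subjectAltName" >&2; rc=1; }
    return $rc
}

# make_test_pair DIR HOST : a throwaway self-signed certificate and key with a
# subjectAltName for HOST, constructed here only so the checks can be exercised.
make_test_pair() {
    printf '[ req ]\ndistinguished_name = dn\nx509_extensions = ext\n[ dn ]\n[ ext ]\nsubjectAltName = DNS:%s\n' "$2" > "$1/test.cnf"
    (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/test.cnf" -key "$1/httpd.key" \
        -out "$1/httpd.crt" -days 1 -subj "/CN=$2" 2>/dev/null
}

# Usage: d=$(mktemp -d); make_test_pair "$d" myweb.wordpress.com
#        httpd_ssl_preflight "$d/httpd.crt" "$d/httpd.key" myweb.wordpress.com && echo "safe to restart httpd"
```

On the server from this post the call would be httpd_ssl_preflight /myweb/wordpress/ssl/myweb.wordpress.com.crt /myweb/wordpress/ssl/httpd.key myweb.wordpress.com; a non-zero exit means fix the reported problem before systemctl restart httpd.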

Finally, open https://myweb.wordpress.com/ in a browser on the physical machine (first add an entry for myweb.wordpress.com pointing at 172.16.7.100 to the client's hosts file; see the previous post). The page loads over HTTPS, with a certificate warning.


The certificate details shown are the ones entered when creating the request. The warning appears because the issuing CA is private: the browser cannot validate it against its built-in trust store. Within the local network the certificate still lets clients authenticate the server, and the warning disappears on clients that import cacert.pem as a trusted root CA. Anyone who can read cakey.pem can then issue certificates those clients trust, so keep the CA private key protected.





