Implementing an HTTPS service on CentOS 6.5 with httpd and a self-built CA
Required software: httpd, mod_ssl, OpenSSL
This article sets up the CA certificate server and the httpd server on the same physical machine, as a reference for learning.
The test host in this article has the IP address 192.168.1.100/24.
[[email protected] CA]# httpd -v    # httpd version
Server version: Apache/2.2.15 (Unix)
Server built:   Jul 14:15:00
[[email protected] CA]# uname -r    # kernel version
2.6.32-431.el6.i686
[[email protected] CA]# uname -a    # distribution
Linux jinyongri.com 2.6.32-431.el6.i686 #1 SMP Fri Nov 00:26:36 UTC i686 i686 i386 GNU/Linux
##############################################
# Start working
##############################################
[[email protected] ~]# cd /etc/pki/CA/    # switch to the certificate directory
[[email protected] CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)    # generate the private key for the self-built CA
Generating RSA private key, 2048 bit long modulus
......+++
.....+++
e is 65537 (0x10001)
[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem -days 3655 -out cacert.pem    # create the self-signed CA certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # country
State or Province Name (full name) []:shanghai    # province
Locality Name (eg, city) [Default City]:shanghai    # city
Organization Name (eg, company) [Default Company Ltd]:jinyongri Ltd.    # company name
Organizational Unit Name (eg, section) []:sa    # department
Common Name (eg, your name or your server's hostname) []:ca.jinyongri.com    # host name
Email Address []:[email protected]    # administrator email
[[email protected] CA]# mkdir /etc/httpd/conf/ssl -p    # create the directory for the httpd server's private key and certificate
[[email protected] CA]# (umask 077; openssl genrsa > /etc/httpd/conf/ssl/httpd.key)    # create the httpd private key
Generating RSA private key, 1024 bit long modulus
.....++++++
............++++++
e is 65537 (0x10001)
[[email protected] CA]# cd /etc/httpd/conf/ssl/    # switch to the directory holding the httpd private key
[[email protected] ssl]# openssl req -new -key ./httpd.key -out ./httpd.csr    # create the httpd certificate request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:jinyongri Ltd
Organizational Unit Name (eg, section) []:sa
Common Name (eg, your name or your server's hostname) []:www.jinyongri.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:jinyongri Ltd
[[email protected] ssl]# touch /etc/pki/CA/{index.txt,crlnumber}    # the CA database files that 'openssl ca' requires
[[email protected] ssl]# echo 01 > /etc/pki/CA/serial    # first serial number to issue (the certificate below gets serial 1)
[[email protected] ssl]# openssl ca -in httpd.csr -out httpd.crt -days 3655    # issue the httpd certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 12:16:18 GMT
            Not After : Oct  1 12:16:18 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = shanghai
            organizationName          = jinyongri Ltd
            organizationalUnitName    = sa
            commonName                = www.jinyongri.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BB:A2:68:13:FB:EA:BB:A8:52:D9:6A:AB:02:43:94:40:28:74:72:2A
            X509v3 Authority Key Identifier:
                keyid:5A:68:9C:F6:D1:5D:51:36:A5:95:3C:28:B1:7F:76:F9:9E:69:48:56

Certificate is to be certified until Oct  1 12:16:18 2024 GMT (3655 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] ssl]# yum install -y mod_ssl    # install the httpd mod_ssl module
[[email protected] ssl]# rpm -ql mod_ssl    # see which files were installed
/etc/httpd/conf.d/ssl.conf
/usr/lib/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
[[email protected] ssl]# vim /etc/httpd/conf.d/ssl.conf    # configure the virtual host that uses SSL
# Items to set in the virtual host:
#   ServerName
#   DocumentRoot
# Configure the certificate and private key:
#   SSLCertificateFile      certificate file
#   SSLCertificateKeyFile   key file
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"    # web root directory
ServerName www.jinyongri.com    # must equal the Common Name of the issued certificate
SSLCertificateFile /etc/httpd/conf/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/httpd.key
</VirtualHost>
[[email protected] ssl]# httpd -t    # check the configuration file for syntax errors
Syntax OK
[[email protected] ssl]# service httpd restart    # restart the httpd service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[[email protected] CA]# cp /etc/pki/CA/cacert.pem /etc/pki/CA/cacert.crt    # copy the CA certificate with a .crt extension so that Windows can install it
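Before restarting httpd it is worth confirming that the files the procedure above produced actually fit together. The script below is an added example, not part of the original article: it rebuilds the article's CA and httpd certificate non-interactively in a scratch directory (the subject fields, names and 3655-day lifetime follow the article; `openssl x509 -req` stands in for `openssl ca` so no index.txt/serial database is needed, and the httpd key is 2048 bits instead of the 1024-bit default the article's genrsa produced) and then runs the three checks an operator wants: chain, key/certificate match, and CN versus ServerName.

```shell
#!/bin/sh
# Added example, not part of the original article: rebuild the article's CA and
# httpd certificate non-interactively in a scratch directory, then run the three
# checks worth doing before restarting httpd with the new ssl.conf:
#   1. httpd.crt chains to cacert.pem,
#   2. httpd.key is the private key belonging to httpd.crt,
#   3. the certificate CN equals the ServerName (www.jinyongri.com).
# Subject fields and the 3655-day lifetime follow the article; the httpd key is
# 2048 bits here rather than the 1024-bit default the article's genrsa produced.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_CN="ca.jinyongri.com"
SERVER_CN="www.jinyongri.com"

build_pki() {
    (umask 077; openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$WORK/cakey.pem" -days 3655 -out "$WORK/cacert.pem" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=jinyongri Ltd./OU=sa/CN=$CA_CN"
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/httpd.key" -out "$WORK/httpd.csr" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=jinyongri Ltd/OU=sa/CN=$SERVER_CN"
    # 'openssl x509 -req' stands in for the article's 'openssl ca' so that no
    # index.txt/serial database is needed; serial 1 matches the article's output.
    openssl x509 -req -sha256 -days 3655 -set_serial 1 -in "$WORK/httpd.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -out "$WORK/httpd.crt" 2>/dev/null
}

# 1. Chain check: the same command works against /etc/pki/CA/cacert.pem on the host.
chain_ok() { openssl verify -CAfile "$WORK/cacert.pem" "$WORK/httpd.crt" >/dev/null 2>&1; }

# 2. Key/cert match: the public key inside the cert must equal the one derived from the key.
key_matches() {
    c=$(openssl x509 -in "$WORK/httpd.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$WORK/httpd.key" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 3. CN check: succeeds only when the cert's CN equals the name passed in.
cn_matches() {
    cn=$(openssl x509 -in "$WORK/httpd.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$1" ]
}

build_pki
chain_ok && key_matches && cn_matches "$SERVER_CN" && echo "httpd.crt is ready for ssl.conf"
```

On the real host, point the three check functions at /etc/pki/CA/cacert.pem and /etc/httpd/conf/ssl/httpd.{crt,key}; a CN mismatch is exactly the error the Windows client will later report when the hosts entry and the certificate name differ.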
Testing from a Windows 7 client
Edit C:\Windows\System32\drivers\etc\hosts and add the following line with your own web server IP and test domain name:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
192.168.1.100    www.jinyongri.com    # add this line, set according to your own IP and domain name
Note: this domain name must be the same as the Common Name in the certificate issued by the CA, otherwise the connection will fail with a name error.
If the hosts file cannot be modified, grant the current user write permission on the file.
Download the CA server certificate /etc/pki/CA/cacert.crt that was just copied to the Windows client.