One: The SSL session process, simplified
(1) The client sends the list of encryption methods it supports and requests the server's certificate;
(2) The server sends its certificate and the encryption method it selected to the client;
(3) The client obtains the certificate and verifies it:
If the CA that issued the certificate is trusted:
(a) Verify the source of the certificate: the CA's digital signature on the certificate is checked with the CA's public key;
(b) Verify the legitimacy of the certificate contents: check that the certificate is complete (its integrity);
(c) Check the validity period of the certificate;
(d) Check whether the certificate has been revoked;
(e) Check that the name of the certificate owner matches the host being visited;
(4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange;
(5) The server uses this session key to encrypt the resource the user requested and responds to the client;
Note: SSL sessions are set up per IP address, so only one HTTPS virtual host can be served on a host with a single IP address.
Two: Configure httpd to support HTTPS
(1) Apply for a digital certificate for the server;
For testing: issue the certificate through a privately built CA
(a) Create a private CA
(b) Create a certificate signing request on the server
(c) Have the CA sign the request
(2) Configure httpd to support SSL and to use the certificate;
# yum -y install mod_ssl
Configuration file: /etc/httpd/conf.d/ssl.conf
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
(3) Test HTTPS access to the corresponding host;
# openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
Three: The experimental process:
(1) Create the CA certificate
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
# touch /etc/pki/CA/index.txt
# echo 01 > /etc/pki/CA/serial
(The serial file must hold the first serial number to issue; an empty file makes openssl ca fail.)
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 7300
(cacert.pem is written to /etc/pki/CA, where the default openssl.cnf expects the CA certificate.)
Switch to the httpd service host:
# mkdir /etc/httpd/certs
# (umask 077; openssl genrsa -out /etc/httpd/certs/httpd.key 2048)
# openssl req -new -key /etc/httpd/certs/httpd.key -out /etc/httpd/certs/httpd.csr
(The key and the request are kept in /etc/httpd/certs, the directory the ssl.conf below points at; -x509 is not used here because a signing request, not a self-signed certificate, is wanted.)
Send the signing request to the CA host:
# scp /etc/httpd/certs/httpd.csr root@CA-HOST:/tmp
(CA-HOST stands for the CA host's address, which is obscured in the source.)
# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/www.zenghui.wang.crt -days 365
Copy the signed certificate back to the httpd host under the name ssl.conf uses:
# scp /etc/pki/CA/certs/www.zenghui.wang.crt 199.100.77.135:/etc/httpd/certs/httpd.crt
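An added example, not code from the original post: it carries out the three steps of section Three (create a CA, create the request, have the CA sign it) in a throwaway directory, then runs the client-side checks (a) through (e) from section One against the issued certificate with the openssl command-line tool, and finally revokes the certificate to show check (d) turning negative. The hostname www.example.test, the CA name "Demo Private CA", the mktemp paths and the function names are all constructed for the example; it needs only openssl (1.0.2 or newer) and a POSIX shell.

```shell
#!/bin/sh
# Added example, not code from the original post: a throwaway private CA under
# a mktemp directory, a server certificate issued with the same three steps as
# section Three (genrsa -> req -new -> ca), then the client-side checks (a)-(e)
# from section One run against it. Hostname, CA name and paths are constructed.
SRV_NAME="www.example.test"   # constructed; stands in for the post's www.zenghui.wang

# Section Three, step (1): CA key, self-signed CA certificate, and the index and
# serial files that 'openssl ca' keeps its issuance database in.
make_ca() {
    WORK=$(mktemp -d) || return 1
    CA="$WORK/CA"
    mkdir -p "$CA/private" "$CA/certs" "$CA/newcerts" "$CA/crl"
    touch "$CA/index.txt"         # database of issued certificates
    echo 01 > "$CA/serial"        # next serial number: must hold a number, not be empty
    echo 01 > "$CA/crlnumber"     # next CRL number
    # Minimal config so 'openssl req' and 'openssl ca' do not depend on the system openssl.cnf.
    cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $CA
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/cacert.pem
private_key        = \$dir/private/cakey.pem
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = demo_policy
[ demo_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
[ v3_server ]
subjectAltName     = DNS:$SRV_NAME
EOF
    (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 >/dev/null 2>&1) || return 1
    openssl req -new -x509 -days 7300 -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
        -subj "/CN=Demo Private CA" -config "$CA/openssl.cnf" -extensions v3_ca >/dev/null 2>&1
}

# Section Three, step (2): server key and CSR, then the CA signs the request.
issue_server_cert() {
    SRV_KEY="$WORK/httpd.key"; SRV_CSR="$WORK/httpd.csr"; SRV_CRT="$WORK/httpd.crt"
    (umask 077; openssl genrsa -out "$SRV_KEY" 2048 >/dev/null 2>&1) || return 1
    openssl req -new -key "$SRV_KEY" -out "$SRV_CSR" -subj "/CN=$SRV_NAME" \
        -config "$CA/openssl.cnf" >/dev/null 2>&1 || return 1
    # -batch answers the sign/commit prompts; v3_server puts the host name in a SAN.
    openssl ca -config "$CA/openssl.cnf" -batch -notext -days 365 -extensions v3_server \
        -in "$SRV_CSR" -out "$SRV_CRT" >/dev/null 2>&1
}
publish_crl()        { openssl ca -config "$CA/openssl.cnf" -gencrl -out "$CA/crl/ca.crl" >/dev/null 2>&1; }
revoke_server_cert() { openssl ca -config "$CA/openssl.cnf" -revoke "$SRV_CRT" >/dev/null 2>&1 && publish_crl; }

# Section One, step (3): the client's checks. Each returns 0 when the check passes.
# (a)+(b) the CA signature verifies with the CA public key and the content is intact
check_chain()       { openssl verify -CAfile "$CA/cacert.pem" "$1" >/dev/null 2>&1; }
# (c) validity period: -checkend 0 fails once notAfter has passed
check_validity()    { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }
# (d) revocation: verify against the CA certificate plus its current CRL
check_not_revoked() { openssl verify -crl_check -CAfile "$CA/cacert.pem" -CRLfile "$CA/crl/ca.crl" "$1" >/dev/null 2>&1; }
# (e) the name in the certificate (SAN, else CN) matches the host being visited
check_hostname()    { openssl verify -CAfile "$CA/cacert.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
# Extra: the pair given to SSLCertificateFile / SSLCertificateKeyFile belongs together
key_matches_cert()  { [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]; }

# expect <0|1> <check> [args]: print the outcome and record any mismatch in $failed
expect() {
    want=$1; shift
    if "$@"; then got=0; else got=1; fi
    if [ "$got" = "$want" ]; then echo "ok   $*"; else echo "FAIL $*"; failed=1; fi
}

# End to end: issue, run the checks, then revoke and show check (d) turning negative.
run_demo() {
    failed=0
    make_ca && issue_server_cert && publish_crl || return 1
    expect 0 check_chain "$SRV_CRT"
    expect 0 check_validity "$SRV_CRT"
    expect 0 check_hostname "$SRV_CRT" "$SRV_NAME"
    expect 1 check_hostname "$SRV_CRT" "other.example.test"   # wrong host must be rejected
    expect 0 check_not_revoked "$SRV_CRT"
    expect 0 key_matches_cert "$SRV_KEY" "$SRV_CRT"
    revoke_server_cert || return 1
    expect 1 check_not_revoked "$SRV_CRT"                    # now listed on the CRL
    return $failed
}
run_demo
```

Run it as a script: it prints one ok/FAIL line per check and leaves its files under the mktemp directory for inspection. Against the live server, the openssl s_client call from section Two with -CAfile cacert.pem performs the same chain and validity checks on the certificate httpd presents; the key_matches_cert check is worth running on the httpd host before pointing SSLCertificateFile and SSLCertificateKeyFile at a pair of files.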
For the default Apache httpd configuration: the httpd software does not load the SSL module by default, so the corresponding module package needs to be installed:
# yum install mod_ssl -y
# rpm -qa mod_ssl
mod_ssl-2.2.15-39.el6.centos.x86_64
After installation, the configuration file /etc/httpd/conf.d/ssl.conf exists; HTTPS is configured in this file:
Configure the ssl.conf file; the important settings are the following:
# vim /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
<VirtualHost 172.16.31.31:443>
    DocumentRoot "/web/vhosts/www2"
    ServerName www2.stu31.com:443
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/httpd.crt
    SSLCertificateKeyFile /etc/httpd/certs/httpd.key
</VirtualHost>
Test the configuration file syntax:
# httpd -t
Syntax OK
Restart the httpd service:
# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
View the port the service is listening on:
# ss -tunl | grep 443
tcp LISTEN 0 :::443 :::*
To test on the Windows side:
First install the CA server's certificate into Windows: send cacert.pem to Windows, rename it to cacert.crt, and install the certificate:
This article is from the "Good study, day up" blog; please be sure to keep this source: http://wangzenghui.blog.51cto.com/9702487/1696463
Linux implements HTTPS access to the site