Linux service usage (HTTP + SSL = HTTPS)

Source: Internet
Author: User

How to configure an HTTP service so that it is served over HTTPS, and along the way how a CA works.




HTTP + SSL = HTTPS

Configure the CA Server

========================================================== ======================

1. On the CA host (172.16.1.2), generate the CA's own key pair and have the CA self-sign its own certificate (the /etc/pki/tls/misc/CA script does this for us)



CA Server Configuration



Create the CA certificate; clients will later use it to verify the certificates this CA signs


vim /etc/pki/tls/openssl.cnf ----------- point the CA directory at /etc/pki/CA

45 dir = /etc/pki/CA


vim /etc/pki/tls/misc/CA --------------- point the CA script at the same directory

42 CATOP=/etc/pki/CA


vim /etc/pki/tls/openssl.cnf ---------- allow the CA script to issue a self-signed CA certificate

# basicConstraints=CA:FALSE

basicConstraints=CA:TRUE

(This setting lives in the [ usr_cert ] section, which openssl.cnf applies by default to every certificate that openssl ca signs, not only to the root. Leave it at CA:TRUE only while running CA -newca, then set it back to CA:FALSE before signing the web server's request below. Otherwise the web server's certificate is itself marked as a CA and, chaining to the root the browsers trust, could sign further certificates that those browsers accept.)


/etc/pki/tls/misc/CA -newca --------- create a new CA



CA certificate filename (or enter to create) ---------- press Enter


Making CA certificate...

Generating a 1024 bit RSA private key ---------- the size comes from default_bits in openssl.cnf; 1024 bits is only acceptable in a lab, raise default_bits to 2048 or more before running the script

...

...

writing new private key to '/etc/pki/CA/private/./cakey.pem'

Enter PEM pass phrase: ------------------- set the CA key's passphrase (the lab uses 123456; use a strong one for a real CA)

Verifying - Enter PEM pass phrase: --------------- repeat the passphrase

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]: CN ------------------ Country

State or Province Name (full name) [Berkshire]: BEIJING ------------- State

Locality Name (eg, city) [Newbury]: BJ -------------------- Region

Organization Name (eg, company) [My Company Ltd]: UPLOOKING ------------ company

Organizational Unit Name (eg, section) []: IT ------------------ Department

Common Name (eg, your name or your server's hostname) []: SERVER113 --------- host name (for the CA's own certificate any descriptive name will do)

Email Address []: ROOT@UPLOOKING.COM -------------- mailbox



Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: ----------- optional, press Enter to leave it empty

An optional company name []: ------------ optional, press Enter to leave it empty

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/./cakey.pem: ---------- enter the CA passphrase set above (123456)

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 0 (0x0)

Validity

Not Before: Mar 30 05:49:33 2013 GMT

Not After : Mar 29 05:49:33 2016 GMT

Subject:

countryName = CN

stateOrProvinceName = BEIJING

organizationName = UPLOOKING

organizationalUnitName = IT

commonName = SERVER113

emailAddress = ROOT@UPLOOKING.COM

(localityName = BJ was typed at the prompt but is missing here: it is not listed in the [ policy_match ] section of openssl.cnf, and openssl ca silently drops any field the policy does not mention.)

X509v3 extensions:

X509v3 Basic Constraints:

CA:TRUE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

3A:85:EC:6B:00:D4:3F:91:F3:6B:14:47:4D:3F:02:52:6F:BC:93:85

X509v3 Authority Key Identifier:

keyid:3A:85:EC:6B:00:D4:3F:91:F3:6B:14:47:4D:3F:02:52:6F:BC:93:85


Certificate is to be certified until Mar 29 05:49:33 2016 GMT (1095 days)


Write out database with 1 new entries

Data Base Updated



[root@localhost tls]# ls /etc/pki/CA/private/cakey.pem ------- the CA private key (keep it mode 0600, readable by root only)

[root@localhost tls]# ls /etc/pki/CA/cacert.pem ----------- the CA certificate (public; this is what clients import)

[root@localhost tls]# ls /etc/pki/CA/careq.pem ---------- the CA's own certificate request




Configure web Servers

========================================================== ========================================================

The web server generates its own private key

[root@node1 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key ----- -des3 encrypts the private key under a passphrase. Note that no key size was given, so this OpenSSL fell back to its 512-bit default (see the output below); 512-bit RSA is trivially factorable, so append 2048 (or larger) to the command in practice

Generating RSA private key, 512 bit long modulus

...

...

e is 65537 (0x10001)

Enter pass phrase for /etc/httpd/conf.d/server.key: ---------- set the private key's passphrase (lab value 123456)

Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: -------- enter 123456 again



[root@localhost conf.d]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr ----- generate a certificate signing request (the server's identity plus its public key, signed with its private key)


Enter pass phrase for /etc/httpd/conf.d/server.key: ------------- enter the private key's passphrase

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

----- The default signing policy in openssl.cnf ([ policy_match ]) requires countryName, stateOrProvinceName and organizationName to be identical to the CA certificate, otherwise openssl ca refuses the request; the remaining fields may differ.

Country Name (2 letter code) [GB]: CN --------------- must match the CA

State or Province Name (full name) [Berkshire]: BEIJING -------- must match the CA

Locality Name (eg, city) [Newbury]: BJ ----------- not part of the policy, so it is dropped from the issued certificate

Organization Name (eg, company) [My Company Ltd]: UPLOOKING ------- must match the CA

Organizational Unit Name (eg, section) []: IT -------- optional

Common Name (eg, your name or your server's hostname) []: SERVER --------- must be the host name clients will type into the browser, since the browser compares it with the URL; it does not have to match the CA's CN

Email Address []: name@UPLOOKING.COM ------ may differ from the CA's


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:



[root@node1 ~]# scp /tmp/server.csr node2:/tmp/ ----------- send the certificate request to the CA (needed when the CA runs on a separate machine). Only the request travels; server.key never leaves the web server




The CA Server digitally signs the certificate request

========================================================== ============================================

[root@localhost CA]# cp /etc/pki/CA/cacert.pem /etc/CA/ --------- copy the CA certificate

[root@localhost CA]# cp /etc/pki/CA/private/cakey.pem /etc/CA/private/ ------- copy the CA private key (keep it mode 0600 and owned by root: whoever can read it can issue certificates every client that imported cacert.pem will trust)


[root@node2 CA]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt --------- signs the request and writes the certificate to server.crt (the index.txt database and serial file are still taken from dir = /etc/pki/CA in openssl.cnf; -keyfile and -cert only override the key and certificate)


/etc/CA/private/cakey.pem ------ the CA's private key

/tmp/server.csr ----------- the http server's certificate request

/etc/CA/cacert.pem --------- the CA certificate

/tmp/server.crt ------------ the issued certificate for the http server
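The whole CA side of the page (the CA -newca step, the server request, and the openssl ca signing above) as one runnable script. This is an added example, not code from the original post: it rebuilds the flow in a scratch directory with the checks a practitioner runs before the files go to the web server, and it shows why the request's C/ST/O must match the CA. Assumptions of ours: openssl is on PATH; keys are 2048-bit and AES-encrypted instead of DES3; the CA lives under $WORK/CA instead of /etc/pki/CA; the host name node1.uplooking.com is made up; the passphrase 123456 is the page's lab value.

```bash
#!/bin/bash
# Added example, not the original post's code: CA -> CSR -> `openssl ca`
# rebuilt in a scratch directory, plus the checks to run on the result.
# Assumptions: `openssl` on PATH; 2048-bit AES-encrypted keys instead of DES3;
# $WORK/CA instead of /etc/pki/CA; a made-up server host name; lab passphrase 123456.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CATOP="$WORK/CA"                # stands in for /etc/pki/CA
CNF="$WORK/openssl.cnf"         # stands in for /etc/pki/tls/openssl.cnf
CA_PASS="123456"; SRV_PASS="123456"
SRV_CN="node1.uplooking.com"    # hypothetical host name clients will type into the browser

# Same layout `CA -newca` creates: index.txt database, serial counter, newcerts/.
setup_ca_dirs() {
    mkdir -p "$CATOP/newcerts" "$CATOP/private"
    chmod 700 "$CATOP/private"
    : > "$CATOP/index.txt"
    echo 01 > "$CATOP/serial"
}

# Equivalent of the page's "dir = /etc/pki/CA" edit. Instead of flipping
# basicConstraints to CA:TRUE for everything, the root is issued with [ v3_ca ]
# and leaf certificates keep [ usr_cert ] with CA:FALSE.
write_cnf() {
    cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $CATOP
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# CA -newca: passphrase-protected CA key and a self-signed root (1095 days, as on the page).
make_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CATOP/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$CNF" -extensions v3_ca -days 1095 -sha256 \
        -key "$CATOP/private/cakey.pem" -passin "pass:$CA_PASS" \
        -subj "/C=CN/ST=BEIJING/L=BJ/O=UPLOOKING/OU=IT/CN=SERVER113/emailAddress=ROOT@UPLOOKING.COM" \
        -out "$CATOP/cacert.pem"
}
# Web server side: `openssl genrsa` + `openssl req -new`; $1 is the subject DN.
make_server_csr() {
    openssl genrsa -aes256 -passout "pass:$SRV_PASS" -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -config "$CNF" -key "$WORK/server.key" -passin "pass:$SRV_PASS" \
        -subj "$1" -out "$WORK/server.csr"
}
# CA side: the page's `openssl ca -keyfile ... -cert ... -in server.csr -out server.crt`.
sign_csr() {
    openssl ca -config "$CNF" -batch -passin "pass:$CA_PASS" \
        -keyfile "$CATOP/private/cakey.pem" -cert "$CATOP/cacert.pem" \
        -in "$WORK/server.csr" -out "$WORK/server.crt"
}
# Checks: chain verifies, only the root is a CA, server.key belongs to server.crt.
chain_ok()   { openssl verify -CAfile "$CATOP/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1; }
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/server.crt" -noout -modulus)" = \
      "$(openssl rsa -in "$WORK/server.key" -passin "pass:$SRV_PASS" -noout -modulus 2>/dev/null)" ]
}

main() {
    setup_ca_dirs; write_cnf; make_ca
    # A request whose O differs from the CA's is refused by policy_match.
    make_server_csr "/C=CN/ST=BEIJING/L=BJ/O=OTHER/OU=IT/CN=$SRV_CN"
    if sign_csr 2>/dev/null; then echo "BUG: policy_match accepted O=OTHER"; return 1; fi
    # Matching C/ST/O and the real host name as CN: signed.
    make_server_csr "/C=CN/ST=BEIJING/L=BJ/O=UPLOOKING/OU=IT/CN=$SRV_CN/emailAddress=name@UPLOOKING.COM"
    sign_csr
    chain_ok                        || { echo "chain does not verify"; return 1; }
    is_ca_cert "$CATOP/cacert.pem"  || { echo "root is not marked CA:TRUE"; return 1; }
    ! is_ca_cert "$WORK/server.crt" || { echo "server cert is wrongly marked CA:TRUE"; return 1; }
    key_matches_cert                || { echo "server.key does not match server.crt"; return 1; }
    echo "issued $WORK/server.crt for $SRV_CN; next serial $(cat "$CATOP/serial")"
}
main
```

The rejected first request is the point of the "must be consistent with the CA" remark: openssl ca compares C, ST and O against the CA certificate and exits non-zero when they differ, while L (not in the policy) is simply dropped and CN and email are taken as supplied. The modulus comparison is the check to run on the web server before restarting httpd, since mod_ssl fails to start when SSLCertificateFile and SSLCertificateKeyFile do not belong together.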









Issue the signed digital certificate to the web server

[root@node2 CA]# scp /tmp/server.crt node1:/etc/httpd/conf.d/


Configure web to support ssl for https

========================================================== ========================================================

[root@node1 ~]# yum install mod_ssl

[root@node1 ~]# vim /etc/httpd/conf.d/ssl.conf


112 SSLCertificateFile /etc/httpd/conf.d/server.crt

119 SSLCertificateKeyFile /etc/httpd/conf.d/server.key

(server.key must be readable only by root: chmod 600 /etc/httpd/conf.d/server.key. While in ssl.conf, also make sure SSLProtocol all -SSLv2 -SSLv3 is set so the server does not negotiate the broken protocol versions this mod_ssl still supports.)



The client must fetch the CA certificate and import it into the browser. It then accesses the site over https, and the browser checks whether the web server's certificate was

issued by that CA (and whether its Common Name matches the host name in the URL)

In Firefox: Edit ------> Preferences -----> Advanced ----> Encryption -----> View Certificates ------> Import --------- import the CA certificate /etc/CA/cacert.pem (only cacert.pem is handed out; the CA private key never leaves the CA host)



[root@localhost mnt]# service httpd restart

Stopping httpd: [OK]

Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide the pass phrases.


Server localhost.localdomain:443 (RSA)

Enter pass phrase: ------------------ enter the private key's passphrase (123456 above)


OK: Pass Phrase Dialog successful.

[OK]

[root@localhost mnt]#

(Because server.key is encrypted, httpd asks for this passphrase on every start, so the service does not come back after an unattended reboot. Either accept that, or keep a decrypted copy of the key that only root can read and point SSLCertificateKeyFile at it.)
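An added example (ours, not from the original post) of the passphrase trade-off behind the prompt above: the encrypted key cannot be loaded without its passphrase, which is what mod_ssl runs into at start-up, while a decrypted copy lets httpd start unattended and must therefore be created root-only. It assumes openssl is on PATH, uses a scratch directory in place of /etc/httpd/conf.d, encrypts with AES instead of the page's DES3, and takes 123456 as the page's lab passphrase.

```bash
#!/bin/bash
# Added example, not the original post's code. Assumptions: `openssl` on PATH;
# scratch directory instead of /etc/httpd/conf.d; AES instead of DES3; lab passphrase 123456.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="123456"
ENC_KEY="$WORK/server.key"            # what `openssl genrsa -des3` produced on the page
PLAIN_KEY="$WORK/server.key.nopass"   # candidate for SSLCertificateKeyFile

# Stand-in for the page's key generation (2048-bit, passphrase-protected).
openssl genrsa -aes256 -passout "pass:$PASS" -out "$ENC_KEY" 2048 2>/dev/null

# Try to load a key with the given passphrase; this is what mod_ssl does at start-up.
key_loads_with() { openssl rsa -in "$1" -passin "pass:$2" -noout 2>/dev/null; }

# Write the decrypted copy under umask 077 so it is never world-readable, not even briefly.
strip_passphrase() { (umask 077 && openssl rsa -in "$1" -passin "pass:$PASS" -out "$2" 2>/dev/null); }

# Octal mode of a file (GNU stat first, BSD stat as fallback).
perms_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

main() {
    if key_loads_with "$ENC_KEY" wrong; then echo "BUG: encrypted key loaded with a wrong passphrase"; return 1; fi
    key_loads_with "$ENC_KEY" "$PASS" || { echo "correct passphrase rejected"; return 1; }
    strip_passphrase "$ENC_KEY" "$PLAIN_KEY"
    key_loads_with "$PLAIN_KEY" ignored || { echo "decrypted key unusable"; return 1; }
    [ "$(perms_of "$PLAIN_KEY")" = "600" ] || { echo "decrypted key is not mode 600"; return 1; }
    echo "$PLAIN_KEY is ready for SSLCertificateKeyFile (mode $(perms_of "$PLAIN_KEY"))"
}
main
```

With the decrypted copy in place, SSLCertificateKeyFile points at it and httpd restarts without the dialog; the cost is that the key now protects itself only through file permissions, so the 0600 check is the one that matters.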





[root@node1 ~]# netstat -tunpl | grep 443 ------- confirm httpd is now listening on tcp/443


This article is from the "history_xcy" blog; please keep the link to the original: http://historys.blog.51cto.com/7903899/1296712
