How to configure a secure HTTP service: this walkthrough makes a web service more secure by putting it behind HTTPS, and along the way shows how a CA works.
HTTP + SSL = HTTPS
Configure the CA server
================================================================================
1. On the CA host (172.16.1.2), generate the CA's own public/private key pair and have the CA self-sign its certificate (done by the CA script).
CA server configuration
Create the CA certificate, then have the CA sign and verify server certificates
vim /etc/pki/tls/openssl.cnf ----------- set the CA directory
(line 45) dir = /etc/pki/CA
vim /etc/pki/tls/misc/CA --------------- set the CA directory used by the script
(line 42) CATOP=/etc/pki/CA
vim /etc/pki/tls/openssl.cnf ---------- allow self-signed CA certificates
# basicConstraints = CA:FALSE
basicConstraints = CA:TRUE
/etc/pki/tls/misc/CA -newca --------- create a new CA
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
...
...
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: ------------------- set the pass phrase (123456)
Verifying - Enter PEM pass phrase: --------------- enter the pass phrase again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN ------------------ country
State or Province Name (full name) [Berkshire]:BEIJING ------------- state or province
Locality Name (eg, city) [Newbury]:BJ -------------------- city
Organization Name (eg, company) [My Company Ltd]:UPLOOKING ------------ company
Organizational Unit Name (eg, section) []:IT ------------------ department
Common Name (eg, your name or your server's hostname) []:SERVER113 --------- host name
Email Address []:ROOT@UPLOOKING.COM -------------- e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ----------- optional; left blank here
An optional company name []: ------------ optional; left blank here
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: ---------- enter the pass phrase set above (123456)
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 30 05:49:33 2013 GMT
Not After : Mar 29 05:49:33 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = UPLOOKING
organizationalUnitName = IT
commonName = SERVER113
emailAddress = ROOT@UPLOOKING.COM
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
3A:85:EC:6B:00:D4:3F:91:F3:6B:14:47:4D:3F:02:52:6F:BC:93:85
X509v3 Authority Key Identifier:
keyid:3A:85:EC:6B:00:D4:3F:91:F3:6B:14:47:4D:3F:02:52:6F:BC:93:85
Certificate is to be certified until Mar 29 05:49:33 2016 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@localhost tls]# ls /etc/pki/CA/private/./cakey.pem ------- # CA private key
[root@localhost tls]# ls /etc/pki/CA/cacert.pem ----------- # CA certificate
[root@localhost tls]# ls /etc/pki/CA/careq.pem ---------- # CA certificate request
Configure the web server
================================================================================
The web server generates its own private key
[root@node1 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key (use des3 to encrypt the private key)
Generating RSA private key, 512 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key: ---------- set a pass phrase for the new private key (123456)
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: -------- enter 123456 again
[root@localhost conf.d]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr ----- generate a certificate signing request (the server's identity plus its public key)
Enter pass phrase for /etc/httpd/conf.d/server.key: ------------- enter the private key's pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----- The following fields must be consistent with the CA's.
Country Name (2 letter code) [GB]:CN --------------- must match the CA
State or Province Name (full name) [Berkshire]:BEIJING -------- must match the CA
Locality Name (eg, city) [Newbury]:BJ ----------- must match the CA
Organization Name (eg, company) [My Company Ltd]:UPLOOKING ------- must match the CA
Organizational Unit Name (eg, section) []:IT --------
Common Name (eg, your name or your server's hostname) []:SERVER --------- the server's own name; not required to match the CA
Email Address []:name@UPLOOKING.COM ------ differs from the CA's
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node1 ~]# scp /tmp/server.csr node2:/tmp/ ----------- send the certificate request to the CA (when the CA runs on another machine, copy the request over)
The CA server digitally signs the certificate request
================================================================================
[root@localhost CA]# cp /etc/pki/CA/cacert.pem /etc/CA/ --------- copy the CA certificate
[root@localhost CA]# cp /etc/pki/CA/private/./cakey.pem /etc/CA/private/ ------- copy the CA's private key
[root@node2 CA]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt --------- server.crt is the name of the certificate being issued
/etc/CA/private/cakey.pem ------ the CA's private key
/tmp/server.csr ----------- the web server's certificate request
/etc/CA/cacert.pem --------- the CA certificate
/tmp/server.crt ------------ the certificate issued to the web server
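As an added example (not code from the original post), the CA and web-server steps above condensed into one non-interactive script: it writes a minimal openssl.cnf in a throwaway directory, creates the CA the way CA -newca does, builds the server's encrypted key and request, signs with openssl ca, and then checks three things a practitioner wants before deploying: that the issued server certificate is not itself a CA (the script keeps basicConstraints = CA:FALSE for issued certificates instead of the CA:TRUE edit shown earlier, which would make every server certificate able to sign further certificates), that the certificate matches the private key, and that it chains to cacert.pem. It also submits a request whose State differs from the CA's to show policy_match refusing it, which is the rule behind the "must be consistent with the CA" notes. The work directory, subjects, pass phrases, 2048-bit key size and AES-256 key encryption are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: replays the CA -newca,
# openssl req and openssl ca steps above without prompts, in a throwaway
# directory instead of /etc/pki/CA, so it runs as an unprivileged user.
# Subjects, pass phrases, key sizes and paths below are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CADIR="$WORK/CA"                          # stands in for dir = /etc/pki/CA
CA_PASS="pass:example-ca-passphrase"      # constructed; the post uses 123456
SRV_PASS="pass:example-server-passphrase"

# Minimal openssl.cnf with what 'openssl ca' needs. policy_match is the rule
# behind the post's "must be consistent with the CA" notes: C, ST and O of a
# request must equal the CA's, and fields it does not list (L) are dropped.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CADIR
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
default_md      = sha256
default_days    = 1095
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
# Kept at CA:FALSE. The post's edit to CA:TRUE would let every issued
# server certificate sign further certificates.
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = CA:TRUE
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
commonName = placeholder
EOF
}

# Equivalent of 'CA -newca': encrypted CA key and a self-signed CA:TRUE certificate.
make_ca() {
    rm -rf "$CADIR"
    mkdir -p "$CADIR/private" "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    openssl genrsa -aes256 -passout "$CA_PASS" -out "$CADIR/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$WORK/openssl.cnf" -extensions v3_ca -days 1095 \
        -key "$CADIR/private/cakey.pem" -passin "$CA_PASS" \
        -subj "/C=CN/ST=BEIJING/O=UPLOOKING/OU=IT/CN=EXAMPLE-CA" -out "$CADIR/cacert.pem"
}

# Web server side: encrypted 2048-bit key (the post's default was 512) and a CSR.
make_server_csr() {   # $1 = subject, $2 = key path, $3 = csr path
    openssl genrsa -aes256 -passout "$SRV_PASS" -out "$2" 2048 2>/dev/null
    openssl req -new -config "$WORK/openssl.cnf" -key "$2" -passin "$SRV_PASS" -subj "$1" -out "$3"
}

# CA side: 'openssl ca' as in the post; non-zero status when the request is refused.
sign_csr() {          # $1 = csr path, $2 = certificate path
    openssl ca -batch -notext -config "$WORK/openssl.cnf" -keyfile "$CADIR/private/cakey.pem" \
        -passin "$CA_PASS" -cert "$CADIR/cacert.pem" -in "$1" -out "$2" 2>/dev/null
}

# Prints yes or no: does the certificate carry Basic Constraints CA:TRUE?
is_ca_cert() {
    if openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
    then echo yes; else echo no; fi
}

# Succeeds when the certificate's public key belongs to the encrypted private key.
cert_matches_key() {  # $1 = certificate, $2 = key, $3 = pass phrase source
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -passin "$3" -noout -modulus 2>/dev/null)" ]
}

main() {
    write_config
    make_ca
    echo "cacert.pem is a CA certificate: $(is_ca_cert "$CADIR/cacert.pem")"
    make_server_csr "/C=CN/ST=BEIJING/O=UPLOOKING/OU=IT/CN=SERVER" "$WORK/server.key" "$WORK/server.csr"
    sign_csr "$WORK/server.csr" "$WORK/server.crt"
    echo "server.crt is a CA certificate: $(is_ca_cert "$WORK/server.crt")"
    cert_matches_key "$WORK/server.crt" "$WORK/server.key" "$SRV_PASS" && echo "server.crt matches server.key"
    openssl verify -CAfile "$CADIR/cacert.pem" "$WORK/server.crt"
    make_server_csr "/C=CN/ST=SHANGHAI/O=UPLOOKING/CN=SERVER2" "$WORK/bad.key" "$WORK/bad.csr"
    if sign_csr "$WORK/bad.csr" "$WORK/bad.crt"; then echo "unexpected: mismatched request signed"
    else echo "request with ST=SHANGHAI refused by policy_match"; fi
}
main
```

The script needs only the openssl binary and writes everything under a mktemp directory; to apply the same checks to the real files, run is_ca_cert against /tmp/server.crt and cert_matches_key against /etc/httpd/conf.d/server.key and server.crt before restarting httpd.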
Issue the signed certificate to the web server
[root@node2 CA]# scp /tmp/server.crt node1:/etc/httpd/conf.d/
Configure the web server to support SSL for HTTPS
================================================================================
[root@node1 ~]# yum install mod_ssl
[root@node1 ~]# vim /etc/httpd/conf.d/ssl.conf
(line 112) SSLCertificateFile /etc/httpd/conf.d/server.crt
(line 119) SSLCertificateKeyFile /etc/httpd/conf.d/server.key
The client needs to download the CA certificate and import it into the browser; it then accesses the web server over HTTPS, and the browser checks whether the server's certificate was issued by that CA.
Open Firefox: Edit ------> Preferences -----> Advanced ----> Encryption -----> View Certificates ------> Import --------- import the CA certificate /etc/CA/cacert.pem
[root@localhost mnt]# service httpd restart
Stopping httpd: [ OK ]
Starting httpd: Apache/2.2.3 mod_ssl/2.2.3 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server localhost.localdomain:443 (RSA)
Enter pass phrase: ------------------ enter the private key's pass phrase (123456)
OK: Pass Phrase Dialog successful.
[ OK ]
[root@localhost mnt]#
[root@node1 ~]# netstat -tunpl | grep 443
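As an added example (not from the original post), the browser's check described above reproduced on a single host: openssl s_server stands in for httpd on a loopback port and openssl s_client for the browser. With the CA certificate supplied to the client (the equivalent of importing it into Firefox) the server certificate verifies with return code 0; without it the client reports a non-zero code, which is what the browser turns into a certificate warning. The throwaway CA and server certificate are made with one-shot commands rather than the openssl ca workflow, and the port and subject names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post: shows what importing the CA
# certificate into the browser achieves, using openssl s_server in place of
# httpd and openssl s_client in place of the browser. The CA, key and
# certificate are constructed here; the port and subjects are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-14433}"                 # assumed free loopback port
CA="$WORK/cacert.pem"

# Throwaway CA and server certificate (self-signed CA plus x509 -req, not the
# post's 'openssl ca' workflow; only the client-side trust check matters here).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=EXAMPLE-CA" \
        -keyout "$WORK/cakey.pem" -out "$CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=SERVER" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$CA" -CAkey "$WORK/cakey.pem" \
        -CAcreateserial -out "$WORK/server.crt" 2>/dev/null
}

# Start a TLS listener presenting server.crt, the way httpd does on port 443.
start_server() {
    openssl s_server -accept "$PORT" -cert "$WORK/server.crt" -key "$WORK/server.key" -www >/dev/null 2>&1 &
    SERVER_PID=$!
    trap 'kill $SERVER_PID 2>/dev/null' EXIT
    for _ in 1 2 3 4 5 6 7 8 9 10; do   # wait until the port answers
        echo | openssl s_client -connect "127.0.0.1:$PORT" >/dev/null 2>&1 && return 0
        sleep 1
    done
    return 1
}

# Prints the numeric "Verify return code" the client computed for the server
# certificate; 0 means the chain validated. $1 holds extra s_client options.
client_verify_code() {
    # shellcheck disable=SC2086
    echo | openssl s_client -connect "127.0.0.1:$PORT" $1 2>/dev/null \
        | sed -n 's/.*Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

make_test_pki
start_server
echo "client with the CA certificate imported:    code $(client_verify_code "-CAfile $CA")"
echo "client without the CA certificate imported: code $(client_verify_code "")"
```

Against a real deployment the same check is `echo | openssl s_client -connect SERVER:443 -CAfile /etc/CA/cacert.pem`, read for the Verify return code line; a browser that has not imported cacert.pem behaves like the second client above.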
This article is from the "history_xcy" blog; please keep this link when reproducing it: http://historys.blog.51cto.com/7903899/1296712