Step-by-step: implementing HTTPS with Apache on a Linux system (detailed)

Source: Internet
Author: User
Tags: install openssl

HTTPS provides secure web traffic.
The principles are covered in the companion post: http://stlong.blog.51cto.com/5144113/1730771

1) Configure the domain name to support the CA (on the DNS server, 192.168.100.100 in this lab):
[root@192.168.100.100 ~]# vim /var/named/chroot/var/named/sggfu.com.zone    ## add a host record for the CA server
ca      IN  A   192.168.100.151
:wq
[root@192.168.100.100 ~]# /etc/init.d/named restart    ## restart the service
[root@192.168.100.100 ~]# nslookup
> server 192.168.100.100
Default server: 192.168.100.100
Address: 192.168.100.100#53
> ca.sggfu.com
Server:     192.168.100.100
Address:    192.168.100.100#53

Name:   ca.sggfu.com
Address: 192.168.100.151
> exit

2) Configure the CA server (192.168.100.151):
A. Clone a virtual machine from the parent disk, name it the CA server, and change the following:
[root@ca ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0c:29:75:e6:eb
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.100.151
NETMASK=255.255.255.0
DNS1=192.168.100.100
GATEWAY=192.168.100.100
:wq

[root@ca ~]# vim /etc/sysconfig/network
HOSTNAME=ca.sggfu.com
:wq

[root@ca ~]# vim /etc/udev/rules.d/70-persistent-net.rules    ## the clone has a new MAC address: delete the stale eth0 entry and rename the eth1 entry to eth0 (its MAC is the HWADDR used above)
[root@ca ~]# reboot
B. Configure the CA:
[root@ca ~]# hostname
ca.sggfu.com
[root@ca ~]# yum -y install openssl openssl-devel    ## install openssl
[root@ca ~]# rpm -ql openssl
/etc/pki/CA
/etc/pki/CA/certs           ## issued certificates
/etc/pki/CA/crl             ## revoked certificates (CRLs)
/etc/pki/CA/newcerts        ## newly issued certificates
/etc/pki/CA/private         ## private keys
/etc/pki/tls/openssl.cnf    ## main configuration file
/usr/bin/openssl            ## main program
[root@ca ~]# vim /etc/pki/tls/openssl.cnf    ## edit the main configuration file; ":set nu" shows line numbers
[ CA_default ]                              ## the CA section; the stock paths below match the directories above and are left as they are
dir             = /etc/pki/CA               # Where everything is kept
certs           = $dir/certs                # Where the issued certs are kept
crl_dir         = $dir/crl                  # Where the issued crl are kept
database        = $dir/index.txt            # database index file.
#unique_subject = no                        # Set to 'no' to allow creation of
                                            # several certificates with same subject.
new_certs_dir   = $dir/newcerts             # default place for new certs.

certificate     = $dir/cacert.pem           # The CA certificate
serial          = $dir/serial               # The current serial number
crlnumber       = $dir/crlnumber            # the current crl number
                                            # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem              # The current CRL
private_key     = $dir/private/cakey.pem    # The private key

[ req_distinguished_name ]                  ## change the defaults; the CA's default policy (policy_match) requires C, ST and O of every request to equal the CA certificate's, so the same defaults are reused on the web server later
countryName                     = Country Name (2 letter code)
countryName_default             = CN                ## set the country
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Beijing           ## set the province

localityName                    = Locality Name (eg, city)
localityName_default            = Beijing           ## set the city

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = sggfu.com         ## set the organization name

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = tech              ## set the department
:wq
[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# ls private/
[root@ca CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)    ## generate the private key; the umask in the subshell creates it with mode 600
Generating RSA private key, 2048 bit long modulus
....................+++
...........................................................................................+++
e is 65537 (0x10001)
[root@ca CA]# ls -l private/    ## check the private key and its permissions
total 4
-rw-------. 1 root root 1679 Jan  2 20:09 cakey.pem
[root@ca CA]#
[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650    ## generate the self-signed (root) certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [sggfu.com]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:ca.sggfu.com    ## enter the CA server's hostname
Email Address []:[email protected]
[root@ca CA]# ls -l cacert.pem
-rw-r--r--. 1 root root 1419 Jan  2 20:13 cacert.pem
[root@ca CA]#

[root@ca CA]# mkdir -p certs crl newcerts    ## the package already created these; harmless if they exist
[root@ca CA]# touch index.txt    ## certificate index (the CA database)
[root@ca CA]# echo 01 > serial   ## next certificate serial number, in hex; the file must not be empty, or "openssl ca" fails with "unable to load number from serial"
[root@ca CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@ca CA]#

3) Configure the web server to support HTTPS:
A. Generate a key and a certificate signing request (CSR) for the web server (on 192.168.100.150):
[root@192.168.100.150 ~]# mkdir /usr/local/httpd/conf/ssl
[root@192.168.100.150 ~]# cd /usr/local/httpd/conf/ssl/
[root@192.168.100.150 ssl]# (umask 077; openssl genrsa 2048 > httpd.key)
[root@192.168.100.150 ssl]# scp root@192.168.100.151:/etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf    ## copy the CA's openssl.cnf so the request gets the same C/ST/O defaults; the CA's default policy rejects a request whose values differ from the CA certificate
[root@192.168.100.150 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [sggfu.com]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:www.sggfu.com    ## must be the hostname clients will type; without SNI only one HTTPS virtual host can be served per IP:port, so use that site's name
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    ## an optional CSR attribute; leave it empty and press Enter
An optional company name []:
[root@192.168.100.150 ssl]#
[root@192.168.100.150 ssl]# scp httpd.csr root@192.168.100.151:/tmp    ## copy the CSR to the CA server

B. Log in to 192.168.100.151 and issue a certificate for the web server:
[root@ca CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650    ## issue httpd.crt; answer y when asked to sign the certificate and again to commit the database entry
[root@ca CA]# ls /tmp/httpd.c*    ## check
/tmp/httpd.crt  /tmp/httpd.csv
[root@ca CA]# scp /tmp/httpd.crt root@192.168.100.150:/usr/local/httpd/conf/ssl    ## copy the certificate to the web server
[root@ca CA]# rm -rf /tmp/httpd.*    ## remove the copies left in /tmp; the issued certificate is also recorded in /etc/pki/CA/newcerts and index.txt
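The CA build (step 2B) and the request/issue cycle (steps 3A and 3B) can be run end to end without any prompts, which is the form worth keeping as a script. The block below is an added example, not the article's own commands: it uses a scratch directory instead of /etc/pki/CA, writes its own minimal openssl.cnf (the policy_match section mirrors the stock CA_default policy), and adds a subjectAltName to the server certificate, which the article's CSR lacks and which browsers require (Chrome has ignored the Common Name since version 58). Host names and DN values are the article's; every path, the config file and the helper names are assumptions of this script.

```shell
#!/bin/sh
# Added example (not code from the original article): steps 2B, 3A and 3B
# run non-interactively in a scratch directory instead of /etc/pki/CA.
# Host names and DN fields are the article's; the paths, the config file
# and the v3_server extensions are this script's own assumptions.
set -e

# Minimal openssl.cnf for the CA at $1.  policy_match mirrors the stock
# CA_default policy: C, ST and O of a request must equal the CA's own, which
# is why the article copies openssl.cnf to the web server before the CSR.
write_ca_config() {
    ca="$1"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
new_certs_dir = $ca/newcerts
database      = $ca/index.txt
serial        = $ca/serial
certificate   = $ca/cacert.pem
private_key   = $ca/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.sggfu.com
EOF
}

# build_ca CADIR: private key (mode 600), self-signed root certificate, and
# the index/serial files openssl ca needs.  The serial file must hold a hex
# number: an empty one (echo > serial) makes openssl ca fail.
build_ca() {
    ca="$1"
    mkdir -p "$ca/private" "$ca/newcerts"
    write_ca_config "$ca"
    : > "$ca/index.txt"
    echo 01 > "$ca/serial"
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca/openssl.cnf" -days 3650 \
        -key "$ca/private/cakey.pem" -out "$ca/cacert.pem" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=sggfu.com/OU=tech/CN=ca.sggfu.com"
}

# issue_server_cert CADIR WEBDIR: web server key and CSR for www.sggfu.com,
# signed by the CA with the v3_server extensions (SAN included).
issue_server_cert() {
    ca="$1"; web="$2"
    mkdir -p "$web"
    (umask 077; openssl genrsa -out "$web/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$ca/openssl.cnf" \
        -key "$web/httpd.key" -out "$web/httpd.csr" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=sggfu.com/OU=tech/CN=www.sggfu.com"
    openssl ca -config "$ca/openssl.cnf" -batch -notext -days 3650 \
        -extensions v3_server -in "$web/httpd.csr" -out "$web/httpd.crt" 2>/dev/null
}

# verify_chain CAFILE CERT: succeeds only if CERT chains to CAFILE and
# names www.sggfu.com in its SAN, i.e. what a client trusting cacert.crt checks.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 &&
        openssl x509 -in "$2" -noout -text | grep -q 'DNS:www.sggfu.com'
}

# Stand-alone demo: sh ca-demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    build_ca "$work/ca"
    issue_server_cert "$work/ca" "$work/web"
    verify_chain "$work/ca/cacert.pem" "$work/web/httpd.crt" && echo "httpd.crt: OK (files in $work)"
fi
```

After the certificate is installed, the same check can be made against the live server from any host that has cacert.crt: openssl s_client -connect www.sggfu.com:443 -CAfile cacert.crt should report "Verify return code: 0 (ok)"; any other code means the browser will warn as well.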

C. Modify the web server configuration file (log in to 192.168.100.150):
[root@192.168.100.150 ~]# cd /usr/local/httpd/conf/extra/
[root@192.168.100.150 extra]# cp httpd-ssl.conf httpd-ssl.conf.bak    ## back up the SSL configuration first
[root@192.168.100.150 extra]# vim httpd-ssl.conf    ## change the following lines; the rest of the stanza stays as shipped
<VirtualHost 192.168.100.150:443>
DocumentRoot "/usr/local/httpd/htdocs/sggfu/"    ## must be the same document root as the HTTP site
ServerName www.sggfu.com:443
ServerAdmin [email protected]
ErrorLog "/usr/local/httpd/logs/error_log"
TransferLog "/usr/local/httpd/logs/access_log"
SSLEngine on    ## make sure this is on; it enables HTTPS for the virtual host
SSLCertificateFile "/usr/local/httpd/conf/ssl/httpd.crt"    ## path to the certificate
SSLCertificateKeyFile "/usr/local/httpd/conf/ssl/httpd.key"    ## path to the private key, which must be guarded carefully (mode 600, owned by root)
:wq
[root@192.168.100.150 extra]# vim /usr/local/httpd/conf/httpd.conf    ## edit the main configuration file so it pulls in httpd-ssl.conf (uncomment the Include line)
Include conf/extra/httpd-ssl.conf
:wq
[root@192.168.100.150 extra]# /etc/init.d/httpd restart    ## restart httpd
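For reference, here is the complete HTTPS virtual host as an added example, not the article's own configuration file: the paths and names are the article's, while the protocol and cipher settings and the port-80 virtual host that forwards visitors to HTTPS are assumptions added here. The forwarding rule deliberately leaves cacert.crt reachable over plain HTTP, since step 4 hands out the root certificate from the same site.

```apache
# Added example, not the article's own httpd-ssl.conf.  Article paths and
# names; SSLProtocol/SSLCipherSuite and the :80 virtual host are assumptions.
Listen 443
SSLProtocol        all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite     HIGH:!aNULL:!MD5

<VirtualHost 192.168.100.150:443>
    ServerName    www.sggfu.com:443
    ServerAdmin   [email protected]
    DocumentRoot  "/usr/local/httpd/htdocs/sggfu/"
    ErrorLog      "/usr/local/httpd/logs/error_log"
    TransferLog   "/usr/local/httpd/logs/access_log"

    SSLEngine on
    SSLCertificateFile    "/usr/local/httpd/conf/ssl/httpd.crt"
    SSLCertificateKeyFile "/usr/local/httpd/conf/ssl/httpd.key"   # mode 600, root only
</VirtualHost>

# Plain-HTTP visitors are sent to HTTPS, except for the root certificate
# download, which a new client must be able to fetch before it trusts the site.
<VirtualHost 192.168.100.150:80>
    ServerName    www.sggfu.com
    DocumentRoot  "/usr/local/httpd/htdocs/sggfu/"
    RedirectMatch permanent "^/(?!cacert\.crt$)(.*)" "https://www.sggfu.com/$1"
</VirtualHost>
```

Run apachectl configtest before the restart so a typo in the paths does not take the site down. The article's note that only one HTTPS site is possible holds for one IP:port without SNI; Apache 2.2.12 or later built against an OpenSSL with TLS extension support can serve several HTTPS virtual hosts on the same address, each with its own certificate.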

4) Share the root certificate:
[root@192.168.100.150 ~]# cd /usr/local/httpd/htdocs/sggfu/
[root@192.168.100.150 sggfu]# scp root@192.168.100.151:/etc/pki/CA/cacert.pem cacert.crt    ## copy the CA's (root) certificate only; cakey.pem never leaves the CA server, because anyone holding it can issue certificates every client that installed this root will trust
[root@192.168.100.150 sggfu]# vim index.html    ## share the root certificate through the home page
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>www.sggfu.com</title>
<body>
For better access to this website, please download and install the <a href="cacert.crt" target="_blank">root certificate</a>
</body>
:wq
Note that a root certificate fetched over plain HTTP can be swapped by anyone on the path; for anything beyond a lab, hand it out through a channel the clients already trust.

5) Test:
http://www.sggfu.com     ## download the root certificate and import it into the browser's trusted root store
https://www.sggfu.com    ## access test; once the root is trusted the browser should open the site without a certificate warning

This article is from the "Concealing delicated" blog; please keep this source: http://stlong.blog.51cto.com/5144113/1730844
