HTTPS provides secure web traffic
The principles behind this setup are covered in the companion post: http://stlong.blog.51cto.com/5144113/1730771
1) Configure a DNS record for the CA host:
[root@dns ~]# vim /var/named/chroot/var/named/sggfu.com.zone   ## add an A record for the CA host
ca      IN      A       192.168.100.151
:wq
[root@dns ~]# /etc/init.d/named restart   ## restart the service
[root@dns ~]# nslookup
> server 192.168.100.100
Default server: 192.168.100.100
Address: 192.168.100.100#53
> ca.sggfu.com
Server:         192.168.100.100
Address:        192.168.100.100#53
Name:   ca.sggfu.com
Address: 192.168.100.151
> exit
Check that the name resolves to the CA server's real address, 192.168.100.151. A typo in the record (192.18.100.151, for instance) sends every scp and certificate request in the following steps to the wrong network.
2) Configure the CA server (192.168.100.151):
A. Clone a virtual machine from the parent disk, name it the CA server, and change the following:
[root@ca ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0c:29:75:e6:eb
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.100.151
NETMASK=255.255.255.0
DNS1=192.168.100.100
GATEWAY=192.168.100.100
:wq
HWADDR must be the clone's own MAC address; if it still holds the parent's MAC the interface will not come up after the reboot.
[root@ca ~]# vim /etc/sysconfig/network
HOSTNAME=ca.sggfu.com
:wq
[root@ca ~]# vim /etc/udev/rules.d/70-persistent-net.rules   ## delete the stale eth0 entry and rename the clone's eth1 to eth0
[root@ca ~]# reboot
B. Configure the CA:
[root@ca ~]# hostname
ca.sggfu.com
[root@ca ~]# yum -y install openssl openssl-devel   ## install openssl
[root@ca ~]# rpm -ql openssl   ## relevant entries only
/etc/pki/CA
/etc/pki/CA/certs          ## issued certificates
/etc/pki/CA/crl            ## certificate revocation lists
/etc/pki/CA/newcerts       ## the CA's own copy of every certificate it issues
/etc/pki/CA/private        ## the CA private key
/etc/pki/tls/openssl.cnf   ## main configuration file
/usr/bin/openssl           ## main program
[root@ca ~]# vim /etc/pki/tls/openssl.cnf   ## edit the main configuration file; ":set nu" shows line numbers
[ CA_default ]
dir             = /etc/pki/CA            # Where everything is kept
certs           = $dir/certs             # Where the issued certs are kept
crl_dir         = $dir/crl               # Where the issued crl are kept
database        = $dir/index.txt         # database index file.
#unique_subject = no                     # Set to 'no' to allow creation of
                                         # several certificates with same subject.
new_certs_dir   = $dir/newcerts          # default place for new certs.
certificate     = $dir/cacert.pem        # The CA certificate
serial          = $dir/serial            # The current serial number
crlnumber       = $dir/crlnumber         # the current crl number
                                         # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem           # The current CRL
private_key     = $dir/private/cakey.pem # The private key
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN              ## set the country
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Beijing         ## set the province

localityName                    = Locality Name (eg, city)
localityName_default            = Beijing         ## set the city

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = sggfu.com LTD   ## set the organization name

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = tech            ## set the department
:wq
These defaults are not cosmetic: the default signing policy of openssl ca (policy_match) requires the countryName, stateOrProvinceName and organizationName of a request to match the CA certificate exactly, which is why step 3 copies this same openssl.cnf to the web server before generating its request.
[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# ls private/
[root@ca CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)   ## generate the private key; the umask in the subshell makes the file mode 600 from the moment it is created
Generating RSA private key, 2048 bit long modulus
....................+++
...........................................................................................+++
e is 65537 (0x10001)
[root@ca CA]# ls -l private/   ## verify the private key
total 4
-rw-------. 1 root root 1679 Jan  2 20:09 cakey.pem
[root@ca CA]#
[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650   ## generate the self-signed (root) certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [sggfu.com LTD]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:ca.sggfu.com   ## use the CA server's hostname
Email Address []:   ## optional
[root@ca CA]# ls -l cacert.pem
-rw-r--r--. 1 root root 1419 Jan  2 20:13 cacert.pem
[root@ca CA]#
[root@ca CA]# mkdir -p certs crl newcerts
[root@ca CA]# touch index.txt   ## certificate database (index)
[root@ca CA]# echo 01 > serial  ## serial number of the next certificate, in hex
[root@ca CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@ca CA]#
The serial file must contain a hexadecimal number. Writing an empty line into it (echo > serial) makes the signing step fail with "unable to load number from serial". cacert.pem being world-readable is correct: the root certificate is public and will be handed to every client in step 4; only private/cakey.pem has to stay at mode 600, because anyone holding it can issue certificates that every client trusting this root will accept.
3) Configure the web server to support HTTPS:
A. Generate a key and a certificate signing request for the web server:
[root@www ~]# mkdir /usr/local/httpd/conf/ssl
[root@www ~]# cd /usr/local/httpd/conf/ssl/
[root@www ssl]# (umask 077; openssl genrsa 2048 > httpd.key)
[root@www ssl]# scp root@192.168.100.151:/etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf   ## copy the CA's openssl.cnf so the DN defaults are identical
[root@www ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [sggfu.com LTD]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:www.sggfu.com   ## must be the hostname clients type into the browser; any other value is a name-mismatch error
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   ## optional, press Enter
An optional company name []:
[root@www ssl]#
[root@www ssl]# scp httpd.csr root@192.168.100.151:/tmp   ## send the signing request to the CA server
Two caveats on the Common Name. First, a certificate that carries the hostname only in the CN, as this request does, is accepted by the browsers of the time but rejected by current ones: Chrome (since version 58) and other modern TLS clients ignore the CN and require the hostname in a subjectAltName extension, so for today's clients the request or the signing step needs a subjectAltName with DNS:www.sggfu.com. Second, the certificate names one site, and without SNI a given IP:port can serve only one HTTPS virtual host; Apache 2.2.12 with OpenSSL 0.9.8f or later supports SNI, which lets several name-based HTTPS virtual hosts share 443, each with its own certificate.
B. Log in to 192.168.100.151 and issue the certificate for the web server:
[root@ca CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650   ## sign the request; answer y to "Sign the certificate?" and again to commit it to the database
[root@ca CA]# ls /tmp/httpd.c*   ## verify
/tmp/httpd.crt  /tmp/httpd.csr
[root@ca CA]# scp /tmp/httpd.crt root@192.168.100.150:/usr/local/httpd/conf/ssl   ## copy the certificate to the web server
[root@ca CA]# rm -rf /tmp/httpd.*   ## housekeeping: the CA keeps its own copy in /etc/pki/CA/newcerts and records it in index.txt
The certificate and the request are public data, so deleting them from /tmp is tidiness rather than protection. The secret in this exchange is httpd.key, which stays on the web server and is never copied anywhere.
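The CA setup of step 2 and the request-and-sign exchange of step 3, put together as one non-interactive script. This is an added example and not the original post's commands: it works in a throwaway directory with its own minimal openssl.cnf instead of /etc/pki/CA and the system file, writes a valid serial file, adds the subjectAltName that current browsers require, and finishes with the checks a practitioner wants before copying httpd.crt to the web server (chain verifies, SAN present, CA key mode 600, root fingerprint to publish). CA_DIR, the section names and the DN values are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): build the private CA from
# step 2 and issue the web server certificate from step 3 without prompts.
# CA_DIR, the config section names and the DN values are assumptions for
# the demo; set CA_DIR=/etc/pki/CA to mirror the page's layout.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
CA_CN="ca.sggfu.com"
SERVER_CN="www.sggfu.com"
DN_BASE="/C=CN/ST=Beijing/L=Beijing/O=sggfu.com LTD/OU=tech"

# Step 2: directory layout, database, serial, CA key (mode 600), root cert.
setup_ca() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"      # must be a hex number; an empty file breaks 'openssl ca'
    echo 01 > "$CA_DIR/crlnumber"
    # Minimal stand-in for the page's edited /etc/pki/tls/openssl.cnf.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CA_DIR
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
crlnumber       = \$dir/crlnumber
crl             = \$dir/crl.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
[ v3_server ]
basicConstraints        = CA:FALSE
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectAltName          = DNS:$SERVER_CN
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 3650 -config "$CA_DIR/openssl.cnf" \
        -extensions v3_ca -key "$CA_DIR/private/cakey.pem" \
        -out "$CA_DIR/cacert.pem" -subj "$DN_BASE/CN=$CA_CN"
}

# Step 3: server key and CSR, then sign it with the CA. -batch replaces the
# interactive "y" answers; -extensions v3_server adds the subjectAltName.
issue_server_cert() {
    (umask 077; openssl genrsa -out "$CA_DIR/httpd.key" 2048 2>/dev/null)
    openssl req -new -sha256 -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/httpd.key" \
        -out "$CA_DIR/httpd.csr" -subj "$DN_BASE/CN=$SERVER_CN"
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -extensions v3_server \
        -days 3650 -in "$CA_DIR/httpd.csr" -out "$CA_DIR/httpd.crt" 2>"$CA_DIR/ca.log"
}

# Checks worth running before httpd.crt is copied to the web server.
verify_chain()   { openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/httpd.crt" >/dev/null 2>&1; }
is_ca_cert()     { openssl x509 -in "$CA_DIR/cacert.pem" -noout -text | grep -q 'CA:TRUE'; }
cert_san()       { openssl x509 -in "$CA_DIR/httpd.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '; }
key_mode()       { ls -l "$1" | cut -c1-10; }
ca_fingerprint() { openssl x509 -in "$CA_DIR/cacert.pem" -noout -fingerprint -sha256; }

setup_ca
issue_server_cert
verify_chain && echo "httpd.crt chains to cacert.pem"
echo "SAN: $(cert_san)"
echo "CA key mode: $(key_mode "$CA_DIR/private/cakey.pem")"
echo "Publish out of band: $(ca_fingerprint)"
```

Run it with `sh ca-demo.sh`; it prints the working directory's results and leaves httpd.key, httpd.csr and httpd.crt there for the web server. Once the certificate is deployed, the same chain check can be made from any client with `openssl s_client -connect www.sggfu.com:443 -servername www.sggfu.com -CAfile cacert.crt`, whose output should end with `Verify return code: 0 (ok)`.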
C. Modify the web server configuration. Log in to 192.168.100.150:
[root@www ~]# cd /usr/local/httpd/conf/extra/
[root@www extra]# cp httpd-ssl.conf httpd-ssl.conf.bak   ## back up the SSL configuration file
[root@www extra]# vim httpd-ssl.conf   ## change the following
<VirtualHost 192.168.100.150:443>
DocumentRoot "/usr/local/httpd/htdocs/sggfu/"   ## same document root as the HTTP site
ServerName www.sggfu.com:443
ServerAdmin webmaster@sggfu.com   ## contact address (placeholder)
ErrorLog "/usr/local/httpd/logs/error_log"
TransferLog "/usr/local/httpd/logs/access_log"
SSLEngine on   ## must be on; this enables HTTPS for the virtual host
SSLCertificateFile "/usr/local/httpd/conf/ssl/httpd.crt"   ## path to the certificate
SSLCertificateKeyFile "/usr/local/httpd/conf/ssl/httpd.key"   ## path to the private key; keep it owned by root with mode 600, httpd reads it as root before dropping privileges
:wq
[root@www extra]# vim /usr/local/httpd/conf/httpd.conf   ## edit the main configuration file to include httpd-ssl.conf
Include conf/extra/httpd-ssl.conf
:wq
[root@www extra]# /etc/init.d/httpd restart   ## restart the server
httpd must have been built with mod_ssl (--enable-ssl) and the LoadModule ssl_module line in httpd.conf must be active, otherwise the SSL directives are rejected at startup; httpd -M lists the loaded modules and httpd -t checks the configuration before the restart.
4) Share the root certificate:
[root@www ~]# cd /usr/local/httpd/htdocs/sggfu/
[root@www sggfu]# scp root@192.168.100.151:/etc/pki/CA/cacert.pem cacert.crt   ## copy the CA's (root) certificate
[root@www sggfu]# vim index.html   ## offer the root certificate from the home page
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>www.sggfu.com</title>
<body>
For better access to this website, please download and install the <a href="cacert.crt" target="_blank">root certificate</a>
</body>
:wq
Note that the download is served over plain HTTP. Anyone who can intercept that connection can substitute their own root certificate, and a client that installs it will then trust any certificate that attacker issues, for this site or any other. For anything beyond a lab, distribute the root through a channel the clients already trust, or at least publish its SHA-256 fingerprint out of band so users can compare it before importing.
5) Test:
http://www.sggfu.com   ## download the root certificate and import it into the browser's trusted root store
https://www.sggfu.com   ## access test; the page should load without a certificate warning
This article is from the "Concealing delicated" blog; please keep this source: http://stlong.blog.51cto.com/5144113/1730844
Step-by-step implementation of HTTPS on Apache on a Linux system, in detail