The implementation process of HTTPS on the path of Linux learning


The implementation process of HTTPS

HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is HTTP carried over an encrypted channel, but it and HTTP are two different protocols. It runs on top of TCP and uses port 443.

How HTTPS works, roughly:

[Figure: Ssl.png, an overview of how the HTTPS handshake works]

To implement this process, you need to create a CA, have the CA issue a certificate for our Apache server, and then distribute the CA's own self-signed certificate to the client, so that the client can use that self-signed CA certificate to verify the legitimacy of the server's certificate.

Description: The CA and the Apache server can be created on the same host; here I created them on two hosts. The host on which the CA resides is 192.168.0.104, and the Apache host is 192.168.0.103.

1. Create a private CA (this is done on a separate machine; I keep the CA separate from the Apache server)

(1) Generate a pair of keys

Generate the private key (the umask 077 keeps the key readable by its owner only; the original text showed 770, which would leave the owner unable to read the file):

    (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)

(2) Generate the self-signed certificate (openssl ca later looks for the CA certificate at $dir/cacert.pem by default, so it is written under that name):

    openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3655

Of course, the CA also depends on some directories and files: certs, crl, newcerts, index.txt and serial, all located under /etc/pki/CA. To prevent errors, it is recommended to check the parameters in /etc/pki/tls/openssl.cnf and make sure the default path reads dir = /etc/pki/CA.

This completes the creation of the CA's self-signed certificate.

2. After the CA is created, you can issue a certificate to the client (this part is done on the Apache server, which plays the role of the client here)

(1) Generate a pair of keys on the client (create the private key):

    (umask 077; openssl genrsa -out /etc/pki/CA/private/httpd.key 1024)

(2) Generate the certificate signing request:

    openssl req -new -key /etc/pki/CA/private/httpd.key -out /etc/pki/CA/httpd.csr

Note: An interactive prompt appears during this step, and the information entered must be consistent with what was entered when creating the self-signed CA certificate (otherwise the CA's default policy refuses to sign). When asked for the Common Name, be sure to fill in the domain name we want to visit, otherwise the certificate will not match and verification will fail.

(3) Send the request to the CA for signing:

    scp /etc/pki/CA/httpd.csr 192.168.0.104:/tmp/

Then, on the CA host, sign it:

    openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650

The signed certificate is then sent back to the client (the Apache server):

    scp /tmp/httpd.crt 192.168.0.103:/etc/httpd/ssl/

This gives the client a certificate signed by our CA; accordingly, the index.txt and serial files and the newcerts directory on the CA host are updated.
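The CA-and-server-certificate procedure above, reproduced non-interactively in a scratch directory as an added example (this is not the original post's code). It assumes only that the openssl CLI is installed; the subjects and the names "d.gov CA" / "www.d.gov" are constructed for the demo, and it finishes with the checks a client or an administrator would run: does the server certificate chain to our CA (and not to some other CA), does the key really belong to the certificate, and is the CN the name the browser will visit.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the post's steps with
# constructed paths/subjects, then checks the result the way a client does.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # constructed scratch dir instead of /etc/pki/CA

# Step 1 of the post: a private CA. umask 077 keeps cakey.pem owner-readable only.
make_ca() {  # $1 = CA directory, $2 = CA subject
    mkdir -p "$1"
    (umask 077; openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$1/cakey.pem" -out "$1/cacert.pem" \
        -days 3655 -subj "$2" 2>/dev/null
}

# Step 2 of the post: server key + CSR, signed by the CA. 'openssl x509 -req'
# replaces 'openssl ca' here so that no index.txt/serial setup is needed.
make_server_cert() {  # $1 = CA dir, $2 = server dir, $3 = Common Name (the site name)
    mkdir -p "$2"
    (umask 077; openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$2/httpd.key" -out "$2/httpd.csr" \
        -subj "/C=CN/ST=HA/O=d.gov/CN=$3" 2>/dev/null
    openssl x509 -req -in "$2/httpd.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -out "$2/httpd.crt" -days 3650 2>/dev/null
}

# What the browser does after importing the CA certificate: build the chain.
# Returns 0 if the server certificate was issued by this CA, non-zero otherwise.
verify_against_ca() {  # $1 = CA cert, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Administrator's check before editing ssl.conf: the key and cert belong together.
key_matches_cert() {  # $1 = private key, $2 = cert
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# The CN the certificate carries; it must equal the name typed into the browser.
cert_cn() {  # $1 = cert
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

demo() {
    make_ca "$WORK/ca" "/C=CN/ST=HA/O=d.gov/CN=d.gov CA"
    make_ca "$WORK/other-ca" "/C=CN/ST=HA/O=other/CN=Other CA"   # an unrelated CA
    make_server_cert "$WORK/ca" "$WORK/apache" "www.d.gov"
    verify_against_ca "$WORK/ca/cacert.pem" "$WORK/apache/httpd.crt" && echo "chains to our CA"
    verify_against_ca "$WORK/other-ca/cacert.pem" "$WORK/apache/httpd.crt" || echo "rejected by other CA"
    key_matches_cert "$WORK/apache/httpd.key" "$WORK/apache/httpd.crt" && echo "key matches cert"
    echo "CN=$(cert_cn "$WORK/apache/httpd.crt")"
}
demo
```

Run it with `sh script.sh`; the "rejected by other CA" line is the behaviour a browser shows when the site's certificate was not issued by the CA it trusts.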

Although the Apache server now has a certificate, to support HTTPS you must also install the mod_ssl module. Once it is installed, the file /etc/httpd/conf.d/ssl.conf is generated and becomes part of httpd's main configuration. In this file we need to modify several parameters:


    <VirtualHost 192.168.0.103:443>          # the IP address of the domain name we want to visit on this virtual host
        ServerName www.d.gov                 # the domain name
        DocumentRoot "/www/d.gov"            # where the pages are, consistent with the DocumentRoot in the Apache config

        SSLEngine on                         # enable SSL
        SSLCertificateFile /etc/httpd/ssl/httpd.crt            # the certificate issued by our CA above
        SSLCertificateKeyFile /etc/pki/CA/private/httpd.key    # the private key generated above
    </VirtualHost>

One more note: because the SSL session is established based on the IP address rather than the host name, among multiple name-based virtual hosts sharing one IP address only a single one can use the HTTPS feature.

3. Finally, import the CA's self-signed certificate into the browser on Windows (you need to rename the certificate file to a .crt suffix first).

After this you can access the page over HTTPS.

This article is from the "Linux Learning Path" blog; reprinting is declined!
