Use httpd + openssl to implement https for websites
                 CA Verification Center (issuing/revoking certificates)
                              /\
           CA certificate    /  \   send certificate request
                            /    \  issue signed certificate
                           /      \
         Client <-------- digital certificate ------ WEB
1. The web server generates an asymmetric key pair (web public key and web private key).
2. The web server combines its identity information with the web public key into a certificate request and sends that request to the CA server.
3. The CA server digitally signs the web server's certificate request with the CA private key, producing the web server's digital certificate, and issues that certificate to the web server.
4. The client accesses the web server, requests an https connection, and downloads the web server's digital certificate.
5. The client downloads the CA's digital certificate (CA identity information + CA public key, issued either by an upper-level CA or self-signed) and uses it to verify the web server's digital certificate (the CA certificate contains the CA public key; the web server's certificate was signed with the CA private key).
6. The client negotiates a symmetric encryption algorithm with the web server, generates the symmetric key, encrypts it with the web public key and sends it to the web server, which decrypts it with the web private key.
7. Data is transmitted under the symmetric key, and its integrity is verified.
Next, let's take a look at the specific steps.
Configure the CA Server
================================================================================
1. Configure the CA (172.16.1.2): generate the CA's own public and private key and have the CA self-sign its certificate (generated by the CA script).
[root@CA ~]# vim /etc/pki/tls/openssl.cnf
dir = /etc/CA                  # Where everything is kept (line 45)
basicConstraints = CA:TRUE     # line 178, so the self-signed CA certificate can be produced; this section also applies to certificates the CA issues, which is why the web server certificate signed below also comes out with CA:TRUE
[root@CA ~]# vim /etc/pki/tls/misc/CA
CATOP=/etc/CA                  # line 42
[root@CA ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
...++
...
writing new private key to '../../CA/private/./cakey.pem'   # private key
Enter PEM pass phrase: 123456                                # protects the CA private key
Verifying - Enter PEM pass phrase: 123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN                         # identity information
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:UPLOOKING
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:CA.uplooking.com
Email Address []:CA@uplooking.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ../../CA/private/./cakey.pem: 123456   # use the private key to self-sign
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Mar  5 01:40:50 2012 GMT
            Not After : Mar  5 01:40:50 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = UPLOOKING
            organizationalUnitName    = IT
            commonName                = CA.uplooking.com
            emailAddress              = CA@uplooking.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
            X509v3 Authority Key Identifier:
                keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
Certificate is to be certified until Mar  5 01:40:50 2015 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
[root@CA ~]# ls /etc/CA/private/cakey.pem   # CA private key
[root@CA ~]# ls /etc/CA/cacert.pem          # CA certificate
[root@CA ~]# ls /etc/CA/careq.pem           # CA certificate request
Configure the web server
================================================================================
The web server generates its own private key. Note that the command below does not specify a key length, so openssl uses its default, which on this system is only 512 bits (see the output); a real deployment should pass an explicit length such as 2048.
[root@www ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key   # use des3 to protect the private key
Generating RSA private key, 512 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
Generate a certificate request (identity information + public key)
[root@www ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /tmp/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
-------------------------------------------------------------------------------
Country Name (2 letter code) [GB]:CN                         # these fields must match the CA's !!! (the default policy_match in openssl.cnf requires country, state and organization to match)
State or Province Name (full name) [Berkshire]:BEIJING
Locality Name (eg, city) [Newbury]:HD
Organization Name (eg, company) [My Company Ltd]:UPLOOKING
Organizational Unit Name (eg, section) []:IT
-------------------------------------------------------------------------------
Common Name (eg, your name or your server's hostname) []:www.uplooking.com   # the hostname clients will use
Email Address []:www@uplooking.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send the certificate request to the CA
[root@www ~]# scp /tmp/server.csr CA.uplooking.com:/tmp/
The CA server digitally signs the certificate request
================================================================================
[root@CA ~]# openssl ca -keyfile /etc/CA/private/cakey.pem -cert /etc/CA/cacert.pem -in /tmp/server.csr -out /tmp/server.crt
/etc/CA/private/cakey.pem (the CA's private key)
/tmp/server.csr (the http server's certificate request file)
/etc/CA/cacert.pem (the CA certificate)
/tmp/server.crt (name of the generated http server certificate)
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar  5 02:20:56 2012 GMT
            Not After : Mar  5 02:20:56 2013 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = UPLOOKING
            organizationalUnitName    = IT
            commonName                = www.uplooking.com
            emailAddress              = www@uplooking.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE                       # inherited from the basicConstraints edit in openssl.cnf; a server certificate should be CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                D0:6E:C7:7D:FC:BE:0D:62:CA:B9:A2:E0:2A:9A:27:32:39:0B:91:F8
            X509v3 Authority Key Identifier:
                keyid:61:D5:3A:C7:5C:0F:66:FE:D5:EF:5D:A1:94:8F:FD:C2:E5:94:7D:D3
Certificate is to be certified until Mar  5 02:20:56 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Issue the signed digital certificate to the web server
[root@CA ~]# scp /tmp/server.crt www.uplooking.com:/etc/httpd/conf.d/
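The checks a practitioner should run on the certificate just issued (step 5 of the overview at the top, and the reason the server certificate above carries CA:TRUE), as an added example that is not part of the original article: it rebuilds the CA and server certificate from steps 1 to 3 non-interactively, using openssl x509 -req with its own small config instead of the openssl ca database so it runs stand-alone, then verifies the chain, confirms the leaf is not itself a CA, and confirms it names the host. It assumes the openssl CLI is installed; the 2048-bit key size and the temp directory are this example's choices.

```shell
#!/bin/sh
# Added example, not from the original article: rebuilds the CA and server
# certificate non-interactively, then runs the checks that step 5 relies on.
# Assumes the openssl CLI; 2048-bit keys and a temp dir are this example's
# choices, hostnames and DN fields are the article's.
set -e
WORK=$(mktemp -d)
# Separate extension sections for the CA and for issued server certificates,
# so the server cert does not inherit CA:TRUE as the article's server.crt did.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.uplooking.com
EOF
# Steps 1-3: self-signed CA, server key + CSR (C/ST/O match the CA, as the
# article's policy requires), then the CA signs the CSR.
build_pki() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -days 1095 -keyout "$WORK/cakey.pem" \
        -out "$WORK/cacert.pem" \
        -subj "/C=CN/ST=BEIJING/L=HD/O=UPLOOKING/OU=IT/CN=CA.uplooking.com" 2>/dev/null
    openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=CN/ST=BEIJING/L=HD/O=UPLOOKING/OU=IT/CN=www.uplooking.com" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/openssl.cnf" -extensions srv_ext \
        -out "$WORK/server.crt" 2>/dev/null
}
# Step 5: does the certificate chain to the CA certificate the client imported?
verify_chain() { openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1; }
# Is the certificate marked as a CA? An issued server certificate must not be.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}
# Does the certificate name the host the browser connected to (SAN, else CN)?
cert_matches_host() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2" ||
        openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"
}
build_pki
verify_chain "$WORK/server.crt" && echo "server.crt chains to cacert.pem"
is_ca_cert "$WORK/server.crt" && echo "WARNING: server.crt is itself a CA" || true
cert_matches_host "$WORK/server.crt" www.uplooking.com && echo "name matches www.uplooking.com"
```

Run the same three functions against the article's /etc/CA/cacert.pem and /etc/httpd/conf.d/server.crt to see the second check fail there.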
Configure the web server to support SSL for https
================================================================================
[root@www ~]# yum install httpd mod_ssl
[root@www ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
After restarting httpd (it prompts for the des3 pass phrase of server.key at startup), check that port 443 is listening:
[root@www ~]# netstat -tunpl | grep 443
tcp        0      0 :::443                  :::*                    LISTEN      2000/httpd
The client downloads the CA certificate, imports it into the browser, and then accesses the www server
================================================================================
The client must download the CA certificate and import it into the browser before accessing the web server over https; the browser then checks whether the web server's digital certificate was issued by that CA. In Firefox: Edit ------> Preferences -----> Advanced ----> Encryption -----> View Certificates ------> Import.
If you still don't understand how to produce openssl certificates, read this article:
http://sangh.blog.51cto.com/6892345/1355878