httpd配置详解(四)
来源:互联网 发布:学生男鞋品牌 知乎 编辑:程序博客网 时间:2024/06/06 02:23
https的配置(httpd+mod_ssl)
1.安装Apache的mod_ssl模块
[root@miner_k ~]# yum -y install mod_ssl[root@miner_k html]# rpm -ql mod_ssl/etc/httpd/conf.d/ssl.conf/usr/lib64/httpd/modules/mod_ssl.so/var/cache/mod_ssl/var/cache/mod_ssl/scache.dir/var/cache/mod_ssl/scache.pag/var/cache/mod_ssl/scache.sem
2.配置CA服务端
修改配置文件:
[root@CA ~]# vim /etc/pki/tls/openssl.cnf[ ca ]default_ca = CA_default # The default ca section####################################################################[ CA_default ]dir = /etc/pki/CA # CA的默认路径certs = $dir/certs # 客户端证书crl_dir = $dir/crl # 证书吊销列表database = $dir/index.txt # 给那些人发过证书#unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject.new_certs_dir = $dir/newcerts # 新生成证书的存放位置certificate = $dir/cacert.pem # CA 的证书serial = $dir/serial # 序列号crlnumber = $dir/crlnumber # 证书吊销列表的工作号 # must be commented out to leave a V1 CRLcrl = $dir/crl.pem # 当前的证书吊销列表private_key = $dir/private/cakey.pem # CA的私钥RANDFILE = $dir/private/.rand # private random number filex509_extensions = usr_cert # The extentions to add to the certdefault_days = 365 # 默认的认证时间是365天default_crl_days= 30 # 吊销列表中内容的保存时间default_md = default # use public key default MDpreserve = no [ req_distinguished_name ]countryName = Country Name (2 letter code)countryName_default = CN # 设置默认的国家countryName_min = 2countryName_max = 2stateOrProvinceName = State or Province Name (full name)stateOrProvinceName_default = BeiJing #设置默认的省份localityName = Locality Name (eg, city)localityName_default = BeiJing #设置默认的城市0.organizationName = Organization Name (eg, company)0.organizationName_default = CA #设置公司(组织)名称# we can do this but it is not needed normally :-)#1.organizationName = Second Organization Name (eg, company)#1.organizationName_default = World Wide Web Pty LtdorganizationalUnitName = Organizational Unit Name (eg, section)organizationalUnitName_default = IT #设置部门(单位)
2.1 生成CA的私钥
[root@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)Generating RSA private key, 2048 bit long modulus...........................................+++................................................................................................+++e is 65537 (0x10001)
2.2 生成CA的自签证书
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [BeiJing]:Locality Name (eg, city) [BeiJing]:Organization Name (eg, company) [CA]:Organizational Unit Name (eg, section) [IT]:Common Name (eg, your name or your server's hostname) []:ca.miner_k.comEmail Address []:admin@miner_k.com
2.3 将CA服务器下创建需要的文件
[root@CA CA]# touch index.txt[root@CA CA]# echo 01 > serial[root@CA CA]# lscacert.pem certs crl index.txt newcerts private serial
3.在Apache的服务器
3.1 生成密钥对
[root@miner_k ~]# cd /etc/httpd/[root@miner_k httpd]# lsconf conf.d logs modules run[root@miner_k httpd]# mkdir ssl[root@miner_k httpd]# cd ssl/[root@miner_k ssl]# (umask 077;openssl genrsa 1024 > httpd.key)Generating RSA private key, 1024 bit long modulus....................++++++.......................++++++e is 65537 (0x10001)
3.2 生成证书颁发请求(.csr)【Certificate signing request】
[root@miner_k ssl]# openssl req -new -key httpd.key -out httpd.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [BeiJing]:Locality Name (eg, city) [BeiJing]:Organization Name (eg, company) [CA]:Organizational Unit Name (eg, section) [IT]:Common Name (eg, your name or your server's hostname) []:www.miner_k.com #必须是这台web服务器的域名Email Address []:admin@miner_k.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:
注意:由于是私有的CA服务器,关于默认的城市以及机构等都必须和CA的是一样的
3.3 将证书发送给CA的服务器
[root@miner_k ssl]# scp httpd.csr 101.200.87.99:/rootThe authenticity of host '101.200.87.99 (101.200.87.99)' can't be established.RSA key fingerprint is c8:bb:dc:fc:d0:27:4d:48:d2:0a:0f:db:a2:51:10:d2.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '101.200.87.99' (RSA) to the list of known hosts.root@101.200.87.99's password: httpd.csr 100% 696 0.7KB/s 00:00
4.在CA服务器上的操作
4.1 签署Apache发送的证书请求
[root@CA ~]# openssl ca -in httpd.csr -out httpd.crt -days 365Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: May 24 06:12:47 2017 GMT Not After : May 24 06:12:47 2018 GMT Subject: countryName = CN stateOrProvinceName = BeiJing organizationName = CA organizationalUnitName = IT commonName = www.miner_k.com emailAddress = admin@miner_k.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: ED:E8:48:9D:30:0F:95:0B:19:63:D8:F9:9C:70:5C:7E:26:36:DA:30 X509v3 Authority Key Identifier: keyid:12:0E:C7:0F:0B:A6:06:3D:27:A1:5B:A7:EA:3D:C3:36:07:BE:77:13Certificate is to be certified until May 24 06:12:47 2018 GMT (365 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated
4.2 将签署的证书发送给Apache服务器
[root@CA ~]# scp httpd.crt 114.*.*.229:/etc/httpd/ssl/
5. 在Apache服务器上httpd的配置
[root@miner_k ssl]# cd /etc/httpd/conf.d/[root@miner_k conf.d]# lsREADME ssl.conf welcome.conf[root@miner_k conf.d]# cp ssl.conf{,.bak} [root@miner_k conf.d]# lsREADME ssl.conf ssl.conf.bak welcome.conf修改配置文件ssl.conf[root@miner_k conf.d]# grep -v "^#" ssl.conf | grep -v "^$"LoadModule ssl_module modules/mod_ssl.soListen 443SSLPassPhraseDialog builtinSSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)SSLSessionCacheTimeout 300SSLMutex defaultSSLRandomSeed startup file:/dev/urandom 256SSLRandomSeed connect builtinSSLCryptoDevice builtin<VirtualHost _default_:443> #默认主机,可以设置为IP地址ErrorLog logs/ssl_error_logTransferLog logs/ssl_access_logLogLevel warnSSLEngine onSSLProtocol all -SSLv2SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DESSSLCertificateFile /etc/httpd/ssl/httpd.crt #修改内容,证书位置SSLCertificateKeyFile /etc/httpd/ssl/httpd.key #修改内容,私钥位置<Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars</Files><Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars</Directory>SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"</VirtualHost>
6.测试
6.1 直接使用浏览器测试https的网页
重新启动httpd服务:
[root@miner_k conf.d]# service httpd restart
使用https协议访问,但是可以看出是不安全的。
6.2 在客户端加载CA的证书
- 1.将CA中的cacert.pem下载到本地然后改为为cacert.crt
- 2.将证书导入到浏览器中
阅读全文
0 0
- httpd配置详解(四)
- httpd的配置详解(一)
- httpd的配置详解(二)
- httpd.conf配置详解
- httpd.conf配置详解
- httpd配置详解
- httpd服务配置详解
- 负载均衡之Haproxy配置详解(及httpd配置)
- 负载均衡之Haproxy配置详解(及httpd配置)
- 负载均衡之Haproxy配置详解(及httpd配置)
- 负载均衡之Haproxy配置详解(及httpd配置)
- 负载均衡之Haproxy配置详解(及httpd配置)
- 负载均衡之Haproxy配置详解(及httpd配置)
- 负载均衡之Haproxy配置详解(及httpd配置)
- apache httpd.conf 配置详解
- httpd.conf文件配置详解
- Apache配置httpd.conf详解
- apache httpd.conf配置详解
- ListView显示当前选取的item
- 应为本机上的jdk版本低导致spring-tool-suite无法启动
- 多线程之等待通知机制
- C++线程传递多个参数demo
- OmniFocus for Mac的几个快捷键
- httpd配置详解(四)
- PHP环境搭建(9)----mongoDB安装
- MFC 获取当前系统的分辨率
- android sparseArray源码解析,比较hashmap
- 前端魔法堂:屏蔽Backspace导致页面回退
- mybatis 专场(未完待续...)
- python转换目录
- 安利jqueryForm:让文件上传更轻松
- HDU2084(DP)