httpd--https
Lab: set up an HTTPS site

1. Install the SSL module, then restart httpd so the module is loaded

    yum install mod_ssl
    systemctl restart httpd

2. Inspect the self-signed certificate. Installing mod_ssl automatically creates a self-signed certificate, localhost.crt, which is normally not used in production.

    openssl x509 -in /etc/pki/tls/certs/localhost.crt -noout -text

Lab: HTTPS with a private CA

1. Set up the CA that will issue certificates

    cd /etc/pki/CA/
    # The CA generates its own private key; the umask keeps it readable by root only.
    (umask 077; openssl genrsa -out private/cakey.pem 4096)
    # Generate the CA's self-signed certificate. The here-document answers the prompts in order:
    # country, state, city, organization, organizational unit, common name, e-mail address.
    openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650 <<EOF
    CN
    beijing
    beijing
    magedu
    devops
    ca.magedu.com
    admin@magedu.com
    EOF
    # Create the certificate index database (empty at first).
    touch /etc/pki/CA/index.txt
    # Set the serial number of the first certificate to be issued.
    echo 01 > /etc/pki/CA/serial

2. The web server requests a certificate from the CA

    mkdir /etc/httpd/conf.d/ssl
    cd /etc/httpd/conf.d/ssl
    # The web server generates its private key.
    # (1024-bit RSA is what the lab uses; it is below current minimums, 2048 bits or more is standard today.)
    (umask 066; openssl genrsa -out httpd.key 1024)
    # Generate the certificate signing request; you are prompted for the certificate details.
    # Note: with the default CA policy, the country, state and organization name must match the CA's exactly.
    openssl req -new -key httpd.key -out httpd.csr
    # Submit the request: copy the CSR file to the CA.
    scp /etc/httpd/conf.d/ssl/httpd.csr CAServer:/etc/pki/CA

3. Issue the certificate: the CA signs it and sends it back to the requester

    openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 100
    scp /etc/pki/CA/certs/httpd.crt 192.168.37.7:/etc/httpd/conf.d/ssl/
    scp /etc/pki/CA/cacert.pem 192.168.37.7:/etc/httpd/conf.d/ssl

4. Configure httpd to use SSL and the certificate

    # After installing mod_ssl these two lines already exist:
    # LoadModule in /etc/httpd/conf.modules.d/00-ssl.conf, Listen in /etc/httpd/conf.d/ssl.conf.
    LoadModule ssl_module modules/mod_ssl.so
    Listen 443 https

    vim /etc/httpd/conf.d/test.conf
    <VirtualHost *:443>
        DocumentRoot /data/asite
        <Directory "/data/asite">
            Require all granted
        </Directory>
        # SSLEngine on is required per virtual host; without it the vhost serves plain HTTP on port 443.
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt
        SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key
        SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem
    </VirtualHost>

    # The same directives with a different file-naming convention, where a separate chain file
    # carries the intermediate CA certificates:
    SSLCertificateFile /etc/pki/CA/certs/zjol.com.cn_public.crt
    SSLCertificateKeyFile /etc/pki/CA/certs/zjol.com.cn.key
    SSLCertificateChainFile /etc/pki/CA/certs/zjol.com.cn_chain.crt

5. Client-side verification

    1. For a browser client, import the CA certificate into the trusted certification authorities so the server certificate validates.
    2. openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
       # -connect takes host:port, not a URL:
       openssl s_client -connect www.baidu.com:443
    3. curl --cacert xxx.crt https://www.baidu.com
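The CA procedure above (steps 1 to 3) and the verification in step 5 can be exercised end to end without touching /etc/pki/CA. The script below is an added example, not code from the page; it writes its own minimal openssl.cnf into a scratch directory, passes subjects with -subj instead of answering prompts, and uses 2048-bit keys and the names ca.magedu.com / www.magedu.com purely as assumptions. It also shows the caveat from step 2: a request whose organization differs from the CA's is refused by the policy_match section.

```shell
#!/bin/sh
# Added example (not from the page): private CA + server certificate, fully offline.
# Layout mirrors /etc/pki/CA: private/cakey.pem, cacert.pem, index.txt, serial, newcerts/.

# make_ca DIR : create the CA directory, a minimal OpenSSL config, the CA key and its self-signed cert.
make_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/certs" "$dir/newcerts"
    touch "$dir/index.txt"   # certificate database, empty at first
    echo 01 > "$dir/serial"  # serial number of the first certificate issued
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $dir
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 100
policy          = policy_match
x509_extensions = v3_server
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical,CA:TRUE
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions v3_ca \
        -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" -days 3650 \
        -subj "/C=CN/ST=beijing/L=beijing/O=magedu/OU=devops/CN=ca.magedu.com"
}

# make_csr DIR NAME SUBJECT : the web server side, private key plus signing request.
make_csr() {
    (umask 066; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" -out "$1/$2.csr" -subj "$3"
}

# sign_csr CADIR CSR OUT : the CA side. Fails (and leaves no output) when C/ST/O do not match the CA.
sign_csr() {
    openssl ca -batch -config "$1/openssl.cnf" -in "$2" -out "$3" >/dev/null 2>&1 \
        || { rm -f "$3"; return 1; }
}

# verify_cert CADIR CRT : the chain check a client performs (what curl --cacert relies on).
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# demo [DIR] : run the whole flow; returns 0 only if the matching CSR is issued and verifies,
# and the mismatched one (O=othercorp) is rejected. Prints the work directory.
demo() {
    work=${1:-$(mktemp -d)}
    make_ca "$work"
    make_csr "$work" httpd "/C=CN/ST=beijing/L=beijing/O=magedu/OU=devops/CN=www.magedu.com"
    sign_csr "$work" "$work/httpd.csr" "$work/certs/httpd.crt" || return 1
    verify_cert "$work" "$work/certs/httpd.crt" || return 2
    make_csr "$work" other "/C=CN/ST=beijing/L=beijing/O=othercorp/CN=www.other.com"
    if sign_csr "$work" "$work/other.csr" "$work/certs/other.crt"; then return 3; fi
    echo "$work"
}
```

Run `demo` and inspect the printed directory: index.txt gains one "V" (valid) line for www.magedu.com, serial advances to 02, and certs/httpd.crt plus the key are what the step 4 SSLCertificateFile / SSLCertificateKeyFile directives would point at. The rejected request never reaches the database, which is the behaviour the "must match the CA" note in step 2 describes.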