自建CA实现HTTPS

说明:这里是Linux服务综合搭建文章的一部分,本文可以作为自建CA搭建https网站的参考。

注意:这里所有的标题都是根据主要的文章(Linux基础服务搭建综合)的顺序来做的。

如果需要查看相关软件版本和主机配置要求,请根据目录自行查看。

Linux服务综合搭建的文章目录

====================================================

Linux基础服务搭建综合

1、foundation创建yum仓库

2、部署DNS

3、将YUM源通过httpd发布出来

4、rhel7主机安装JDK

5、foundation通过Rsyslog搭建集中日志服务器

6、foundation LAMP环境搭建

7、foundation搭建NFS服务

8、rhel7 JAVA web环境搭建(使用Tomcat8整合httpd)

9、foundation自建CA实现HTTPS

10、foundation配置kerberos和NTP服务以及安全的NFS挂载

11、foundation提供SAMBA服务

12、rhel7 配置软ISCSI存储

13 rhel7主机配置端口转发和地址伪装

====================================================

主机角色说明

9、foundation自建CA实现HTTPS

自建CA,并且实现https网站,域名为www.mei.com。

注意,证书请求时要生成www.mei.com的证书。

9.1 自建CA并颁发证书给foundation主机

9.1.1 自建CA

[root@foundation CA]# touch /etc/pki/CA/index.txt

[root@foundation CA]# echo "01" >/etc/pki/CA/serial
#生成私钥
[root@foundation CA]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048  

Generating RSA private key, 2048 bit long modulus
...................+++
..................+++
e is 65537 (0x10001)

#CA自签
[root@foundation CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:chongqing
Locality Name (eg, city) [Default City]:yubei
Organization Name (eg, company) [Default Company Ltd]:mei
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:foundation.mei.com
Email Address []:mail.mei.com

9.1.2 生成证书请求并签发

#生成私钥
[root@foundation CA]# openssl genrsa -out /etc/pki/tls/private/server.key 2048
Generating RSA private key, 2048 bit long modulus
....................................+++
....................................+++
e is 65537 (0x10001)

#生成证书请求,注意我们要签发的是www.mei.com这个域名的证书
[root@foundation CA]# openssl req -new -key /etc/pki/tls/private/server.key -days 365 -out /etc/pki/tls/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:chongqing
Locality Name (eg, city) [Default City]:yubei
Organization Name (eg, company) [Default Company Ltd]:mei
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.mei.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: 

#签发证书
[root@foundation CA]# openssl ca -in  /etc/pki/tls/server.csr -out /etc/pki/tls/certs/server.crt -days 365
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jul  9 21:10:35 2019 GMT
            Not After : Jul  8 21:10:35 2020 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = chongqing
            organizationName          = mei
            organizationalUnitName    = ops
            commonName                = www.mei.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                DB:0D:93:04:A2:A4:F4:AC:3D:24:0C:FF:00:8C:3E:23:15:66:20:1E
            X509v3 Authority Key Identifier: 
                keyid:BB:E6:BE:EA:5A:9E:C6:1A:29:65:48:09:DB:4F:EE:36:AD:95:E5:2B

Certificate is to be certified until Jul  8 21:10:35 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated 

9.2 搭建HTTPS网站

这是使用8008端口作为网站端口,然后做网站重定向到https。

如果要做把PHP作为https发布,可以直接在打完LAMP环境后将PHP相关网页直接拷贝到https所在的站目录下,然后做重定向即可。

9.2.1 安装软件包和配置防火墙

1 [root@foundation CA]# yum install mod_ssl
2 
3 [root@foundation CA]# firewall-cmd --permanent --add-service=https && firewall-cmd --reload   
4  
5 [root@foundation html]# firewall-cmd --permanent --add-port=8008/tcp --add-port=8008/udp
6 success
7 [root@foundation html]# firewall-cmd --reload

9.2.2 创建网站目录和生成相应的网页内容

创建网站目录

至于网站目录SELinux相关的问题由于前面配置时讲过,这里就不赘述了。

下面的index.html中的内容为字串:test

所有有关PHP的文件都是我从以前配置LAMP时的测试文件。如果仅仅是自己搭建一个PHP网站,可以自己写PHP测试文件的内容。

9.2.3 创建虚拟主机并做好配置

[root@foundation /]# cat /etc/httpd/conf.d/httpswww.conf 
<VirtualHost *:443>
    DocumentRoot "/web/www/httpswww/html"
    ServerName www.mei.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    <Directory /web/www>
        AllowOverride None
        Require all granted
    </Directory>
    <Directory /web/www/httpswww/html>
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog "logs/httpswww_error.log"
    CustomLog "logs/httpswww_access.log" combined
</VirtualHost>
<VirtualHost *:8008>
    ServerName www.mei.com
    RewriteEngine  On #开启重写引擎
    #RewriteRule ^(/.*)$ https://%{HTTP_POST}$1 [redirect=301]
    RewriteCond %{SERVER_PORT} !^443$  #重写
    RewriteRule ^(.*)?$ https://%{SERVER_NAME}$1 [R=301,L]  #重写的策略
</VirtualHost>

.3 测试

拷贝foundation中的CA证书到rhel7主机,可以把证书放到网站上自由下载,这里就不做了,直接使用scp拷贝。

[root@foundation CA]# scp /etc/pki/CA/cacert.pem foundation@rhel7.mei.com:/home/foundation/

打开Firefox添加证书

选择import后找到刚才拷过来的证书文件双击,来到下面的界面,勾选一下选项。

输入http地址访问

看到下面的效果,并显示是https且证书安全,说明成功!

再测试一下我们的PHP内容:

能够跳到https,并且证书安全。

点击select能够正确查询到数据库中的内容,并显示证书是安全的,同时还是https

最后希望大家提意见、转发、评论和交流!!!

posted @ 2019-07-10 12:10  Repetition_Maximum  阅读(1564)  评论(0编辑  收藏  举报