Building Your Own CA to Implement HTTPS
Note: this is one part of the Linux comprehensive service setup series; it can be used as a reference for building an HTTPS website with a self-hosted CA.
Note: all headings here follow the numbering of the main article (Linux Basic Services Setup Overview).
If you need the software versions and host configuration requirements, look them up via the table of contents.
Table of contents of the Linux comprehensive service setup series
====================================================
5. foundation: building a centralized log server with Rsyslog
8. rhel7: setting up a Java web environment (Tomcat 8 integrated with httpd)
10. foundation: configuring Kerberos and NTP services and secure NFS mounts
====================================================
Host role description
9. foundation: build your own CA and implement HTTPS
Build our own CA and use it to implement an HTTPS website; the domain is www.mei.com.
Note: when you create the certificate request, it must be for www.mei.com.
9.1 Build the CA and issue a certificate to the foundation host
9.1.1 Build the CA
[root@foundation CA]# touch /etc/pki/CA/index.txt
[root@foundation CA]# echo "01" >/etc/pki/CA/serial
# generate the CA private key
[root@foundation CA]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
...................+++
..................+++
e is 65537 (0x10001)
# the CA self-signs its own certificate
[root@foundation CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:chongqing
Locality Name (eg, city) [Default City]:yubei
Organization Name (eg, company) [Default Company Ltd]:mei
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:foundation.mei.com
Email Address []:mail.mei.com
9.1.2 Generate the certificate request and sign it
# generate the server private key
[root@foundation CA]# openssl genrsa -out /etc/pki/tls/private/server.key 2048
Generating RSA private key, 2048 bit long modulus
....................................+++
....................................+++
e is 65537 (0x10001)
# generate the certificate request; note that the certificate we want issued is for the domain www.mei.com
[root@foundation CA]# openssl req -new -key /etc/pki/tls/private/server.key -days 365 -out /etc/pki/tls/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:chongqing
Locality Name (eg, city) [Default City]:yubei
Organization Name (eg, company) [Default Company Ltd]:mei
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.mei.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# sign the certificate with the CA
[root@foundation CA]# openssl ca -in /etc/pki/tls/server.csr -out /etc/pki/tls/certs/server.crt -days 365
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jul  9 21:10:35 2019 GMT
            Not After : Jul  8 21:10:35 2020 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = chongqing
            organizationName          = mei
            organizationalUnitName    = ops
            commonName                = www.mei.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DB:0D:93:04:A2:A4:F4:AC:3D:24:0C:FF:00:8C:3E:23:15:66:20:1E
            X509v3 Authority Key Identifier:
                keyid:BB:E6:BE:EA:5A:9E:C6:1A:29:65:48:09:DB:4F:EE:36:AD:95:E5:2B

Certificate is to be certified until Jul  8 21:10:35 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
9.2 Set up the HTTPS website
Port 8008 is used as the plain-HTTP port of the site, and requests to it are redirected to HTTPS.
To publish PHP over HTTPS, after the LAMP environment is set up you can simply copy the PHP pages into the document root of the HTTPS site and then configure the redirect.
9.2.1 Install packages and configure the firewall
[root@foundation CA]# yum install mod_ssl

[root@foundation CA]# firewall-cmd --permanent --add-service=https && firewall-cmd --reload

[root@foundation html]# firewall-cmd --permanent --add-port=8008/tcp --add-port=8008/udp
success
[root@foundation html]# firewall-cmd --reload
9.2.2 Create the website directory and generate the page content
Create the website directory
SELinux considerations for the website directory were covered during earlier configuration and are not repeated here.
The content of index.html below is the string: test
All the PHP files are the test files from when I set up LAMP earlier. If you are only building a PHP site of your own, write your own PHP test file content.
9.2.3 Create the virtual host and configure it
[root@foundation /]# cat /etc/httpd/conf.d/httpswww.conf
<VirtualHost *:443>
    DocumentRoot "/web/www/httpswww/html"
    ServerName www.mei.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    <Directory /web/www>
        AllowOverride None
        Require all granted
    </Directory>
    <Directory /web/www/httpswww/html>
        AllowOverride None
        Require all granted
    </Directory>
    ErrorLog "logs/httpswww_error.log"
    CustomLog "logs/httpswww_access.log" combined
</VirtualHost>

<VirtualHost *:8008>
    ServerName www.mei.com
    # enable the rewrite engine (httpd does not allow trailing comments, so they go on their own lines)
    RewriteEngine On
    #RewriteRule ^(/.*)$ https://%{HTTP_POST}$1 [redirect=301]
    # rewrite condition: only requests that did not arrive on port 443
    RewriteCond %{SERVER_PORT} !^443$
    # rewrite rule: permanent redirect to the HTTPS site
    RewriteRule ^(.*)?$ https://%{SERVER_NAME}$1 [R=301,L]
</VirtualHost>
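Before the browser test, the script below is an added example (not the post's own commands) that reruns the 9.1 CA-and-issuance flow in a temporary directory, gives the www.mei.com certificate the Subject Alternative Name that current browsers require alongside the CN, and runs the checks worth doing before the pair named in SSLCertificateFile and SSLCertificateKeyFile goes live: the certificate chains to cacert.pem, it names www.mei.com, and the key belongs to it. It assumes the openssl CLI is installed; file names and the CA subject are constructed, and `openssl x509 -req -extfile` stands in for the post's interactive `openssl ca` (which accepts the same -extfile).

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the 9.1 CA flow in a temp
# directory, issue www.mei.com a certificate that also carries a SAN, and check
# the cert/key pair before it goes into the 9.2.3 vhost. File names and the CA
# subject are constructed; `openssl x509 -req -extfile` replaces `openssl ca`.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_ca() {
  # CA private key plus self-signed root, explicitly marked as a CA
  openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/cakey.pem" -out "$WORK/ca.csr" \
    -subj "/C=cn/ST=chongqing/O=mei/OU=ops/CN=mei root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/cakey.pem" -sha256 \
    -days 7300 -extfile "$WORK/ca.ext" -out "$WORK/cacert.pem" 2>/dev/null
}

issue_server_cert() {
  # $1 = host name for CN and SAN, $2 = file prefix for the key, CSR and cert
  openssl genrsa -out "$WORK/$2.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "/C=cn/ST=chongqing/O=mei/OU=ops/CN=$1"
  # a CN-only cert (as in the post) is refused by current browsers; the SAN fixes that
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$1" >"$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" \
    -CAcreateserial -sha256 -days 365 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

chain_ok() {          # 0 when $1.crt chains to cacert.pem (what Firefox checks after the import)
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

san_matches() {       # 0 when $1.crt lists DNS:$2 in its Subject Alternative Name
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep -qF "DNS:$2"
}

key_matches_cert() {  # 0 when $1.key belongs to $1.crt; a mismatch stops httpd from starting
  [ "$(openssl x509 -in "$WORK/$1.crt" -noout -modulus)" = \
    "$(openssl rsa -in "$WORK/$1.key" -noout -modulus 2>/dev/null)" ]
}

build_ca
issue_server_cert www.mei.com server
chain_ok server && san_matches server www.mei.com && key_matches_cert server &&
  echo "server.crt: chains to the CA, names www.mei.com, matches server.key"
```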
9.3 Testing
Copy the CA certificate from foundation to the rhel7 host. The certificate could be published on the website for download, but that is not done here; it is simply copied with scp.
[root@foundation CA]# scp /etc/pki/CA/cacert.pem foundation@rhel7.mei.com:/home/foundation/
Open Firefox and add the certificate
Choose Import, locate the certificate file just copied over and double-click it; on the screen that follows, tick the options.
Enter the HTTP address to visit
Seeing the result below, with HTTPS shown and the certificate marked secure, means success!
Now test our PHP content:
It redirects to HTTPS, and the certificate is secure.
Clicking select correctly queries the content in the database, the certificate shows as secure, and the connection is still HTTPS.
Finally, I hope everyone will offer suggestions, share, comment and discuss!!!