众所周知http协议是明文传输的,所以当我们再互联网上发送一些敏感数据,特别是账号密码之类的数据时,就显得不那么安全,而http又是应用层协议中用的非常广泛的一种协议,所以此时想要使之更安全,可以借助于ssl来使用https协议。但ssl仅能支持基于IP的主机,所以想使用https,要么是使用中心主机,要么是使用多个基于主机名的虚拟主机中的一个。
环境准备:
httpd服务器地址:172.16.1.111
CA服务器地址:172.16.1.110
一、httpd服务器首先安装mod_ssl模块
[root@soysauce ~]# yum install -y "mod_ssl"Loaded plugins: fastestmirrorLoading mirror speeds from cached hostfile * epel: mirrors.ustc.edu.cnSetting up Install ProcessResolving Dependencies--> Running transaction check---> Package mod_ssl.x86_64 1:2.2.15-47.el6.centos.1 will be installed--> Processing Dependency: httpd = 2.2.15-47.el6.centos.1 for package: 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64--> Running transaction check---> Package httpd.x86_64 0:2.2.15-47.el6.centos will be updated---> Package httpd.x86_64 0:2.2.15-47.el6.centos.1 will be an update--> Processing Dependency: httpd-tools = 2.2.15-47.el6.centos.1 for package: httpd-2.2.15-47.el6.centos.1.x86_64--> Running transaction check---> Package httpd-tools.x86_64 0:2.2.15-47.el6.centos will be updated---> Package httpd-tools.x86_64 0:2.2.15-47.el6.centos.1 will be an update--> Finished Dependency ResolutionDependencies Resolved======================================================================================================================================== Package Arch Version Repository Size========================================================================================================================================Installing: mod_ssl x86_64 1:2.2.15-47.el6.centos.1 updates 95 kUpdating for dependencies: httpd x86_64 2.2.15-47.el6.centos.1 updates 830 k httpd-tools x86_64 2.2.15-47.el6.centos.1 updates 77 kTransaction Summary========================================================================================================================================Install 1 Package(s)Upgrade 2 Package(s)Total download size: 1.0 MDownloading Packages:(1/3): httpd-2.2.15-47.el6.centos.1.x86_64.rpm | 830 kB 00:00 (2/3): httpd-tools-2.2.15-47.el6.centos.1.x86_64.rpm | 77 kB 00:00 (3/3): mod_ssl-2.2.15-47.el6.centos.1.x86_64.rpm | 95 kB 00:00 ----------------------------------------------------------------------------------------------------------------------------------------Total 974 kB/s | 1.0 MB 00:01 Running rpm_check_debugRunning Transaction TestTransaction Test SucceededRunning Transaction Updating : httpd-tools-2.2.15-47.el6.centos.1.x86_64 1/5 Updating : httpd-2.2.15-47.el6.centos.1.x86_64 2/5 Installing : 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64 3/5 Cleanup : httpd-2.2.15-47.el6.centos.x86_64 4/5 Cleanup : httpd-tools-2.2.15-47.el6.centos.x86_64 5/5 Verifying : httpd-tools-2.2.15-47.el6.centos.1.x86_64 1/5 Verifying : httpd-2.2.15-47.el6.centos.1.x86_64 2/5 Verifying : 1:mod_ssl-2.2.15-47.el6.centos.1.x86_64 3/5 Verifying : httpd-2.2.15-47.el6.centos.x86_64 4/5 Verifying : httpd-tools-2.2.15-47.el6.centos.x86_64 5/5 Installed: mod_ssl.x86_64 1:2.2.15-47.el6.centos.1 Dependency Updated: httpd.x86_64 0:2.2.15-47.el6.centos.1 httpd-tools.x86_64 0:2.2.15-47.el6.centos.1 Complete!
二、建立CA服务器
(1)、生成CA自己的私钥
[root@CentOS5 ~]# cd /etc/pki/CA/[root@CentOS5 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)Generating RSA private key, 2048 bit long modulus.................................................................................+++...+++e is 65537 (0x10001)[root@CentOS5 CA]# ll private/cakey.pem-rw------- 1 root root 1679 Dec 12 03:58 private/cakey.pem
(2)、修改openssl配置文件,定义各项默认属性以及CA目录
[root@CentOS5 CA]# vim ../tls/openssl.cnf [root@CentOS5 CA]# grep "_default" ../tls/openssl.cnf | tail -6countryName_default = CNstateOrProvinceName_default = HuBeilocalityName_default = HuangGang0.organizationName_default = Soysauce#1.organizationName_default = World Wide Web Pty LtdorganizationalUnitName_default = Tech[root@CentOS5 CA]# grep "^dir" ../tls/openssl.cnf dir = /etc/pki/CA # Where everything is kept
(3)、生成自签证书
[root@CentOS5 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [HuBei]:Locality Name (eg, city) [HuangGang]:Organization Name (eg, company) [Soysauce]:Organizational Unit Name (eg, section) [Tech]:Common Name (eg, your name or your server's hostname) []:ca.soysauce.comEmail Address []:admin@soysauce.com
(4)、准备几个目录及文件
[root@CentOS5 CA]# mkdir certs crl newcerts[root@CentOS5 CA]# touch index.txt[root@CentOS5 CA]# echo 01 > serial
三、httpd服务器生成密钥,并生成签署正式申请发送给CA服务器
(1)、httpd服务器生成一对密钥
[root@soysauce ~]# cd /etc/httpd/[root@soysauce httpd]# mkdir ssl[root@soysauce httpd]# cd ssl/[root@soysauce ssl]# (umask 077;openssl genrsa -out httpd.key 2048) Generating RSA private key, 2048 bit long modulus............+++.............................+++e is 65537 (0x10001)[root@soysauce ssl]# lltotal 4-rw------- 1 root root 1675 Dec 12 13:04 httpd.key
(2)、httpd服务器生成证书签署请求(hostname一定要保持一致)
[root@soysauce ssl]# scp 172.16.1.110:/etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf [root@soysauce ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [HuBei]:Locality Name (eg, city) [HuangGang]:Organization Name (eg, company) [NetWork]:Organizational Unit Name (eg, section) [Tech]:Common Name (eg, your name or your server's hostname) []:www.a.comEmail Address []:admin@a.comPlease enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:
(3)、将证书签署申请发送给CA服务器端
[root@soysauce ssl]# scp httpd.csr 172.16.1.110:/tmp/
四、CA签署此证书请求并回送给httpd服务器
(1)、CA服务器端签署证书申请
[root@CentOS5 CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650Using configuration from /etc/pki/tls/openssl.cnfCheck that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 11 20:23:59 2015 GMT Not After : Dec 8 20:23:59 2025 GMT Subject: countryName = CN stateOrProvinceName = HuBei organizationName = Soysauce organizationalUnitName = Tech commonName = www.soysauce.com emailAddress = admin@soysauce.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 35:E0:03:B1:67:28:A9:A9:39:F0:DB:0D:26:0B:ED:AD:B2:F6:FA:4A X509v3 Authority Key Identifier: keyid:9D:DF:4E:04:DC:31:25:24:2B:F6:65:05:9C:B3:96:8E:DC:6A:FB:4BCertificate is to be certified until Dec 8 20:23:59 2025 GMT (3650 days)Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base Updated[root@CentOS5 ~]# cd /etc/pki/CA/[root@CentOS5 CA]# lscacert.pem certs crl index.txt index.txt.attr index.txt.old newcerts private serial serial.old[root@CentOS5 CA]# cat index.txtV 251208202359Z 01 unknown /C=CN/ST=HuBei/O=Soysauce/OU=Tech/CN=www.soysauce.com/emailAddress=admin@soysauce.com[root@CentOS5 CA]# cat serial02
(2)、将签署好的证书返回给httpd客户端
[root@CentOS5 CA]# scp /tmp/httpd.crt 172.16.1.111:/etc/httpd/ssl/httpd.crt
(3)、删除httpd服务器的证书
[root@CentOS5 tmp]# rm -f httpd.csr httpd.crt
五、httpd服务器端编辑ssl.conf文件配置使用https
(1)、编辑ssl.conf配置文件
[root@soysauce ssl]# cd /etc/httpd/conf.d/[root@soysauce conf.d]# lsREADME ssl.conf virtualhost.conf welcome.conf[root@soysauce conf.d]# cp ssl.conf{,.back}[root@soysauce conf.d]# vim ssl.conf[root@soysauce conf.d]# grep -A 4 " ServerName www.soysauce.comDocumentRoot "/data/www/soysauce.com"ErrorLog "/var/log/httpd/soysauce.com/ssl_error_log"TransferLog "/var/log/httpd/soysauce.com/ssl_access_log"[root@soysauce conf.d]# grep "^SSLCertificate" ssl.confSSLCertificateFile /etc/httpd/ssl/httpd.crtSSLCertificateKeyFile /etc/httpd/ssl/httpd.key (2)、然后重启httpd服务,客户端再访问即可
[root@soysauce conf.d]# vim /etc/hosts[root@soysauce conf.d]# tail -1 /etc/hosts # 修改的是客户端的hosts文件172.16.1.111 www.soysauce.com[root@soysauce conf.d]# httpd -tSyntax OK[root@soysauce conf.d]# service httpd restartStopping httpd: [ OK ]Starting httpd: [ OK ]
到此处一个支持https的Web服务器已然完成