
Server maintenance: configuring HTTPS on CentOS 7.3


2020-06-10 16:27 Author: 艾锑无限


 
How do you maintain servers well? 北京艾锑无限科技 discusses the server maintenance information that IT staff need to know.

Environment: CentOS 7.3, httpd 2.4.6

I. Setting up the certificates

Notes:
The CA host is 192.168.29.3
The client host is 192.168.29.100

1 Generate the CA private key

[root@centos7 ~]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....................++
...........................................................................................................................................................................................++
e is 65537 (0x10001)

2 Generate the self-signed CA certificate

[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem  -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
[root@centos7 ~]#

3 Provide the directories and files the CA needs

(1) Required directories; create them if they do not exist
    /etc/pki/CA/certs/
    /etc/pki/CA/crl/
    /etc/pki/CA/newcerts/
(2) Required files
[root@centos7 ~]# touch /etc/pki/CA/serial     # serial number file
[root@centos7 ~]# touch /etc/pki/CA/index.txt  # database file
(3) Initialise the serial number
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial  # the CA's next serial number

4 On the client, do the following

(1) Create the directory that will hold the key and certificate
[root@CentOS7 ~]# mkdir /etc/httpd/ssl
(2) Generate the client's own private key
[root@CentOS7 ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
...................................+++
e is 65537 (0x10001)
[root@CentOS7 ~]#
(3) Create a certificate signing request (CSR) for the CA to sign
[root@CentOS7 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(4) Send the CSR to the CA
[root@CentOS7 ~]# scp  /etc/httpd/ssl/httpd.csr root@192.168.29.3:/tmp/
The authenticity of host '192.168.29.3 (192.168.29.3)' can't be established.
ECDSA key fingerprint is f2:2e:89:a2:8d:22:22:9c:a9:f8:c9:19:18:d3:b6:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.29.3' (ECDSA) to the list of known hosts.
root@192.168.29.3's password: 
httpd.csr                               100% 1005     1.0KB/s   00:00  

5 Sign the client's certificate on the CA host

[root@centos7 ~]# openssl ca -in /tmp/httpd.csr  -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  3 02:54:23 2017 GMT
            Not After : Jun  3 02:54:23 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = Company
            organizationalUnitName    = OPS
            commonName                = www.test.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                5D:A9:5A:90:29:F3:3A:7F:76:BE:21:78:14:80:E5:FB:5E:03:D8:D9
            X509v3 Authority Key Identifier: 
                keyid:9E:1E:F3:84:4D:D0:79:E2:BD:DD:A8:50:29:6C:BA:0C:21:60:CA:96
Certificate is to be certified until Jun  3 02:54:23 2018 GMT (365 days)
Sign the certificate? [y/n]:y
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

6 Send the signed certificate to the client

[root@centos7 ~]# scp  /etc/pki/CA/certs/httpd.crt   root@192.168.29.100:/etc/httpd/ssl/
The authenticity of host '192.168.29.100 (192.168.29.100)' can't be established.
ECDSA key fingerprint is 32:16:f3:2d:78:65:9f:a0:31:6c:dc:b9:24:e7:5a:8f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.29.100' (ECDSA) to the list of known hosts.
root@192.168.29.100's password: 
httpd.crt                               100% 5711     5.6KB/s   00:00    

II. HTTPS configuration

7 Install the mod_ssl module

[root@CentOS7 ~]# yum install mod_ssl -y

8 Edit the configuration file /etc/httpd/conf.d/ssl.conf

DocumentRoot "/data/https"
ServerName www.test.com:443
<Directory "/data/https">
    AllowOverride None
    Require all granted
</Directory>
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
Note:
Also adjust the permissions of /etc/httpd/ssl/httpd.crt and /etc/httpd/ssl/httpd.key so that Apache can read them. If you put the files in the default directory instead, you do not need to change the permissions.
[root@CentOS7 ~]# chmod +r /etc/httpd/ssl/httpd.key

9 Check the syntax

[root@CentOS7 ~]# httpd -t
Syntax OK
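
Before starting httpd it is worth confirming that the signed certificate chains to the CA, that it matches the file named in SSLCertificateKeyFile, and that the private key is not readable by other users. The script below is an added example, not part of the original article; the function names are assumptions, and the paths from steps 1 to 8 are passed in as arguments.

```bash
#!/bin/bash
# Added example (not from the original article): pre-flight checks for the
# files created in steps 1-8. Function names are illustrative assumptions.

# Pass only if the key is accessible by its owner alone (mode 600 or 400).
# httpd opens the key as root at startup, so group/other read is not needed.
key_mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # GNU stat, as on CentOS
    case "$mode" in
        600|400) return 0 ;;
        *) echo "WARN: $1 has mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
}

# Pass only if the certificate and the private key hold the same public key.
# Returns 2 when a file cannot be parsed, e.g. when a .crt is passed as the
# key (SSLCertificateKeyFile pointing at the certificate by mistake).
cert_matches_key() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Pass only if the certificate verifies against the given CA certificate.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Run all three checks; the return value is the number of failed checks.
preflight() {   # usage: preflight CA_CERT SERVER_CERT SERVER_KEY
    local failed=0
    cert_chains_to_ca "$1" "$2" || { echo "FAIL: $2 is not signed by $1" >&2; failed=$((failed + 1)); }
    cert_matches_key "$2" "$3"  || { echo "FAIL: $3 does not match $2" >&2; failed=$((failed + 1)); }
    key_mode_ok "$3"            || failed=$((failed + 1))
    return "$failed"
}

# Example invocation with this article's paths (cacert.pem must first be
# copied from the CA host to the web server; /tmp is an assumed location):
#   preflight /tmp/cacert.pem /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key
```

A key created under umask 077 as in step 4 already has mode 600 and passes key_mode_ok; after chmod +r it is mode 644 and is reported.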

10 Change the default page

[root@CentOS7 ~]# echo "www.test.com" > /data/https/index.html

11 Start the httpd service

[root@CentOS7 ~]# systemctl start httpd.service

12 Copy the CA's self-signed certificate to the desktop

[root@centos7 ~]# sz /etc/pki/CA/cacert.pem
Rename it to cacert.crt

Double-click it to import it into IE

13 Configure DNS resolution

Point www.test.com at 192.168.29.100,
or edit the hosts file on Windows, C:\Windows\System32\drivers\etc\hosts:
192.168.29.100  www.test.com

14 Test in IE

Enter https://www.test.com

Done, it works. What a sense of achievement!
This article was compiled by 北京艾锑无限科技发展有限公司.
 

 
