• Self-built CA for HTTPS


    Note: this is one part of the Linux services deployment series; it can serve on its own as a reference for building a private CA and serving an https website with it.

    Note: the section numbers follow the order of the main article (Linux basic services deployment).

    For the software versions and host configuration requirements, see the relevant sections via the table of contents.

    Table of contents of the Linux services deployment series

    ====================================================

    Linux basic services deployment

    1. foundation: create a yum repository

    2. Deploy DNS

    3. Publish the YUM repository through httpd

    4. Install the JDK on the rhel7 host

    5. foundation: build a central log server with Rsyslog

    6. foundation: LAMP environment setup

    7. foundation: set up an NFS service

    8. rhel7: Java web environment (Tomcat 8 integrated with httpd)

    9. foundation: self-built CA for HTTPS

    10. foundation: configure Kerberos and NTP and a secure NFS mount

    11. foundation: provide a SAMBA service

    12. rhel7: configure software iSCSI storage

    13. rhel7 host: port forwarding and address masquerading

    ====================================================

    Host roles

    9. foundation: self-built CA for HTTPS

    Build our own CA and use it to serve an https website for the domain www.mei.com.

    Note: when generating the certificate request, the certificate must be for www.mei.com.

    9.1 Build the CA and issue a certificate to the foundation host

    9.1.1 Build the CA

    #The CA database: index.txt records every issued certificate, serial holds the next serial number to use
    [root@foundation CA]# touch /etc/pki/CA/index.txt
    
    [root@foundation CA]# echo "01" >/etc/pki/CA/serial
    #Generate the CA private key. This is the most sensitive file on the host and must never leave it;
    #here it is protected by /etc/pki/CA/private being mode 700 on RHEL 7. Wrapping the command as
    #(umask 077; openssl genrsa ...) would additionally create the key file itself as 0600.
    [root@foundation CA]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048  
    
    Generating RSA private key, 2048 bit long modulus
    ...................+++
    ..................+++
    e is 65537 (0x10001)
    
    #Self-sign the CA certificate (-x509 makes req emit a certificate instead of a request; 7300 days is 20 years).
    #The Common Name here names the CA itself, not the website.
    [root@foundation CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:chongqing
    Locality Name (eg, city) [Default City]:yubei
    Organization Name (eg, company) [Default Company Ltd]:mei
    Organizational Unit Name (eg, section) []:ops
    Common Name (eg, your name or your server's hostname) []:foundation.mei.com
    Email Address []:mail.mei.com

    9.1.2 Generate the certificate request and sign it

    #Generate the server private key
    [root@foundation CA]# openssl genrsa -out /etc/pki/tls/private/server.key 2048
    Generating RSA private key, 2048 bit long modulus
    ....................................+++
    ....................................+++
    e is 65537 (0x10001)
    
    #Generate the certificate request. The certificate we are issuing is for the domain www.mei.com, so that is the
    #Common Name. -days has no effect on a request (the validity is set when openssl ca signs it below).
    #This request carries no subjectAltName: Chrome (since 58) and current Firefox ignore the Common Name and
    #match the host name only against the SAN, so such a certificate is accepted only by older browsers.
    [root@foundation CA]# openssl req -new -key /etc/pki/tls/private/server.key -days 365 -out /etc/pki/tls/server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:cn
    State or Province Name (full name) []:chongqing
    Locality Name (eg, city) [Default City]:yubei
    Organization Name (eg, company) [Default Company Ltd]:mei
    Organizational Unit Name (eg, section) []:ops
    Common Name (eg, your name or your server's hostname) []:www.mei.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []: 
    
    #Sign the request with the CA. openssl ca uses the default policy_match from /etc/pki/tls/openssl.cnf:
    #C, ST and O must equal the CA's, L is not part of the policy and is silently dropped (compare the Subject
    #below), and the serial number is taken from /etc/pki/CA/serial.
    [root@foundation CA]# openssl ca -in  /etc/pki/tls/server.csr -out /etc/pki/tls/certs/server.crt -days 365
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 2 (0x2)
            Validity
                Not Before: Jul  9 21:10:35 2019 GMT
                Not After : Jul  8 21:10:35 2020 GMT
            Subject:
                countryName               = cn
                stateOrProvinceName       = chongqing
                organizationName          = mei
                organizationalUnitName    = ops
                commonName                = www.mei.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    DB:0D:93:04:A2:A4:F4:AC:3D:24:0C:FF:00:8C:3E:23:15:66:20:1E
                X509v3 Authority Key Identifier: 
                    keyid:BB:E6:BE:EA:5A:9E:C6:1A:29:65:48:09:DB:4F:EE:36:AD:95:E5:2B
    
    Certificate is to be certified until Jul  8 21:10:35 2020 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated 
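    The two steps above, building the CA (9.1.1) and issuing the server certificate (9.1.2), as one re-runnable script. This is an added example, not code from the original post: it reproduces the same flow with its own small config files instead of /etc/pki/tls/openssl.cnf and adds the one thing the certificate signed above lacks, a subjectAltName, which is what browsers actually match the host name against. The working directory $WORK (default ./mini-ca), the CA subject "mei root CA" and the extra host name mei.com are assumptions of the example; www.mei.com is the post's domain.

```shell
#!/bin/sh
# Added example, not from the original post: a throw-away CA that issues a server
# certificate carrying a subjectAltName and verifies it the way a browser would.
# Assumed: files under $WORK, CA subject "mei root CA", extra host name mei.com.
set -e

WORK="${WORK:-$PWD/mini-ca}"

write_configs() {
  # CSR config: an empty DN section suffices because -subj is always given.
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
  # Root certificate: flagged as a CA, key limited to signing certificates and CRLs.
  cat > "$WORK/req-ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # openssl ca config ("dir = ." because we cd into $WORK before signing). policy_any
  # replaces the stock policy_match, which drops L= and refuses CSRs whose C/ST/O differ
  # from the CA's. The SAN is read from the environment so one file serves every host.
  cat > "$WORK/ca.cnf" <<'EOF'
[ca]
default_ca = mini_ca
[mini_ca]
dir             = .
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = server_ext
[policy_any]
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional
commonName          = supplied
[server_ext]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = ${ENV::SAN_LIST}
EOF
}

build_ca() {
  mkdir -p "$WORK/private" "$WORK/certs" "$WORK/newcerts" && chmod 700 "$WORK/private"
  : > "$WORK/index.txt"      # CA database and next serial number, as in 9.1.1
  echo 01 > "$WORK/serial"
  write_configs
  # umask 077: the CA key is created 0600 instead of the default 0644.
  (umask 077; openssl genrsa -out "$WORK/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -days 3650 -key "$WORK/private/cakey.pem" \
    -subj "/C=cn/ST=chongqing/O=mei/CN=mei root CA" \
    -config "$WORK/req-ca.cnf" -out "$WORK/cacert.pem"
}

# issue_server_cert NAME [ALT...]: key, CSR and CA-signed certificate for NAME,
# with NAME and every ALT listed in the SAN extension.
issue_server_cert() {
  name=$1; shift; san="DNS:$name"
  for alt in "$@"; do san="$san,DNS:$alt"; done
  (umask 077; openssl genrsa -out "$WORK/private/$name.key" 2048 2>/dev/null)
  openssl req -new -key "$WORK/private/$name.key" -config "$WORK/req.cnf" \
    -subj "/C=cn/ST=chongqing/O=mei/CN=$name" -out "$WORK/$name.csr"
  (cd "$WORK" && SAN_LIST="$san" openssl ca -batch -notext -config ca.cnf \
    -in "$name.csr" -out "certs/$name.crt")
}

# cert_sans CERT: print the SAN list, e.g. "DNS:www.mei.com, DNS:mei.com".
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# verify_chain CERT HOST: succeed only if CERT chains to our CA and is valid for
# HOST; -verify_hostname checks the name against the SAN, as browsers do.
verify_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$2" "$1" 2>/dev/null |
    grep -q ': OK$'
}

case "${1-}" in
  run) build_ca; issue_server_cert www.mei.com mei.com
       cert_sans "$WORK/certs/www.mei.com.crt"
       verify_chain "$WORK/certs/www.mei.com.crt" www.mei.com && echo "www.mei.com: OK" ;;
esac
```

    Run it as `sh mini-ca.sh run`; the resulting certs/www.mei.com.crt and private/www.mei.com.key drop into the SSLCertificateFile and SSLCertificateKeyFile slots of the vhost in 9.2.3. build_ca truncates index.txt and resets serial, so do not point WORK at a CA that has already issued certificates.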

    9.2 Set up the HTTPS website

    Here port 8008 is used as the site's plain-HTTP port, and requests arriving there are redirected to https.

    To serve the PHP pages over https as well, copy the PHP files from the LAMP setup into the document root of the https site; the redirect then takes care of the rest.

    9.2.1 Install packages and configure the firewall

    [root@foundation CA]# yum install mod_ssl
    
    [root@foundation CA]# firewall-cmd --permanent --add-service=https && firewall-cmd --reload   
     
    #HTTP runs over TCP only, so there is no need to open 8008/udp as well
    [root@foundation html]# firewall-cmd --permanent --add-port=8008/tcp
    success
    [root@foundation html]# firewall-cmd --reload

    9.2.2 Create the website directory and its content

    Create the website directory.

    The SELinux context of the site directory was covered when the earlier services were configured and is not repeated here.

    The index.html below contains only the string: test

    All the PHP files are my test files from the earlier LAMP setup. If you are only building a PHP site of your own, write your own PHP test files.

    9.2.3 Create the virtual hosts and configure them

    [root@foundation /]# cat /etc/httpd/conf.d/httpswww.conf 
    <VirtualHost *:443>
        DocumentRoot "/web/www/httpswww/html"
        ServerName www.mei.com
        SSLEngine on
        # SSLv3 is as broken as SSLv2 (POODLE); the original listing only excluded SSLv2
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
        # The certificate signed by our CA in 9.1.2 and its private key
        SSLCertificateFile /etc/pki/tls/certs/server.crt
        SSLCertificateKeyFile /etc/pki/tls/private/server.key
        <Directory /web/www>
            AllowOverride None
            Require all granted
        </Directory>
        <Directory /web/www/httpswww/html>
            AllowOverride None
            Require all granted
        </Directory>
        ErrorLog "logs/httpswww_error.log"
        CustomLog "logs/httpswww_access.log" combined
    </VirtualHost>
    # Plain-HTTP vhost on 8008 whose only job is to send clients to https://.
    # httpd also needs a "Listen 8008" directive (in httpd.conf or a conf.d file),
    # otherwise this vhost never receives a connection.
    <VirtualHost *:8008>
        ServerName www.mei.com
        # httpd does not accept a comment after a directive on the same line, so the
        # inline notes from the original listing have been moved onto their own lines.
        # Enable the rewrite engine
        RewriteEngine On
        # Alternative that redirects to whatever Host header the client sent
        # (the original spelt the variable HTTP_POST; it is HTTP_HOST):
        #RewriteRule ^(/.*)$ https://%{HTTP_HOST}$1 [R=301]
        # Rewrite condition: anything not already on port 443
        RewriteCond %{SERVER_PORT} !^443$
        # Rewrite rule: permanent redirect to the same path on https
        RewriteRule ^(.*)?$ https://%{SERVER_NAME}$1 [R=301,L]
    </VirtualHost>

    9.3 Testing

    Copy the CA certificate from foundation to the rhel7 host. It could be published on the website for download, but here scp is used directly. Only cacert.pem (the public certificate) is distributed; cakey.pem never leaves the CA host.

    [root@foundation CA]# scp /etc/pki/CA/cacert.pem foundation@rhel7.mei.com:/home/foundation/

    Open Firefox and add the certificate.

    Choose Import, locate the certificate file just copied over and double-click it; in the dialog that follows, tick the option to trust this CA for identifying websites.

    Enter the plain-http address (port 8008) in the browser.

    If the page below appears, served over https with the certificate reported as secure, it worked!

    Now test the PHP content:

    It is redirected to https, and the certificate is reported as secure.

    Clicking select correctly queries the content from the database, again over https with a secure certificate.
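    The same checks done from a shell on the client instead of in Firefox. This is an added example, not from the original post; it assumes the host name www.mei.com and plain-HTTP port 8008 from 9.2 and that the cacert.pem copied over by scp is in the current directory (all three can be overridden with HOST, HTTP_PORT and CA_FILE).

```shell
#!/bin/sh
# Added example, not from the original post: the 9.3 checks done from a shell.
# Assumed: host www.mei.com, plain-HTTP port 8008, ./cacert.pem from the scp step.
set -e

HOST="${HOST:-www.mei.com}"
HTTP_PORT="${HTTP_PORT:-8008}"
CA_FILE="${CA_FILE:-./cacert.pem}"

# status_of RESPONSE: the status code from the first line of a raw HTTP reply.
status_of() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# location_of RESPONSE: the Location header value (header names are
# case-insensitive, so the name is compared lower-cased).
location_of() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# check_redirect: the 8008 vhost must answer 301 with an https:// Location for
# the same host and path, which is exactly what the RewriteRule in 9.2.3 emits.
check_redirect() {
  resp=$(curl -sS -I --max-time 5 "http://$HOST:$HTTP_PORT/index.html")
  [ "$(status_of "$resp")" = 301 ] &&
    [ "$(location_of "$resp")" = "https://$HOST/index.html" ]
}

# check_tls: the TLS endpoint must chain to our CA. -servername sends SNI so the
# right vhost answers; -verify_hostname checks the name as well. openssl still
# falls back to the CN when a certificate has no SAN, so a pass here does not
# guarantee that Chrome will accept a CN-only certificate like the one from 9.1.2.
check_tls() {
  openssl s_client -connect "$HOST:443" -servername "$HOST" \
      -verify_hostname "$HOST" -CAfile "$CA_FILE" </dev/null 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)'
}

case "${1-}" in
  run) check_redirect && check_tls && echo "redirect and TLS chain: OK" ;;
esac
```

    Run it on the rhel7 host as `sh check-site.sh run`; a browser-style trust failure shows up as a non-zero exit from check_tls, and a missing Listen 8008 or a broken RewriteRule shows up in check_redirect.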

    Finally, comments, shares and discussion are all welcome!

  • Original article: https://www.cnblogs.com/meizy/p/ca_https.html