Security tools: SSL
How to implement SSL

1. To make our web server support SSL, the first step is to install the SSL module:

yum install mod_ssl -y    # installed on 172.16.50.5

2. Set up a CA. The CA issues itself a self-signed certificate; our web server then generates a key pair and sends its public key, wrapped in a signing request, to the CA, which signs it. Here we use two hosts, 172.16.50.5 and 172.16.50.4, with 172.16.50.4 acting as the CA.

3. Generate a private key (this is done on 172.16.50.4). See Figure 1.

4. Generate the self-signed certificate (see Figure 2). Generating it prompts for a lot of information, which is tedious to fill in, but the prompts have defaults; change the default options in the config file once and you will not have to type them next time.

vim /etc/pki/tls/openssl.cnf    # edit the config file

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN    # default country
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Henan    # default province

localityName                    = Locality Name (eg, city)
localityName_default            = zhengzhou    # default city

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Magedu    # organization name

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Tech    # department name

Now we generate the self-signed certificate (Figure 2).

5. We also need to change the paths in the config file so the CA works from the directory where the self-signed certificate was generated:

vim /etc/pki/tls/openssl.cnf

[ CA_default ]
dir             = /etc/pki/CA              # Where everything is kept
certs           = $dir/certs               # Where the issued certs are kept
crl_dir         = $dir/crl                 # Where the issued crl are kept (certificate revocation lists)
database        = $dir/index.txt           # database index file; every signed certificate is recorded here
#unique_subject = no                        # Set to 'no' to allow creation of
                                           # several certificates with same subject.
new_certs_dir   = $dir/newcerts            # default place for new certs
certificate     = $dir/cacert.pem          # The CA certificate
serial          = $dir/serial              # The current serial number
crlnumber       = $dir/crlnumber           # the current crl number
                                           # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem             # The current CRL
private_key     = $dir/private/cakey.pem   # The private key generated in step 3
RANDFILE        = $dir/private/.rand       # private random number file

x509_extensions = usr_cert                 # The extensions to add to the cert

6. With the config file edited, prepare the directories and files the CA needs (note: this is done inside the CA directory):

[root@server21 CA]# mkdir certs crl newcerts    # create the directories
[root@server21 CA]# touch index.txt    # create the index file
[root@server21 CA]# echo 01 > serial    # the serial number
[root@server21 CA]# ls    # check the directories and files created
cacert.pem  certs  crl  index.txt  newcerts  private  serial

The CA is now ready. From here on, anyone who needs a certificate just generates a key pair, builds a certificate signing request from it, and sends the request to our CA host to be signed.

7. Back on the server side (172.16.50.5). The certificate is for our web server, so we keep it under /etc/httpd/:

[root@station41 httpd]# cd /etc/httpd/
[root@station41 httpd]# cd
[root@station41 ~]# cd /etc/httpd/
[root@station41 httpd]# ls
conf  conf.d  logs  modules  run
[root@station41 httpd]# mkdir ssl -pv
mkdir: created directory `ssl'
[root@station41 httpd]# cd ssl/
# generate a key pair and wrap the public key into a certificate signing request to send to the CA
[root@station41 ssl]# (umask 077; openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
..........................++++++
..............................++++++
e is 65537 (0x10001)
# generate the certificate signing request
[root@station41 ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:    # country
State or Province Name (full name) [Henan]:    # province
Locality Name (eg, city) [Zhengzhou]:zhengzhou    # city
Organization Name (eg, company) [MagEdu]:Magedu    # organization
Organizational Unit Name (eg, section) [Tech]:    # department
Common Name (eg, your name or your server's hostname) []:www.jll.com    # the hostname: write the name of whichever host the certificate is for
Email Address []:www@jll.com    # e-mail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@station41 ssl]# ls
httpd.csr  httpd.key

8. Back on the CA host, copy the request over; pulling it from the CA or pushing it from the server both work:

[root@server21 tmp]# scp 172.16.50.5:/etc/httpd/ssl/httpd.csr ./
root@172.16.50.5's password:
httpd.csr                                                     100%  688     0.7KB/s   00:00
[root@server21 tmp]# ll
total 8
-rw-r--r-- 1 root root 688 Apr 10 02:15 httpd.csr

9. Sign with the CA:

[root@server21 ~]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr  9 18:20:00 2013 GMT
            Not After : Apr  7 18:20:00 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Henan
            organizationName          = Magedu
            organizationalUnitName    = Tech
            commonName                = www.jll.com
            emailAddress              = www@jll.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C2:94:C8:E7:A1:70:36:09:92:4F:0D:BD:42:8A:F9:5D:1F:64:32:DC
            X509v3 Authority Key Identifier:
                keyid:27:71:DB:56:8E:33:29:76:1B:D6:92:BC:5E:57:D0:AE:70:5F:BB:8A

Certificate is to be certified until Apr  7 18:20:00 2023 GMT (3650 days)
Sign the certificate? [y/n]:y    # confirm
1 out of 1 certificate requests certified, commit? [y/n]y    # confirm
Write out database with 1 new entries
Data Base Updated
[root@server21 ~]# cd /etc/pki/CA/    # verify
[root@server21 CA]# ls
cacert.pem  crl        index.txt.attr  newcerts  serial
certs       index.txt  index.txt.old   private   serial.old
[root@server21 CA]# cat index.txt    # view the index
V   230407182000Z       01  unknown /C=CN/ST=Henan/O=Magedu/OU=Tech/CN=www.jll.com/emailAddress=www@jll.com
[root@server21 CA]# cat serial    # view the serial number
02

10. Signing is done; copy the certificate to 172.16.50.4:

[root@server21 CA]# scp /tmp/httpd.crt 172.16.50.5:/etc/httpd/ssl/
root@172.16.50.5's password:
httpd.crt                                                     100% 3822     3.7KB/s

11. Back on 172.16.50.5, check that the copy succeeded:

[root@station41 ssl]# ls
httpd.crt  httpd.csr  httpd.key

12. Back on 172.16.50.4 again. For safety, delete the sensitive files left under /tmp so that nobody else can get hold of them:

[root@server21 CA]# cd /tmp/
[root@server21 tmp]# ls
httpd.crt  httpd.csr
[root@server21 tmp]# rm -rf httpd.c*
[root@server21 tmp]# ls
[root@server21 tmp]#

13. Set up the working environment:

[root@station41 ~]# cd /etc/httpd/conf.d/
[root@station41 conf.d]# ls
manual.conf  proxy_ajp.conf  README  ssl.conf  welcome.conf
[root@station41 conf.d]# cp ssl.conf ssl.conf.bak    # back up the config file before editing it
[root@station41 conf.d]# vim ssl.conf    # edit the config file as shown in the figure, then continue with the steps below

[root@station41 conf.d]# httpd -t
Warning: DocumentRoot [/www/jll.com] does not exist    # the directory does not exist; just create it
Syntax OK

Create the virtual host:

vim /etc/httpd/conf.d/virtual.conf

NameVirtualHost 172.16.50.5:80
<VirtualHost 172.16.50.5:80>
    ServerName www.jll.com
    DocumentRoot "/www/jll.com"
</VirtualHost>    # the post on Apache configuration covers this part in detail

Disable the central host:

vim /etc/httpd/conf/httpd.conf

DocumentRoot "/var/www/html"    # comment out this line

[root@station41 conf.d]# mkdir /www/jll.com -pv    # create the directory
mkdir: created directory `/www'
mkdir: created directory `/www/jll.com'
[root@station41 conf.d]# httpd -t
Syntax OK
[root@station41 conf.d]# vim /www/jll.com/index.html    # write a test page
<h1>jll.com</h1>
[root@station41 conf.d]# service httpd restart    # restart the service
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[root@station41 conf.d]# netstat -tnlp    # check that port 443 is listening
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      7901/httpd

14. Use hostname resolution on Windows. First add this to the hosts file:

172.16.50.5 www.jll.com

[root@server21 ~]# cd /etc/pki/CA/    # done on 172.16.50.4

Export /etc/pki/httpd/cacert.pem to the physical host, rename it cacert.crt, then double-click it to install it. Now you can browse to www.jll.com:

https://www.jll.com (see figure)

That completes our CA setup. This is a simple CA; have you got it? It may feel a bit dizzying at first, heh, but after a few more runs it will come, so no rush!
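Steps 3 to 9 above, as an added example that is not code from the post: the same CA setup and signing run non-interactively in a scratch directory, ending with the check a practitioner wants after step 9, that httpd.crt verifies against cacert.pem and carries the CN the browser will look for. The paths under $1, the CA's own DN and the 2048-bit key size are this example's choices; the server DN is the one from the post.

```shell
#!/bin/sh
# Added example, not the post's code: steps 3-9 run non-interactively, then a verification check.
set -eu
build_ca_and_sign() {
    ca="$1/CA"; ssl="$1/httpd-ssl"                      # hypothetical scratch paths under $1
    mkdir -p "$ca/newcerts" "$ca/private" "$ssl"         # step 6: directories the CA needs
    touch "$ca/index.txt"; echo 01 > "$ca/serial"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
commonName = supplied
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
EOF
    # Steps 3-4 (CA host, 172.16.50.4): CA private key and self-signed CA certificate; the CA DN is constructed.
    (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" \
        -subj "/C=CN/O=Magedu/CN=jll.com CA" -out "$ca/cacert.pem"
    # Step 7 (web server, 172.16.50.5): server key and CSR; -subj replaces the interactive prompts.
    (umask 077; openssl genrsa -out "$ssl/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$ca/openssl.cnf" -key "$ssl/httpd.key" -out "$ssl/httpd.csr" \
        -subj "/C=CN/ST=Henan/O=Magedu/OU=Tech/CN=www.jll.com/emailAddress=www@jll.com"
    # Step 9: sign; -batch answers the two y/n prompts shown in the post.
    openssl ca -batch -config "$ca/openssl.cnf" -days 3650 -in "$ssl/httpd.csr" -out "$ssl/httpd.crt" 2>/dev/null
    openssl verify -CAfile "$ca/cacert.pem" "$ssl/httpd.crt" >/dev/null        # chain check against the CA
    openssl x509 -noout -subject -in "$ssl/httpd.crt" | grep -q 'CN *= *www.jll.com'   # CN is the URL hostname
}
```

Run it as build_ca_and_sign /some/scratch/dir; the index.txt and serial it leaves behind match what step 9 shows.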
Figure 1
Reposted from: https://blog.51cto.com/jilili/1175316