搭建APache http_ssl(https)
网站服务器(192.168.4.3)
1 网站服务器配置
运行网站服务 并编写网页文件 index.html
[root@WEB ~]# yum -y install httpd
[root@WEB ~]# echo www.test.com > /var/www/html/index.html
[root@WEB ~]# systemctl start httpd
[root@WEB ~]# systemctl stop firewalld
[root@WEB ~]# netstat -pantu | grep httpd
tcp6 0 0 :::80 :::* LISTEN 6016/httpd
客户端访问网站服务器
[root@test ~]# vim /etc/hosts
[root@test ~]# sed -n '3p' /etc/hosts
192.168.4.3 www.test.com
[root@test ~]# ping -c 2 www.test.com
PING www.test.com (192.168.4.3) 56(84) bytes of data.
64 bytes from www.test.com (192.168.4.3): icmp_seq=1 ttl=64 time=0.769 ms
64 bytes from www.test.com (192.168.4.3): icmp_seq=2 ttl=64 time=0.360 ms
客户端测试
[root@test ~]# firefox http://www.test.com
2 创建私钥文件 web.key
[root@WEB ~]# cd /etc/pki/tls/private/
[root@WEB private]# openssl genrsa 2048 > web.key
3 创建证书请求文件 web.csr
[root@WEB private]# openssl req -new -key web.key > /root/web.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:Xuenqlve
Organizational Unit Name (eg, section) []:ope
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:Xuenqlve@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4 上传证书请求文件给CA服务器 (192.168.4.1)
[root@WEB private]# scp /root/web.csr 192.168.4.1:/root/
CA服务器 (192.168.4.1)
CA服务器具体配置 http://blog.51cto.com/13558754/2057718
5 审核证书请求文件,并签发数字证书
[root@CA certs]# openssl ca -in /root/web.csr > web.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jan 5 05:15:56 2018 GMT
Not After : Jan 5 05:15:56 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = Xuenqlve
organizationalUnitName = ope
commonName = www.test.com
emailAddress = Xuenqlve@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
85:43:06:A3:7E:41:E5:15:AC:2C:ED:80:81:37:FE:BD:5F:5F:A1:8C
X509v3 Authority Key Identifier:
keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7
Certificate is to be certified until Jan 5 05:15:56 2019 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@CA certs]# cat ../index.txt
V190105051556Z01unknown/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=www.test.com/emailAddress=Xuenqlve@163.com
[root@CA certs]# cat ../serial
02
6 下发证书给网站服务器(192.168.4.3)
[root@CA certs]# scp web.crt 192.168.4.3:/tmp/
7 配置服务运行时调用私钥文件和数字证书文件
[root@WEB ~]# yum -y install mod_ssl.x86_64
[root@WEB ~]# vim /etc/httpd/conf.d/ssl.conf
[root@WEB ~]# sed -n '100p;107p' /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/web.crt
SSLCertificateKeyFile /etc/pki/tls/private/web.key
[root@WEB ~]# cp /tmp/web.crt /etc/pki/tls/certs/web.crt
[root@WEB ~]# systemctl restart httpd
[root@WEB ~]# netstat -pantu | grep httpd
tcp6 0 0 :::80 :::* LISTEN 6459/httpd
tcp6 0 0 :::443 :::* LISTEN 6459/httpd
客户端进行测试
[root@test ~]# firefox https://www.test.com
单击'我已充分了解可能风险' ----> 单击 '添加例外'
单击'确认安全例外'
然后就可以看见网页可以正常访问
在证书管理 --- 服务器 会添加此次访问例外
这是一种临时的方法
8.下载并安装根证书
[root@test ~]# wget http://192.168.4.1/ca/my-ca.crt
--2018-01-05 01:15:07-- http://192.168.4.1/ca/my-ca.crt
正在连接 192.168.4.1:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1424 (1.4K)
正在保存至: “my-ca.crt”
100%[===================================================================>] 1,424 --.-K/s 用时 0s
2018-01-05 01:15:07 (66.0 MB/s) - 已保存 “my-ca.crt” [1424/1424])
在浏览器中添加证书可信 具体添加步骤见 http://blog.51cto.com/13558754/2057718
查看证书具体信息
9.修改配置文件 使得当用户访问http时 自动跳转到https
[root@WEB certs]# vim /etc/httpd/conf/httpd.conf
[root@WEB certs]# tail -7 /etc/httpd/conf/httpd.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
RewriteEngine on#启用模块
RewriteCond %{SERVER_PORT} !^443$#当变量SERVER_PORT 不是 443时
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R]#将访问网站url 跳转为https: