搭建APache http_ssl(https)


网站服务器(192.168.4.3)

1 网站服务器配置

运行网站服务 并编写网页文件 index.html

[root@WEB ~]# yum -y install httpd

[root@WEB ~]# echo www.test.com > /var/www/html/index.html

[root@WEB ~]# systemctl start httpd

[root@WEB ~]# systemctl stop firewalld

[root@WEB ~]# netstat -pantu | grep httpd

tcp6       0      0 :::80                   :::*                    LISTEN      6016/httpd    

客户端访问网站服务器

[root@test ~]# vim /etc/hosts

[root@test ~]# sed -n '3p' /etc/hosts

192.168.4.3 www.test.com

[root@test ~]# ping -c 2 www.test.com

PING www.test.com (192.168.4.3) 56(84) bytes of data.

64 bytes from www.test.com (192.168.4.3): icmp_seq=1 ttl=64 time=0.769 ms

64 bytes from www.test.com (192.168.4.3): icmp_seq=2 ttl=64 time=0.360 ms


客户端测试

[root@test ~]# firefox http://www.test.com


2 创建私钥文件 web.key

[root@WEB ~]# cd /etc/pki/tls/private/

[root@WEB private]# openssl genrsa 2048 > web.key


3 创建证书请求文件 web.csr

[root@WEB private]# openssl req -new -key web.key > /root/web.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:Xuenqlve

Organizational Unit Name (eg, section) []:ope

Common Name (eg, your name or your server's hostname) []:www.test.com

Email Address []:Xuenqlve@163.com


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:


4 上传证书请求文件给CA服务器 (192.168.4.1)

[root@WEB private]# scp /root/web.csr 192.168.4.1:/root/



CA服务器 (192.168.4.1)

            CA服务器具体配置 http://blog.51cto.com/13558754/2057718

5 审核证书请求文件,并签发数字证书

[root@CA certs]# openssl ca -in /root/web.csr > web.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 2 (0x2)

        Validity

            Not Before: Jan  5 05:15:56 2018 GMT

            Not After : Jan  5 05:15:56 2019 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = beijing

            organizationName          = Xuenqlve

            organizationalUnitName    = ope

            commonName                = www.test.com

            emailAddress              = Xuenqlve@163.com

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                85:43:06:A3:7E:41:E5:15:AC:2C:ED:80:81:37:FE:BD:5F:5F:A1:8C

            X509v3 Authority Key Identifier: 

                keyid:87:06:18:98:79:53:0E:26:0A:91:2D:B9:93:8A:C3:86:2B:CC:DF:E7


Certificate is to be certified until Jan  5 05:15:56 2019 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated



[root@CA certs]# cat ../index.txt

V190105051556Z01unknown/C=CN/ST=beijing/O=Xuenqlve/OU=ope/CN=www.test.com/emailAddress=Xuenqlve@163.com

[root@CA certs]# cat ../serial

02


6 下发证书给网站服务器(192.168.4.3)

[root@CA certs]# scp web.crt 192.168.4.3:/tmp/





7 配置服务运行时调用私钥文件和数字证书文件

[root@WEB ~]# yum -y install mod_ssl.x86_64

[root@WEB ~]# vim /etc/httpd/conf.d/ssl.conf 

[root@WEB ~]# sed -n '100p;107p' /etc/httpd/conf.d/ssl.conf

SSLCertificateFile /etc/pki/tls/certs/web.crt

SSLCertificateKeyFile /etc/pki/tls/private/web.key

[root@WEB ~]# cp /tmp/web.crt /etc/pki/tls/certs/web.crt

[root@WEB ~]# systemctl restart httpd

[root@WEB ~]# netstat -pantu | grep httpd

tcp6       0      0 :::80                   :::*                    LISTEN      6459/httpd          

tcp6       0      0 :::443                  :::*                    LISTEN      6459/httpd   

客户端进行测试

[root@test ~]# firefox https://www.test.com

Linux 搭建APache http_ssl(https)_Linux

单击'我已充分了解可能风险' ----> 单击 '添加例外' 


Linux 搭建APache http_ssl(https)_APache _02

单击'确认安全例外'

Linux 搭建APache http_ssl(https)_Linux _03


然后就可以看见网页可以正常访问

Linux 搭建APache http_ssl(https)_搭建_04

在证书管理 --- 服务器  会添加此次访问例外

Linux 搭建APache http_ssl(https)_APache _05

这是一种临时的方法 




8.下载并安装根证书

[root@test ~]# wget http://192.168.4.1/ca/my-ca.crt

--2018-01-05 01:15:07--  http://192.168.4.1/ca/my-ca.crt

正在连接 192.168.4.1:80... 已连接。

已发出 HTTP 请求,正在等待回应... 200 OK

长度:1424 (1.4K)

正在保存至: “my-ca.crt”


100%[===================================================================>] 1,424       --.-K/s 用时 0s      


2018-01-05 01:15:07 (66.0 MB/s) - 已保存 “my-ca.crt” [1424/1424])

在浏览器中添加证书可信  具体添加步骤见 http://blog.51cto.com/13558754/2057718

查看证书具体信息


Linux 搭建APache http_ssl(https)_搭建_06


Linux 搭建APache http_ssl(https)_APache _07



9.修改配置文件 使得当用户访问http时 自动跳转到https

[root@WEB certs]# vim /etc/httpd/conf/httpd.conf 

[root@WEB certs]# tail -7 /etc/httpd/conf/httpd.conf

<IfModule ssl_module>

    SSLRandomSeed  startup  builtin

    SSLRandomSeed  connect  builtin

</IfModule>

RewriteEngine  on#启用模块

RewriteCond  %{SERVER_PORT}  !^443$#当变量SERVER_PORT 不是 443时 

RewriteRule  (.*)  https://%{SERVER_NAME}/$1  [R]#将访问网站url 跳转为https: