HTTPD服务 openssl的https服务机制
环境:
环境:
httpd服务器:10.140.165.169
CA服务器:10.140.165.93
CA服务器配置:
1.安装openssl
[root@cnhzdhcp16593 ~]# yum -y install openssl
2.生成CA自己的私钥.
[root@cnhzdhcp16593 ~]# cd /etc/pki/CA/
[root@cnhzdhcp16593 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
...........................+++
e is 65537 (0x10001)3.定义openssl.cnf文件
[root@cnhzdhcp16593 CA]# grep "_default" ../tls/openssl.cnf | tail -6
countryName_default = CN
stateOrProvinceName_default = ZheJiang
localityName_default = Hangzhou
0.organizationName_default = izyno
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName_default = TechCA目录定义:
####################################################################
[ CA_default ]dir = /etc/pki/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file4.生成自签证书.
[root@cnhzdhcp16593 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: #设置国家
State or Province Name (full name) [ZheJiang]: #省份
Locality Name (eg, city) [Hangzhou]: #城市
Organization Name (eg, company) [izyno]: #公司名称
Organizational Unit Name (eg, section) [Tech]: #部门
www.izyno.com []: #主机名
glq126@126.com []:5.新建所需CA文件.
[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# ls
certs crl index.txt newcerts private serial
[root@localhost CA]#
httpd服务配置:
[root@localhost ~]# mkdir /etc/httpd/ssl #新建一个密钥存放目录,此目录需要在ssl.conf文件配置.
1.生成httpd服务私有CA.
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
......+++
...............+++
e is 65537 (0x10001)
[root@localhost ssl]#2.生成证书签署请求.
[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ZheJiang]:
Locality Name (eg, city) [Hangzhou]:
Organization Name (eg, company) [izyno]:
Organizational Unit Name (eg, section) [Tech]:
ca.izyno.com []:
glq126@126.com []:Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:3.CA服务器签署认证.
将生成的httpd.csr 文件传输到CA服务器,进行CA服务器签署认证.
在CA服务器进行签署认证:
[root@cnhzdhcp16593 CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 11 14:19:54 2016 GMT
Not After : Oct 9 14:19:54 2026 GMT
Subject:
countryName = CN
stateOrProvinceName = ZheJiang
organizationName = izyno
organizationalUnitName = Tech
commonName = www.izyno.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FD:9F:4F:11:0C:83:8E:78:69:1A:C1:0C:EA:1D:17:73:27:91:02:20
X509v3 Authority Key Identifier:
keyid:26:61:3D:38:E5:88:0F:D4:93:FA:AB:40:FC:4F:04:78:43:A0:86:95Certificate is to be certified until Oct 9 14:19:54 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@cnhzdhcp16593 CA]#
4.在CA服务器生成的httpd.crt文件传输到httpd服务器.
[root@cnhzdhcp16593 CA]# scp /tmp/httpd.crt 10.140.165.169:/etc/httpd/ssl/httpd.crt
配置ssl.conf文件在httpd服务器:
1.[root@localhost ssl]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost 10.140.165.169:443> #设置虚拟主机IP
# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"ServerName www.izyno.com #主机名
DocumentRoot "/www/izyno.com" #主机根目录# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log #错误日志
TransferLog logs/ssl_access_log #访问日志定义
LogLevel warn# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt #定义证书# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key #定义密钥重启httpd服务.
在windos端访问:
导入CA服务器证书:
证书导入:
导入从CA服务器导出的crt格式文件.
访问:
HTTPD服务 openssl的https服务机制的更多相关文章
- 基于openssl的https服务配置
环境: CA服务器:192.168.1.121 WEB服务器: 192.168.1.107 一.在CA服务器上生成自签证书 1.生成根私钥 (umask 077;openssl genrsa -out ...
- Nginx详解二十一:Nginx深度学习篇之配置苹果要求的openssl后台HTTPS服务
配置苹果要求的证书: 1.服务器所有的连接使用TLS1.2以上的版本(openssl 1.0.2) 2.HTTPS证书必须使用SHA256以上哈希算法签名 3.HTTPS证书必须使用RSA2048位或 ...
- 如何通过Openssl实现私有CA,并为HTTP服务提供TLS/SLL安全机制
原文链接:http://guodayong.blog.51cto.com/263451/1181059 Openssl是SSL的开源实现(可以免费下载应用程序),是一种安全机密程序,主要用于提高远程登 ...
- centos httpd开启https服务并申请免费https
安装httpd yum -y install httpd httpd配置文件路径 /etc/httpd/conf/httpd.conf 安装OpenSSL yum install mod_ssl o ...
- Httpd服务入门知识-https(http over ssl)安全配置
Httpd服务入门知识-https(http over ssl)安全配置 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.SSL会话的简化过程 ()客户端发送可供选择的加密方式, ...
- 使用OpenSSL自建一个HTTPS服务
1. 理论知识 1.1 什么是https 传统的 HTTP 协议以明文方式进行通信,不提供任何方式的数据加密,很容易被中间攻击者破解通信内容或者伪装成服务器与客户端通信,在安全性上存在很大问题. HT ...
- 使用poco 的NetSSL_OpenSSL 搭建https 服务端,使用C++客户端,java 客户端访问,python访问(python还没找到带证书访问的代码.)
V20161028 由于项目原因,需要用到https去做一些事情. 这儿做了一些相应的研究. 这个https 用起来也是折腾人,还是研究了一周多+之前的一些积累. 目录 1,java client 通 ...
- 网络服务器之HTTPS服务
import ssl, socket, time if __name__ == "__main__": context = ssl.SSLContext(ssl.PROTOCOL_ ...
- 本地开启https服务
### ##自签名证书 ##配置Apache服务器SSL ##自己作为CA签发证书 ###这里是OpenSSL和HTTPS的介绍 OpenSSL HTTPS 开启HTTPS配置前提是已在Mac上搭建A ...
随机推荐
- VBS定时关闭的弹窗
'类似msgbox '定时停留弹出框函数 Sub Print(text,timeout,title) Dim WshShell Set WshShell = CreateObject( ...
- HTML中常用meta整理
< meta > 元素 定义 meta标签提供关于HTML文档的元数据.元数据不会显示在页面上,但是对于机器是可读的.它可用于浏览器(如何显示内容或重新加载页面),搜索引擎(关键词),或其 ...
- angular笔记
/** * Created by Administrator on 2016/5/3 0003. */ ng-app是告诉angularjs编译器把该元素当作编译的根 //定义模块 var myApp ...
- c 数据拼接
char buf1[] = {0x31,0x32,0x33,0x00,0x51,0x52,0x53,0xaa,0xbb,0xcc,0x00}; int a=0xabcd6799; int b=0x88 ...
- VC++ 控制外部程序,向外部程序发送一个消息的方法
这里需要考虑两部分的内容: 发送端: 查找对应的窗体,找到CWnd的值 向窗体发送消息 举例: CWnd* wnd = FindWindow(NULL, _T("选择题做题过程中" ...
- 上传文件(单文件)(FormData)(前端代码+.NET服务器端)
由于样式需要不能直接用file,只能用文本框+按钮 <form class="form-horizontal form-bordered form-row-strippe" ...
- Win7 64位系统 VS2010连接Oracle报错的问题
1,异常现象: TNS无法识别 2,异常分析:VS2010启动调试的时候,出现异常.但是使用IIS作为服务器的时候,是不会出现异常,也就是可以正常访问到数据库,后来分析是由于VS自带服务器ASP.NE ...
- SQL Server 阻止了对组件 'Ad Hoc Distributed Queries' 的 STATEMENT 'OpenRowset/OpenDatasource' 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 'Ad Hoc Distributed Queries'。
今天单位一ASP.NET网站,里面有个功能是导出数据,发现一导出就报错,报错内容是:SQL Server 阻止了对组件 'Ad Hoc Distributed Queries' 的 STATEMENT ...
- 【BZOJ1812】riv(多叉树转二叉树,树形DP)
题意:给定一棵树,每个点有权值,每条边有边权(单向边).你可以选取K个黑点,使得从每个点移动到距离他最近的黑点的花费(距离*点权)的总和最小. n<=100 k<=50 w[i],a[i] ...
- getpid 与 gettid 与 pthread_self
获取进程的PID(process ID) #include <unistd.h> pid_t getpid(void); 获取线程的TID(thread ID) 1)gettid或者类似g ...