一步一步實現linux系統apache實現https詳解

https提供安全的web通訊
原理部分：http://stlong.blog.51cto.com/5144113/1730771

1)配置域名支持ca：
[root@ns ~]# vim /var/named/chroot/var/named/sggfu.com.zone  ##添加ca主機記錄
ca    IN    A    192.18.100.151
:wq
[root@ns ~]# /etc/init.d/named restart  ##重啓服務
[root@ns ~]# nslookup
> server 192.168.100.100
Default server: 192.168.100.100
Address: 192.168.100.100#53
> ca.sggfu.com
Server:        192.168.100.100
Address:    192.168.100.100#53

Name:    ca.sggfu.com
Address: 192.18.100.151
> exit

2)配置CA服務器：(192.168.100.151)
a.使用母盤克隆虛擬機，命名爲ca服務器，修改如下：
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
HWADDR=00:0C:29:75:e6:eb
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=no
BOOTPROTO=static
IPADDR=192.168.100.151
NETMASK=255.255.255.0
DNS1=192.168.100.100
GATEWAY=192.168.100.100
:wq

[root@localhost ~]# vim /etc/sysconfig/network
HOSTNAME=ca.sggfu.com
:wq

[root@localhost ~]#  vim /etc/udev/rules.d/70-persistent-net.rules   ##刪除eth0，修改eth1爲eth0
[root@localhost ~]#  reboot
b.配置CA:
[root@ca ~]# hostname
ca.sggfu.com
[root@ca ~]# yum -y install openssl openssl-devel   ##安裝openssl
[root@ca ~]# rpm -ql openssl
/etc/pki/CA
/etc/pki/CA/certs   ##證書存放目錄
/etc/pki/CA/crl     ##吊銷的證書存放的目錄
/etc/pki/CA/newcerts##新證書目錄
/etc/pki/CA/private ##私鑰存放目錄
/etc/pki/tls/openssl.cnf   ##主配置文件
/usr/bin/openssl     ##主程序命令
[root@ca ~]# vim /etc/pki/tls/openssl.cnf   ##修改主配置文件使用“:set nu”打印行號
 40 [ CA_default ]
 41
 42 dir             = /etc/pki/CA           # Where everything is kept
 43 certs           = $dir/certs            # Where the issued certs are kept
 44 crl_dir         = $dir/crl              # Where the issued crl are kept
 45 database        = $dir/index.txt        # database index file.
 46 #unique_subject = no                    # Set to 'no' to allow creation of
 47                                         # several ctificates with same subject.
 48 new_certs_dir   = $dir/newcerts         # default place for new certs.
 49
 50 certificate     = $dir/cacert.pem       # The CA certificate
 51 serial          = $dir/serial           # The current serial number
 52 crlnumber       = $dir/crlnumber        # the current crl number
 53                                         # must be commented out to leave a V1 CRL
 54 crl             = $dir/crl.pem          # The current CRL
 55 private_key     = $dir/private/cakey.pem# The private key
128 [ req_distinguished_name ]
129 countryName                     = Country Name (2 letter code)
130 countryName_default             = CN    ##修國家
131 countryName_min                 = 2
132 countryName_max                 = 2
133
134 stateOrProvinceName             = State or Province Name (full name)
135 stateOrProvinceName_default     = beijing   ##設置省
136
137 localityName                    = Locality Name (eg, city)
138 localityName_default            = beijing   ##設置城市
139
140 0.organizationName              = Organization Name (eg, company)
141 0.organizationName_default      = sggfu.com Ltd   ##設置組織名稱
142
143 # we can do this but it is not needed normally :-)
144 #1.organizationName             = Second Organization Name (eg, company)
145 #1.organizationName_default     = World Wide Web Pty Ltd
146
147 organizationalUnitName          = Organizational Unit Name (eg, section)
148 organizationalUnitName_default  = tech  ##設置部門
:wq
[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# ls private/
[root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)  ##生成私鑰同時將權限設置爲600
Generating RSA private key, 2048 bit long modulus
....................+++
...........................................................................................+++
e is 65537 (0x10001)
[root@ca CA]# ls -l private/  ##驗證私鑰
總用量 4
-rw-------. 1 root root 1679 1月   2 20:09 cakey.pem
[root@ca CA]#
[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650  ##生成自簽證書（根證書）
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [sggfu.com]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:ca.sggfu.com   ##主機名填寫CA服務器的主機名
Email Address []:[email protected]
[root@ca CA]# ls -l cacert.pem
-rw-r--r--. 1 root root 1419 1月   2 20:13 cacert.pem
[root@ca CA]#

[root@ca CA]# mkdir -p certs crl newcerts
[root@ca CA]# touch index.txt  ##證書索引
[root@ca CA]# echo 00 >serial  ##證書序列號
[root@ca CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@ca CA]#

3)配置web服務器支持https：
a.爲web服務器生成密鑰和證書請求：
[root@www ~]# mkdir /usr/local/httpd/conf/ssl
[root@www ~]# cd /usr/local/httpd/conf/ssl/
[root@www ssl]# (umask 077;openssl genrsa 2048 >httpd.key)
[root@www ssl]# scp [email protected]:/etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf  ##複製openssl配置文件
[root@www ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [BeiJing]:
Locality Name (eg, city) [BeiJing]:
Organization Name (eg, company) [sggfu.com]:
Organizational Unit Name (eg, section) [tech]:
Common Name (eg, your name or your server's hostname) []:www.sggfu.com  ##必須填寫web服務器的主機名，注意web虛擬主
機只能有唯一一個站點可以設置爲https
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   ##證書保護的密碼短語，直接回車
An optional company name []:
[root@www ssl]#
[root@www ssl]# scp httpd.csr [email protected]:/tmp  ##將證書認證請求複製給CA服務器

b.登錄到192.168.100.151，爲web服務器簽發證書：
[root@ca CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650  ##簽發證書httpd.crt，執行中y回車即可
[root@ca CA]# ls /tmp/httpd.c*  ##驗證
/tmp/httpd.crt  /tmp/httpd.csr
[root@ca CA]# scp /tmp/httpd.crt [email protected]:/usr/local/httpd/conf/ssl   ##複製證書給web服務器
[root@ca CA]# rm -rf /tmp/httpd.*  ##刪除證書，避免非法用戶獲取證書

c.修改web服務器配置文件：登錄192.168.100.150
[root@www ~]# cd /usr/local/httpd/conf/extra/
[root@www extra]# cp httpd-ssl.conf httpd-ssl.conf.bak  ##備份證書
[root@www extra]# vim httpd-ssl.conf  ##修改如下
74 <VirtualHost 192.168.100.150:443>
77 DocumentRoot "/usr/local/httpd/htdocs/sggfu/"   ##注意和http的網頁根目錄一致
78 ServerName www.sggfu.com:443
79 ServerAdmin [email protected]
80 ErrorLog "/usr/local/httpd/logs/error_log"
81 TransferLog "/usr/local/httpd/logs/access_log"
85 SSLEngine on   ##確認爲on，表示開啓https
99 SSLCertificateFile "/usr/local/httpd/conf/ssl/httpd.crt"  ##指定證書路徑
107 SSLCertificateKeyFile "/usr/local/httpd/conf/ssl/httpd.key"  ##指定私鑰路徑，注意私鑰必須小心保管
:wq
[root@www extra]# vim /usr/local/httpd/conf/httpd.conf  ##修改主配置文件，調用httpd-ssl.conf
399 Include conf/extra/httpd-ssl.conf
:wq
[root@www extra]# /etc/init.d/httpd restart  ##重啓服務器

4)共享根證書：
[root@www ~]# cd /usr/local/httpd/htdocs/sggfu/
[root@www sggfu]# scp [email protected]:/etc/pki/CA/cacert.pem cacert.crt  ##複製CA服務器的證書（根證書）
[root@www sggfu]# vim index.html   ##通過首頁共享根證書
<html>
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8" />
  <title>www.sggfu.com</title>
</head>
<body>
  <h1>www.sggfu.com</h1>
  爲了你更好的訪問網站，請下載安裝<a href="cacert.crt" target="_blank">根證書</a>
</body>
</html>
:wq

5)測試：
http://www.sggfu.com  ##下載證書並導入證書
https://www.sggfu.com  ##訪問測試