Experiment: simulating HTTPS

You may have noticed when browsing that sometimes we type just a name (for example www.baidu.com) and sometimes an http address (for example http://www.taobao.com), yet the browser automatically switches us to https:... (some browsers show this, some don't). As shown in the figure below, opening two pages in Firefox and pressing Enter shows an https address with a padlock.



So today many sites send you to the encrypted, more secure https address whether you type the bare name or the http URL. Below we simulate, in a simple way, how a site gets from http to https.

At the end of the experiment I ran into a certificate-expired error that I could not solve; if any expert sees this, please help. Thanks!!!

Part I: Background

1. How HTTPS works: 1) the client (A) sends a request to the server (B); 2) B sends A a certificate containing B's public key, signed by the CA with the CA's private key; 3) the client (A) normally trusts the CA and therefore holds the CA's public key, so it uses that key to check the signature and verify that the certificate is valid; once verified, the client has B's public key; 4) the client (A) generates a temporary session key, encrypts it with the server's (B's) public key and sends it to the server; 5) the server (B) encrypts the requested resource with the session key and returns it to the client, completing the encrypted transfer.

2. Note that the session key is symmetric.

3. Prepare three machines: A, the client, 192.168.242.202; B, the server, 192.168.242.206 (also 172.17.0.108); C, the CA, 192.168.242.248 (I named the three machines client, server and ca).

4. HTTPS is really HTTP combined with SSL/TLS: the HTTP text is encrypted by SSL/TLS and transmitted in binary form.

Part II: Procedure

Step 1: Generate the root CA on machine C

1. Create the required files

[root@ca ~]# cd /etc/pki/CA/                 # enter the CA directory first (keys are created in this directory or its subdirectories)
[root@ca /etc/pki/CA]# tree                  # check that the machine is clean (no other unrelated files interfering)
.
├── certs
├── crl
├── newcerts
└── private

4 directories, 0 files
[root@ca /etc/pki/CA]# touch index.txt      # create the certificate index database file
[root@ca /etc/pki/CA]# echo 01 > serial     # set the serial number of the first certificate to be issued
# note: if these two files are not created beforehand, openssl ca reports an error when issuing; creating them at that point also works (try both; I created them first)

2. Generate the private key

[root@ca /etc/pki/CA]# umask 066;openssl genrsa -out private/cakey.pem -des3 2048    # umask restricts the file permissions; the file must be named cakey.pem; the -des3 cipher option must come before the 2048 bit length, not after (if you don't want to type a passphrase, leave out -des3 and the key is stored unencrypted)
Generating RSA private key, 2048 bit long modulus
...+++
.............................+++
e is 65537 (0x10001)
Enter pass phrase for private/cakey.pem:                                             # set the passphrase
Verifying - Enter pass phrase for private/cakey.pem:                                 # enter it again
[root@ca /etc/pki/CA]# tree
.
├── certs
├── crl
├── index.txt           # the database file we created
├── newcerts
├── private
│   └── cakey.pem    # the private key we created
└── serial             # file holding the certificate serial number

3. Self-signed certificate (the CA issues a certificate to itself)

[root@ca /etc/pki/CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7500      # -new: generate a new certificate signing request; -x509: used by a CA to produce a self-signed certificate; -key: the private key used for the request; -days n: validity period of the certificate; -out /PATH/TO/SOMECERTFILE: where to save the certificate
Enter pass phrase for private/cakey.pem:                                                             # the private key was encrypted when created, so the passphrase is required here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                               # country; as the configuration file requires, the country, province and organization of the applicant must match those of the CA (the configuration file can be changed to relax this)
State or Province Name (full name) []:henan                                                        # province
Locality Name (eg, city) [Default City]:zhengzhou                                                  # city
Organization Name (eg, company) [Default Company Ltd]:magedu.com                                   # organization
Organizational Unit Name (eg, section) []:opt                                                      # department
Common Name (eg, your name or your server's hostname) []:www.magedu.com                            # applicant's name
Email Address []:                                                                                  # e-mail (optional)
[root@ca /etc/pki/CA]#

Step 2: Server B requests a certificate from the CA

1. Install the mod_ssl package

[root@server ~]# yum install mod_ssl

Its configuration file is /etc/httpd/conf.d/ssl.conf.

2. Create the server's own private key

[root@server ~]# mkdir /etc/httpd/conf.d/ssl/                                            # this is for httpd, so keep it under httpd's configuration directory
[root@server ~]# umask 066;openssl genrsa -out /etc/httpd/conf.d/ssl/httpd.key 2048      # generate the server's own private key file
Generating RSA private key, 2048 bit long modulus
................................................+++
.........+++
e is 65537 (0x10001)
[root@server ~]#

3. Generate the certificate signing request

[root@server ~]# openssl req -new -key /etc/httpd/conf.d/ssl/httpd.key -out /etc/httpd/conf.d/ssl/httpd.csr     # the request file must end in .csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                                           # country
State or Province Name (full name) []:henan                                                                    # province
Locality Name (eg, city) [Default City]:luoyang
Organization Name (eg, company) [Default Company Ltd]:magedu.com                                               # organization; these three fields must match the CA's, the rest are unconstrained
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.sjj.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                                                                     # a challenge password can be set or left empty; once set, it must be typed for every key-related operation; I left it empty
An optional company name []:
[root@server ~]# 

4. Send the generated request file to the root CA host
[root@server ~]# scp /etc/httpd/conf.d/ssl/httpd.csr 192.168.242.248:/etc/pki/CA/                # copy it to the CA machine, into /etc/pki/CA
The authenticity of host '192.168.242.248 (192.168.242.248)' can't be established.
RSA key fingerprint is d9:7b:df:54:60:ae:b0:f9:d2:b2:64:5c:39:8e:69:e4.
Are you sure you want to continue connecting (yes/no)? yes                                       # this prompt appears because no connection was made before
Warning: Permanently added '192.168.242.248' (RSA) to the list of known hosts.
[email protected]'s password:                                                                 # enter the CA host's password
httpd.csr                      100% 1045     1.0KB/s   00:00    
[root@server ~]# 

Step 3: Issue the certificate

1. Generate the certificate on the CA machine

[root@ca /etc/pki/CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 300                    # issue the certificate with a validity of 300 days
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:                                              # the passphrase is required every time, so for testing consider leaving the key unencrypted
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 22 03:08:16 2017 GMT
            Not After : Aug 18 03:08:16 2018 GMT
        Subject:                                                                                 # applicant information
            countryName               = CN
            stateOrProvinceName       = henan
            organizationName          = magedu.com
            organizationalUnitName    = opt
            commonName                = www.sjj.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:        
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                2B:83:77:0F:57:7F:B9:49:EA:00:00:A7:B2:C3:70:11:1D:5B:8F:A7
            X509v3 Authority Key Identifier: 
                keyid:2F:6B:1D:F4:78:8C:DF:1A:17:2E:66:C9:EB:BF:EB:9C:D7:2A:B1:9D

Certificate is to be certified until Aug 18 03:08:16 2018 GMT (300 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

# Note: if index.txt and serial were not created beforehand, issuing the certificate fails; just create the files named in the error message.

[root@ca /etc/pki/CA]# tree
.
├── cacert.pem
├── certs
│   └── httpd.crt # the issued certificate file
├── crl
├── httpd.csr # the request file sent from machine B
├── index.txt # the new database file written when the certificate was issued
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem # the root CA's own private key
├── serial
└── serial.old
[root@ca /etc/pki/CA]# cat index.txt       # the new database file contains the applicant's information; the previous, still empty, file was renamed index.txt.old
V       180818030816Z           01      unknown /C=CN/ST=henan/O=magedu.com/OU=opt/CN=www.sjj.com/[email protected]
[root@ca /etc/pki/CA]#

2. Send the issued certificate back to machine B

[root@ca /etc/pki/CA]# scp certs/httpd.crt 192.168.242.206:/etc/httpd/conf.d/ssl/        # keep everything in one directory
The authenticity of host '192.168.242.206 (192.168.242.206)' can't be established.
RSA key fingerprint is 30:49:c8:65:14:10:12:ba:93:8c:da:97:23:03:b1:88.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.242.206' (RSA) to the list of known hosts.
[email protected]'s password: 
httpd.crt                      100% 4533     4.4KB/s   00:00    
[root@ca /etc/pki/CA]# 

Also copy the CA's own certificate across:
[root@ca /etc/pki/CA]# scp cacert.pem 192.168.242.206:/etc/httpd/conf.d/ssl/     
[email protected]'s password: 
cacert.pem                     100% 1334     1.3KB/s   00:00    
[root@ca /etc/pki/CA]# 


Step 4: Edit the server configuration file

Three directives in /etc/httpd/conf.d/ssl.conf on server B need to change. Their original values were written when mod_ssl was installed, which also generated the certificate files they point to:
	SSLCertificateFile /etc/pki/tls/certs/localhost.crt          # certificate path
	SSLCertificateKeyFile /etc/pki/tls/private/localhost.key     # key path
	#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt # CA path; commented out by default, so the root CA is not visible when viewing the certificate
Change them to:
	SSLCertificateFile /etc/httpd/conf.d/ssl/httpd.crt               
	SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key   
	SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem   # after starting the service, the root CA now appears in the certificate
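As an added example (not code from the original post), the following POSIX shell script rebuilds Steps 1 to 4 inside a temporary directory and then runs the checks an operator would run before pointing ssl.conf at the files: chain verification against cacert.pem (what curl's --cacert option does), verification against the system bundle (which fails for a private CA; that is why plain curl reports error 60 later in the post), the subject CN, the CA:TRUE/CA:FALSE basic constraint, the validity dates, and whether httpd.key really belongs to httpd.crt. It assumes only the openssl CLI; the DN values are the post's, while the function names, the work directories under mktemp -d and the minimal openssl.cnf are my own, and the CA key is left unencrypted so nothing prompts for a passphrase.

```shell
#!/bin/sh
# Added example, not code from the original post: rebuild Steps 1-4 of the lab in a
# temporary directory and run the checks an operator would run before editing ssl.conf.
# Assumes only the openssl CLI; all paths are constructed under mktemp -d.
set -eu

# Step 1: CA directory with index.txt, serial and private/, plus a minimal openssl.cnf
# so that `openssl ca` does not depend on the system configuration file.
make_ca() {                                   # $1 = CA directory
    ca="$1"
    mkdir -p "$ca/certs" "$ca/newcerts" "$ca/private"
    touch "$ca/index.txt"                     # certificate database
    echo 01 > "$ca/serial"                    # serial number of the first certificate
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $ca
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Unencrypted CA key (the post's -des3 variant would prompt for a passphrase).
    (umask 066; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$ca/openssl.cnf" -key "$ca/private/cakey.pem" \
        -subj "/C=CN/ST=henan/L=zhengzhou/O=magedu.com/OU=opt/CN=www.magedu.com" \
        -days 7500 -out "$ca/cacert.pem"
}

# Step 2 (server B): private key and CSR. C, ST and O equal the CA's, as policy_match requires.
make_server_csr() {                           # $1 = CA directory, $2 = server directory
    mkdir -p "$2"
    (umask 066; openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$2/httpd.key" \
        -subj "/C=CN/ST=henan/L=luoyang/O=magedu.com/OU=opt/CN=www.sjj.com" \
        -out "$2/httpd.csr"
}

# Step 3: the CA signs the CSR; -batch answers the two y/n prompts of the post.
issue_cert() {                                # $1 = CA directory, $2 = server directory
    openssl ca -config "$1/openssl.cnf" -batch -notext -days 300 \
        -in "$2/httpd.csr" -out "$2/httpd.crt" 2>/dev/null
}

# Checks. verify_chain is what curl --cacert does; verify_system_bundle is what plain
# curl does, and it fails because a private CA is not in the system bundle (-k merely
# hides that failure instead of fixing it).
verify_chain()         { openssl verify -CAfile "$1/cacert.pem" "$2/httpd.crt" >/dev/null 2>&1 && echo OK || echo FAIL; }
verify_system_bundle() { openssl verify "$1/httpd.crt" >/dev/null 2>&1 && echo OK || echo FAIL; }
cert_cn()              { openssl x509 -in "$1" -noout -subject | grep -o 'CN *= *[^,/]*' | sed 's/CN *= *//'; }
is_ca()                { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' && echo yes || echo no; }
cert_valid_now()       { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 && echo valid || echo expired; }
# Step 4: SSLCertificateFile and SSLCertificateKeyFile must be a matching pair.
key_matches_cert()     { [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ] && echo yes || echo no; }
# index.txt columns: status, expiry, revocation date, serial, file name, subject.
db_line()              { awk -F'\t' '{print $1, $4}' "$1/index.txt"; }

run_lab() { make_ca "$1/CA"; make_server_csr "$1/CA" "$1/srv"; issue_cert "$1/CA" "$1/srv"; }

WORK=$(mktemp -d)
run_lab "$WORK"
echo "chain against cacert.pem : $(verify_chain "$WORK/CA" "$WORK/srv")"                          # OK
echo "chain against system CAs : $(verify_system_bundle "$WORK/srv")"                              # FAIL
echo "subject CN               : $(cert_cn "$WORK/srv/httpd.crt")"                                 # www.sjj.com
echo "cacert.pem is a CA       : $(is_ca "$WORK/CA/cacert.pem")"                                   # yes
echo "httpd.crt is a CA        : $(is_ca "$WORK/srv/httpd.crt")"                                   # no
echo "valid right now          : $(cert_valid_now "$WORK/srv/httpd.crt")"                          # valid
echo "key matches certificate  : $(key_matches_cert "$WORK/srv/httpd.crt" "$WORK/srv/httpd.key")"  # yes
echo "database entry           : $(db_line "$WORK/CA")"                                            # V 01
openssl x509 -in "$WORK/srv/httpd.crt" -noout -dates   # notBefore/notAfter, to compare with the client's clock
```

Run it with sh. The openssl.cnf written here reproduces the policy_match behaviour the post relies on (C, ST and O must equal the CA's; L is not copied into the issued subject, which is why the post's Certificate Details show no locality), and the checks are the same ones a client performs before trusting the server: the issuer must be a trusted CA, the certificate must be within its validity dates, and the private key the server presents must belong to the certificate it serves.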

Step 5: Check the environment

1. First check whether port 80 is open with ss -ntl. If port 80 is not listed, the httpd service is not running; start it with service httpd start. If the port is open, restart the service with service httpd restart.

2. Check the firewall; it is best to simply disable it with iptables -F.

3. Check the SELinux state:
[root@client /etc/pki/CA]# getenforce            # query the state
Enforcing
[root@client /etc/pki/CA]# setenforce 0
[root@client /etc/pki/CA]#  getenforce 
Permissive                                     # it must not be enforcing, so set it with setenforce 0

Part III: Testing

The default site page on server B is /var/www/html/index.html:
[root@server ~]# cat /var/www/html/index.html 
Centos 6
Check from client A with curl:
[root@client /etc/pki/CA]# curl http://192.168.242.206/                         # plain http connects directly
Centos 6
[root@client /etc/pki/CA]# curl https://192.168.242.206/                        # https needs a trusted certificate
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@client /etc/pki/CA]# curl -k https://192.168.242.206/                      # the CA certificate is not yet trusted on A, so with -k (skip certificate verification) the page is displayed
Centos 6

Then look at it in a web browser, where the effect is more visible.

1. On Windows, add the following to the hosts file in c:\Windows\System32\drivers\etc: 192.168.242.206 www.sjj.com and 172.17.0.108 www.sjj.com.

2. Access the site by name.

Firefox is used below.





View the certificate information:


After "Confirm Security Exception" the page can be accessed, but with a warning.

Next, try it in Internet Explorer.

"Continue to this website".

It reports "Certificate error"; click it, "View certificates" appears, and open that.

It says the certificate authority is not trusted, so trust it by installing the certificate.


Follow the prompts step by step.

Finally the following screen appears, meaning the installation succeeded.

But after importing the certificate, my certificate became an expired one, as shown below. I requested a new certificate and tried several times, still with the same result, and I don't know why.

I hope the experts who see this post can help. Thanks!!!









