环境:

环境:

httpd服务器:10.140.165.169

CA服务器:10.140.165.93

CA服务器配置:

1.安装openssl

[root@cnhzdhcp16593 ~]# yum -y install openssl

2.生成CA自己的私钥.

[root@cnhzdhcp16593 ~]# cd /etc/pki/CA/

[root@cnhzdhcp16593 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
................................+++
...........................+++
e is 65537 (0x10001)

3.定义openssl.cnf文件

[root@cnhzdhcp16593 CA]# grep "_default" ../tls/openssl.cnf | tail -6
countryName_default        = CN
stateOrProvinceName_default    = ZheJiang
localityName_default    = Hangzhou
0.organizationName_default    = izyno
#1.organizationName_default    = World Wide Web Pty Ltd
organizationalUnitName_default    = Tech

CA目录定义:

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

4.生成自签证书.

[root@cnhzdhcp16593 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:     #设置国家
State or Province Name (full name) [ZheJiang]:   #省份
Locality Name (eg, city) [Hangzhou]:  #城市
Organization Name (eg, company) [izyno]:   #公司名称
Organizational Unit Name (eg, section) [Tech]:    #部门
www.izyno.com []:   #主机名
glq126@126.com []:

5.新建所需CA文件.

[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# ls
certs  crl  index.txt  newcerts  private  serial
[root@localhost CA]#

httpd服务配置:

[root@localhost ~]# mkdir /etc/httpd/ssl    #新建一个密钥存放目录,此目录需要在ssl.conf文件配置.

1.生成httpd服务私有CA.

[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
......+++
...............+++
e is 65537 (0x10001)
[root@localhost ssl]#

2.生成证书签署请求.

[root@localhost ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ZheJiang]:
Locality Name (eg, city) [Hangzhou]:
Organization Name (eg, company) [izyno]:
Organizational Unit Name (eg, section) [Tech]:
ca.izyno.com []:
glq126@126.com []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

3.CA服务器签署认证.

将生成的httpd.csr 文件传输到CA服务器,进行CA服务器签署认证.

在CA服务器进行签署认证:

[root@cnhzdhcp16593 CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 11 14:19:54 2016 GMT
            Not After : Oct  9 14:19:54 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = ZheJiang
            organizationName          = izyno
            organizationalUnitName    = Tech
            commonName                = www.izyno.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FD:9F:4F:11:0C:83:8E:78:69:1A:C1:0C:EA:1D:17:73:27:91:02:20
            X509v3 Authority Key Identifier:
               keyid:26:61:3D:38:E5:88:0F:D4:93:FA:AB:40:FC:4F:04:78:43:A0:86:95

Certificate is to be certified until Oct  9 14:19:54 2026 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@cnhzdhcp16593 CA]#

4.在CA服务器生成的httpd.crt文件传输到httpd服务器.

[root@cnhzdhcp16593 CA]# scp /tmp/httpd.crt 10.140.165.169:/etc/httpd/ssl/httpd.crt

配置ssl.conf文件在httpd服务器:

1.[root@localhost ssl]# vim /etc/httpd/conf.d/ssl.conf

<VirtualHost 10.140.165.169:443>    #设置虚拟主机IP

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"

ServerName www.izyno.com     #主机名
DocumentRoot "/www/izyno.com"  #主机根目录

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log   #错误日志
TransferLog logs/ssl_access_log  #访问日志定义
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2

#   SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt     #定义证书

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key  #定义密钥

重启httpd服务.

在windos端访问:

导入CA服务器证书:

证书导入:

导入从CA服务器导出的crt格式文件.

访问:

HTTPD服务 openssl的https服务机制的更多相关文章

  1. 基于openssl的https服务配置

    环境: CA服务器:192.168.1.121 WEB服务器: 192.168.1.107 一.在CA服务器上生成自签证书 1.生成根私钥 (umask 077;openssl genrsa -out ...

  2. Nginx详解二十一:Nginx深度学习篇之配置苹果要求的openssl后台HTTPS服务

    配置苹果要求的证书: 1.服务器所有的连接使用TLS1.2以上的版本(openssl 1.0.2) 2.HTTPS证书必须使用SHA256以上哈希算法签名 3.HTTPS证书必须使用RSA2048位或 ...

  3. 如何通过Openssl实现私有CA,并为HTTP服务提供TLS/SLL安全机制

    原文链接:http://guodayong.blog.51cto.com/263451/1181059 Openssl是SSL的开源实现(可以免费下载应用程序),是一种安全机密程序,主要用于提高远程登 ...

  4. centos httpd开启https服务并申请免费https

    安装httpd yum -y install httpd httpd配置文件路径  /etc/httpd/conf/httpd.conf 安装OpenSSL yum install mod_ssl o ...

  5. Httpd服务入门知识-https(http over ssl)安全配置

    Httpd服务入门知识-https(http over ssl)安全配置 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.SSL会话的简化过程 ()客户端发送可供选择的加密方式, ...

  6. 使用OpenSSL自建一个HTTPS服务

    1. 理论知识 1.1 什么是https 传统的 HTTP 协议以明文方式进行通信,不提供任何方式的数据加密,很容易被中间攻击者破解通信内容或者伪装成服务器与客户端通信,在安全性上存在很大问题. HT ...

  7. 使用poco 的NetSSL_OpenSSL 搭建https 服务端,使用C++客户端,java 客户端访问,python访问(python还没找到带证书访问的代码.)

    V20161028 由于项目原因,需要用到https去做一些事情. 这儿做了一些相应的研究. 这个https 用起来也是折腾人,还是研究了一周多+之前的一些积累. 目录 1,java client 通 ...

  8. 网络服务器之HTTPS服务

    import ssl, socket, time if __name__ == "__main__": context = ssl.SSLContext(ssl.PROTOCOL_ ...

  9. 本地开启https服务

    ### ##自签名证书 ##配置Apache服务器SSL ##自己作为CA签发证书 ###这里是OpenSSL和HTTPS的介绍 OpenSSL HTTPS 开启HTTPS配置前提是已在Mac上搭建A ...

随机推荐

  1. (译)详解javascript立即执行函数表达式(IIFE)

    写在前面 这是一篇译文,原文:Immediately-Invoked Function Expression (IIFE) 原文是一篇很经典的讲解IIFE的文章,很适合收藏.本文虽然是译文,但是直译的 ...

  2. Android IOS WebRTC 音视频开发总结(七二)-- 看到Google Duo,你想到了什么?

    本文主要介绍在线教育这个行业,文章最早发表在我们的微信公众号上,支持原创,详见这里, 欢迎关注微信公众号blackerteam,更多详见www.rtc.help 在昨天的Google I/O大会上Go ...

  3. 【转载】OpenGL超级宝典笔记——GLSL语言基础

    变量 GLSL的变量命名方式与C语言类似.变量的名称可以使用字母,数字以及下划线,但变量名不能以数字开头,还有变量名不能以gl_作为前缀,这个是GLSL保留的前缀,用于GLSL的内部变量.当然还有一些 ...

  4. Dobbo的继任者?试用微博RPC框架Motan

    从14年开始就陆续看到新浪微博RPC框架Motan的介绍,时隔两年后,微博团队终于宣布开源轻量级RPC框架Motan,项目地址: https://github.com/weibocom/motan/ ...

  5. 三星framebuffer驱动代码分析

    一.驱动总体概述 本次的驱动代码是Samsung公司为s5pv210这款SoC编写的framebuffer驱动,对应于s5pv210中的内部外设Display Controller (FIMD)模块. ...

  6. 实现MFC菜单画笔画圆,并且打钩

    这个是用最简单的方法,移动客户区,圆会不见,所以下一篇我还要改进. 首先新建一个MFC单文件,在资源那里的菜单下,建立画笔,可以弹出红画笔,蓝画笔和绿画笔,,给出ID_RED,ID_BLUE,ID_G ...

  7. git服务器的搭建

    http://blog.jobbole.com/25944/ 1,概念 git服务器:就是一个仓储,一个大家都可以访问的公共仓储,大家可以从这个仓储中拉取和推送数据. 协议: 与gist服务通讯的仓储 ...

  8. 亚马逊开放机器学习系统源代码:挑战谷歌TensorFlow

    北京时间5月17日上午消息,亚马逊在开源技术领域迈出了更大的步伐,宣布开放该公司的机器学习软件DSSTNE的源代码.这个最新项目将与谷歌的TensorFlow竞争,后者已于去年开源.亚马逊表示,在缺乏 ...

  9. Raspberry Pi(树莓派)国内软件源

    树莓派自带的软件源是 deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi 由于网站在国外 ...

  10. POJ 3352-Road Construction (图论-双边联通分支算法)

    题目大意:一个图,要求你加入最少的边,使得最后得到的图为一个边双连通分支.所谓的边双连通分支,即不存在桥的连通分支(题目保证数据中任意两点都联通). 解题思路:先用tarjan算法进行缩点建立DAG图 ...