Implementing HTTPS on Linux

Published: 2024-11-11  Author: 千家信息网 editor

Deploying HTTPS
Network plan for this chapter: the host that builds the private certificate authority (CA) is ca.example.com, with IP address and prefix length 192.168.1.40/24, gateway 192.168.1.1 and DNS1 192.168.1.10.
The web server host is rhel7.example.com, with IP 192.168.1.20/24 and DNS1 192.168.1.10.

Installing OpenSSL

/usr/bin/openssl: the main program of the CA server.

/etc/pki/tls/openssl.cnf: the OpenSSL configuration file.

/etc/pki/CA: the home directory of the CA server.

[root@ca ~]# yum -y install openssl
[root@ca ~]# vim /etc/pki/tls/openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# (part of the output omitted)
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
# (part of the output omitted)

Here /etc/pki/CA is the CA's home directory. dir is a variable defined in the file and $dir expands to /etc/pki/CA, so the CA private key path given in the configuration as $dir/private/cakey.pem is really /etc/pki/CA/private/cakey.pem.

Building the private CA

Generate a self-signed certificate for the CA and create the directories and files the CA needs.
The key command is openssl (here its req subcommand); its important options are:
-new: generate a new certificate signing request
-x509: produce a self-signed certificate; used only when creating a private CA
-key: path of the private key used to generate the request
-out: path of the output file; for a self-signed operation this is the signed certificate itself
-days: validity period of the certificate in days, default 365
① Generate the private key

[root@ca ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 1024 bit long modulus
.....++++++
.......++++++
e is 65537 (0x10001)
[root@ca ~]# cd /etc/pki/CA/private/
[root@ca private]# pwd
/etc/pki/CA/private
[root@ca private]# cat cakey.pem
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
[root@ca private]#

② Generate the self-signed certificate

[root@ca private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:GL
Organizational Unit Name (eg, section) []:xitong
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:root@example.com

③ Create the directories and files the CA needs

[root@ca private]# cd ../
[root@ca CA]# touch serial
[root@ca CA]# touch index.txt
[root@ca CA]# echo 01 > /etc/pki/CA/serial

Add an A record for ca.example.com on the DNS server.
④ Request a web certificate for the web site (performed on the web server)
This section requests a web certificate for the main site on the web server, rhel7.example.com.
Generate the private key and store it in /etc/httpd/ssl; this directory can be chosen freely.

[root@rhel7 ~]# mkdir /etc/httpd/ssl
[root@rhel7 ~]# cd /etc/httpd/ssl/
[root@rhel7 ssl]# (umask 077; openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
............++++++
...................................++++++
e is 65537 (0x10001)

⑤ Generate the signing request file for the rhel7.example.com site

[root@rhel7 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:GL
Organizational Unit Name (eg, section) []:xitong
Common Name (eg, your name or your server's hostname) []:rhel7.example.com
Email Address []:root@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

⑥ Send the signing request file to the CA server over a trusted channel

[root@rhel7 ~]# scp /etc/httpd/ssl/httpd.csr root@ca.example.com:/etc/pki/CA/
The authenticity of host 'ca.example.com (172.16.30.40)' can't be established.
ECDSA key fingerprint is 4e:38:22:c7:5d:1a:ed:1c:ab:54:4f:7e:b2:84:6b:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ca.example.com,172.16.30.40' (ECDSA) to the list of known hosts.
root@ca.example.com's password:
httpd.csr                                     100%  688     0.7KB/s   00:00

⑦ On the CA server, digitally sign the request and specify where the generated web certificate is stored

[root@ca ~]# openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  9 16:58:42 2019 GMT
            Not After : Oct  8 16:58:42 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = GL
            organizationalUnitName    = xitong
            commonName                = rhel7.example.com
            emailAddress              = root@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B5:E9:B1:1E:D7:9F:3B:DC:97:D4:40:CE:7E:4A:2E:06:0D:15:08:5D
            X509v3 Authority Key Identifier:
                keyid:5F:68:24:75:05:1E:8C:C2:ED:34:CF:FF:B7:04:47:1A:83:E0:BC:F3

Certificate is to be certified until Oct  8 16:58:42 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca ~]#

⑧ On the web server, download the web certificate signed by the CA server with scp into /etc/httpd/ssl

[root@rhel7 ~]# scp root@ca.example.com:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
root@ca.example.com's password:
httpd.crt                                     100% 3198     3.1KB/s   00:00
[root@rhel7 ~]#
[root@rhel7 ~]# cd /etc/httpd/ssl/
[root@rhel7 ssl]# ls
httpd.crt  httpd.csr  httpd.key
[root@rhel7 ssl]# cat httpd.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HN, L=ZZ, O=GL, OU=xitong, CN=ca.example.com/emailAddress=root@example.com
        Validity
            Not Before: Oct  9 16:58:42 2019 GMT
            Not After : Oct  8 16:58:42 2020 GMT
        Subject: C=CN, ST=HN, O=GL, OU=xitong, CN=rhel7.example.com/emailAddress=root@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B5:E9:B1:1E:D7:9F:3B:DC:97:D4:40:CE:7E:4A:2E:06:0D:15:08:5D
            X509v3 Authority Key Identifier:
                keyid:5F:68:24:75:05:1E:8C:C2:ED:34:CF:FF:B7:04:47:1A:83:E0:BC:F3
    Signature Algorithm: sha256WithRSAEncryption
         ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@rhel7 ssl]#

⑨ Install the Apache HTTP extension module mod_ssl to support TLS

[root@rhel7 ~]# yum -y install mod_ssl

After installation, the configuration file ssl.conf is created in the /etc/httpd/conf.d directory. Edit ssl.conf to serve the rhel7.example.com site over HTTPS.

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https
# (part of the output omitted)
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
# (part of the output omitted)
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

#   Server Certificate Chain:
# (part of the output omitted)

Restart the service and configure the firewall

[root@rhel7 ~]# systemctl restart httpd
[root@rhel7 ~]# firewall-cmd --add-service=https --permanent
success
[root@rhel7 ~]# firewall-cmd --reload

Access test:
https://rhel7.example.com
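The whole procedure above (CA directory layout, self-signed CA certificate, CSR, signing with openssl ca) compressed into one script, as an added example that is not part of the original article: it runs in a temporary directory with a minimal stand-in for /etc/pki/tls/openssl.cnf, and then checks the issued certificate the way a browser would, verifying both the chain to the private CA and the hostname. The directory, the minimal config, the 2048-bit key size, the subjectAltName and the DN values are assumptions of this example.

```shell
# Added example (not from the original article): a throwaway private CA laid out like
# /etc/pki/CA, signing a CSR for rhel7.example.com with "openssl ca", then a client-side
# check of the result. Directory, minimal config and DN values are assumptions.
set -eu
CADIR=$(mktemp -d); export CADIR                    # stands in for /etc/pki/CA
mkdir -p "$CADIR/private" "$CADIR/certs" "$CADIR/newcerts"
chmod 700 "$CADIR/private"                          # same intent as the article's umask 077
touch "$CADIR/index.txt"; echo 01 > "$CADIR/serial" # article step 3
cat > "$CADIR/ca.cnf" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ENV::CADIR
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_any
x509_extensions = v3_server
[ policy_any ]
commonName      = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:rhel7.example.com            # browsers match SAN, not CN
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
# CA key and self-signed CA certificate (2048-bit RSA; the article's genrsa defaulted to 1024).
openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null
openssl req -new -x509 -days 365 -key "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" \
  -subj "/C=CN/ST=HN/O=GL/CN=ca.example.com" -config "$CADIR/ca.cnf" -extensions v3_ca
# Web server side (steps 4-5): key and CSR for rhel7.example.com.
openssl genrsa -out "$CADIR/httpd.key" 2048 2>/dev/null
openssl req -new -key "$CADIR/httpd.key" -out "$CADIR/httpd.csr" \
  -subj "/C=CN/ST=HN/O=GL/CN=rhel7.example.com" -config "$CADIR/ca.cnf"
# CA side (step 7): sign non-interactively instead of answering the y/n prompts.
openssl ca -batch -config "$CADIR/ca.cnf" -in "$CADIR/httpd.csr" \
  -out "$CADIR/certs/httpd.crt" >/dev/null 2>&1
# Client-side check: chain must end at our CA AND the name must match; exit 0 only if both hold.
verify_for_host() {   # $1 = the hostname a browser would type, e.g. rhel7.example.com
  openssl verify -CAfile "$CADIR/cacert.pem" -verify_hostname "$1" "$CADIR/certs/httpd.crt" >/dev/null 2>&1
}
```

Running `verify_for_host www.example.com` fails even though the chain is valid, which is what a client sees when the ServerName in ssl.conf and the name in the certificate disagree.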
