
Implementing HTTPS with httpd 2.2

2017-10-09 11:07

Contents

Main steps
Install the mod_ssl module to enable SSL
Direct access test
The problems
Apply for a digital certificate for the server
Create a private CA
Create a certificate signing request on the server
CA signing
Obtain the certificate
Set up DNS
Modify the configuration file
Test
Direct access test
Import the root certificate into the test client
Test again

Main steps

Install the mod_ssl module to enable SSL

Apply for a digital certificate for the server

Create a private CA

Create a certificate signing request on the server

CA signing

Set up DNS

Modify the configuration file

Test https access to the responding host

1. Install the mod_ssl module to enable SSL

[root@centos6 ~]# yum install -y mod_ssl
[root@centos6 ~]# rpm -ql mod_ssl       # files installed by the package
/etc/httpd/conf.d/ssl.conf              # new configuration file
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

[root@centos6 ~]# service httpd reload          # reload the configuration so the new module and ssl.conf are picked up
Reloading httpd:


Direct access test

The site can now be reached over https, but the browser raises two complaints: the site is not trusted, and the certificate is not our own. Both come from the default ssl.conf, which points at the self-signed /etc/pki/tls/certs/localhost.crt generated when the mod_ssl package was installed.

The problems are as follows (browser screenshots in the original post):

2. Apply for a digital certificate for the server

Create a private CA

The CA lives on the centos7 host (192.168.8.135); the web server is the centos6 host (192.168.8.128). For more detail on creating a private CA, see my other blog post.

[root@centos7 ~]# touch /etc/pki/CA/index.txt
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial
[root@centos7 ~]# cd /etc/pki/CA/
[root@centos7 CA]# (umask 066 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................+++
.....................................................................+++
e is 65537 (0x10001)
[root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:hlg
Organization Name (eg, company) [Default Company Ltd]:ihaiyun.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.ihaiyun.com
Email Address []:


Create a certificate signing request on the server

The -days option passed below has no effect on a CSR (it only applies together with -x509); the certificate's validity period is fixed when the CA signs the request.

[root@centos6 ~]# (umask 066 ; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.............................................................................................................................................................................+++
e is 65537 (0x10001)
[root@centos6 ~]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:caoyang
Organization Name (eg, company) [Default Company Ltd]:ihaiyun.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.ihaiyun.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos6 tls]# scp test.csr 192.168.8.135:/etc/pki/CA
root@192.168.8.135's password:
test.csr                                                       100% 1029     1.0KB/s   00:00


CA signing

openssl ca applies the default policy_match from /etc/pki/tls/openssl.cnf, so the request's countryName, stateOrProvinceName and organizationName must equal the CA's own values; that is why the CSR above used the same country, province and organization as the CA.

[root@centos7 CA]# openssl ca -in /etc/pki/CA/test.csr -out /etc/pki/CA/certs/test.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct  9 01:18:33 2017 GMT
Not After : Oct  9 01:18:33 2018 GMT
Subject:
countryName               = CN
stateOrProvinceName       = beijing
organizationName          = ihaiyun.com
organizationalUnitName    = www.ihaiyun.com
commonName                = www.ihaiyun.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A6:59:85:90:9D:84:C4:80:6B:27:E2:A2:57:44:58:FA:69:64:CB:00
X509v3 Authority Key Identifier:
keyid:43:65:C5:B5:03:8E:E9:2E:82:C9:0D:5F:87:72:2D:F1:81:5F:FB:CE

Certificate is to be certified until Oct  9 01:18:33 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Obtain the certificate

[root@centos6 ~]# mkdir /etc/httpd/ssl          # new directory to hold the certificate files
[root@centos7 CA]# scp certs/test.crt 192.168.8.128:/etc/httpd/ssl          # send the server certificate to 192.168.8.128
root@192.168.8.128's password:
test.crt                                                       100% 4507     4.4KB/s   00:00
[root@centos7 CA]# scp cacert.pem 192.168.8.128:/etc/httpd/ssl              # send the root certificate to 192.168.8.128
root@192.168.8.128's password:
cacert.pem                                                     100% 1326     1.3KB/s   00:00
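The whole of step 2 as one script, added here as an example that is not part of the original post. It rebuilds the private CA and the server key, CSR and signed certificate with the post's DN values and hostnames, then runs the two checks a browser performs in step 5: does the chain end in a trusted root, and does the requested hostname appear in the certificate. Two things deliberately differ from the post and are this example's own choices: the server certificate carries a subjectAltName (current browsers ignore the CN, so a CN-only certificate like the post's is rejected even after the root is imported), and signing uses `openssl x509 -req` instead of `openssl ca`, so no index.txt/serial database is needed. The working directory (a temp dir), the second "other-root" CA used to show a failed chain, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: private CA + server certificate with SAN,
# followed by the trust and hostname checks a browser performs.
# DN values and hostnames are the post's; WORK (a temp dir) is an assumption.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/C=CN/ST=beijing/L=hlg/O=ihaiyun.com/OU=opt/CN=ca.ihaiyun.com"
SRV_SUBJ="/C=CN/ST=beijing/L=caoyang/O=ihaiyun.com/OU=opt/CN=www.ihaiyun.com"

# Minimal OpenSSL config: a CA:TRUE profile for the root and a server profile
# with SAN, so nothing depends on the defaults in /etc/pki/tls/openssl.cnf.
write_config() {
    cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:www.ihaiyun.com, DNS:ihaiyun.com
EOF
}

# "Create a private CA": key written under a restrictive umask (0600 file),
# then a self-signed root valid for 7300 days, as in the post.
make_ca() {  # $1 = key file, $2 = cert file, $3 = subject
    (umask 077; openssl genrsa -out "$1" 2048 2>/dev/null)
    openssl req -new -x509 -key "$1" -days 7300 -subj "$3" \
        -config "$WORK/openssl.cnf" -out "$2"
}

# "Create a CSR" and "CA signing". The SAN and key-usage extensions are applied
# by the CA at signing time (-extfile/-extensions), not taken from the CSR.
# -days belongs to this step; on `openssl req -new` it is ignored.
make_server_cert() {
    (umask 077; openssl genrsa -out "$WORK/test.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/test.key" -subj "$SRV_SUBJ" \
        -config "$WORK/openssl.cnf" -out "$WORK/test.csr"
    openssl x509 -req -in "$WORK/test.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$WORK/openssl.cnf" -extensions v3_server -out "$WORK/test.crt"
}

# Check 1 (the "site not trusted" warning): does the chain end in a root that
# is in the given trust store? openssl verify prints "<file>: OK" on success.
chain_ok() {  # $1 = cert, $2 = CA bundle
    openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Check 2: does the name the client typed match the certificate? With a SAN
# present the CN is not consulted, which is why the SAN matters.
host_ok() {   # $1 = cert, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# True when basicConstraints marks the certificate as a CA.
is_ca() {     # $1 = cert
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

main() {
    write_config
    make_ca "$WORK/cakey.pem" "$WORK/cacert.pem" "$CA_SUBJ"
    make_server_cert
    # A second, unrelated root stands in for "a CA the client trusts, but not ours".
    make_ca "$WORK/otherkey.pem" "$WORK/other-root.pem" "/CN=other-ca"
    if chain_ok "$WORK/test.crt" "$WORK/cacert.pem"; then echo "chain: OK against our root"; fi
    if ! chain_ok "$WORK/test.crt" "$WORK/other-root.pem"; then echo "chain: rejected against another root (the browser warning)"; fi
    if host_ok "$WORK/test.crt" www.ihaiyun.com; then echo "hostname www.ihaiyun.com: matches"; fi
    if ! host_ok "$WORK/test.crt" mail.ihaiyun.com; then echo "hostname mail.ihaiyun.com: rejected"; fi
    echo "files left in $WORK"
}
main
```

Run it with sh; it prints the outcome of each check and leaves test.key, test.crt and cacert.pem in the temp directory it names, so the same three files can be dropped into /etc/httpd/ssl as in step 4.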


3. Set up DNS

The server certificate names www.ihaiyun.com, so the test client must resolve that name to 192.168.8.128; a zone for ihaiyun.com is added to the named instance on 192.168.8.135. Commenting out listen-on and allow-query makes named listen on every interface and answer any client, which is fine for a lab but should be restricted anywhere else; run named-checkzone on the zone file before restarting named.

[root@centos7 ~]# vim /etc/named.conf
options {
//  listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory   "/var/named";
dump-file   "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
//  allow-query     { localhost; };

[root@centos7 ~]# tail -5 /etc/named.rfc1912.zones
zone "ihaiyun.com" IN {
type master;
file "ihaiyun.com.zone";
allow-update { none; };
};

[root@centos7 ~]# cp -p /var/named/named.localhost /var/named/ihaiyun.com.zone
[root@centos7 ~]# cat /var/named/ihaiyun.com.zone
$TTL 1D
@   IN SOA  dns1 admin.ihaiyun.com. (
0   ; serial
1D  ; refresh
1H  ; retry
1W  ; expire
3H )    ; minimum
NS  dns1
dns1 A  192.168.8.135
www  A  192.168.8.128


4. Modify the configuration file

[root@centos6 ~]# cp /etc/pki/tls/private/test.key /etc/httpd/ssl/          # copy the key into /etc/httpd/ssl next to the certificates
[root@centos6 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/test.crt
SSLCertificateKeyFile /etc/httpd/ssl/test.key
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@centos6 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Keep the copied key readable by root only; httpd reads it while still running as root, before dropping privileges. Note that SSLCACertificateFile is the store httpd uses to verify client certificates; it does not make the server send the CA certificate to browsers. Intermediate certificates would go in SSLCertificateChainFile, and here there are none: the root signed the server certificate directly, so each client has to trust the root itself, which is what step 5 arranges.


5. Test

Direct access test

The browser still warns that the certificate is not secure: it is now our own certificate, but it chains to a root the client has never seen.

Import the root certificate into the test client

The root certificate (cacert.pem) first has to be copied to the client; how you get it there is up to you. Import it as a trusted root certification authority, and only on test clients you control, since every certificate that CA signs will then be trusted. The import steps are as follows (screenshots in the original post):

Test again

(screenshot in the original post)

https is now working.