Implementing HTTPS on httpd 2.2
2017-10-09 11:07
Main steps
1. Install the mod_ssl module so httpd supports SSL
2. Request a digital certificate for the server
- Create a private CA
- Create a certificate signing request on the server
- Have the CA sign the request
3. Set up DNS
4. Modify the configuration file
5. Test access to the responding host over HTTPS
1. Install the mod_ssl module so httpd supports SSL

```
[root@centos6 ~]# yum install -y mod_ssl
[root@centos6 ~]# rpm -ql mod_ssl               # the package generated the following files
/etc/httpd/conf.d/ssl.conf                      # newly generated configuration file
/usr/lib64/httpd/modules/mod_ssl.so
/var/cache/mod_ssl
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem
[root@centos6 ~]# service httpd reload          # reload the configuration
Reloading httpd:
```
Direct access test
We can now reach the site over HTTPS, but two problems remain: the site is not yet trusted, and the certificate is not our own. The problems are as follows:
2. Request a digital certificate for the server
Create a private CA
For creating a private CA you can also refer to my other blog post.

```
[root@centos7 ~]# touch /etc/pki/CA/index.txt
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial
[root@centos7 ~]# cd /etc/pki/CA/
[root@centos7 CA]# (umask 066 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...................+++
.....................................................................+++
e is 65537 (0x10001)
[root@centos7 CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:hlg
Organization Name (eg, company) [Default Company Ltd]:ihaiyun.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:ca.ihaiyun.com
Email Address []:
```
Create a certificate signing request on the server

```
[root@centos6 ~]# (umask 066 ; openssl genrsa -out /etc/pki/tls/private/test.key 2048)
Generating RSA private key, 2048 bit long modulus
..........................................................+++
.............................................................................................................................................................................+++
e is 65537 (0x10001)
[root@centos6 ~]# openssl req -new -key /etc/pki/tls/private/test.key -days 365 -out /etc/pki/tls/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:caoyang
Organization Name (eg, company) [Default Company Ltd]:ihaiyun.com
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.ihaiyun.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos6 tls]# scp test.csr 192.168.8.135:/etc/pki/CA
root@192.168.8.135's password:
test.csr                                      100% 1029     1.0KB/s   00:00
```
The CA signs the request

```
[root@centos7 CA]# openssl ca -in /etc/pki/CA/test.csr -out /etc/pki/CA/certs/test.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  9 01:18:33 2017 GMT
            Not After : Oct  9 01:18:33 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = ihaiyun.com
            organizationalUnitName    = www.ihaiyun.com
            commonName                = www.ihaiyun.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A6:59:85:90:9D:84:C4:80:6B:27:E2:A2:57:44:58:FA:69:64:CB:00
            X509v3 Authority Key Identifier:
                keyid:43:65:C5:B5:03:8E:E9:2E:82:C9:0D:5F:87:72:2D:F1:81:5F:FB:CE

Certificate is to be certified until Oct  9 01:18:33 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
Retrieve the certificate

```
[root@centos6 ~]# mkdir /etc/httpd/ssl                              # new directory to hold the certificate files
[root@centos7 CA]# scp certs/test.crt 192.168.8.128:/etc/httpd/ssl  # send the certificate to 192.168.8.128
root@192.168.8.128's password:
test.crt                                      100% 4507     4.4KB/s   00:00
[root@centos7 CA]# scp cacert.pem 192.168.8.128:/etc/httpd/ssl      # send the root certificate to 192.168.8.128
root@192.168.8.128's password:
cacert.pem                                    100% 1326     1.3KB/s   00:00
```
3. Set up DNS

```
[root@centos7 ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
[root@centos7 ~]# tail -5 /etc/named.rfc1912.zones
zone "ihaiyun.com" IN {
        type master;
        file "ihaiyun.com.zone";
        allow-update { none; };
};
[root@centos7 ~]# cp -p /var/named/named.localhost /var/named/ihaiyun.com.zone
[root@centos7 ~]# cat /var/named/ihaiyun.com.zone
$TTL 1D
@       IN SOA  dns1 admin.ihaiyun.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns1
dns1    A       192.168.8.135
www     A       192.168.8.128
```
4. Modify the configuration file

```
[root@centos6 ~]# cp /etc/pki/tls/private/test.key /etc/httpd/ssl/   # copy the key into /etc/httpd/ssl so everything is in one place
[root@centos6 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/ssl/test.crt
SSLCertificateKeyFile /etc/httpd/ssl/test.key
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
[root@centos6 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
```
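Before restarting httpd it is worth confirming that the three files named in ssl.conf belong together: the certificate chains to the private CA, the key is the one the CSR was made from, and the CN is the host name the DNS zone advertises. The script below is an added example, not part of the original post; the `check_*` functions work on any PEM files, and `make_demo_pki` constructs a throw-away PKI (signing with `openssl x509 -req` as a stand-in for the post's `openssl ca` step) so the demo runs offline.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the files that ssl.conf
# points at (SSLCertificateFile, SSLCertificateKeyFile, SSLCACertificateFile)
# before restarting httpd. make_demo_pki builds a throw-away PKI for the demo,
# signing with "openssl x509 -req" as a stand-in for the post's "openssl ca" step.
set -eu

check_chain() {            # $1 = CA certificate, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check_key_matches() {      # $1 = server certificate, $2 = private key
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]        # same public key hash => the key belongs to the cert
}

check_cn() {               # $1 = server certificate, $2 = host name the DNS zone advertises
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | grep -q "^ *CN=$2\$"
}

check_ssl_files() {        # $1 = CA cert, $2 = server cert, $3 = key, $4 = host name
    check_chain "$1" "$2"       || { echo "FAIL: $2 does not chain to $1"; return 1; }
    check_key_matches "$2" "$3" || { echo "FAIL: $3 is not the key of $2"; return 1; }
    check_cn "$2" "$4"          || { echo "FAIL: $2 is not issued to $4"; return 1; }
    echo "OK: $2 chains to $1, matches $3 and is issued to $4"
}

make_demo_pki() {          # $1 = directory; constructed demo PKI, not the post's real files
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/ca.key" -days 30 -subj "/CN=ca.ihaiyun.com" -out "$1/ca.pem"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -subj "/C=CN/O=ihaiyun.com/CN=www.ihaiyun.com" \
        -out "$1/server.csr"
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/server.crt" 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null   # unrelated key, for the negative case
}

# Demo run: sh check_ssl.sh --demo
# Real files: check_ssl_files /etc/httpd/ssl/cacert.pem /etc/httpd/ssl/test.crt /etc/httpd/ssl/test.key www.ihaiyun.com
if [ "${1:-}" = "--demo" ]; then
    D=$(mktemp -d); make_demo_pki "$D"
    check_ssl_files "$D/ca.pem" "$D/server.crt" "$D/server.key" www.ihaiyun.com
    check_ssl_files "$D/ca.pem" "$D/server.crt" "$D/other.key" www.ihaiyun.com || true
fi
```

A key that does not match the certificate is the failure httpd reports only at startup, so catching it here avoids a failed `service httpd restart`.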
5. Test
Direct access test
The browser still warns us that the certificate is not secure.
Import the root certificate into the test client
The root certificate has to be downloaded to the client first; how you get it there is up to you. The import procedure is as follows:
Test again
HTTPS is now working.