当前位置: 首页 > news >正文

21.Linux HTTPS服务

news 2025/8/13 12:00:20

Linux : HTTPS服务

协议传输方式端口安全性
HTTP明文传输80无加密,可被窃听
HTTPS加密传输443HTTP + SSL/TLS
  • 数据加密(防窃听)
  • 身份认证(防伪装)
  • 完整性校验(防篡改)
OpenSSL 证书操作核心命令
命令选项作用使用场景示例
-x509生成自签名证书创建私有CA根证书
-new生成证书签名请求(CSR)为服务器创建证书请求
-key指定私钥文件路径-key server.key
-out指定输出文件路径-out server.crt
-days设置证书有效期(天)-days 3650(10年有效期)

在这里插入图片描述

标准路径/etc/pki/CA/

/etc/pki/CA/
├── certs/       # 存放已签署的证书
├── crl/         # 证书吊销列表(CRL)
├── newcerts/    # 新签发证书备份
├── private/     # CA私钥目录(严格权限控制)
├── index.txt    # 证书数据库(记录所有签发证书)
└── serial       # 当前证书序列号文件

在dns服务器的正向解析数据库中添加ca.exanple.com的解析内容

cd /var/named/
vim xieyuhui.com

在这里插入图片描述

在主机CA上为主机CA生成私钥

[root@xieyuhui2 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 2048 bit long modulus
..+++
......................+++
e is 65537 (0x10001)

在主机CA上为主机CA生成自签名证书

[root@xieyuhui2 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:

在主机CA上为CA提供所需的目录及文件

[root@xieyuhui2 ~]# touch /etc/pki/CA/serial
[root@xieyuhui2 ~]# touch /etc/pki/CA/index.txt
[root@xieyuhui2 ~]# echo 01 > /etc/pki/CA/serial
[root@xieyuhui2 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

在主机WEB上为主机WEB生成私钥,并将私钥存放在/etc/httpd/ssl目录中

[root@xieyuhui ~]# mkdir /etc/httpd/ssl
[root@xieyuhui ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key)
Generating RSA private key, 2048 bit long modulus
..........+++
.........................+++
e is 65537 (0x10001)

在主机WEB上为web.example.com站点生成签署请求文件

[root@xieyuhui ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xieyuhui.example.com
Email Address []:Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

在主机web上将签署请求文件通过可靠方式发送给CA服务器

[root@xieyuhui ~]#scp /etc/httpd/ssl/httpd.csr                     root@ca.example.com:/etc/pki/CA/

在主机CA上 对签署请求进行数字签名,并指明所生成的Web证书的存放路径

[root@xieyuhui2 ~]#openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Aug 12 12:48:40 2025 GMTNot After : Aug 12 12:48:40 2026 GMTSubject:countryName               = CNstateOrProvinceName       = HBorganizationName          = LQorganizationalUnitName    = ITcommonName                = xieyuhui.example.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: 92:CB:55:33:05:4C:C0:AA:B8:4D:48:F4:59:F0:B2:FA:1B:89:06:A8X509v3 Authority Key Identifier: keyid:8E:1E:9E:87:60:0B:9C:53:C9:2C:65:A4:63:B4:01:36:7D:10:DC:C1

在主机WEB上将CA主机上已经数字签名后的Web证书下载下来

[root@xieyuhui ~]#scp root@ca.example.com:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/

在主机WEB上安装apche http扩展模块mod_ssl

[root@xieyuhui ~]# yum install mod_ssl -y
[root@xieyuhui ~]# rpm -q mod_ssl 
mod_ssl-2.4.6-88.el7.centos.x86_64 确认安装

修改主配置文件

[root@xieyuhui ~]# vim /etc/httpd/conf.d/ssl.conf

在这里插入图片描述

复制虚拟主机配置文件

[root@xieyuhui ~]# cp -p /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d

部署https站点

[root@xieyuhui ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf

在这里插入图片描述

重启http服务

[root@xieyuhui ~]# systemctl restart httpd
[root@xieyuhui ~]# systemctl enable httpd

关闭防火墙和selinux

在客户端上去下载CA服务器上的根证书

[root@xieyuhui3 ~]# scp root@ca.example.com:/etc/pki/CA/cacert.pem .

打开火狐浏览器,导入证书
设置–首选项–高级–证书–查看证书–导入–找到根证书,然后双击–把“信任使用此CA标识的网站”勾上–确定–确定
查看
在这里插入图片描述

http://www.lryc.cn/news/618936.html

相关文章:

  • GitHub的简单使用方法----(5)
  • 文件IO的学习
  • 论文Review 激光动态物体剔除 Dynablox | RAL2023 ETH MIT出品!
  • web前端第二次作业
  • 5G专网项目外场常见业务测试指南(六)-PingInfoView
  • 衡石HENGSHI SENSE6.0亮点功能-应用创作
  • 衡量机器学习模型的指标
  • HDI 线路板,如何突破普通线路板局限?
  • 基恩士3D视觉用于ABB机器人的KeyenceRobotVisionSetup.sys系统模块程序解析(九、KeyAbsMove)
  • centos 7 如何安装 ZipArchive 扩展
  • 百胜软件×华为云联合赋能,“超级国民品牌”海澜之家新零售加速前行
  • C语言栈的实现
  • NY198NY203美光固态闪存NY215NY216
  • 计算机毕设不知道选什么题目?基于Spark的糖尿病数据分析系统【Hadoop+Spark+python】
  • 鲲鹏arm服务器安装neo4j社区版,实现图书库自然语言检索基础
  • 25C机场航班调度程序(JS 100)
  • Neo4j Cypher
  • RK3568 Linux驱动学习——Linux LED驱动开发
  • Linux NAPI 实现机制深度解析
  • 【Oracle APEX开发小技巧16】交互式网格操作内容根据是否启用进行隐藏/展示
  • 2025年渗透测试面试题总结-16(题目+回答)
  • 力扣(LeetCode) ——移除链表元素(C语言)
  • 飞算AI:企业智能化转型的新引擎
  • 【电子硬件】EMI中无源晶振的优势
  • SpringBoot项目部署
  • string 类运算符重载
  • Win10系统Ruby+Devkit3.4.5-1安装
  • qt界面优化--api绘图
  • SpringBoot项目限制带参数接口配置使用数量实现
  • php+apache+nginx 更换域名