Linux : HTTPS服务
| 协议 | 传输方式 | 端口 | 安全性 |
|---|---|---|---|
| HTTP | 明文传输 | 80 | 无加密,可被窃听 |
| HTTPS | 加密传输 | 443 | HTTP + SSL/TLS |
- 数据加密(防窃听)
- 身份认证(防伪装)
- 完整性校验(防篡改)
OpenSSL 证书操作核心命令
| 命令选项 | 作用 | 使用场景示例 |
|---|---|---|
| -x509 | 生成自签名证书 | 创建私有CA根证书 |
| -new | 生成证书签名请求(CSR) | 为服务器创建证书请求 |
| -key | 指定私钥文件路径 | -key server.key |
| -out | 指定输出文件路径 | -out server.crt |
| -days | 设置证书有效期(天) | -days 3650(10年有效期) |
标准路径:/etc/pki/CA/
/etc/pki/CA/
├── certs/ # 存放已签署的证书
├── crl/ # 证书吊销列表(CRL)
├── newcerts/ # 新签发证书备份
├── private/ # CA私钥目录(严格权限控制)
├── index.txt # 证书数据库(记录所有签发证书)
└── serial # 当前证书序列号文件
在dns服务器的正向解析数据库中添加ca.exanple.com的解析内容
cd /var/named/
vim xieyuhui.com
在主机CA上为主机CA生成私钥
[root@xieyuhui2 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 2048 bit long modulus
..+++
......................+++
e is 65537 (0x10001)
在主机CA上为主机CA生成自签名证书
[root@xieyuhui2 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:
在主机CA上为CA提供所需的目录及文件
[root@xieyuhui2 ~]# touch /etc/pki/CA/serial
[root@xieyuhui2 ~]# touch /etc/pki/CA/index.txt
[root@xieyuhui2 ~]# echo 01 > /etc/pki/CA/serial
[root@xieyuhui2 CA]# ls
cacert.pem certs crl index.txt newcerts private serial
在主机WEB上为主机WEB生成私钥,并将私钥存放在/etc/httpd/ssl目录中
[root@xieyuhui ~]# mkdir /etc/httpd/ssl
[root@xieyuhui ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key)
Generating RSA private key, 2048 bit long modulus
..........+++
.........................+++
e is 65537 (0x10001)
在主机WEB上为web.example.com站点生成签署请求文件
[root@xieyuhui ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xieyuhui.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
在主机web上将签署请求文件通过可靠方式发送给CA服务器
[root@xieyuhui ~]#scp /etc/httpd/ssl/httpd.csr root@ca.example.com:/etc/pki/CA/
在主机CA上 对签署请求进行数字签名,并指明所生成的Web证书的存放路径
[root@xieyuhui2 ~]#openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 12 12:48:40 2025 GMT
Not After : Aug 12 12:48:40 2026 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = LQ
organizationalUnitName = IT
commonName = xieyuhui.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
92:CB:55:33:05:4C:C0:AA:B8:4D:48:F4:59:F0:B2:FA:1B:89:06:A8
X509v3 Authority Key Identifier:
keyid:8E:1E:9E:87:60:0B:9C:53:C9:2C:65:A4:63:B4:01:36:7D:10:DC:C1
在主机WEB上将CA主机上已经数字签名后的Web证书下载下来
[root@xieyuhui ~]#scp root@ca.example.com:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
在主机WEB上安装apche http扩展模块mod_ssl
[root@xieyuhui ~]# yum install mod_ssl -y
[root@xieyuhui ~]# rpm -q mod_ssl
mod_ssl-2.4.6-88.el7.centos.x86_64 确认安装
修改主配置文件
[root@xieyuhui ~]# vim /etc/httpd/conf.d/ssl.conf
复制虚拟主机配置文件
[root@xieyuhui ~]# cp -p /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d
部署https站点
[root@xieyuhui ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
重启http服务
[root@xieyuhui ~]# systemctl restart httpd
[root@xieyuhui ~]# systemctl enable httpd
关闭防火墙和selinux
在客户端上去下载CA服务器上的根证书
[root@xieyuhui3 ~]# scp root@ca.example.com:/etc/pki/CA/cacert.pem .
打开火狐浏览器,导入证书
设置–首选项–高级–证书–查看证书–导入–找到根证书,然后双击–把“信任使用此CA标识的网站”勾上–确定–确定
查看
