SSL
的实现过程
首先,客户端与服务器端进行三次握手。(因为http基于TCP/IP协议进行通信),然后他们建立SSL会话,协商要使用的加密算法,当协商完成之后。服务器端就会将自己的证书发送给客户端,客户端验证发现没有问题之后,就会生成一个对称密钥发送给服务器端,然后客户端就发送请求给服务器端,服务器端便会使用刚刚客户端发来的对称密钥加密将内容发送给客户端。这样ssl会话就建立起来了。
但是,客户端如何验证服务器的证书是否真实呢,那么便需要一个CA:第三方证书颁发机构给我们的服务器端颁发证书。所以客户端便可以到CA去验证服务器端的证书。
这时候的CA,应该自己有一份证书保存在客户端这边,并且这段证书是自签的。(用以客户端可以到CA去验证服务器端的证书。)
那么服务器端如何到CA让CA给自己搞一份证书呢:首先服务器端先生成一份密钥,将公钥交给CA,由CA对它签署并生成证书,保存一份并回送给服务器端。服务器对其进行配置使用,然后在通话过后就可以将证书发送给客户端,客户端询问CA在进行验证。
①前提:
要想使你的web服务器支持ssl功能,第一步得安装SSL模块
- [root@Cyz ~]# yum install mod_ssl
- //查看都安装了什么
- [root@Cyz ~]# rpm -ql mod_ssl
- /etc/httpd/conf.d/ssl.conf //说明是配置文件,更改配置需要重启
- /usr/lib/httpd/modules/mod_ssl.so
- /var/cache/mod_ssl //缓存目录
- /var/cache/mod_ssl/scache.dir
- /var/cache/mod_ssl/scache.pag
- /var/cache/mod_ssl/scache.sem
②提供CA
重新找台主机,用这台主机做我们的CA:这台主机的IP为111.9
要想做CA,首先得生成自签证书,:
- [root@localhost ~]# cd /etc/pki/CA/
- //生成私钥
- [root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
- //umask为了生成时权限其他用户无权限访问 –out表示路径)
- Generating RSA private key, 2048 bit long modulus
- .......................................+++
- ........................+++
- e is 65537 (0x10001)
- //查看权限
- [root@localhost CA]# ls -l private/
- total 8
- -rw------- 1 root root 1679 Apr 10 16:15 cakey.pem //600的权限
- //然后去修改配置文件中的默认信息,将其改为我们通常使用的
- [root@localhost CA]# vim ../tls/openssl.cnf
- //为自己生成自签证书
- [root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
- //然后继续编辑openssl.cnf找到
- [ CA_default ]
- dir = /etc/pki/CA//改为这样子
- //然后创建
- [root@localhost CA]# mkdir certs crl newcerts
- [root@localhost CA]# touch index.txt
- [root@localhost CA]# echo 01 > serial
- [root@localhost CA]# ls
- cacert.pem certs crl index.txt newcerts private serial
这个时候回到我们的客户端111.1
- [root@Cyz ~]# cd /etc/httpd/ //保存在这里
- [root@Cyz httpd]# mkdir ssl
- [root@Cyz httpd]# ls
- conf conf.d logs modules run ssl
- [root@Cyz httpd]# cd ssl/
- [root@Cyz ssl]# ls
- [root@Cyz ssl]# (umask 077; openssl genrsa 1024 > httpd.key) //生成密钥
- Generating RSA private key, 1024 bit long modulus
- ................................++++++
- .....................................................++++++
- e is 65537 (0x10001)
- [root@Cyz ssl]# ll
- total 8
- -rw------- 1 root root 887 Apr 10 16:33 httpd.key
- [root@Cyz ssl]# openssl req -new -key httpd.key -out httpd.csr //生成证书颁发请求
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter '.', the field will be left blank.
- -----
- Country Name (2 letter code) [GB]:CN
- State or Province Name (full name) [Berkshire]:Henan
- Locality Name (eg, city) [Newbury]:Zhengzhou
- Organization Name (eg, company) [My Company Ltd]:MageEdu
- Organizational Unit Name (eg, section) []:Tech
- Common Name (eg, your name or your server's hostname) []:hello.magedu.com
- Email Address []:hello@magedu.com
- Please enter the following 'extra' attributes
- to be sent with your certificate request
- A challenge password []:
- An optional company name []:
- [root@Cyz ssl]# ls
- httpd.csr httpd.key
- [root@Cyz ssl]# scp httpd.csr 172.16.111.9:/tmp //将csr(证书签署请求)复制到CA
- The authenticity of host '172.16.111.9 (172.16.111.9)' can't be established.
- RSA key fingerprint is 44:0a:1f:77:7f:cb:df:09:a8:8d:ac:23:47:b3:a8:99.
- Are you sure you want to continue connecting (yes/no)? yes
- Warning: Permanently added '172.16.111.9' (RSA) to the list of known hosts.
- root@172.16.111.9's password:
- httpd.csr 100% 704 0.7KB/s 00:00
然后回到CA进行签署
- [root@localhost CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650
- Using configuration from /etc/pki/tls/openssl.cnf
- Check that the request matches the signature
- Signature ok
- Certificate Details:
- Serial Number: 1 (0x1)
- Validity
- Not Before: Apr 10 08:41:24 2013 GMT
- Not After : Apr 8 08:41:24 2023 GMT
- Subject:
- countryName = CN
- stateOrProvinceName = Henan
- organizationName = MageEdu
- organizationalUnitName = Tech
- commonName = hello.magedu.com
- emailAddress = hello@magedu.com
- X509v3 extensions:
- X509v3 Basic Constraints:
- CA:FALSE
- Netscape Comment:
- OpenSSL Generated Certificate
- X509v3 Subject Key Identifier:
- 10:B1:D2:C5:48:58:66:7B:35:71:BD:62:1D:77:85:12:EB:36:DF:63
- X509v3 Authority Key Identifier:
- keyid:30:86:2F:D5:DC:10:09:DA:38:19:E5:72:34:05:D5:5D:CE:83:B2:86
- Certificate is to be certified until Apr 8 08:41:24 2023 GMT (3650 days)
- Sign the certificate? [y/n]:y
- 1 out of 1 certificate requests certified, commit? [y/n]y
- Write out database with 1 new entries
- Data Base Updated //颁发成功
- //去查看生成的证书
- [root@localhost CA]# cd /etc/pki/CA/
- [root@localhost CA]# ls
- cacert.pem crl index.txt.attr newcerts serial
- certs index.txt index.txt.old private serial.old
- [root@localhost CA]# cat index.txt //查看内容
- V 230408084124Z 01 unknown /C=CN/ST=Henan/O=MageEdu/OU=Tech/CN=hello.magedu.com/emailAddress=hello@magedu.com
- [root@localhost CA]# cat serial //已经自动排序
- 02
- //然后把证书发送给请求者。这里我们到客户端去复制证书
- [root@Cyz ssl]# scp 172.16.111.9:/tmp/httpd.crt ./
- root@172.16.111.9's password:
- httpd.crt 100% 3864 3.8KB/s 00:00
- 这个时候要记得返回CA中将tmp下的临时文件给删除掉以免别人获取
- [root@localhost CA]# cd /tmp/
- [root@localhost tmp]# ls
- busybox grub-install.log.s11228 httpd.csr whatis.Fa3163
- grub-install.img.o11227 httpd.crt initrd
- [root@localhost tmp]# rm httpd.c*
- rm: remove regular file `httpd.crt'? y
- rm: remove regular file `httpd.csr'? y
这个时候证书已经签署成功了,我们应该如何配置使用它呢:
- [root@Cyz ssl]# cd /etc/httpd/conf.d/
- [root@Cyz conf.d]# ls
- manual.conf php.conf proxy_ajp.conf README ssl.conf virtual.conf welcome.con1
- [root@Cyz conf.d]# vim ssl.conf
- //将里面的内容作如下修改:
- <VirtualHost 172.16.111.1:443>
- #ServerName www.example.com:443
- ServerName hello.magedu.com
- DocumentRoot "/www/magedu.com"
- SSLCertificateFile /etc/httpd/ssl/httpd.crt //证书文件
- SSLCertificateKeyFile /etc/httpd/ssl/httpd.key //密钥文件
- //检查语法
- [root@Cyz conf.d]# httpd -t
- Syntax OK
- //重启服务
- [root@Cyz conf.d]# service httpd restart
然后继续修改物理机的HOSTS文件
//添加如下
172.16.111.1 hello.magedu.com
然后我们来访问下:(我们这里的是https://)系统提示我们这个网站安全证书有问题,原因是因为我们CA不受信任,解决方法自然是我们手动导入证书了:
我们来到CA,将CA的证书发送给物理主机一份
点击这里的绿色按钮
将其扩展名改为crt 会发现变了样子
然后双击进行安装
完成之后就可以打来IE来验证啦
本文转自 陈延宗 51CTO博客,原文链接:http://blog.51cto.com/407711169/1175701,如需转载请自行联系原作者
