部署HTTPS
本章网络规划构建私有证书颁发机构(CA)的主机是ca.example.com,其IP地址及子网掩码前缀长度是192.168.1.40/24,网关地址是192.168.1.1,DNS1地址是192.168.1.10。
web服务器主机是rhel7.example.com,IP是192.168.1.20/24,DNS1地址是192.168.1.10
本章网络规划构建私有证书颁发机构(CA)的主机是ca.example.com,其IP地址及子网掩码前缀长度是192.168.1.40/24,网关地址是192.168.1.1,DNS1地址是192.168.1.10。
web服务器主机是rhel7.example.com,IP是192.168.1.20/24,DNS1地址是192.168.1.10
安装Openssl
/usr/bin/openssl:CA服务器的主程序。
/etc/pki/tls/openssl.cnf:openssl的配置文件
/etc/pki/CA:CA服务器的主目录。
[[email protected] ~]# yum -y install openssl
[[email protected] ~]# vim /etc/pki/tls/openssl.cnf # OpenSSL example configuration file. # This is mostly being used for generation of certificate requests. # #省略部分输出 #################################################################### [ ca ] default_ca = CA_default # The default ca section #################################################################### [ CA_default ] dir = /etc/pki/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to ‘no‘ to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file #省略部分输出
其中,/etc/pki/CA为CA机构的主目录,dir表示定义的变量,$dir的值为/etc/pki/CA,如配置文件中定义CA几个后的私钥存放路径为$dir/private/cakey.pem,即真正路径为/etc/pki/CA/private/cakey.pem
构建私有CA
为CA机构生成自签名证书,并为CA提供所需要的目录及文件。
使用的关键命令是”openssl“,其重要选项如下:
-new : 生成新证书的签署请求
-x509 :生成自签名证书格式,专用于创建私有CA时
-key:生成请求时用到的私钥文件路径
-out:生成后的文件存放路径,如果是自签名操作,将直接生成签署过的证书
-days: 证书的有效期,单位为天,默认为365天
①生成私钥
[[email protected] ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem) Generating RSA private key,1024 bit long modulus .....++++++ .......++++++ e is 65537 (0x10001) [[email protected] ~]# cd /etc/pki/CA/private/ [[email protected] private]# pwd /etc/pki/CA/private [[email protected] private]# cat cakey.pem -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCstgIk2ZXLcwNDDNJYczZBCBaneWre2M+BwuJsN3IqIEQxGz3F RoDudbSnrxgqQnJKrOyIqGwUgg3JKd+ni3t2e5uM4I2Loo/TWNf5Jx9mkBtBEu6m 8iQvDBLZn/sehCG+BNxCDPu88KoOvy91tqjTCb2Uhn+5BT9E/SnQaHx/mQIDAQAB AoGATEbWC5BNJ91Tw3kWLRo1C+OWncByApmei6CWf1S9hv1ZIJb3YPkSWD6D2srp 0UAnWfOlQ3Wexi/qBr4HmOdxTthN16AHmEF7yUIBL2VDharmBvqz26ZFLRJV0iGn cXmr7JjmdQGYEz9C8cSt/dpQ/fsadq+oO6WI3MJqgFo3IQECQQDkMPAyDbmgOay3 FiqsCC06/FWnLD8vO0DDYAF4pLr4heZP6ZvfQb+h3O9s52ZGk9VC+DUTUWcFlGUJ ii+4aimVAkEAwcI10b5L6hoNvqzZmNstmcsgV0kSMmqHVh3ucmWlDohmT5iqEd+7 J9R41S9F2PRem2SPne2MUo4ghisi+4/7dQJAEQMtBS5MxotGOygl6kl5xcoGQL5l v4m1XFuOAIaXgevJre+GtXBbbx/focjmsSBYZ/PFUTliauITXlC1Ggy/uQJAKSUx wpmTi2H++ze/eYtJsrgE5SQ6PgSLOsleYmKdW2mxuENmEiedmcav5i2Eup6iHION T+8q9jkCRRuR8TPRJQJBALal4fRE+m0Bl+AD/Oq2Tt6pdPqY8qe/aWBvjcHeXaQK f9HHMKDxby0TzpIx/FlVML9cAYbIpMcIAAoof24iKEU= -----END RSA PRIVATE KEY----- [[email protected] private]#
②生成自签名证书
[[email protected] private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value,If you enter ‘.‘,the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:HN Locality Name (eg,city) [Default City]:ZZ Organization Name (eg,company) [Default Company Ltd]:GL Organizational Unit Name (eg,section) []:xitong Common Name (eg,your name or your server‘s hostname) []:ca.example.com Email Address []:[email protected]
③为CA提供所需要的目录及文件
[[email protected] private]# cd ../ [[email protected] CA]# touch serial [[email protected] CA]# touch index.txt [[email protected] CA]# echo 01 > /etc/pki/CA/serial
在DNS服务器上添加关于ca.example.com的A记录
④为web站点请求web证书(需要在web服务器上操作)
本节为web服务器上的主站点rhel7.example.com申请web证书
生成私钥,并将私钥存放在/etc/httpd/ssl目录,此目录可以自定义
[[email protected] ~]# mkdir /etc/httpd/ssl [[email protected] ~]# cd /etc/httpd/ssl/ [[email protected] ssl]# (umask 077;openssl genrsa -out httpd.key) Generating RSA private key,1024 bit long modulus ............++++++ ...................................++++++ e is 65537 (0x10001)
[[email protected] ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value,your name or your server‘s hostname) []:rhel7.example.com Email Address []:[email protected] Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
⑥将签署请求文件通过可靠的方式发送给CA服务器
[[email protected] ~]# scp /etc/httpd/ssl/httpd.csr [email protected]:/etc/pki/CA/ The authenticity of host ‘ca.example.com (172.16.30.40)‘ can‘t be established. ECDSA key fingerprint is 4e:38:22:c7:5d:1a:ed:1c:ab:54:4f:7e:b2:84:6b:b5. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added ‘ca.example.com,172.16.30.40‘ (ECDSA) to the list of kNown hosts. [email protected]‘s password: httpd.csr 100% 688 0.7KB/s 00:00
⑦在CA服务器主机上对签署请求进行数字签名,并指明所生成的web证书的存放路径
[[email protected] ~]# openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Oct 9 16:58:42 2019 GMT Not After : Oct 8 16:58:42 2020 GMT Subject: countryName = CN stateOrProvinceName = HN organizationName = GL organizationalUnitName = xitong commonName = rhel7.example.com emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: B5:E9:B1:1E:D7:9F:3B:DC:97:D4:40:CE:7E:4A:2E:06:0D:15:08:5D X509v3 Authority Key Identifier: keyid:5F:68:24:75:05:1E:8C:C2:ED:34:CF:FF:B7:04:47:1A:83:E0:BC:F3 Certificate is to be certified until Oct 8 16:58:42 2020 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified,commit? [y/n]y Write out database with 1 new entries Data Base Updated [[email protected] ~]#
⑧在web服务器主机上将CA服务器上已经数字签名后的web证书通过scp命令下载到/etc/httpd/ssl目录下
[[email protected] ~]# scp [email protected]:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/ [email protected]‘s password: httpd.crt 100% 3198 3.1KB/s 00:00 [[email protected] ~]# [[email protected] ~]# cd /etc/httpd/ssl/ [[email protected] ssl]# ls httpd.crt httpd.csr httpd.key [[email protected] ssl]# cat httpd.crt Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN,ST=HN,L=ZZ,O=GL,OU=xitong,CN=ca.example.com/[email protected] Validity Not Before: Oct 9 16:58:42 2019 GMT Not After : Oct 8 16:58:42 2020 GMT Subject: C=CN,CN=rhel7.example.com/[email protected] Subject Public Key Info: Public Key Algorithm: rSAEncryption Public-Key: (1024 bit) Modulus: 00:d3:60:22:af:b5:4f:85:05:44:42:4f:ad:a2:71: b7:a4:74:88:fb:76:c0:89:91:c8:f1:87:c6:a0:f6: 92:52:51:ff:3d:c8:fa:0e:3b:9f:68:77:6b:f9:77: 11:aa:96:d7:53:50:cb:40:72:54:3d:89:08:8e:51: 22:3c:b9:f3:a0:fb:3d:a4:09:58:22:80:2e:4b:4a: b2:b7:7e:84:c6:29:0c:97:2e:d2:cf:d0:b1:93:53: 82:7d:e7:99:a9:79:ee:f5:c8:d8:9b:8f:6e:5e:2a: 61:47:56:c7:a0:dc:1f:7c:ad:75:6e:4e:bb:a9:33: 92:37:fd:01:d4:92:81:44:c9 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: B5:E9:B1:1E:D7:9F:3B:DC:97:D4:40:CE:7E:4A:2E:06:0D:15:08:5D X509v3 Authority Key Identifier: keyid:5F:68:24:75:05:1E:8C:C2:ED:34:CF:FF:B7:04:47:1A:83:E0:BC:F3 Signature Algorithm: sha256WithRSAEncryption 03:a8:b2:ef:1a:3c:08:71:36:79:e8:0c:24:41:2a:dc:63:7b: 12:36:62:75:04:e6:5a:85:5d:a4:99:9a:be:69:35:19:0e:26: fb:4e:b0:75:59:98:94:3f:03:7c:5e:97:ea:fe:eb:66:d9:9b: 61:91:e2:9d:9d:b5:9e:a2:f1:c5:db:bd:da:25:65:f1:68:69: 2d:13:b0:b4:1c:77:64:75:39:2a:ca:0e:91:89:4c:94:42:4d: aa:77:69:33:ce:7e:4d:3d:a0:a8:0d:e2:6a:b7:b5:33:e7:e9: d6:1b:ea:a5:92:5f:e9:cf:7e:7f:58:fe:cf:8b:1e:19:ac:17: cc:fc -----BEGIN CERTIFICATE----- MIIC5TCCAk6gAwIBAgIBatanBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJDTjEL MAkGA1UECAwCSE4xCzAJBgNVBAcMAlpaMQswCQYDVQQKDAJHTDEPMA0GA1UECwwG eGl0b25nMRcwFQYDVQQDDA5jYS5leGFtcGxlLmNvbTEfMB0GCSqGSIb3DQEJARYQ cmvdEBleGFtcGxlLmNvbTAeFw0xOTEwMDkxNjU4NDJaFw0yMDEwMDgxNjU4NDJa MHUxCzAJBgNVBAYTAkNOMQswCQYDVQQIDAJITjELMAkGA1UECgwCR0wxDzANBgNV BAsMBnhpdG9uZzEaMBgGA1UEAwwRcmhlbDcuZXhhbXBsZS5jb20xHzAdBgkqhkiG 9w0BCQEWEHJvb3RAZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ AoGBANNgIq+1T4UFREJPraJxt6R0iPt2wImRyPGHxqD2klJR/z3I+g47n2h3a/l3 EaqW11NQy0ByVD2JCI5RIjy586D7PaQJWCKALktKsrd+hMYpDJcu0s/QsZNTgn3n mal57vXI2JuPbl4qYUdWx6DcH3ytdW5Ou6kzkjf9AdSSgUTJAgMBAAGjezB5MAkG A1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRp ZmljYXRlMB0GA1UdDgQWBBS16bEe15873JfUQM5+Si4GDRUIXTAfBgNVHSMEGDAW gBRfaCR1BR6Mwu00z/+3BEcag+C88zANBgkqhkiG9w0BAQsFAAOBgQADqLLvGjwI cTZ56AwkQSrcY3sSNmJ1BOZahV2kmZq+aTUZDib7TrB1WZiUPwN8Xpfq/utm2Zth keKdnbWeovHF273aJWXxaGktE7C0HHdkdTkqyg6RiUyUQk2qd2kzzn5NPaCoDeJq t7Uz5+nWG+qlkl/pz35/WP7Pix4ZrBfM/A== -----END CERTIFICATE----- [[email protected] ssl]#
⑨安装apache HTTP扩展模块mod_ssl,以支持TLS
[[email protected] ~]# yum -y install mod_ssl
安装完毕后,在/etc/httpd/conf.d目录下会生成配置文件ssl.conf,编辑配置文件ssl.conf。将rhel7.example.com站点部署成HTTPS
# # When we also provide SSL we have to listen to the # the HTTPS port in addition. # Listen 443 https #省略部分输出 # General setup for the virtual host,inherited from global configuration DocumentRoot "/var/www/html" ServerName www.example.com:443 # Use separate log files for the SSL virtual host; note that LogLevel # is not inherited from httpd.conf. ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn # SSL Engine Switch: # Enable/disable SSL for this virtual host. SSLEngine on #省略部分输出 # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted,then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. A new # certificate can be generated using the genkey(1) command. SSLCertificateFile /etc/httpd/ssl/httpd.crt # Server Private Key: # If the key is not combined with the certificate,use this # directive to point at the key file. Keep in mind that if # you‘ve both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers,etc.) SSLCertificateKeyFile /etc/httpd/ssl/httpd.key # Server Certificate Chain: #省略部分输出
重启服务,设置防火墙
[[email protected] ~]# systemctl restart httpd [[email protected] ~]# firewall-cmd --add-service=https --permanent success [[email protected] ~]# firewall-cmd --reload