OpenSSH的应用和利用OpenSSL创建私有CA签证给httpd服务器开起https

| 分类 linux  | 标签 CA  ssh  ssl 

一、OpenSSH

OpenSSH与SSH协议是远程登录的首选连接工具。它加密所有流量,以消除窃听,连接劫持和其它攻击。OpenSSH常常被误认以为与OpenSSL有关系,但实际上这两个项目的有不同的目的,不同的发展团队,名称相近只是因为两者有同样的软件发展目标──提供开放源代码的加密通讯软件。

OpenSSH的套件包括以下工具:

远程操作使用 SSH, SCP,和 SFTP。
密钥管理 ssh-add, ssh-keysign, ssh-keyscan和ssh-keygen
服务端组成 sshd, SFTP服务器和 ssh-agent。

OpenSSH的功能:

具有完全的开源项目

OpenSSH的源代码是免费提供给通过互联网大家。这鼓励代码重用和代码审核。代码审查,以确保该漏洞可以被发现和被任何人纠正。这导致的安全密码。OpenSSH的不受任何限制的许可证。它可以用于任何和所有目的,并且明确包括商业用途。 该许可证包括在分布。我们觉得这个世界会更好,如果路由器,网络设备,操作系统,和所有其他的网络设备已经SSH集成到他们。限制性性质(即专利)的所有成分被从源代码移除。任何许可或专利的组件从外部库(如选择 LibreSSL)。

强大的加密(AES,ChaCha20,RSA,ECDSA,Ed25519 …)

加密身份验证之前启动,没有密码或其他信息以明文传输。加密也可用于防止欺骗的包。许多不同的密码和密钥类型可供选择,和传统的选项通常在合理时间内逐步淘汰。

X11转发(也加密X窗口系统的流量)

X11转发允许远程X窗口的流量进行加密,使没有人可以窥探您的远程xterm终端或插入恶意命令。该程序会自动设置服务器计算机上显示,并转发了安全通道的X11连接。假XAUTHORITY信息自动生成并转发到远程机器; 本地客户端会自动检查传入X11连接,并取代与真实数据(从不告诉远程计算机中的真实信息)假授权数据。

端口转发(对于传统协议加密频道)

端口转发允许通过加密通道TCP / IP连接到远程计算机上的转发。像POP不安全的互联网应用程序可以用此来保护。

强大的身份验证(公共密钥,一次性密码)

强大的身份验证可以防止一些安全问题:IP欺骗,伪造路线和DNS欺骗。一些身份验证方法包括公共密钥认证,具有S /键一次性密码和验证使用Kerberos(仅适用于 - 便携式)。

代理转发

一个认证代理,在用户的笔记本电脑或本地工作站上运行,可用于容纳用户的认证密钥。OpenSSH的自动转发过任何连接到验证代理的连接,并且也没有必要存储该网络(除了用户自己的本地机)中的任何计算机上的认证密钥。该认证协议绝不泄露密钥; 它们只能用于验证用户的代理具有一定的键。最终,该代理可依靠在智能卡上执行所有验证计算。

互通性

实施之间的互操作性是一个目标,但不是一个承诺。由于OpenSSH的开发的进展,对已知旧协议的弱点,加密算法,密钥类型和其他选项例行禁用。

SFTP客户端和服务器支持在这两个SSH1及SSH2协议

由于OpenSSH的2.5.0,完全支持SFTP包括,使用 SFTP 命令作为客户端。在 SFTP服务器 子系统自动工作在两个SSH1及SSH2协议。

可选的数据压缩

加密之前数据压缩提高低速网络链路的性能。

1、ssh客户端

ssh:Secure Shell创建在应用层和传输层基础上的安全协议

配置文件为:/etc/ssh/ssh_config

[root@localhost ssh]# vim /etc/ssh/ssh_config

#       $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#选项“Host”只对能够匹配后面字串的计算机有效。“*”表示所有的计算机。
ForwardAgent no
#“ForwardAgent”设置连接是否经过验证代理(如果存在)转发给远程计算机。
ForwardX11 no
#“ForwardX11”设置X11连接是否被自动重定向到安全的通道和显示集(DISPLAY set)。
RhostsAuthentication no
#“RhostsAuthentication”设置是否使用基于rhosts的安全验证。
RhostsRSAAuthentication no
#“RhostsRSAAuthentication”设置是否使用用RSA算法的基于rhosts的安全验证。
RSAAuthentication yes
#“RSAAuthentication”设置是否使用RSA算法进行安全验证。
PasswordAuthentication yes
#“PasswordAuthentication”设置是否使用口令验证。
FallBackToRsh no
#“FallBackToRsh”设置如果用ssh连接出现错误是否自动使用rsh。
UseRsh no
#“UseRsh”设置是否在这台计算机上使用“rlogin/rsh”。
BatchMode no
#“BatchMode”如果设为“yes”,passphrase/password(交互式输入口令)的提示将被禁止。当不能交互式输入口令的时候,这个选项对脚本文件和批处理任务十分有用。
CheckHostIP yes
#“CheckHostIP”设置ssh是否查看连接到服务器的主机的IP地址以防止DNS欺骗。建议设置为“yes”。
StrictHostKeyChecking no
#“StrictHostKeyChecking”如果设置成“yes”,ssh就不会自动把计算机的密匙加入“$HOME/.ssh/known_hosts”文件,并且一旦计算机的密匙发生了变化,就拒绝连接。
IdentityFile ~/.ssh/identity
#“IdentityFile”设置从哪个文件读取用户的RSA安全验证标识。
Port 22
#“Port”设置连接到远程主机的端口。
Cipher blowfish
#“Cipher”设置加密用的密码。
EscapeChar ~
#“EscapeChar”设置escape字符。

在这个配置文件中,我们一般只修port的端口,因为默认端口很容易受到攻击,ssh的默认端口为22号端口

如果我要登录某ssh服务器则直接使用ssh username@host然后按照提示输入密码即可

[root@localhost ssh]# ssh root@172.16.11.55
[root@localhost ssh]# ssh root@172.16.11.55
root@172.16.11.55's password: 
Last login: Thu Apr 14 02:04:55 2016 from 172.16.7.211

ssh密钥认证登录

#生成密钥对
[root@localhost ~]# ssh-keygen  -t rsa
Generating public/private rsa key pair.
#这里询问你要把生成的密钥文件保存在哪里,默认是在家目录下的.ssh文件夹中,回车保存默认目录
Enter file in which to save the key (/root/.ssh/id_rsa): 
Created directory '/root/.ssh'.
#这里是对密钥文件加密,不输入则表示不加密
Enter passphrase (empty for no passphrase): 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
04:9f:cb:9c:9d:1e:47:d7:e1:d4:c1:87:71:c3:a4:22 root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|      .       =O+|
|       o .    ===|
|        +E .....o|
|       + +.o..   |
|        S + .    |
|         . o     |
|          .      |
|                 |
|                 |
+-----------------+
#已经成功生成了一对密钥
[root@localhost ~]# ls /root/.ssh
id_rsa  id_rsa.pub
#其中id_rsa为私钥,id_rsa.pub为公钥
#在生成完密钥对之后将公钥上传给服务器对应用户的家目录
[root@localhost ~]# ssh-copy-id -i .ssh/id_rsa.pub root@172.16.9.9
The authenticity of host '172.16.9.9 (172.16.9.9)' can't be established.
ECDSA key fingerprint is 63:b9:6d:20:f0:22:b2:21:44:26:91:03:97:21:ff:b7.
Are you sure you want to continue connecting (yes/no)? yes       
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.9.9's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@172.16.9.9'"
and check to make sure that only the key(s) you wanted were added.
#第一次输入密码后回车就上传成功了
然后尝试登录
[root@localhost ~]# ssh 172.16.9.9
Last login: Tue Mar 22 10:01:02 2016 from 172.16.7.211
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eno16777728: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:83:15:cb brd ff:ff:ff:ff:ff:ff
    inet 172.16.9.9/16 brd 172.16.255.255 scope global eno16777728
       valid_lft forever preferred_lft forever
#可以看出不需要密钥就成功登录到了172.16.9.9这台服务器上了

在windows中使用密钥登录对应的服务器

这里我使用Xshlle

1

2

3

4

这里的密码是对密钥加密的,不加密直接点下一步

5

这里显示的就是公钥,点保存为文件,也可以直接复制

6

之后关闭

然后登录对应服务器,进入家目录下的.ssh/文件

[root@localhost ~]# cd /root/.ssh/
[root@localhost .ssh]# ls
authorized_keys  known_hosts

编辑authorized_keys文件

[root@localhost .ssh]# vim authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoYslgClb39L0aPM8II18VBMG/pBHOR5kMKBAq6+9MQFCvOsIqS0tNEFPkbCQaIkKyZahRpdOP4FSgWOmX18uuLqG1MZT/FoAKGV4tJzKwcGpMjfTJVxhMVW+mUi4sxzF2atl8q0SmvzqnJHD5Sg6T2mlV0TC+xdbB5Q/ucFZAiflLkVfSEMBjzvJZTHe8QCLFS358xHKOzv4jfnaZVnsIpZ/LArzy/Y/hvPoamWSg794XlqEuascwPGkLq6VYbltT24gEy89/lAJfK4vXRrZjVmCvfkU98X8oe5wQRxNrPDWPsWO0tBYCt2/LTx+1na5WOYPIxeo3tAZ5LYbRD5Kn root@localhost.localdomain
#这是之前的公钥,可以将刚才的公钥复制粘贴在这之后
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr44c56Hx0dGCj1RTm7JoQkJn1P77y89IHG1S34onqmq/M0RpFn/rzjmxPgXiGS4FUr7LuPl0wLzczm29tTDGv8vkaeLcUeT9yz5pPh1NFNJKyBGNZ+6XQzx8dRw5Ez6bGOSN68kJ4uhZWyCVJl2KintCUWm9D/9ldvV0n8AvmfKsqZvPLEkxxE4zyxUy247AC7wtgd51pl0eRU+MqZ4JHZJ6xhJYgiYtxPR++D+VSeaGnlO7ihv19B3edEmltEs09BOd/Tgl9OuXy+q+fCz5WQekGO0ZkX6y6sSOd7qG11mR188Eccf/dlfymDeF+duKFvgLYATUu5ISCrulQEXfVw==

保存之后就可以在本地面密码登录了,只需要在登录时选择对应的密钥即可

7

直接点确定

生成的密钥文件也可以带走,在不同的主机上使用

scp:远程复制命令

常用选项:
-r: 递归复制;
-p: 保持原文件的属性信息;
-q: 静默模式
-P PORT: 指明remote host的监听的端口;

下载:scp 远程主机上的账户@远程主机:远程主机对应的文件 本机目录

[root@localhost ~]# scp -r root@172.16.9.9:/root/tmp /root

上传:scp 本机文件 远程主机上的账户@远程主机:远程主机对应的目录

[root@localhost ~]# scp -r /root root@172.16.9.9:/root/tmp

sftp:远程文件管理

sftp可进行远程的文件的下载,目录的删除和建立等

sftp [user@]host

使用help查看可用命令

[root@localhost tmp]# sftp root@172.16.9.9
root@172.16.9.9's password: 
Connected to 172.16.9.9.
sftp> help
Available commands:
bye                                Quit sftp#退出
cd path                            Change remote directory to 'path'#复制
chgrp grp path                     Change group of file 'path' to 'grp'#改变属组
chmod mode path                    Change permissions of file 'path' to 'mode'#改变权限
chown own path                     Change owner of file 'path' to 'own'#改变属主
df [-hi] [path]                    Display statistics for current directory or#查看磁盘使用量
                                   filesystem containing 'path'
exit                               Quit sftp#退出
get [-Ppr] remote [local]          Download file#下载文件
reget remote [local]		Resume download file
help                               Display this help text
lcd path                           Change local directory to 'path'
lls [ls-options [path]]            Display local directory listing#查看本地目录下的文件
lmkdir path                        Create local directory#创建本地目录
ln [-s] oldpath newpath            Link remote file (-s for symlink)
lpwd                               Print local working directory查看本地目录路径
ls [-1afhlnrSt] [path]             Display remote directory listing查看远端目录文件
lumask umask                       Set local umask to 'umask'
mkdir path                         Create remote directory创建远端目录
progress                           Toggle display of progress meter
put [-Ppr] local [remote]          Upload file
pwd                                Display remote working directory查看远端目录路径
quit                               Quit sftp退出
rename oldpath newpath             Rename remote file
rm path                            Delete remote file删除远端文件
rmdir path                         Remove remote directory删除远端目录
symlink oldpath newpath            Symlink remote file
version                            Show SFTP version
!command                           Execute 'command' in local shell
!                                  Escape to local shell
?                                  Synonym for help

2、服务器端

服务器端的配置文件为/etc/ssh/sshd_config,注意和客户端对比多了一个d

配置文件中以#开头后面带空格的是注释,不带空格的是可选项

[root@localhost ~]# vim /etc/ssh/sshd_config 
#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
Port 22
#这里默认端口是22,可以改成其他端口,在作为服务器使用事建议改为其他端口,不要监听默认端口,不要监听默认端口,不要监听默认端口
#AddressFamily any
ListenAddress 0.0.0.0
#这里0.0.0.0代表监听在本机的所有地址上
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#这里是主机密钥的位置
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH

#这是主机日志的记录方式。主机登录日志的位置在 /var/log/secure 
SyslogFacility AUTHPRIV

#LogLevel INFO

# Authentication:

#LoginGraceTime 2m

#PermitRootLogin yes
#这里表示是否允许管理员登录,改成no之后就只能允许普通用户登录

#StrictModes yes
#MaxAuthTries 6
#这是最大认证尝试次数,默认为6次
#MaxSessions 10
#这是最大会话数,默认10个

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys

AuthorizedKeysFile      .ssh/authorized_keys
#这是公钥默认的保存位置

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

#这里表示是否支持口令认证
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox          # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no

#UseDNS no
#这里表示是否反解DNS,建议改为no

#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS


# override default of no subsystems
#支持sftp远程连接
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

改完端口记得重启sshd服务

二、创建私有CA并签证给httpd服务器

CA:证书办法机构

私有CA的ip地址:192.168.1.13

请求证书的主机,这里我使用的是一台httpd主机:192.168.1.107

打开CA的openssl配置文件:/etc/pki/tls/openssl.cnf并查看和CA相关的配置

[root@localhost tls]# vim /etc/pki/tls/openssl.cnf 
####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept#CA的工作目录
certs           = $dir/certs            # Where the issued certs are kept#已签发证书位置也就是/etc/pki/CA/certs
crl_dir         = $dir/crl              # Where the issued crl are kept#证书吊销列表的位置/etc/pki/CA/crl
database        = $dir/index.txt        # database index file.#数据库索引文件位置
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate#CA自己的证书的位置
serial          = $dir/serial           # The current serial number#证书序列号
crlnumber       = $dir/crlnumber        # the current crl number#已吊销证书序列号
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key#CA自己私钥的位置
RANDFILE        = $dir/private/.rand    # private random number file

########################################################################
default_days    = 365                   # how long to certify for#证书有效期
default_crl_days= 30                    # how long before next CRL#吊销列表有效期

1、CA【192.168.1.13】创建需要的文件

[root@localhost ~]# cd /etc/pki/CA/
#创建index.txt文件
[root@localhost CA]# touch index.txt
#创建序列号文件,这里用的01作第一个序列号
[root@localhost CA]# echo 01 > serial

2、给私有CA自签证书

#生成密钥对保存在/etc/pki/CA/private/cakey.pem中
[root@localhost CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............................................+++
...........................................................+++
e is 65537 (0x10001)
[root@localhost CA]# ll private/
总用量 4
-rw------- 1 root root 1675 3月  22 14:20 cakey.pem
#自签证书
[root@localhost CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
Country Name (2 letter code) [XX]:cn    #国家缩写,只有2位
State or Province Name (full name) []:chongqing    #地区名称,全称
Locality Name (eg, city) [Default City]:chongqing    #城市名称
Organization Name (eg, company) [Default Company Ltd]:xinfeng    #组织名称或公司名称
Organizational Unit Name (eg, section) []:xxoo    #部门名称
Common Name (eg, your name or your server's hostname) []:ca.xinfeng.com    #主机名,这里是CA主机通过DNS解析出来的名称,请不要填错
Email Address []:caadmin@xinfeng.com    #邮箱地址

openssl req命令中各选项的含义:

-new:生成新证书签署请求;
-x509:专用于CA生成自签证书;
-key:生成请求时用到的私钥文件;
-days:证书的有效期限;
-out:证书的保存路径;

3、发证

请求证书的主机【192.168.1.107】生成请求

[root@localhost httpd]# mkdir /etc/httpd/ssl
[root@localhost httpd]# cd /etc/httpd/ssl/
#给httpd服务器生产私钥文件
[root@localhost ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
....................+++
...+++
e is 65537 (0x10001)
#用私钥中提取的公钥生成证书签署请求,其中的信息要与自签的CA保持一致
[root@localhost ssl]# openssl req -new -key httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:chongqing
Locality Name (eg, city) [Default City]:chongqing
Organization Name (eg, company) [Default Company Ltd]:xinfeng
Organizational Unit Name (eg, section) []:xxoo
Common Name (eg, your name or your server's hostname) []:www.xinfeng.com#这里一定得是你httpd服务器的主机名
Email Address []:caadmin@xinfeng.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    #加密证书签署请求
An optional company name []:
[root@localhost ssl]# scp httpd.csr root@192.168.1.13:/root    #将证书请求上传到CA的/root目录下

4、CA对证书请求进行签证【192.168.1.13】

#对刚才上传的/root/htppd.csr进行签证,有效期356天,生成的证书是/root/httpd.crt
[root@localhost ~]# openssl ca -in /root/httpd.csr -out /root/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 22 06:58:31 2016 GMT
            Not After : Mar 22 06:58:31 2017 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = chongqing
            organizationName          = xinfeng
            organizationalUnitName    = xxoo
            commonName                = www.xinfeng.com
            emailAddress              = caadmin@xinfeng.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                42:07:4F:68:C6:05:0D:40:C8:A0:32:BE:53:DC:01:DA:DC:E6:81:9D
            X509v3 Authority Key Identifier: 
                keyid:D1:91:5E:B5:A4:06:9B:DF:4B:0A:54:6B:A9:15:35:36:56:A5:F9:38

Certificate is to be certified until Mar 22 06:58:31 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#可以在/etc/pki/CA/index.txt看到刚才签署的01号证书
[root@localhost ~]# cat /etc/pki/CA/index.txt
V	170322065831Z		01	unknown	/C=cn/ST=chongqing/O=xinfeng/OU=xxoo/CN=
# 将证书保存一份在/etc/pki/CA/certs/这个证书存取库中
[root@localhost ~]# cp /root/httpd.crt /etc/pki/CA/certs/
#发回请求证书的主机下的的/etc/httpd/ssl/目录下
[root@localhost ~]# scp /root/httpd.crt root@192.168.1.107:/etc/httpd/ssl/

5、httpd【192.168.1.107】打开https

#先安装ssl模块
[root@localhost ssl]#yum -y install mod_ssl
[root@localhost ssl]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-pass-dialog
/var/cache/httpd/ssl
#打开/etc/httpd/conf.d/ssl.conf进行配置
[root@localhost ssl]# vim /etc/httpd/conf.d/ssl.conf
ServerName www.xinfeng.com
DocumentRoot "/var/www/html"
SSLCertificateFile /etc/httpd/ssl
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
#将<VirtualHost _default_:443>改为
<VirtualHost *:443>

#编辑httpd主配置文件
[root@localhost conf]# vim /etc/httpd/conf/httpd.conf
ServerName www.xinfeng.com
DocumentRoot "/var/www/html"
Loadmodule ssl_module modules/mod_ssl.so

6、启动https

[root@localhost conf.d]# systemctl start httpd
[root@localhost conf.d]# ss -tunl
Netid  State      Recv-Q Send-Q         Local Address:Port                        Peer Address:Port              
udp    UNCONN     0      0                          *:20644                                  *:*                  
udp    UNCONN     0      0                          *:68                                     *:*                  
udp    UNCONN     0      0                         :::50143                                 :::*                  
tcp    LISTEN     0      128                        *:22                                     *:*                  
tcp    LISTEN     0      100                127.0.0.1:25                                     *:*                  
tcp    LISTEN     0      128                       :::80                                    :::*                  
tcp    LISTEN     0      128                       :::22                                    :::*                  
tcp    LISTEN     0      100                      ::1:25                                    :::*                  
tcp    LISTEN     0      128                       :::443                                   :::*

可以看到80和443端口都启动了

7、访问测试

因为我这里的ip对应的网站都是我假设的,所以要通过网址访问Ip需要修改host文件

8

在host文件中加入

192.168.1.107 www.xinfeng.com

然后打开https://www.xinfeng.com

9

将刚才的证书下载到本地

10

然后导入

11

12

可以看到其实已经成功了,但是因为我们自建的私有CA不是公认的证书办法机构,所以不受信任


上一篇     下一篇