当前位置: 首页 > news >正文

21.Linux HTTPS服务

news 2025/8/13 20:38:33

Linux : HTTPS服务

协议传输方式端口安全性
HTTP明文传输80无加密,可被窃听
HTTPS加密传输443HTTP + SSL/TLS
  • 数据加密(防窃听)
  • 身份认证(防伪装)
  • 完整性校验(防篡改)
OpenSSL 证书操作核心命令
命令选项作用使用场景示例
-x509生成自签名证书创建私有CA根证书
-new生成证书签名请求(CSR)为服务器创建证书请求
-key指定私钥文件路径-key server.key
-out指定输出文件路径-out server.crt
-days设置证书有效期(天)-days 3650(10年有效期)

在这里插入图片描述

标准路径/etc/pki/CA/

/etc/pki/CA/
├── certs/       # 存放已签署的证书
├── crl/         # 证书吊销列表(CRL)
├── newcerts/    # 新签发证书备份
├── private/     # CA私钥目录(严格权限控制)
├── index.txt    # 证书数据库(记录所有签发证书)
└── serial       # 当前证书序列号文件

在dns服务器的正向解析数据库中添加ca.exanple.com的解析内容

cd /var/named/
vim xieyuhui.com

在这里插入图片描述

在主机CA上为主机CA生成私钥

[root@xieyuhui2 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 2048 bit long modulus
..+++
......................+++
e is 65537 (0x10001)

在主机CA上为主机CA生成自签名证书

[root@xieyuhui2 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:

在主机CA上为CA提供所需的目录及文件

[root@xieyuhui2 ~]# touch /etc/pki/CA/serial
[root@xieyuhui2 ~]# touch /etc/pki/CA/index.txt
[root@xieyuhui2 ~]# echo 01 > /etc/pki/CA/serial
[root@xieyuhui2 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

在主机WEB上为主机WEB生成私钥,并将私钥存放在/etc/httpd/ssl目录中

[root@xieyuhui ~]# mkdir /etc/httpd/ssl
[root@xieyuhui ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key)
Generating RSA private key, 2048 bit long modulus
..........+++
.........................+++
e is 65537 (0x10001)

在主机WEB上为web.example.com站点生成签署请求文件

[root@xieyuhui ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xieyuhui.example.com
Email Address []:Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

在主机web上将签署请求文件通过可靠方式发送给CA服务器

[root@xieyuhui ~]#scp /etc/httpd/ssl/httpd.csr                     root@ca.example.com:/etc/pki/CA/

在主机CA上 对签署请求进行数字签名,并指明所生成的Web证书的存放路径

[root@xieyuhui2 ~]#openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Aug 12 12:48:40 2025 GMTNot After : Aug 12 12:48:40 2026 GMTSubject:countryName               = CNstateOrProvinceName       = HBorganizationName          = LQorganizationalUnitName    = ITcommonName                = xieyuhui.example.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: 92:CB:55:33:05:4C:C0:AA:B8:4D:48:F4:59:F0:B2:FA:1B:89:06:A8X509v3 Authority Key Identifier: keyid:8E:1E:9E:87:60:0B:9C:53:C9:2C:65:A4:63:B4:01:36:7D:10:DC:C1

在主机WEB上将CA主机上已经数字签名后的Web证书下载下来

[root@xieyuhui ~]#scp root@ca.example.com:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/

在主机WEB上安装apche http扩展模块mod_ssl

[root@xieyuhui ~]# yum install mod_ssl -y
[root@xieyuhui ~]# rpm -q mod_ssl 
mod_ssl-2.4.6-88.el7.centos.x86_64 确认安装

修改主配置文件

[root@xieyuhui ~]# vim /etc/httpd/conf.d/ssl.conf

在这里插入图片描述

复制虚拟主机配置文件

[root@xieyuhui ~]# cp -p /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d

部署https站点

[root@xieyuhui ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf

在这里插入图片描述

重启http服务

[root@xieyuhui ~]# systemctl restart httpd
[root@xieyuhui ~]# systemctl enable httpd

关闭防火墙和selinux

在客户端上去下载CA服务器上的根证书

[root@xieyuhui3 ~]# scp root@ca.example.com:/etc/pki/CA/cacert.pem .

打开火狐浏览器,导入证书
设置–首选项–高级–证书–查看证书–导入–找到根证书,然后双击–把“信任使用此CA标识的网站”勾上–确定–确定
查看
在这里插入图片描述

http://www.xdnf.cn/news/1290025.html

相关文章:

  • 【GESP】C++一级知识点之【集成开发环境】
  • 备战国赛算法讲解——马尔科夫链,2025国赛数学建模B题详细思路模型更新
  • UE5.3 C++ 动态多播实战总结
  • SQL 生成日期与产品的所有组合:CROSS JOIN(笛卡尔积)
  • JVM宝典
  • 每日五个pyecharts可视化图表-line:从入门到精通 (4)
  • 什么时候用WS(WebSocket),什么使用用SSE(Server-Sent Events)?
  • Pytest项目_day13(usefixture方法、params、ids)
  • 机器学习处理文本数据
  • linux 开机进入initramfs无法开机
  • 串口通信学习
  • 数据分析专栏记录之 -基础数学与统计知识
  • Spring-Cache 缓存数据
  • windows git安装步骤
  • XGBoost 的适用场景以及与 CNN、LSTM 的区别
  • 网络协议——HTTP协议
  • Linux服务:Apache 虚拟主机配置指南:多站点部署三种方式详解
  • 【超详细!题解|两种做法】洛谷P3196 [HNOI2008] 神奇的国度[MCS算法]
  • 深入剖析 React 合成事件:透过 onClick 看本质
  • 过程设计工具深度解析-软件工程之详细设计(补充篇)
  • Nginx 高级配置
  • 【后端】Spring @Resource和@Autowired的用法和区别
  • 通用同步/异步收发器USART串口
  • excel-随笔记
  • [ 数据结构 ] 时间和空间复杂度
  • Python初学者笔记第二十二期 -- (JSON数据解析)
  • VGG改进(2):基于Local Attention的模型优化
  • 【图像算法 - 13】基于 YOLO12 与 OpenCV 的实时目标点击跟踪系统(系统介绍 + 源码详细)
  • 获取数组,字符串,集合的长度
  • C++——高性能组件