21. Linux HTTPS Service

Protocol   Transport    Port   Security
HTTP       plaintext    80     no encryption; traffic can be eavesdropped
HTTPS      encrypted    443    HTTP over SSL/TLS, which provides:
                                 • data encryption (against eavesdropping)
                                 • identity authentication (against impersonation)
                                 • integrity checking (against tampering)
Core OpenSSL certificate commands

Option   Purpose                                        Typical use / example
-x509    produce a self-signed certificate              create a private CA root certificate
-new     generate a certificate signing request (CSR)   create a certificate request for a server
-key     path of the private key file                   -key server.key
-out     path of the output file                        -out server.crt
-days    certificate validity period in days            -days 3650 (valid for 10 years)

Standard CA directory: /etc/pki/CA/

/etc/pki/CA/
├── certs/       # issued (signed) certificates
├── crl/         # certificate revocation lists (CRL)
├── newcerts/    # copies of newly issued certificates
├── private/     # CA private key (strict permissions)
├── index.txt    # certificate database (records every issued certificate)
└── serial       # current certificate serial number

On the DNS server, add a record for ca.example.com to the forward zone file

cd /var/named/
vim xieyuhui.com

On host CA, generate the CA's private key

[root@xieyuhui2 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 2048 bit long modulus
..+++
......................+++
e is 65537 (0x10001)

On host CA, generate the CA's self-signed certificate

[root@xieyuhui2 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:

On host CA, create the files the CA needs (serial number file and certificate database)

[root@xieyuhui2 ~]# touch /etc/pki/CA/serial
[root@xieyuhui2 ~]# touch /etc/pki/CA/index.txt
[root@xieyuhui2 ~]# echo 01 > /etc/pki/CA/serial
[root@xieyuhui2 CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

On host WEB, generate the web server's private key and store it under /etc/httpd/ssl

[root@xieyuhui ~]# mkdir /etc/httpd/ssl
[root@xieyuhui ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key)
Generating RSA private key, 2048 bit long modulus
..........+++
.........................+++
e is 65537 (0x10001)

On host WEB, generate a certificate signing request for the web.example.com site

[root@xieyuhui ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xieyuhui.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

On host WEB, send the signing request to the CA server over a trusted channel

[root@xieyuhui ~]# scp /etc/httpd/ssl/httpd.csr root@ca.example.com:/etc/pki/CA/

On host CA, sign the request and specify where the resulting web certificate is stored

[root@xieyuhui2 ~]# openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 12 12:48:40 2025 GMT
            Not After : Aug 12 12:48:40 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = LQ
            organizationalUnitName    = IT
            commonName                = xieyuhui.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                92:CB:55:33:05:4C:C0:AA:B8:4D:48:F4:59:F0:B2:FA:1B:89:06:A8
            X509v3 Authority Key Identifier:
                keyid:8E:1E:9E:87:60:0B:9C:53:C9:2C:65:A4:63:B4:01:36:7D:10:DC:C1

On host WEB, download the web certificate that the CA host has signed

[root@xieyuhui ~]# scp root@ca.example.com:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
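Before the downloaded certificate is wired into Apache, it is worth confirming that it really chains to the CA root, that it belongs to the private key in /etc/httpd/ssl, and that its CN is the site name clients will use. The script below is an added example, not part of the original post: `check_issued_cert` performs those three checks, and `make_demo_pki` builds a throwaway CA and server certificate in a temporary directory (constructed names and DN values, signed with `openssl x509 -req` instead of the /etc/pki/CA database) so the checks can be exercised offline.

```shell
# Added example (not from the original post): post-signing checks for a
# certificate issued by a private CA, exercised against a throwaway PKI
# built in a temp directory. Names, paths and DN values are constructed.
set -u

# Build a minimal CA and one server certificate under "$1" with the same
# genrsa / req / sign sequence as the article, but non-interactively (-subj)
# and via "openssl x509 -req" instead of the /etc/pki/CA signing database.
make_demo_pki() {
    dir=$1
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -days 365 -subj "/C=CN/O=Demo/CN=ca.example.com"
    openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null
    openssl req -new -key "$dir/httpd.key" -out "$dir/httpd.csr" \
        -subj "/C=CN/O=Demo/CN=web.example.com"
    openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
        -out "$dir/httpd.crt" 2>/dev/null
}

# Checks the web host should run before pointing Apache at the files:
#   1. the certificate chains to the CA root (what the client will trust)
#   2. its public key matches the private key kept in /etc/httpd/ssl
#   3. the CN is exactly the site name clients will connect to
check_issued_cert() {
    ca=$1 crt=$2 key=$3 cn=$4
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "chain: $crt is not signed by $ca" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "key: $key does not match $crt" >&2; return 1; }
    subject=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253)
    case "$subject" in
        *"CN=$cn,"* | *"CN=$cn") ;;
        *) echo "name: expected CN=$cn, got '$subject'" >&2; return 1 ;;
    esac
    echo "OK: $crt chains to $ca, matches $key, CN=$cn"
}
```

On the real hosts, run `check_issued_cert /etc/pki/CA/cacert.pem /etc/httpd/ssl/httpd.crt /etc/httpd/ssl/httpd.key xieyuhui.example.com` after copying cacert.pem to the web host; a non-zero exit names the check that failed.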

On host WEB, install the Apache HTTP extension module mod_ssl

[root@xieyuhui ~]# yum install mod_ssl -y
[root@xieyuhui ~]# rpm -q mod_ssl
mod_ssl-2.4.6-88.el7.centos.x86_64    (confirms the package is installed)

Edit the main SSL configuration file

[root@xieyuhui ~]# vim /etc/httpd/conf.d/ssl.conf

Copy the virtual host configuration template

[root@xieyuhui ~]# cp -p /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d

Deploy the HTTPS site

[root@xieyuhui ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf

Restart the httpd service

[root@xieyuhui ~]# systemctl restart httpd
[root@xieyuhui ~]# systemctl enable httpd

Turn off the firewall and SELinux

On the client, download the root certificate from the CA server

[root@xieyuhui3 ~]# scp root@ca.example.com:/etc/pki/CA/cacert.pem .

Open Firefox and import the certificate:
Settings - Preferences - Advanced - Certificates - View Certificates - Import - locate the root certificate and double-click it - tick "Trust this CA to identify websites" - OK - OK
Then open the site to check the result.
