Linux ❀ RHCE self-authored teaching notes - Red Hat 8.2 HTTPS service teaching notes
Posted by 国家级干饭型选手°
HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) is HTTP carried over a secured channel: on top of plain HTTP it adds encryption of the transport and authentication of the peer, so data cannot be read or altered in transit. The security layer sits between HTTP and TCP; it was originally SSL and is TLS today, although the old name survives in mod_ssl and its SSL* directives. HTTPS uses its own default port instead of HTTP's 80 and is used throughout the web wherever traffic is security-sensitive.
Service port: TCP 443
Cryptographic algorithms
Symmetric algorithms: one key both encrypts and decrypts; fast, but that key has to be shared secretly in advance.
Asymmetric algorithms: encryption and decryption use different keys, a public key and a private key, generated together as a mathematically related pair. The public key can be published on the open network; the private key must never leave its owner. Data encrypted with one key of the pair can be decrypted only with the other. TLS uses asymmetric cryptography for authentication and key agreement, and the symmetric key negotiated that way for the bulk data.
Identity authentication - digital signatures
A signature is produced with the private key over a hash of the data and checked with the matching public key, so anyone can verify it but only the key holder could have created it. In TLS this is what authenticates the server: it proves possession of the private key belonging to the public key in its certificate, which prevents an attacker from impersonating a legitimate party to obtain access.
PKI - Public Key Infrastructure
A standards-based set of technology and rules that uses public-key cryptography to provide a security foundation for electronic commerce and other online services. PKI manages public keys through certificates: a trusted third party, the CA, binds a user's public key to that user's identifying information in a certificate and signs the result, so the user's identity can be verified on the Internet by checking the CA's signature instead of trusting the bare key.
CA - Certificate Authority
Issues certificates, sets their validity periods, publishes a certificate revocation list (CRL) so that certificates can be revoked when necessary, and manages certificates and keys. Each certificate contains the subject's public key and identity and carries the CA's digital signature; because an attacker does not hold the CA's private key, a certificate cannot be forged or altered without detection.
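The CA, certificate and signature relationships described above, as an added example that is not part of the original notes: a throwaway two-level PKI built with the openssl command line. The names lab-ca, rogue-ca and www.lab.test are invented for the demonstration, every file goes into a temporary directory, and nothing under /etc/pki is touched.

```shell
#!/bin/sh
# Added example: a throwaway PKI built with the openssl CLI. Names
# (lab-ca, rogue-ca, www.lab.test) are invented; nothing touches /etc/pki.
set -eu

# write_cnf FILE CN EXTRA: a minimal openssl config, so the commands do not
# depend on whatever openssl.cnf the machine happens to have.
write_cnf() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n%s\n' "$2" "$3" >"$1"
}

# make_ca DIR NAME: a self-signed CA. basicConstraints CA:TRUE plus
# keyCertSign is what lets it act as an issuer; its own key signs its own
# certificate, so it is trusted only by being installed as a trust anchor.
make_ca() {
    write_cnf "$1/$2.cnf" "$2" '[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash'
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/$2.cnf" -extensions ca_ext \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null)
}

# issue_server_cert DIR CA NAME: the server makes a key and a CSR (its public
# key and identity, signed with its own key to prove possession); the CA binds
# them into a certificate by signing with the CA key. subjectAltName is the
# field clients match the hostname against, not the CN.
issue_server_cert() {
    write_cnf "$1/$3.cnf" "$3" ''
    (umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$1/$3.cnf" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null)
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$3" >"$1/$3.ext"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -days 365 -sha256 -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

# verify_cert CAFILE CRT HOSTNAME: what a TLS client does with a server
# certificate: chain it to a trusted CA, check the dates, check the name.
verify_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# sign_file KEY FILE SIG: detached signature over FILE with a private key.
# check_sig CRT FILE SIG: verify it using only the public key taken from the
# certificate, which is all a relying party ever holds.
sign_file() { openssl dgst -sha256 -sign "$1" -out "$3" "$2"; }
check_sig() {
    openssl x509 -in "$1" -pubkey -noout >"$1.pub"
    openssl dgst -sha256 -verify "$1.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# Walk through the whole flow when run directly.
demo() {
    d=$1
    make_ca "$d" lab-ca
    make_ca "$d" rogue-ca
    issue_server_cert "$d" lab-ca www.lab.test
    verify_cert "$d/lab-ca.crt" "$d/www.lab.test.crt" www.lab.test && echo "chain OK: issued by lab-ca"
    verify_cert "$d/rogue-ca.crt" "$d/www.lab.test.crt" www.lab.test || echo "rejected: rogue-ca did not sign it"
    verify_cert "$d/lab-ca.crt" "$d/www.lab.test.crt" other.lab.test || echo "rejected: name mismatch"
    printf 'GET /\n' >"$d/msg"
    sign_file "$d/www.lab.test.key" "$d/msg" "$d/msg.sig"
    check_sig "$d/www.lab.test.crt" "$d/msg" "$d/msg.sig" && echo "signature OK"
    printf 'GET /admin\n' >"$d/msg"
    check_sig "$d/www.lab.test.crt" "$d/msg" "$d/msg.sig" || echo "signature rejected: message changed"
}
demo "$(mktemp -d)"
```

Running it prints the three chain verdicts and the two signature verdicts. The second CA is the point of the exercise: rogue-ca can mint a certificate for any name it likes, but a client that trusts only lab-ca rejects it, which is exactly the check a self-signed certificate plus `curl -k` switches off.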
1. Install the service
[root@localhost ~]# dnf install -y mod_ssl
Complete!
[root@localhost certs]# dnf install -y make
Complete!
[root@localhost ~]# rpm -qc mod_ssl
/etc/httpd/conf.d/ssl.conf /main configuration file
/etc/httpd/conf.modules.d/00-ssl.conf
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
Listen 443 https /listening port
SSLEngine on /whether TLS is enabled
SSLCertificateFile /etc/pki/tls/certs/localhost.crt /certificate file path
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key /private key file path
Import the certificate-generation Makefile
[root@localhost ~]# cd /etc/pki/tls/certs/
[root@localhost certs]# ls
ca-bundle.crt ca-bundle.trust.crt
#RHEL 8.2 ships no Makefile in this directory, so the file has to be brought in from outside to build certificates this way; for this exercise it was taken from a RHEL 7 VM and copied into the RHEL 8 machine with scp (see the scp notes for the transfer command). Its full text is reproduced in the appendix below.
Local copy of the file: D:\文件概览\学习资料\Linux\TLS制作证书\Makefile
[root@localhost certs]# ls
ca-bundle.crt ca-bundle.trust.crt Makefile
2. Create the certificate
[root@localhost certs]# make zhengshu.crt /must be run inside /etc/pki/tls/certs/, the directory holding the Makefile; make reads the Makefile from the current directory and the target name becomes the file name
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > zhengshu.key
Generating RSA private key, 2048 bit long modulus (2 primes)
...............................................+++++
.......+++++
e is 65537 (0x010001)
Enter pass phrase:redhat
Verifying - Enter pass phrase:redhat
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key zhengshu.key -x509 -days 365 -out zhengshu.crt -set_serial 0
Enter pass phrase for zhengshu.key:redhat
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanxi
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:nsfocus
Organizational Unit Name (eg, section) []:gongcheng
Common Name (eg, your name or your server's hostname) []:zxc
Email Address []:qq.com
[root@localhost certs]# ls
ca-bundle.crt ca-bundle.trust.crt Makefile zhengshu.crt zhengshu.key
3. Service configuration
[root@localhost ~]# cat /etc/httpd/conf.d/vhost.conf
<virtualhost 192.168.14.131:443>
servername 192.168.14.131
documentroot /var/www/jiami
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/zhengshu.crt
SSLCertificateKeyFile /etc/pki/tls/certs/zhengshu.key
</virtualhost>
<directory /var/www>
allowoverride none
require all granted
</directory>
[root@localhost ~]# ls /etc/pki/tls/certs/
ca-bundle.crt ca-bundle.trust.crt localhost.crt Makefile zhengshu.crt zhengshu.key
[root@localhost ~]# cat /var/www/jiami/index.html
this is jiami
[root@localhost certs]# systemctl restart httpd
Enter TLS private key passphrase for 192.168.14.131:443 (RSA) : ******(redhat)
The prompt appears because the Makefile encrypted the key (genrsa -aes128): httpd will ask for the passphrase on every restart and cannot come up unattended after a reboot. For a server key either write out an unencrypted copy with openssl rsa (keep the file mode 0600 and prefer /etc/pki/tls/private/ for it) or point SSLPassPhraseDialog in ssl.conf at a program that supplies the passphrase.
Verifying the result:
[root@localhost ~]# curl -k https://192.168.14.131:443
this is jiami
The -k option tells curl to skip certificate verification. It is needed here because the certificate is self-signed and its Common Name (zxc) matches neither the IP address nor any subjectAltName, so the test proves that the TLS listener serves the page, not that a client would trust the certificate.
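The procedure of steps 2 and 3 (build the certificate, serve it, check it) as an added example that is not part of the original notes. It runs entirely in a temporary directory and uses openssl's own s_server in place of httpd, so it needs no root and no Apache: it first builds a certificate the way the imported Makefile does (passphrase-protected key, CN only, serial 0), then builds one suitable for a server (unencrypted key, random serial, subjectAltName with the IP), and connects to each with openssl s_client to show what a verifying client reports. 192.168.14.131 is the tutorial's server address; 127.0.0.1 is added to the SAN so the probe can run locally; the passphrase redhat is the tutorial's; the port range, file names and function names are choices made here.

```shell
#!/bin/sh
# Added example: the tutorial's certificate redone, plus the check that
# `curl -k` skips. Everything lives in a temporary directory; 192.168.14.131
# is the tutorial's server address, 127.0.0.1 is added for the local probe.
set -eu

# make_server_cert DIR ADDR: unencrypted 2048-bit RSA key (0600 via umask)
# and a self-signed certificate whose subjectAltName carries the address
# clients connect to. No -set_serial: openssl picks a random positive serial,
# unlike the Makefile's fixed -set_serial 0.
make_server_cert() {
    cat >"$1/server.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = server_ext
prompt = no
[dn]
CN = $2
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$2,IP:127.0.0.1
EOF
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/server.cnf" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null)
}

# make_cn_only_cert DIR PASS: what `make NAME.crt` from the imported Makefile
# does (genrsa -aes128, then req -new -key ... -x509 -set_serial 0): a
# passphrase-protected key and a certificate with only CN=zxc, no SAN.
make_cn_only_cert() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = zxc\n' >"$1/cnonly.cnf"
    (umask 077
     openssl genrsa -aes128 -passout "pass:$2" -out "$1/cnonly.key" 2048 2>/dev/null
     openssl req -new -key "$1/cnonly.key" -passin "pass:$2" -x509 -days 365 \
         -set_serial 0 -config "$1/cnonly.cnf" -out "$1/cnonly.crt" 2>/dev/null)
}

# key_is_encrypted KEY: true for a genrsa -aes128 key; httpd cannot open it
# without the passphrase prompt seen at `systemctl restart httpd`.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# strip_passphrase IN PASS OUT: write an unencrypted copy of an encrypted key.
strip_passphrase() {
    (umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null)
}

# key_matches_cert KEY CRT: SSLCertificateKeyFile must hold the private half
# of the public key in SSLCertificateFile, or httpd refuses to start.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# tls_probe CRT KEY [s_client options]: serve CRT/KEY on a loopback port with
# openssl s_server, connect once with s_client, and print the client's
# "Verify return code" line, the verdict that curl -k discards.
tls_probe() {
    crt=$1; key=$2; shift 2
    port=$((20000 + $$ % 20000))
    openssl s_server -accept "127.0.0.1:$port" -cert "$crt" -key "$key" -www >/dev/null 2>&1 &
    pid=$!
    tries=0
    until openssl s_client -connect "127.0.0.1:$port" </dev/null >/dev/null 2>&1; do
        tries=$((tries + 1))
        [ "$tries" -lt 10 ] || { kill "$pid" 2>/dev/null || true; return 1; }
        sleep 1
    done
    line=$(openssl s_client -connect "127.0.0.1:$port" "$@" </dev/null 2>/dev/null \
        | grep 'Verify return code' | head -n 1)
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$line"
}

# Run directly: build both certificates and probe them three ways.
main() {
    d=$(mktemp -d)
    make_server_cert "$d" 192.168.14.131
    make_cn_only_cert "$d" redhat
    strip_passphrase "$d/cnonly.key" redhat "$d/cnonly-plain.key"
    echo "no trust anchor (curl -k hides this): $(tls_probe "$d/server.crt" "$d/server.key")"
    echo "trusted, SAN checked: $(tls_probe "$d/server.crt" "$d/server.key" -CAfile "$d/server.crt" -verify_ip 127.0.0.1)"
    echo "Makefile-style CN-only cert, trusted: $(tls_probe "$d/cnonly.crt" "$d/cnonly-plain.key" -CAfile "$d/cnonly.crt" -verify_ip 127.0.0.1)"
}
main
```

The three probes correspond to three client situations: an unknown self-signed certificate (verify code 18, which is what `curl -k` suppresses), the same certificate explicitly trusted via -CAfile with the address checked against its SAN (verify code 0, the equivalent of `curl --cacert zhengshu.crt`), and the Makefile-style certificate even after it is trusted (an IP address mismatch, because a CN of zxc and no SAN give the client nothing to match). Only the second combination is one a browser or an unmodified curl would accept.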
Appendix
Makefile contents; copy them into a new file and import it into the VM to use it.
[root@localhost ~]# cat /etc/pki/tls/certs/Makefile
# Recipe lines below are indented with a tab; make rejects spaces.
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)

SERIAL=0
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
	@echo "This makefile allows you to create:"
	@echo "  o public/private key pairs"
	@echo "  o SSL certificate signing requests (CSRs)"
	@echo "  o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
	@echo
	@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
	@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
	@echo
	@echo Examples:
	@echo "  make server.key"
	@echo "  make server.csr"
	@echo "  make server.crt"
	@echo "  make stunnel.pem"
	@echo "  make genkey"
	@echo "  make certreq"
	@echo "  make testcert"
	@echo "  make server.crt SERIAL=1"
	@echo "  make stunnel.pem SERIAL=2"
	@echo "  make testcert SERIAL=3"

%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
	cat $$PEM1 >  $@ ; \
	echo ""    >> $@ ; \
	cat $$PEM2 >> $@ ; \
	$(RM) $$PEM1 $$PEM2

%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@

%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@

%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)

TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)