OpenSSH in practice, and building a private CA with OpenSSL to issue a certificate so httpd can serve HTTPS
HTTPS
HTTP over SSL = HTTPS, 443/tcp
SSL: v3
TLS: v1
URL scheme: https://
Simplified view of an SSL session
(1) The client sends the cipher suites it supports and asks the server for its certificate;
(2) The server sends its certificate together with the cipher suite it selected;
(3) The client receives the certificate and validates it:
if it trusts the CA that issued the certificate, it
(a) verifies that the certificate really came from that CA, by decrypting the digital signature on the certificate with the CA's public key;
(b) verifies the contents of the certificate: an integrity check;
(c) checks the certificate's validity period;
(d) checks whether the certificate has been revoked;
(e) checks that the owner name in the certificate matches the host being accessed;
(4) The client generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, completing the key exchange;
(5) The server encrypts the requested resource with this key and returns it to the client;
Note: an SSL session is created per IP address, so a host with a single IP can serve only one HTTPS virtual host;
Recall a few terms: PKI, CA, CRL, X.509 (v1, v2, v3)
Configuring httpd to support HTTPS:
(1) Obtain a digital certificate for the server;
For testing, issue it from a private CA of your own:
(a) create the private CA
(b) create a certificate signing request on the server
(c) have the CA sign it
(2) Configure httpd to use SSL and the certificate;
# yum -y install mod_ssl
Configuration file: /etc/httpd/conf.d/ssl.conf
DocumentRoot
ServerName
SSLCertificateFile
SSLCertificateKeyFile
(3) Test access to the host over HTTPS;
# openssl s_client [-connect host:port] [-cert filename] [-CApath directory] [-CAfile filename]
I. OpenSSH
OpenSSH and the SSH protocol are the tool of choice for remote login. OpenSSH encrypts all traffic to eliminate eavesdropping, connection hijacking and other attacks. OpenSSH is often assumed to be related to OpenSSL, but the two projects have different goals and different development teams; the names are similar only because both pursue the same software goal: open-source encrypted communication software.
The OpenSSH suite includes the following tools:
Remote operations: ssh, scp and sftp.
Key management: ssh-add, ssh-keysign, ssh-keyscan and ssh-keygen.
Server side: sshd, the SFTP server and ssh-agent.
Features of OpenSSH:
A completely open-source project
OpenSSH's source code is freely available to everyone over the Internet. This encourages code reuse and code review. Code review ensures that bugs can be found and fixed by anyone, which leads to secure code. OpenSSH's licence is unrestricted: it may be used for any and all purposes, explicitly including commercial use. The licence is included in the distribution. We feel the world would be a better place if routers, network appliances, operating systems and all other network devices had SSH integrated into them. All components of a restrictive nature (i.e. patents) have been removed from the source code; any licensed or patented components are chosen from external libraries (e.g. LibreSSL).
Strong encryption (AES, ChaCha20, RSA, ECDSA, Ed25519 ...)
Encryption is started before authentication, so no passwords or other information are transmitted in the clear. Encryption is also used to protect against spoofed packets. Many different ciphers and key types are available, and legacy options are phased out in a reasonable amount of time.
X11 forwarding (which encrypts X Window System traffic as well)
X11 forwarding allows the encryption of remote X Window traffic, so that nobody can snoop on your remote xterm terminals or insert malicious commands. The program automatically sets DISPLAY on the server machine and forwards any X11 connections over the secure channel. Fake XAUTHORITY information is automatically generated and forwarded to the remote machine; the local client automatically examines incoming X11 connections and replaces the fake authorization data with the real data (never telling the remote machine the real information).
Port forwarding (encrypted channels for legacy protocols)
Port forwarding allows TCP/IP connections to be forwarded to a remote machine over an encrypted channel. Insecure Internet applications such as POP can be secured with this.
Strong authentication (public keys, one-time passwords)
Strong authentication protects against several security problems: IP spoofing, fake routes and DNS spoofing. Some of the authentication methods include public key authentication, one-time passwords with S/Key, and authentication using Kerberos (portable version only).
Agent forwarding
An authentication agent, running on the user's laptop or local workstation, can be used to hold the user's authentication keys. OpenSSH automatically forwards the connection to the authentication agent over any connection, and there is no need to store authentication keys on any machine in the network (other than the user's own local machine). The authentication protocol never reveals the keys; they can only be used to verify that the user's agent has a certain key. Eventually the agent could rely on a smart card to perform all authentication computations.
Interoperability
Interoperability between implementations is a goal, but not a promise. As OpenSSH development progresses, older protocols, encryption algorithms, key types and other options with known weaknesses are routinely disabled.
SFTP client and server support in both the SSH1 and SSH2 protocols
Since OpenSSH 2.5.0, full SFTP support is included, using the sftp command as the client. The sftp-server subsystem works automatically over both the SSH1 and SSH2 protocols.
Optional data compression
Compressing the data before encryption improves performance over slow network links.
1. The ssh client
ssh (Secure Shell) is a security protocol built on top of the application and transport layers.
Its configuration file is /etc/ssh/ssh_config:
# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# "Host": the options that follow apply only to hosts matching the pattern; "*" means every host.
Host *
# "ForwardAgent": whether the connection to the authentication agent (if any) is forwarded to the remote machine.
ForwardAgent no
# "ForwardX11": whether X11 connections are automatically redirected over the secure channel and DISPLAY set.
ForwardX11 no
# "RhostsAuthentication": whether rhosts-based authentication is used.
RhostsAuthentication no
# "RhostsRSAAuthentication": whether rhosts-based authentication with RSA is used.
RhostsRSAAuthentication no
# "RSAAuthentication": whether RSA authentication is used.
RSAAuthentication yes
# "PasswordAuthentication": whether password authentication is used.
PasswordAuthentication yes
# "FallBackToRsh": whether to fall back to rsh automatically when the ssh connection fails.
FallBackToRsh no
# "UseRsh": whether rlogin/rsh is used on this machine.
UseRsh no
# "BatchMode": if "yes", the passphrase/password prompt is disabled; useful for scripts and batch jobs that cannot enter a password interactively.
BatchMode no
# "CheckHostIP": whether ssh also checks the IP address of the server against known_hosts, to detect DNS spoofing; "yes" is recommended.
CheckHostIP yes
# "StrictHostKeyChecking": if "yes", ssh never adds host keys to "$HOME/.ssh/known_hosts" automatically and refuses to connect when a host key has changed.
StrictHostKeyChecking no
# "IdentityFile": the file from which the user's RSA identity is read.
IdentityFile ~/.ssh/identity
# "Port": the port to connect to on the remote host.
Port 22
# "Cipher": the cipher used for encryption.
Cipher blowfish
# "EscapeChar": the escape character.
EscapeChar ~
In this file we usually change only the port, because the default port is an easy target; ssh's default port is 22.
To log in to an ssh server, simply run ssh [email protected] and enter the password when prompted:
[email protected]'s password:
Last login: Thu Apr 14 02:04:55 2016 from 172.16.7.211
Key-based ssh login
# Generate a key pair
[[email protected] ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
# You are asked where to save the key file; the default is the .ssh directory under the home directory. Press Enter to accept it.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
# This passphrase encrypts the key file; leave it empty for no passphrase
Enter passphrase (empty for no passphrase):
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
04:9f:cb:9c:9d:1e:47:d7:e1:d4:c1:87:71:c3:a4:22 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|            . =O+|
|          o . ===|
|        +E .....o|
|       + +.o..   |
|        S + .    |
|       . o       |
|        .        |
|                 |
|                 |
+-----------------+
# The key pair has been generated
[[email protected] ~]# ls /root/.ssh
id_rsa  id_rsa.pub
# id_rsa is the private key, id_rsa.pub the public key
# After generating the pair, upload the public key to the home directory of the corresponding user on the server
[[email protected] ~]# ssh-copy-id -i .ssh/id_rsa.pub [email protected]
The authenticity of host '172.16.9.9 (172.16.9.9)' can't be established.
ECDSA key fingerprint is 63:b9:6d:20:f0:22:b2:21:44:26:91:03:97:21:ff:b7.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

# After entering the password once, the upload is complete. Now try logging in:
[[email protected] ~]# ssh 172.16.9.9
Last login: Tue Mar 22 10:01:02 2016 from 172.16.7.211
[[email protected] ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777728: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:0c:29:83:15:cb brd ff:ff:ff:ff:ff:ff
    inet 172.16.9.9/16 brd 172.16.255.255 scope global eno16777728
       valid_lft forever preferred_lft forever
# As you can see, the login to the server 172.16.9.9 succeeded without a password prompt
Logging in to the server with a key from Windows
Here I use Xshell.
The password here encrypts the key; if you do not want to encrypt it, just click Next.
What is shown here is the public key; click Save as file, or simply copy it.
Then close the dialog.
Then log in to the server and go to the .ssh/ directory under the home directory:
[[email protected] ~]# cd /root/.ssh/
[[email protected] .ssh]# ls
authorized_keys  known_hosts
Edit the authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoYslgClb39L0aPM8II18VBMG/pBHOR5kMKBAq6+9MQFCvOsIqS0tNEFPkbCQaIkKyZahRpdOP4FSgWOmX18uuLqG1MZT/FoAKGV4tJzKwcGpMjfTJVxhMVW+mUi4sxzF2atl8q0SmvzqnJHD5Sg6T2mlV0TC+xdbB5Q/ucFZAiflLkVfSEMBjzvJZTHe8QCLFS358xHKOzv4jfnaZVnsIpZ/LArzy/Y/hvPoamWSg794XlqEuascwPGkLq6VYbltT24gEy89/lAJfK4vXRrZjVmCvfkU98X8oe5wQRxNrPDWPsWO0tBYCt2/LTx+1na5WOYPIxeo3tAZ5LYbRD5Kn [email protected]
# This is the public key from before; paste the public key you just generated after it
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr44c56Hx0dGCj1RTm7JoQkJn1P77y89IHG1S34onqmq/M0RpFn/rzjmxPgXiGS4FUr7LuPl0wLzczm29tTDGv8vkaeLcUeT9yz5pPh1NFNJKyBGNZ+6XQzx8dRw5Ez6bGOSN68kJ4uhZWyCVJl2KintCUWm9D/9ldvV0n8AvmfKsqZvPLEkxxE4zyxUy247AC7wtgd51pl0eRU+MqZ4JHZJ6xhJYgiYtxPR++D+VSeaGnlO7ihv19B3edEmltEs09BOd/Tgl9OuXy+q+fCz5WQekGO0ZkX6y6sSOd7qG11mR188Eccf/dlfymDeF+duKFvgLYATUu5ISCrulQEXfVw==
After saving, you can log in from the local machine without a password; just select the corresponding key when logging in.
Simply click OK.
The generated key file can also be taken along and used on other hosts.
scp: remote copy command
Common options:
-r: copy recursively;
-p: preserve the attributes of the original files;
-q: quiet mode;
-P PORT: the port the remote host listens on;
Download: scp user@remotehost:/path/on/the/remote/host /local/directory
[[email protected] ~]# scp -r [email protected]:/root/tmp /root
Upload: scp /local/file user@remotehost:/directory/on/the/remote/host
[[email protected] ~]# scp -r /root [email protected]:/root/tmp
sftp: remote file management
sftp can download remote files, delete and create directories, and so on.
sftp [user@]host
Use help to see the available commands:
[[email protected] tmp]# sftp [email protected]
[email protected]'s password:
Connected to 172.16.9.9.
sftp> help
Available commands:
bye                                Quit sftp                                   # quit
cd path                            Change remote directory to 'path'           # change the remote directory
chgrp grp path                     Change group of file 'path' to 'grp'        # change the group
chmod mode path                    Change permissions of file 'path' to 'mode' # change permissions
chown own path                     Change owner of file 'path' to 'own'        # change the owner
df [-hi] [path]                    Display statistics for current directory or # show disk usage
                                   filesystem containing 'path'
exit                               Quit sftp                                   # quit
get [-Ppr] remote [local]          Download file                               # download a file
reget remote [local]               Resume download file
help                               Display this help text
lcd path                           Change local directory to 'path'
lls [ls-options [path]]            Display local directory listing             # list the files in the local directory
lmkdir path                        Create local directory                      # create a local directory
ln [-s] oldpath newpath            Link remote file (-s for symlink)
lpwd                               Print local working directory               # show the local directory path
ls [-1afhlnrSt] [path]             Display remote directory listing            # list the files in the remote directory
lumask umask                       Set local umask to 'umask'
mkdir path                         Create remote directory                     # create a remote directory
progress                           Toggle display of progress meter
put [-Ppr] local [remote]          Upload file
pwd                                Display remote working directory            # show the remote directory path
quit                               Quit sftp                                   # quit
rename oldpath newpath             Rename remote file
rm path                            Delete remote file                          # delete a remote file
rmdir path                         Remove remote directory                     # remove a remote directory
symlink oldpath newpath            Symlink remote file
version                            Show SFTP version
!command                           Execute 'command' in local shell
!                                  Escape to local shell
?                                  Synonym for help
2. The server side
The server's configuration file is /etc/ssh/sshd_config; note the extra d compared with the client's file.
In this file, a # followed by a space introduces a comment; a # not followed by a space marks an available option shown with its default value.
[[email protected] ~]# vim /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
# The default port is 22. When the machine is used as a server it is advisable to change it to another port:
# do not listen on the default port, do not listen on the default port, do not listen on the default port.
#Port 22
#AddressFamily any
# 0.0.0.0 means listen on every address of this machine
ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
# Location of the host keys
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
# How host logins are logged; the login log is kept in /var/log/secure
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# Whether the administrator may log in; after changing it to no only ordinary users can log in
#PermitRootLogin yes
#StrictModes yes
# Maximum number of authentication attempts, 6 by default
#MaxAuthTries 6
# Maximum number of sessions, 10 by default
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
# Default location of the public keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Whether password authentication is allowed
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox          # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
# Whether to do reverse DNS lookups; no is recommended
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
# sftp remote connections are provided by this subsystem
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server
After changing the port, remember to restart the sshd service.
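The advice given in the comments above can be checked mechanically. The script below is an added example, not part of the original post: it reads an sshd_config the way sshd does (the first value set for a keyword wins, everything after the first Match block is per-user) and reports the settings this section tells you to change. `sshd_effective` and `audit_sshd` are names chosen for this example, and the fallback values for keywords left commented out are the defaults shown in the dump above.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config against the points made in
# the comments above. sshd uses the FIRST value set for a keyword, so the audit does the same.
set -eu

# sshd_effective FILE KEYWORD DEFAULT: the effective (lower-cased) value of KEYWORD in FILE,
# or DEFAULT when the keyword is left commented out. Assumption: only the global section
# matters, so parsing stops at the first Match block.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/         { next }                 # comments and blank lines
        tolower($1) == "match" { exit }                 # per-user overrides: out of scope
        tolower($1) == key     { print tolower($2); found = 1; exit }
        END                    { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE: prints one "Keyword=value  advice" line per weak setting and nothing
# when the file already follows the advice above. Defaults are the ones shown in the dump.
audit_sshd() {
    f="$1"
    v=$(sshd_effective "$f" Port 22)
    [ "$v" = 22 ] && echo "Port=$v  still listening on the default port; the section above says to change it"
    v=$(sshd_effective "$f" PermitRootLogin yes)
    [ "$v" = yes ] && echo "PermitRootLogin=$v  root may log in directly; set no so only ordinary users can"
    v=$(sshd_effective "$f" PasswordAuthentication yes)
    [ "$v" = yes ] && echo "PasswordAuthentication=$v  password logins allowed; prefer key-based login"
    v=$(sshd_effective "$f" UseDNS no)
    [ "$v" = yes ] && echo "UseDNS=$v  reverse DNS lookup on every login; set no"
    v=$(sshd_effective "$f" MaxAuthTries 6)
    [ "$v" -gt 6 ] 2>/dev/null && echo "MaxAuthTries=$v  more attempts per connection than the default 6"
    return 0
}
```

Run `audit_sshd /etc/ssh/sshd_config` after editing; an empty result means every setting discussed above is already in place.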
II. Creating a private CA and issuing a certificate to the httpd server
CA: certificate authority
IP address of the private CA: 192.168.1.13
Host requesting the certificate, here an httpd host: 192.168.1.107
Open the CA's OpenSSL configuration file, /etc/pki/tls/openssl.cnf, and look at the CA-related settings:
[[email protected] tls]# vim /etc/pki/tls/openssl.cnf
####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept (the CA's working directory)
certs           = $dir/certs            # Where the issued certs are kept, i.e. /etc/pki/CA/certs
crl_dir         = $dir/crl              # Where the issued crl are kept, i.e. /etc/pki/CA/crl
database        = $dir/index.txt        # database index file
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate (the CA's own certificate)
serial          = $dir/serial           # The current serial number (of issued certificates)
crlnumber       = $dir/crlnumber        # the current crl number (serial number of the revocation list)
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key (the CA's own private key)
RANDFILE        = $dir/private/.rand    # private random number file
########################################################################
default_days    = 365                   # how long to certify for (certificate validity period)
default_crl_days= 30                    # how long before next CRL (validity period of the revocation list)
1. On the CA [192.168.1.13], create the required files
[[email protected] ~]# cd /etc/pki/CA/
# Create the index.txt file
[[email protected] CA]# touch index.txt
# Create the serial number file; 01 is used as the first serial number
[[email protected] CA]# echo 01 > serial
2. Create the private CA's self-signed certificate
# Generate the key pair and save it in /etc/pki/CA/private/cakey.pem
[[email protected] CA]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
..............................................+++
...........................................................+++
e is 65537 (0x10001)
[[email protected] CA]# ll private/
总用量 4
-rw------- 1 root root 1675 3月  22 14:20 cakey.pem
# Self-sign the certificate
[[email protected] CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
Country Name (2 letter code) [XX]:cn                                     # country code, exactly 2 letters
State or Province Name (full name) []:chongqing                          # region, full name
Locality Name (eg, city) [Default City]:chongqing                        # city
Organization Name (eg, company) [Default Company Ltd]:xinfeng            # organisation or company name
Organizational Unit Name (eg, section) []:xxoo                           # department
Common Name (eg, your name or your server's hostname) []:ca.xinfeng.com  # hostname; here the name the CA host resolves to in DNS, do not get this wrong
Email Address []:[email protected]                                        # e-mail address
Meaning of the options of the openssl req command:
-new: generate a new certificate signing request;
-x509: used only by a CA to generate a self-signed certificate;
-key: the private key file used when generating the request;
-days: the validity period of the certificate;
-out: the path where the certificate is saved;
3. Issuing the certificate
The requesting host [192.168.1.107] generates the request:
[[email protected] httpd]# mkdir /etc/httpd/ssl
[[email protected] httpd]# cd /etc/httpd/ssl/
# Generate the private key file for the httpd server
[[email protected] ssl]# (umask 077; openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
....................+++
...+++
e is 65537 (0x10001)
# Generate the certificate signing request from the public key extracted from the private key; the fields must match those of the self-signed CA
[[email protected] ssl]# openssl req -new -key httpd.key -days 365 -out /etc/httpd/ssl/httpd.csr
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:chongqing
Locality Name (eg, city) [Default City]:chongqing
Organization Name (eg, company) [Default Company Ltd]:xinfeng
Organizational Unit Name (eg, section) []:xxoo
Common Name (eg, your name or your server's hostname) []:www.xinfeng.com  # this must be your httpd server's hostname
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        # password protecting the certificate signing request
An optional company name []:
# Upload the certificate request to the CA's /root directory
[[email protected] ssl]# scp httpd.csr [email protected]:/root
4. The CA [192.168.1.13] signs the certificate request
# Sign the /root/httpd.csr uploaded just now, valid for 365 days; the resulting certificate is /root/httpd.crt
[[email protected] ~]# openssl ca -in /root/httpd.csr -out /root/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 22 06:58:31 2016 GMT
            Not After : Mar 22 06:58:31 2017 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = chongqing
            organizationName          = xinfeng
            organizationalUnitName    = xxoo
            commonName                = www.xinfeng.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                42:07:4F:68:C6:05:0D:40:C8:A0:32:BE:53:DC:01:DA:DC:E6:81:9D
            X509v3 Authority Key Identifier:
                keyid:D1:91:5E:B5:A4:06:9B:DF:4B:0A:54:6B:A9:15:35:36:56:A5:F9:38

Certificate is to be certified until Mar 22 06:58:31 2017 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# The certificate 01 just signed can be seen in /etc/pki/CA/index.txt
[[email protected] ~]# cat /etc/pki/CA/index.txt
V	170322065831Z		01	unknown	/C=cn/ST=chongqing/O=xinfeng/OU=xxoo/CN=
# Keep a copy of the certificate in the /etc/pki/CA/certs/ certificate store
[[email protected] ~]# cp /root/httpd.crt /etc/pki/CA/certs/
# Send it back to the /etc/httpd/ssl/ directory on the requesting host
[[email protected] ~]# scp /root/httpd.crt [email protected]:/etc/httpd/ssl/
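The script below is an added example, not the post's own code: it reproduces steps 1 to 4 in a throwaway directory, with `-subj` and `-batch` in place of the interactive prompts, and then performs the client-side checks (a) to (e) from the SSL session description at the top of the page, including revocation through a CRL. It assumes the `openssl` command-line tool is installed; the hostnames, subject fields and serial numbers are the ones used on this page, and `make_ca`, `issue_cert`, `verify_cert` and `revoke_cert` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the post's own code: a throwaway private CA built like the one above,
# a certificate issued to www.xinfeng.com, and the client-side checks (a)-(e) run against it.
set -eu
CA_CN="ca.xinfeng.com"; SERVER_CN="www.xinfeng.com"   # hostnames used on this page
DN="/C=cn/ST=chongqing/O=xinfeng"                     # subject fields used on this page

# make_ca DIR: the [CA_default] layout (absolute DIR), a minimal openssl.cnf, the self-signed CA.
make_ca() {
    dir="$1"
    mkdir -p "$dir/newcerts" "$dir/private"
    touch "$dir/index.txt"; echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_match
x509_extensions = server_ext
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$SERVER_CN
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
        -key "$dir/private/cakey.pem" -days 7300 -subj "$DN/CN=$CA_CN" -out "$dir/cacert.pem"
}
# issue_cert CADIR OUTDIR: the httpd key and CSR (step 3), signed unattended by the CA (step 4).
issue_cert() {
    mkdir -p "$2"
    (umask 077; openssl genrsa -out "$2/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$2/httpd.key" -subj "$DN/CN=$SERVER_CN" -out "$2/httpd.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$2/httpd.csr" -out "$2/httpd.crt" 2>/dev/null
}
# verify_cert CACERT CERT HOST [CRL]: CA signature and chain (a)(b), dates (c), CRL (d), name (e).
verify_cert() {
    crl_opts=""; [ -n "${4:-}" ] && crl_opts="-CRLfile $4 -crl_check"
    openssl verify -CAfile "$1" $crl_opts -verify_hostname "$3" "$2" >/dev/null 2>&1
}
# revoke_cert CADIR CERT: the CA revokes the certificate and publishes a fresh CRL as CADIR/crl.pem.
revoke_cert() {
    openssl ca -batch -config "$1/openssl.cnf" -revoke "$2" 2>/dev/null
    openssl ca -batch -config "$1/openssl.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
```

Call `make_ca` with an absolute directory and then `issue_cert`; `verify_cert` returns 0 only for www.xinfeng.com, and non-zero for any other name or, once `revoke_cert` has published the CRL, when that CRL is passed as the fourth argument.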
5. Enable HTTPS on httpd [192.168.1.107]
# Install the ssl module first
[[email protected] ssl]# yum -y install mod_ssl
[[email protected] ssl]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf
/etc/httpd/conf.modules.d/00-ssl.conf
/usr/lib64/httpd/modules/mod_ssl.so
/usr/libexec/httpd-ssl-pass-dialog
/var/cache/httpd/ssl
# Open /etc/httpd/conf.d/ssl.conf and configure it
[[email protected] ssl]# vim /etc/httpd/conf.d/ssl.conf
ServerName www.xinfeng.com
DocumentRoot "/var/www/html"
SSLCertificateFile /etc/httpd/ssl/httpd.crt
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
# Change <VirtualHost _default_:443> to <VirtualHost *:443>
# Edit the main httpd configuration file
[[email protected] conf]# vim /etc/httpd/conf/httpd.conf
ServerName www.xinfeng.com
DocumentRoot "/var/www/html"
LoadModule ssl_module modules/mod_ssl.so
6. Start HTTPS
[[email protected] conf.d]# systemctl start httpd
[[email protected] conf.d]# ss -tunl
Netid  State      Recv-Q Send-Q  Local Address:Port    Peer Address:Port
udp    UNCONN     0      0       *:20644               *:*
udp    UNCONN     0      0       *:68                  *:*
udp    UNCONN     0      0       :::50143              :::*
tcp    LISTEN     0      128     *:22                  *:*
tcp    LISTEN     0      100     127.0.0.1:25          *:*
tcp    LISTEN     0      128     :::80                 :::*
tcp    LISTEN     0      128     :::22                 :::*
tcp    LISTEN     0      100     ::1:25                :::*
tcp    LISTEN     0      128     :::443                :::*
Both port 80 and port 443 are now listening.
7. Access test
Because the site name for this IP is made up, the hosts file has to be edited so that the name resolves to the IP.
Add the following line to the hosts file:
192.168.1.107 www.xinfeng.com
Download the certificate created above to the local machine
and import it.
As you can see, it actually works, but because our self-built private CA is not a publicly recognised certificate authority, the certificate is not trusted.
You may also want to look at http://www.178linux.com/15072
This article comes from the blog "梁小明的博客"; please keep this attribution: http://7038006.blog.51cto.com/7028006/1860849