
Setting up SSL under Linux (Apache mod_ssl with a private CA)

Date: 2017/3/3 16:28:12   Editor: About Linux

First, the client and server complete the TCP three-way handshake (HTTP runs over TCP/IP). They then start the SSL session: in the ClientHello/ServerHello exchange they agree on the protocol version and the cipher suite. The server then sends its certificate to the client. If the client's checks on the certificate pass, it generates a random secret (the pre-master secret), encrypts it with the public key taken from the server's certificate and sends it to the server; only the holder of the matching private key can decrypt it. Both sides derive the same symmetric session keys from that secret, and from this point on the client's HTTP request and the server's response are encrypted with those keys. That is how the SSL session is established. (This describes the RSA key exchange; with Diffie-Hellman cipher suites the secret is agreed differently, but the certificate check is the same.)

But how does the client verify that the server's certificate is genuine? This needs a CA, a third-party certificate authority, to issue the certificate to our server: the certificate carries the CA's signature, so the client can check that signature.

For that, the CA's own certificate, which is self-signed, must already be present on the client (in its trust store). Verification is a local check of the CA's signature against that certificate; the client does not need to talk to the CA (revocation checking via CRLs or OCSP is a separate step not covered here).

So how does the server get a certificate from the CA? The server first generates a key pair, puts the public key and its identity into a certificate signing request (CSR) and hands that to the CA; the private key never leaves the server. The CA signs the request, producing the certificate, keeps a copy and returns it to the server. The server is configured to use it, and during the handshake it sends the certificate to the client, which checks the CA's signature on it.

① Prerequisite:

To make your web server support SSL, the first step is to install the SSL module

[root@Cyz ~]# yum install mod_ssl
//see what was installed
[root@Cyz ~]# rpm -ql mod_ssl
/etc/httpd/conf.d/ssl.conf //the configuration file; httpd must be restarted after changes
/usr/lib/httpd/modules/mod_ssl.so
/var/cache/mod_ssl          //cache directory
/var/cache/mod_ssl/scache.dir
/var/cache/mod_ssl/scache.pag
/var/cache/mod_ssl/scache.sem

② Providing a CA

Find another host and use it as our CA; this host's IP is 172.16.111.9 (written 111.9 below).

To act as a CA, first generate the CA's own self-signed certificate:

[root@localhost ~]# cd /etc/pki/CA/
//generate the CA's private key
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
//the umask keeps the file unreadable by other users; -out is the output path
Generating RSA private key, 2048 bit long modulus
.......................................+++
........................+++
e is 65537 (0x10001)
//check the permissions
[root@localhost CA]# ls -l private/
total 8
-rw------- 1 root root 1679 Apr 10 16:15 cakey.pem //mode 600

//then change the default values in the config file (the req_distinguished_name defaults) to the ones we normally use
[root@localhost CA]# vim ../tls/openssl.cnf

//generate the CA's own self-signed certificate
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
//then continue editing openssl.cnf and find
[ CA_default ]

dir             = /etc/pki/CA //make sure it reads like this
//(the stock policy_match section in this file requires C, ST and O in every request to match the CA certificate's own values, which is why the request below uses the same ones)
//then create the directories and database files that openssl ca expects
[root@localhost CA]# mkdir certs crl newcerts
[root@localhost CA]# touch index.txt
[root@localhost CA]# echo 01 > serial
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
//at this point the CA is ready to use

Now go back to the web server host (172.16.111.1), which is the CA's client here:

[root@Cyz ~]# cd /etc/httpd/          //keep the key and certificate here
[root@Cyz httpd]# mkdir ssl
[root@Cyz httpd]# ls
conf conf.d logs modules run ssl
[root@Cyz httpd]# cd ssl/
[root@Cyz ssl]# ls
[root@Cyz ssl]# (umask 077; openssl genrsa 1024 > httpd.key)    //generate the private key (1024 bits as on the original page; a 1024-bit RSA key is too weak today, use 2048 or more)
Generating RSA private key, 1024 bit long modulus
................................++++++
.....................................................++++++
e is 65537 (0x10001)
[root@Cyz ssl]# ll
total 8
-rw------- 1 root root 887 Apr 10 16:33 httpd.key
[root@Cyz ssl]# openssl req -new -key httpd.key -out httpd.csr  //generate the certificate signing request; the Common Name must be the hostname clients will use
You are about to be asked to enter information that will be incorporated     
into your certificate request.     
What you are about to enter is what is called a Distinguished Name or a DN.     
There are quite a few fields but you can leave some blank     
For some fields there will be a default value,     
If you enter '.', the field will be left blank.     
-----     
Country Name (2 letter code) [GB]:CN     
State or Province Name (full name) [Berkshire]:Henan        
Locality Name (eg, city) [Newbury]:Zhengzhou     
Organization Name (eg, company) [My Company Ltd]:MageEdu        
Organizational Unit Name (eg, section) []:Tech     
Common Name (eg, your name or your server's hostname) []:hello.magedu.com     
Email Address []:[email protected]     
          
Please enter the following 'extra' attributes     
to be sent with your certificate request     
A challenge password []:     
An optional company name []:     
[root@Cyz ssl]# ls     
httpd.csr httpd.key     
[root@Cyz ssl]# scp httpd.csr 172.16.111.9:/tmp //copy the CSR (certificate signing request) to the CA; it contains only the public key and the DN, never the private key
The authenticity of host '172.16.111.9 (172.16.111.9)' can't be established.     
RSA key fingerprint is 44:0a:1f:77:7f:cb:df:09:a8:8d:ac:23:47:b3:a8:99.     
Are you sure you want to continue connecting (yes/no)? yes     
Warning: Permanently added '172.16.111.9' (RSA) to the list of known hosts.     
[email protected]'s password:      
httpd.csr                                                   100% 704     0.7KB/s   00:00

Then go back to the CA and sign it

[root@localhost CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650     
Using configuration from /etc/pki/tls/openssl.cnf     
Check that the request matches the signature     
Signature ok     
Certificate Details:     
        Serial Number: 1 (0x1)     
        Validity     
            Not Before: Apr 10 08:41:24 2013 GMT     
            Not After : Apr 8 08:41:24 2023 GMT     
        Subject:     
            countryName               = CN    
            stateOrProvinceName       = Henan    
            organizationName          = MageEdu    
            organizationalUnitName    = Tech    
            commonName                = hello.magedu.com     
            emailAddress              = [email protected]     
        X509v3 extensions:     
            X509v3 Basic Constraints:      
                CA:FALSE     
            Netscape Comment:      
                OpenSSL Generated Certificate     
            X509v3 Subject Key Identifier:      
                10:B1:D2:C5:48:58:66:7B:35:71:BD:62:1D:77:85:12:EB:36:DF:63     
            X509v3 Authority Key Identifier:      
                keyid:30:86:2F:D5:DC:10:09:DA:38:19:E5:72:34:05:D5:5D:CE:83:B2:86     
          
Certificate is to be certified until Apr 8 08:41:24 2023 GMT (3650 days)     
Sign the certificate? [y/n]:y     
          
          
1 out of 1 certificate requests certified, commit? [y/n]y     
Write out database with 1 new entries     
Data Base Updated //issued successfully
//note that the localityName (Zhengzhou) entered in the request does not appear in the Subject above: the stock policy_match section does not list it, and openssl ca silently drops DN fields the policy does not mention

//look at the generated files
[root@localhost CA]# cd /etc/pki/CA/
[root@localhost CA]# ls
cacert.pem crl        index.txt.attr newcerts serial
certs       index.txt index.txt.old   private   serial.old
[root@localhost CA]# cat index.txt //view the contents: V = valid, expiry, serial, subject
V 230408084124Z            01    unknown       /C=CN/ST=Henan/O=MageEdu/OU=Tech/CN=hello.magedu.com/[email protected]
[root@localhost CA]# cat serial //the next serial number has been advanced automatically
02

//then send the certificate to the requester. Here we fetch it from the web server side
[root@Cyz ssl]# scp 172.16.111.9:/tmp/httpd.crt ./
[email protected]'s password:
httpd.crt                                                   100% 3864     3.8KB/s   00:00

Then remember to go back to the CA and delete the temporary files under /tmp. Both files hold only public data (the CA keeps its own copy of the issued certificate under newcerts/), so this is tidiness rather than secrecy; the one file that must never be copied anywhere is httpd.key on the web server.
[root@localhost CA]# cd /tmp/
[root@localhost tmp]# ls
busybox                  grub-install.log.s11228 httpd.csr whatis.Fa3163
grub-install.img.o11227 httpd.crt                initrd
[root@localhost tmp]# rm httpd.c*
rm: remove regular file `httpd.crt'? y
rm: remove regular file `httpd.csr'? y
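The CA setup, the web server's key and CSR, the openssl ca signing and the trust check that the page leaves to the browser, as one added example that is not part of the original page. It builds the same layout (private/cakey.pem, cacert.pem, index.txt, serial, newcerts/) under a temporary directory with a minimal openssl.cnf of its own, uses -batch and -subj in place of the interactive prompts, and then verifies the result the way a client does: with openssl verify against our cacert.pem (accepted) and against a second, unrelated CA (rejected, which is exactly the warning IE shows later). It assumes only the openssl command-line tool; the CA names, the second "rogue" CA and all paths are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds the page's CA and
# web-server artefacts non-interactively, then checks what the page leaves to
# the browser. Assumes only the openssl CLI; all DNs and paths are made up.
set -eu

# Minimal openssl.cnf for one CA directory; [ CA_default ] carries the keys the
# page edits in /etc/pki/tls/openssl.cnf. The policy keeps every DN field the
# requester supplied (the stock policy_match silently drops localityName).
write_ca_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database      = $1/index.txt
new_certs_dir = $1/newcerts
certificate   = $1/cacert.pem
private_key   = $1/private/cakey.pem
serial        = $1/serial
default_md    = sha256
policy        = policy_keep
[ policy_keep ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:hello.magedu.com
EOF
}

# CA side (section 2 of the page): 0600 key, self-signed CA cert, empty
# index.txt, serial 01.
make_ca() {
    mkdir -p "$1/private" "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    write_ca_config "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -key "$1/private/cakey.pem" -subj "$2" -days 3655 -out "$1/cacert.pem"
}

# Web-server side: 2048-bit key (the page uses 1024) and a CSR. The CSR and the
# certificate are public data; httpd.key must never leave this host.
make_server_csr() {
    mkdir -p "$1"
    printf '[ req ]\nprompt = no\ndistinguished_name = req_dn\n[ req_dn ]\nCN = x\n' > "$1/req.cnf"
    (umask 077; openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/req.cnf" -key "$1/httpd.key" -out "$1/httpd.csr" \
        -subj "/C=CN/ST=Henan/L=Zhengzhou/O=MageEdu/OU=Tech/CN=hello.magedu.com"
}

# The CA signs the CSR; -batch stands in for the page's two y/n prompts, and
# index.txt and serial are updated exactly as shown on the page.
sign_csr() {
    openssl ca -config "$1/openssl.cnf" -batch -notext -extensions v3_server \
        -days 3650 -in "$2" -out "$3" 2>/dev/null
}

# What a browser does with a CA cert in its trust store: check the issuer
# signature and validity period of the server certificate.
verify_against_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# A certificate is only usable on the host holding the matching private key.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

build_demo_pki() {
    make_ca "$1/ca"    "/C=CN/ST=Henan/O=MageEdu/CN=MageEdu demo CA"
    make_ca "$1/rogue" "/C=CN/O=Someone Else/CN=Rogue CA"   # not in the client's trust store
    make_server_csr "$1/server"
    sign_csr "$1/ca" "$1/server/httpd.csr" "$1/server/httpd.crt"
}

# Stand-alone run: build everything under a temporary directory and report.
root=$(mktemp -d)
build_demo_pki "$root"
openssl x509 -in "$root/server/httpd.crt" -noout -subject -issuer -dates
verify_against_ca "$root/ca/cacert.pem"    "$root/server/httpd.crt" && echo "our CA:   accepted"
verify_against_ca "$root/rogue/cacert.pem" "$root/server/httpd.crt" || echo "rogue CA: rejected"
cert_matches_key "$root/server/httpd.crt" "$root/server/httpd.key" && echo "httpd.crt matches httpd.key"
rm -rf "$root"
```

Run it with sh: it prints the issued certificate's subject, issuer and dates, the three check results, and removes the temporary directory. The same client-side check against the live server is openssl s_client -connect 172.16.111.1:443 -servername hello.magedu.com -CAfile cacert.pem, whose output should end with Verify return code: 0 (ok); run that before importing anything into a browser.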

The certificate is now signed; how do we configure the server to use it?

[root@Cyz ssl]# cd /etc/httpd/conf.d/
[root@Cyz conf.d]# ls
manual.conf php.conf proxy_ajp.conf README ssl.conf virtual.conf welcome.conf
[root@Cyz conf.d]# vim ssl.conf

//edit the contents as follows (SSLEngine on is already set inside this VirtualHost in the stock file):

<VirtualHost 172.16.111.1:443>

#ServerName www.example.com:443
ServerName hello.magedu.com
DocumentRoot "/www/magedu.com"

SSLCertificateFile /etc/httpd/ssl/httpd.crt   //certificate file

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key //private key file; keep it mode 600 and owned by root, httpd reads it as root at startup before its worker processes drop privileges
//check the syntax
[root@Cyz conf.d]# httpd -t
Syntax OK

//restart the service
[root@Cyz conf.d]# service httpd restart

Then edit the HOSTS file on the physical machine (the Windows client the browser runs on), so that the name in the certificate resolves to the server

//add the following

172.16.111.1 hello.magedu.com

Now visit the site (using https://). The browser warns that there is a problem with the site's security certificate. The reason is that our CA is not trusted; the fix is naturally to import the CA certificate by hand:

Go to the CA and send a copy of its certificate (cacert.pem, never the private key) to the physical host; the original does this with a file-transfer tool (click its green button).

Change the file's extension to .crt and its icon changes: Windows now recognises it as a certificate.

Double-click it to install it; because this is the CA's own self-signed certificate, it belongs in the Trusted Root Certification Authorities store.

Once that is done, open IE to verify. The name in the address bar must match the certificate, which is why the hosts entry above uses hello.magedu.com; IE of that era accepted the Common Name alone, whereas current browsers require the hostname to appear in the certificate's subjectAltName extension.
