服务器维护CentOS 7.3配置HTTPS服务
2020-06-10 16:27 作者:艾锑无限 浏览量:
服务器维护CentOS 7.3配置HTTPS服务
服务器维护小知识环境为CentOS 7.3、httpd2.4.6服务器维护小知识一 搭建证书
说明:
CA 主机为192.168.29.3
client主机为 192.168.29.100
服务器维护小知识1 生成私钥
[root@centos7 ~]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSAprivate key,4096bitlongmodulus
.....................++
...........................................................................................................................................................................................++
eis 65537(0x10001)
服务器维护小知识2 生成自签证书
[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are abouttobe askedtoenter information that will be incorporated
into your certificate request.
What you are abouttoenteriswhatiscalled a Distinguished Nameora DN.
There are quite a few fields but you can leave some blank
Forsome fields there will be adefaultvalue,
If you enter '.', the field will be left blank.
-----
Country Name (2letter code) [XX]:CN
StateorProvince Name (full name) []:BeiJing
Locality Name (eg, city) [DefaultCity]:BeiJing
Organization Name (eg, company) [DefaultCompany Ltd]:Company
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your nameoryour server's hostname) []:www.test.com
Email Address []:
[root@centos7 ~]#
服务器维护小知识3 为CA提供所需的目录及文件
(1)所需目录,如果无,则创建
/etc/pki/CA/certs/
/etc/pki/CA/crl/
/etc/pki/CA/newcerts/
(2)所需文件
[root@centos7 ~]# touch /etc/pki/CA/serial #序列号文件
[root@centos7 ~]# touch /etc/pki/CA/index.txt #数据库文件
(3)
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial #维护ca的序列号
服务器维护小知识4 在client上进行如下操作
(1)创建放置公钥私钥的文件夹
[root@CentOS7 ~]# mkdir /etc/httpd/ssl
(2)生成自己的私钥
[root@CentOS7 ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSAprivate key,2048bitlongmodulus
.......................................+++
...................................+++
eis 65537(0x10001)
[root@CentOS7 ~]#
服务器维护小知识(3)请CA为自己生成公钥
[root@CentOS7 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are abouttobe askedtoenter information that will be incorporated
into your certificate request.
What you are abouttoenteriswhatiscalled a Distinguished Nameora DN.
There are quite a few fields but you can leave some blank
Forsome fields there will be adefaultvalue,
If you enter '.', the field will be left blank.
-----
Country Name (2letter code) [XX]:CN
StateorProvince Name (full name) []:BeiJing
Locality Name (eg, city) [DefaultCity]:BeiJing
Organization Name (eg, company) [DefaultCompany Ltd]:Company
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your nameoryour server's hostname) []:www.test.com
Email Address []:
Please enter the following 'extra' attributes
tobe sentwithyour certificate request
A challenge password []:
服务器维护小知识(4)把生成的公钥发送给CAAnoptionalcompany name []:
[root@CentOS7 ~]# scp /etc/httpd/ssl/httpd.csr root@192.168.29.3:/tmp/
The authenticityofhost'192.168.29.3 (192.168.29.3)' can't be established.
ECDSAkeyfingerprintisf2:2e:89:a2:8d:22:22:9c:a9:f8:c9:19:18:d3:b6:c4.
Are you sure you wantto continueconnecting (yes/no)? yes
Warning: Permanently added '192.168.29.3' (ECDSA) to the list of known hosts.
root@192.168.29.3's password:
httpd.csr100%1005 1.0KB/s00:00
服务器维护小知识5 在CA主机上为client签证
[root@centos7 ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1(0x1)
Validity
Not Before: Jun3 02:54:23 2017GMT
Not After: Jun3 02:54:23 2018GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
organizationName = Company
organizationalUnitName = OPS
commonName = www.test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSLGeneratedCertificate
X509v3 SubjectKeyIdentifier:
5D:A9:5A:90:29:F3:3A:7F:76:BE:21:78:14:80:E5:FB:5E:03:D8:D9
X509v3 AuthorityKeyIdentifier:
keyid:9E:1E:F3:84:4D:D0:79:E2:BD:DD:A8:50:29:6C:BA:0C:21:60:CA:96
Certificateis tobe certifieduntilJun3 02:54:23 2018GMT (365 days)
Signthe certificate? [y/n]:y
1 out of 1certificate requests certified,commit? [y/n]y
Writeout database with 1 newentries
Data Base Updated
服务器维护小知识6 把签署的证书发给client
[root@centos7 ~]# scp /etc/pki/CA/certs/httpd.crt root@192.168.29.100:/etc/httpd/ssl/
The authenticityofhost'192.168.29.100 (192.168.29.100)' can't be established.
ECDSAkeyfingerprintis 32:16:f3:2d:78:65:9f:a0:31:6c:dc:b9:24:e7:5a:8f.
Are you sure you wantto continueconnecting (yes/no)? yes
Warning: Permanently added '192.168.29.100' (ECDSA) to the list of known hosts.
root@192.168.29.100's password:
httpd.crt100%5711 5.6KB/s00:00
服务器维护小知识二 HTTPS配置
服务器维护小知识7 安装mod_ssl模块
[root@CentOS7 ~]# yum install mod_ssl -y
8 修改配置文件/etc/httpd/conf.d/ssl.conf
DocumentRoot "/data/https"
ServerName www.test.com:443
<Directory "data/https">
AllowOverride None
Require all granted
</Directory>
SSLCertificateFile/etc/httpd/ssl/httpd.crt
注意:SSLCertificateKeyFile/etc/httpd/ssl/httpd.crt
并修该/etc/httpd/ssl/httpd.crt、/etc/httpd/ssl/httpd.crt两个文件的属性,确保apach为可读就行,当然也可放在默认文件夹下,就不需要修改权限了。
[root@CentOS7 ~]#chmod +r /etc/httpd/ssl/httpd.key
服务器维护小知识9 检查语法
[root@CentOS7 ~]# httpd -t
Syntax OK
服务器维护小知识10 修给默认页面
[root@CentOS7~]# echo"www.test.com"> /data/https/index.html
服务器维护小知识11 启动http服务
[root@CentOS7 ~]# systemctl start httpd.service
服务器维护小知识12 把CA 的自签证书传到桌面
[root@centos7 ~]# sz /etc/pki/CA/cacert.pem改名为cacert.crt
双击导入IE浏览器
服务器维护小知识13 配置DNS解析
www.test.com 为192.168.29.100
或者 修改windows 下的C:\Windows\Systeme32\drivers\etc\hosts文件
192.168.29.100 www.test.com
服务器维护小知识14 打开IE浏览器测试
输入https://www.test.com
好了 成功了 好用成就感呀!!
IT运维 我们选择北京艾锑无限
相关文章
IT电脑维护外包
关闭