

Implementation of HTTPS under Linux

2025-02-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Deploy HTTPS

In this chapter the network is planned as follows. The host that acts as the private certification authority (CA) is ca.example.com; its IP address and prefix length are 192.168.1.40/24, the gateway address is 192.168.1.1, and the DNS1 address is 192.168.1.10.

The web server host is rhel7.example.com, with IP address 192.168.1.20 and DNS1 address 192.168.1.10.

Install OpenSSL

/usr/bin/openssl: main program of the CA server.

/etc/pki/tls/openssl.cnf: OpenSSL configuration file.

/etc/pki/CA: home directory of the CA server.

[root@ca ~]# yum -y install openssl
[root@ca ~]# vim /etc/pki/tls/openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# ... omitted partial output ...
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
# ... omitted partial output ...

Here /etc/pki/CA is the home directory of the CA. dir is a variable defined in the configuration file, and $dir expands to /etc/pki/CA. For example, the private key path is defined as $dir/private/cakey.pem, so the real path is /etc/pki/CA/private/cakey.pem.

Build a private CA

Generate a self-signed certificate for the CA and provide the CA with the directories and files it needs.

The key command is openssl req; its important options are as follows:

-new: generate a signing request for a new certificate

-x509: output a self-signed certificate instead of a request; used when creating a private CA

-key: path of the private key file used to generate the request

-out: storage path of the generated file. In a self-signed operation the signed certificate is written directly.

-days: validity period of the certificate in days; the default is 365.

① Generate the private key

[root@ca ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 1024 bit long modulus
.+.+
e is 65537 (0x10001)
[root@ca ~]# cd /etc/pki/CA/private/
[root@ca private]# pwd
/etc/pki/CA/private
[root@ca private]# cat cakey.pem
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
[root@ca private]#

② Generate a self-signed certificate

[root@ca private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:GL
Organizational Unit Name (eg, section) []:xitong
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:root@example.com

③ Provide the CA with the directories and files it needs.

[root@ca private]# cd ../
[root@ca CA]# touch serial
[root@ca CA]# touch index.txt
[root@ca CA]# echo 01 > /etc/pki/CA/serial

Add an A record for ca.example.com on the DNS server.

④ Request a web certificate for the web site (performed on the web server)

This step requests a web certificate for the primary site rhel7.example.com on the web server.

Generate the private key and store it in the /etc/httpd/ssl directory (the directory can be chosen freely).

[root@rhel7 ~]# mkdir /etc/httpd/ssl
[root@rhel7 ~]# cd /etc/httpd/ssl/
[root@rhel7 ssl]# (umask 077; openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
.+..+
e is 65537 (0x10001)

⑤ Generate a signing request file for the rhel7.example.com site

[root@rhel7 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:GL
Organizational Unit Name (eg, section) []:xitong
Common Name (eg, your name or your server's hostname) []:rhel7.example.com
Email Address []:root@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

⑥ Send the signing request file to the CA server over a trusted channel

[root@rhel7 ~]# scp /etc/httpd/ssl/httpd.csr root@ca.example.com:/etc/pki/CA/
The authenticity of host 'ca.example.com (172.16.30.40)' can't be established.
ECDSA key fingerprint is 4e:38:22:c7:5d:1a:ed:1c:ab:54:4f:7e:b2:84:6b:b5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ca.example.com,172.16.30.40' (ECDSA) to the list of known hosts.
root@ca.example.com's password:
httpd.csr                                     100%  688     0.7KB/s   00:00

⑦ Sign the request on the CA server host, specifying the storage path of the generated web certificate

[root@ca ~]# openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  9 16:58:42 2019 GMT
            Not After : Oct  8 16:58:42 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = GL
            organizationalUnitName    = xitong
            commonName                = rhel7.example.com
            emailAddress              = root@example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B5:E9:B1:1E:D7:9F:3B:DC:97:D4:40:CE:7E:4A:2E:06:0D:15:08:5D
            X509v3 Authority Key Identifier:
                keyid:5F:68:24:75:05:1E:8C:C2:ED:34:CF:FF:B7:04:47:1A:83:E0:BC:F3

Certificate is to be certified until Oct  8 16:58:42 2020 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca ~]#

⑧ On the web server host, download the signed web certificate from the CA server into the /etc/httpd/ssl directory with scp

[root@rhel7 ~]# scp root@ca.example.com:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
root@ca.example.com's password:
httpd.crt                                     100% 3198     3.1KB/s   00:00
[root@rhel7 ~]# cd /etc/httpd/ssl/
[root@rhel7 ssl]# ls
httpd.crt  httpd.csr  httpd.key
[root@rhel7 ssl]# cat httpd.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=HN, L=ZZ, O=GL, OU=xitong, CN=ca.example.com/emailAddress=root@example.com
        Validity
            Not Before: Oct  9 16:58:42 2019 GMT
            Not After : Oct  8 16:58:42 2020 GMT
        Subject: C=CN, ST=HN, O=GL, OU=xitong, CN=rhel7.example.com/emailAddress=root@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                B5:E9:B1:1E:D7:9F:3B:DC:97:D4:40:CE:7E:4A:2E:06:0D:15:08:5D
            X509v3 Authority Key Identifier:
                keyid:5F:68:24:75:05:1E:8C:C2:ED:34:CF:FF:B7:04:47:1A:83:E0:BC:F3
    Signature Algorithm: sha256WithRSAEncryption
         ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
[root@rhel7 ssl]#

⑨ Install the Apache HTTP module mod_ssl to support TLS

[root@rhel7 ~]# yum -y install mod_ssl

After installation the configuration file ssl.conf is generated in the /etc/httpd/conf.d directory. Edit it to deploy the rhel7.example.com site over HTTPS:

#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https
# ... omitted partial output ...
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html"
ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
# ... omitted partial output ...
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  A new
#   certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

#   Server Certificate Chain:
# ... omitted partial output ...

Restart the service and configure the firewall

[root@rhel7 ~]# systemctl restart httpd
[root@rhel7 ~]# firewall-cmd --add-service=https --permanent
success
[root@rhel7 ~]# firewall-cmd --reload

Access Test:

https://rhel7.example.com
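The whole procedure above, as an added example rather than the article's own commands: the CA and site-certificate steps scripted non-interactively with 2048-bit keys and a subjectAltName, signing with openssl x509 -req instead of openssl ca so that openssl.cnf needs no editing, followed by the checks worth running before Apache is pointed at the files. The working directory (a temporary directory standing in for /etc/pki/CA and /etc/httpd/ssl) and the default site name are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): steps ①-⑧ scripted, plus verification.
# Paths default to a temporary directory and the site to rhel7.example.com (assumed).
set -e
WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/CA"            # stands in for /etc/pki/CA
WEB_DIR="$WORK/httpd-ssl"    # stands in for /etc/httpd/ssl
SITE="${SITE:-rhel7.example.com}"
DN="/C=CN/ST=HN/L=ZZ/O=GL/OU=xitong"

# Steps ①-③: CA key (2048 bits, not the 1024 shown above), self-signed CA
# certificate, and the serial/index files the CA directory layout expects.
build_ca() {
  mkdir -p "$CA_DIR/private" "$CA_DIR/certs" "$CA_DIR/newcerts"
  touch "$CA_DIR/index.txt"; echo 01 > "$CA_DIR/serial"
  (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
    -days 365 -subj "$DN/CN=ca.example.com"
}

# Steps ④, ⑤ and ⑦: site key and CSR, then signing with openssl x509 -req.
# The subjectAltName is added because browsers no longer match the bare CN.
issue_site_cert() {
  mkdir -p "$WEB_DIR"
  (umask 077; openssl genrsa -out "$WEB_DIR/httpd.key" 2048 2>/dev/null)
  openssl req -new -key "$WEB_DIR/httpd.key" -out "$WEB_DIR/httpd.csr" -subj "$DN/CN=$SITE"
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$SITE" > "$WEB_DIR/ext.cnf"
  openssl x509 -req -in "$WEB_DIR/httpd.csr" -CA "$CA_DIR/cacert.pem" \
    -CAkey "$CA_DIR/private/cakey.pem" -CAserial "$CA_DIR/serial" -days 365 \
    -extfile "$WEB_DIR/ext.cnf" -out "$WEB_DIR/httpd.crt" 2>/dev/null
}

# After step ⑧: returns 0 only if the certificate chains to the CA, matches the
# private key and the hostname, is valid for 30 more days, and has a >= 2048-bit key.
verify_site_cert() {
  openssl verify -CAfile "$CA_DIR/cacert.pem" "$WEB_DIR/httpd.crt" >/dev/null 2>&1 || return 1
  key_mod=$(openssl rsa -noout -modulus -in "$WEB_DIR/httpd.key" 2>/dev/null)
  crt_mod=$(openssl x509 -noout -modulus -in "$WEB_DIR/httpd.crt")
  [ "$key_mod" = "$crt_mod" ] || return 1
  openssl x509 -noout -checkhost "$SITE" -in "$WEB_DIR/httpd.crt" | grep -q 'does match' || return 1
  openssl x509 -noout -checkend 2592000 -in "$WEB_DIR/httpd.crt" >/dev/null || return 1
  bits=$(openssl x509 -noout -text -in "$WEB_DIR/httpd.crt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ]
}

# Stand-alone use: sh thisfile.sh run
if [ "${1:-}" = run ]; then build_ca && issue_site_cert && verify_site_cert && echo "OK: $WORK"; fi
```

Copy httpd.key and httpd.crt from $WEB_DIR into /etc/httpd/ssl only after verify_site_cert exits 0; the same checks apply to a certificate issued with openssl ca as in the article.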
