
Detailed description of installation of https application

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Example demo: both hosts run CentOS 7.

172.18.253.133 acts as the CA

172.18.253.132 acts as the server

1.

a) On 172.18.253.133, create a private CA

# cd /etc/pki/CA

# (umask 077;openssl genrsa -out private/cakey.pem 2048) //generate a private key

# ll private/

total 4

-rw------- 1 root root 1679 May 21 10:09 cakey.pem

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem //generate the self-signed CA certificate

# touch serial index.txt

# echo 01 >serial

b) On 172.18.253.132, create a certificate signing request

# cd /etc/httpd

# ls

conf conf.d conf.modules.d logs modules run

# mkdir ssl //used to store the certificate files

# cd ssl

# (umask 077;openssl genrsa -out httpd.key 2048) //generate the server private key; use at least 2048 bits

# openssl req -new -key httpd.key -out httpd.csr //Create certificate signing request

# ls

httpd.csr httpd.key

# scp httpd.csr root@172.18.253.133:/tmp/

c) On 172.18.253.133, sign the certificate

# openssl ca -in /tmp/httpd.csr -out certs/httpd.crt

//Answer y to both confirmation prompts

# scp certs/httpd.crt root@172.18.253.132:/etc/httpd/ssl/

2. On 172.18.253.132, configure httpd to support SSL and to use the certificate

# ls

httpd.crt httpd.csr httpd.key

# yum install mod_ssl -y

# cd /etc/httpd/conf.d

# cp ssl.conf{,.backup}

# vim ssl.conf

DocumentRoot "/var/www/html"

ServerName www.magedu.com //hostname must match the certificate

SSLEngine on //SSL engine enabled, must be on

SSLCertificateFile /etc/httpd/ssl/httpd.crt //server certificate file

SSLCertificateKeyFile /etc/httpd/ssl/httpd.key //private key file

# httpd -t //check for syntax errors

Note: the syntax check may report an error at this point.

Cause: the hostname and IP address do not match. The httpd server tries a reverse lookup of the machine's IP address, and the hostname returned by the reverse lookup is inconsistent with the machine's own hostname, which produces the warning.

Workaround: set a hostname in the main httpd configuration file

# vim /etc/httpd/conf/httpd.conf

ServerName www.magedu.com //a hostname or IP

# httpd -t //check the syntax again

# systemctl restart httpd.service

3. Test access to the host over https

1) Verify from the CA host with the openssl command:

# openssl s_client -connect www.magedu.com:443

getaddrinfo: Temporary failure in name resolution

connect:errno=111 //the host cannot resolve www.magedu.com yet; add an entry to /etc/hosts

# vim /etc/hosts

172.18.253.132 www.magedu.com www //add this line

# openssl s_client -connect www.magedu.com:443

# openssl s_client -connect www.magedu.com:443 -CAfile /etc/pki/CA/cacert.pem //this is the CA host, so point directly at the CA certificate

2) It can also be verified with a browser.

Start by adding a test page to the CA server

# vim /var/www/html/index.html

Test https

Visit http://172.18.253.132/index.html in your browser

At this point the browser has not imported the CA certificate, so https-based access will not work. Import the CA certificate file into the browser (copy /etc/pki/CA/cacert.pem from the virtual host to the physical host for the import).

Method: Google Chrome --> Settings --> Advanced Settings --> HTTPS/SSL Manage Certificates --> Trusted Certificate Authorities --> Import cacert.pem.

Continue to https://172.18.253.132/index.html in your browser

At this point, you can click Advanced to continue, or add the www.magedu.com hostname to the local hosts file.

Modifying the hosts file on Win10:

1. Open the "Run" dialog box (the Win+R shortcut opens it quickly), then type the hosts file path: C:\WINDOWS\system32\drivers\etc. Click "OK" to open it.

2. After locating the hosts file, do not modify it directly, or the change will fail for lack of permissions. Instead, right-click the hosts file and choose "Properties" from the menu.

3. In the hosts file properties, switch to the "Security" tab, select the user name whose permissions need changing, and click "Edit". In the permission editing dialog that opens, first select the account that needs higher permissions. For example, here the "Users (HOSTNAME\Users)" entry needs permission to modify the hosts file: select it, tick the "Modify" and "Write" permissions, then click "Apply" in the lower right corner.

After you click Apply, a "Windows Security" prompt pops up, to the effect that changing permissions on system folders may reduce the security of the system. Here, we don't need to pay attention to it, just click "Yes". After this change, every account in the Users group can write to the hosts file.

4. With write and modify permissions on the hosts file set for the current user, the Win10 hosts file can now be edited. Right-click the hosts file and click "Open with" in the menu.

5. Then choose Notepad to open and edit the file. For example, here we add an entry that maps www.magedu.com to the specified IP. When the change is done, click "Save"; no permission problem appears this time.

Finally, we test the effect with ping.

Then visit https://www.magedu.com/index.html to open the page and display the corresponding content.
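The certificate steps in sections 1 and 3 (private CA, CSR, signing, verification) can be rehearsed in a scratch directory before touching /etc/pki/CA or httpd. The script below is an added example, not part of the original article: it uses `openssl x509 -req` in place of `openssl ca`, adds a subjectAltName entry (the field current browsers match the hostname against), and the CA name "Demo Private CA" and the function names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. The CA name "Demo Private CA" and
# the function names are constructed; everything is written to a scratch dir.

# issue_cert DIR HOST: create a private CA, a server key, a CSR and a signed
# certificate for HOST inside DIR (steps 1a-1c of the walkthrough).
issue_cert() {
    dir=$1 host=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077
        openssl genrsa -out cakey.pem 2048 2>/dev/null || exit 1
        openssl req -new -x509 -key cakey.pem -out cacert.pem -days 365 \
            -subj "/CN=Demo Private CA" || exit 1
        openssl genrsa -out httpd.key 2048 2>/dev/null || exit 1
        openssl req -new -key httpd.key -out httpd.csr -subj "/CN=$host" || exit 1
        # "openssl x509 -req" stands in for "openssl ca" so no CA database is
        # needed; the SAN entry is the field current browsers match against.
        printf 'subjectAltName=DNS:%s\n' "$host" > san.ext
        openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem \
            -set_serial 01 -days 365 -sha256 -extfile san.ext \
            -out httpd.crt 2>/dev/null || exit 1
    )
}

# check_cert DIR HOST: succeed only if the certificate chains to the CA, is
# valid for HOST, carries HOST as a SAN, pairs with httpd.key, and the key is
# at least 2048 bits.
check_cert() {
    dir=$1 host=$2
    openssl verify -CAfile "$dir/cacert.pem" -verify_hostname "$host" \
        "$dir/httpd.crt" 2>/dev/null | grep -q ': OK$' || return 1
    openssl x509 -noout -text -in "$dir/httpd.crt" \
        | grep -qF "DNS:$host" || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/httpd.crt") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/httpd.key" 2>/dev/null) || return 1
    [ "$crt_mod" = "$key_mod" ] || return 1
    bits=$(openssl rsa -noout -text -in "$dir/httpd.key" 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ]
}

if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d) && issue_cert "$d" www.magedu.com && check_cert "$d" www.magedu.com \
        && echo "certificate for www.magedu.com verified in $d"
fi
```

Run it with the argument `run` to execute the whole flow; `check_cert` can also be pointed at a directory holding an existing cacert.pem, httpd.crt and httpd.key before httpd is restarted.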
