基于OpenSSL的HTTPS服务配置

242次阅读

没有评论

共计 8420 个字符，预计需要花费 22 分钟才能阅读完成。

CA 服务器：192.168.75.131

httpd 服务器：192.168.75.128

操作系统版本：RedHat 6.5(x_86_64)

一、安装 openssl

1、源码安装：

openssl：wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz

# tar xvf openssl-1.0.0a.tar.gz

# cd openssl-1.0.0a

# ./config –prefix=/usr/local/openssl

# make && make install

2、RPM 安装

yum install openssl openssl-devel -y

二、安装 Apache

1、源码安装 httpd 参考：编译安装 Apache(httpd-2.4.18)

–enable-so #动态模块支持

–enable-ssl #开启 ssl 模块支持

–with-ssl=/usr/local/openssl 使用编译版本的 openssl，如果不指定，则使用 RPM 版本的 openssl

编译参数：

./configure –prefix=/usr/local/apache –enable-so –enable-ssl –enable-cgi –enable-rewrite –with-zlib –with-pcre=/usr/local/pcre –with-apr=/usr/local/apr –with-apr-util=/usr/local/apr-util –enable-mpms-shared=all –with-mpm=event –enable-proxy –enable-proxy-http –enable-proxy-ajp –enable-proxy-balancer –enable-lbmethod-heartbeat –enable-heartbeat –enable-slotmem-shm –enable-slotmem-plain –enable-watchdog –with-ssl=/usr/local/openssl

2、RPM 包安装 httpd

需要安装 mod_ssl 模块

# yum install httpd mod_ssl -y

三、CA 服务器生成自签证书（在 CA 服务器：192.168.75.131 上操作）

# yum install openssl -y

# cd /etc/pki/CA/

# (umask 077;openssl genrsa -out private/cakey.pem 2048) #生成私钥

# ll private/

total 4

-rw——-. 1 root root 1679 Feb 18 17:49 cakey.pem

生成自签证书的时候会有很多选项需要填写，如果不想填，可以编辑配置文件，更换默认值

# cd ../tls/

# diff openssl.cnf openssl.cnf.orig

130c130

< countryName_default= CN

—

> countryName_default= XX

135c135

< stateOrProvinceName_default= GuangDong

—

> #stateOrProvinceName_default= Default Province

138c138

< localityName_default= ShenZhen

—

> localityName_default= Default City

141c141

< 0.organizationName_default= SmallFish Company Ltd

—

> 0.organizationName_default= Default Company Ltd

148c148

< organizationalUnitName_default= Tech

—

> #organizationalUnitName_default=

# vim ../tls/openssl.cnf # 保证 dir 是在 /etc/pki/CA 目录

[CA_default]

dir = /etc/pki/CA # Where everything is kept

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3665 #根据私钥给自己生成一个自签证书，这个证书可以给用户使用的

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [CN]:

State or Province Name (full name) [GuangDong]:

Locality Name (eg, city) [ShenZhen]:

Organization Name (eg, company) [SmallFish Company Ltd]: #给别人签发的公司也必须是这个

Organizational Unit Name (eg, section) [Tech]:

Common Name (eg, your name or your server’s hostname) []:ca.smallfish.com #发给自己的证书

Email Address []:admin@smallfish.com

# cd /etc/pki/CA/

# touch index.txt

# echo 00 >serial

# tree .

.

├── cacert.pem

├── certs

├── crl

├── index.txt

├── newcerts

├── private

│ └── cakey.pem

└── serial

四、web 服务器端, 生成证书颁发请求（在 192.168.75.128 上操作）

# cd /usr/local/apache/conf

# mkdir ssl

# cd ssl/

#(umask 077;openssl genrsa 1024 > httpd.key) #生成密钥

Generating RSA private key, 1024 bit long modulus

…….++++++

………………………..++++++

e is 65537 (0x10001)

# ll

total 4

-rw——-. 1 root root 887 Feb 8 18:40 httpd.key

# openssl req -new -key httpd.key -out httpd.csr #生成证书申请请求

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [XX]:CN #信息必须和 CA 端保持一致

State or Province Name (full name) []:GuangDong #信息必须和 CA 端保持一致

Locality Name (eg, city) [Default City]:ShenZhen #信息必须和 CA 端保持一致

Organization Name (eg, company) [Default Company Ltd]:SmallFish Company Ltd # 必须是 CA 证书中填写的是同一个公司，不如后面生成公司证书的时候会报错

Organizational Unit Name (eg, section) []:Tech

Common Name (eg, your name or your server’s hostname) []:www.vip.com

Email Address []:www.vip.com

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@master ssl]#

# scp httpd.csr 192.168.75.131:/tmp #用 U 盘拷贝，发邮件都可以

五、CA 服务器签发证书（在 CA 服务器：192.168.75.131 上操作）

# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650 #CA 进行签署证书，公司名称不一样，会报错

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

The organizationName field needed to be the same in the

CA certificate (SmallFish Company Ltd) and the request (vip Ltd)

# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650 #CA 进行签署证书

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 0 (0x0)

Validity

Not Before: Feb 18 10:10:26 2016 GMT

Not After : Feb 15 10:10:26 2026 GMT

Subject:

countryName = CN

stateOrProvinceName = GuangDong

organizationName = SmallFish Company Ltd

organizationalUnitName = Tech

commonName = www.vip.com

emailAddress = www.vip.com

X509v3 extensions:

X509v3 Basic Constraints:

CA:FALSE

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

68:4F:A6:95:E8:65:0D:FE:9E:E2:81:31:8A:AF:69:3A:4C:43:E0:94

X509v3 Authority Key Identifier:

keyid:AA:27:66:F1:0F:7A:7C:CA:CD:85:95:1F:D5:92:5A:36:23:FE:1A:36

Certificate is to be certified until Feb 15 10:10:26 2026 GMT (3650 days)

Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

# cat index.txt

V260215101026Z00unknown/C=CN/ST=GuangDong/O=SmallFish Company Ltd/OU=Tech/CN=www.vip.com/emailAddress=www.vip.com

# cat serial

01

# tree .

.

├── cacert.pem

├── certs

├── crl

├── index.txt

├── index.txt.attr

├── index.txt.old

├── newcerts

│ └── 00.pem

├── private

│ └── cakey.pem

├── serial

└── serial.old

4 directories, 8 files

# scp /tmp/httpd.crt 192.168.75.128:/usr/local/apache/conf/ssl #拷贝证书到 Web 服务器

# rm /tmp/httpd.crt /tmp/httpd.csr #CA 服务器端制作完毕之后可以删除掉 web 服务器端证书

六、web 服务器端配置 openssl（在 192.168.75.128 上操作）

vim /usr/local/apache/conf/extra/httpd-ssl.conf

DocumentRoot “/usr/local/apache/htdocs” #和 80 端口文档目录的保持一致，不然和 80 访问的内容不一样

ServerName www.vip.com:443

ServerAdmin admin@vip.com

ErrorLog “/usr/local/apache/logs/error_log”

TransferLog “/usr/local/apache/logs/access_log”

SSLEngine on

SSLCertificateFile “/usr/local/apache/conf/ssl/httpd.crt”

SSLCertificateKeyFile “/usr/local/apache/conf/ssl/httpd.key”

# vim /usr/local/apache/conf/httpd.conf #打开下面的注释

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

LoadModule ssl_module modules/mod_ssl.so

LoadModule slotmem_shm_module modules/mod_slotmem_shm.so

Include conf/extra/httpd-ssl.conf

# /usr/local/apache/bin/httpd -t

Syntax OK

# httpd -M| grep ssl_mod #查看是否支持 ssl_module

ssl_module (shared)

# /usr/local/apache/bin/apachectl start

# lsof -i:80

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

httpd 13445 root 4u IPv6 349321 0t0 TCP *:http (LISTEN)

httpd 13446 daemon 4u IPv6 349321 0t0 TCP *:http (LISTEN)

httpd 13447 daemon 4u IPv6 349321 0t0 TCP *:http (LISTEN)

httpd 13448 daemon 4u IPv6 349321 0t0 TCP *:http (LISTEN)

# lsof -i:443

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME

httpd 13445 root 6u IPv6 349329 0t0 TCP *:https (LISTEN)

httpd 13446 daemon 6u IPv6 349329 0t0 TCP *:https (LISTEN)

httpd 13447 daemon 6u IPv6 349329 0t0 TCP *:https (LISTEN)

httpd 13448 daemon 6u IPv6 349329 0t0 TCP *:https (LISTEN)

七、访问验证

1、在 win hosts 文件中添加

C:\WINDOWS\System32\drivers\etc\hosts

192.168.85.128 www.vip.com

2、安装证书

拷贝 CA 服务器中的证书（/etc/pki/CA/cacert.pem）到客户端，重命名为 cacert.crt，双击运行安装，导入到浏览器，用浏览器打开

基于 OpenSSL 的 HTTPS 服务配置

3、访问：

https://www.vip.com/

基于 OpenSSL 的 HTTPS 服务配置

http://www.vip.com/

基于 OpenSSL 的 HTTPS 服务配置

八、遇到的问题

问题 1：

# /usr/local/apache2/bin/apachectl start

AH00526: Syntax error on line 51 of /usr/local/apache2/conf/extra/httpd-ssl.conf:

Invalid command ‘SSLCipherSuite’, perhaps misspelled or defined by a module not included in the server configuration

解决 1：

# vi /usr/local/apache2/conf/httpd.conf

LoadModule ssl_module modules/mod_ssl.so

问题 2：

# /usr/local/apache2/bin/apachectl start

AH00526: Syntax error on line 76 of /usr/local/apache2/conf/extra/httpd-ssl.conf:

SSLSessionCache: ‘shmcb’ session cache not supported (known names:). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).

解决 2：

# vi /usr/local/apache2/conf/httpd.conf

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

问题 3:

The countryName field needed to be the same in the

CA certificate (cn) and the request (sh)

解决 3：证书的国家名称，省名要相同

九、注意：

SSL 会话不能基于主机名区分，服务器只有一个 ip 地址，只能为一个主机提供 ssl 的功能，如果有很多基于域名的虚拟主机，ssl 只能提供给其中的一个虚拟主机使用.

更多 OpenSSL 相关内容可以查看以下的有用链接：

使用 OpenSSL 命令行构建 CA 及证书 http://www.linuxidc.com/Linux/2015-10/124682.htm

Ubuntu 安装 OpenSSL http://www.linuxidc.com/Linux/2015-10/124001.htm

通过 OpenSSL 提供 FTP+SSL/TLS 认证功能，并实现安全数据传输 http://www.linuxidc.com/Linux/2013-05/84986.htm

Linux 下使用 OpenSSL 生成证书 http://www.linuxidc.com/Linux/2015-05/117034.htm

利用 OpenSSL 签署多域名证书 http://www.linuxidc.com/Linux/2014-10/108222.htm

在 OpenSSL 中添加自定义加密算法 http://www.linuxidc.com/Linux/2015-08/121749.htm

OpenSSL 的详细介绍：请点这里
OpenSSL 的下载地址：请点这里

本文永久更新链接地址：http://www.linuxidc.com/Linux/2016-02/128569.htm

正文完

星哥说事-微信公众号

发表至：服务器应用

2022-01-21

0

转载说明：除特殊说明外本站文章皆由CC-4.0协议发布，转载请注明出处。

Linux入门教程：Squid代理服务器

在CentOS Linux 7.5上使用Let’s Encrypt以保护Nginx

分布式服务框架的4项特性

ELK Stack集群部署与Grafana及可视化图形

Keepalived实现高可用Nginx反向代理

Ubuntu Server下Docker实战 01: 安装Docker

为Linux上的Tomcat安装apr支持

CentOS 6.6下Tomcat集群

Mesos+Marathon管理Docker集群

基于OpenSSL的HTTPS服务配置

已备案网站变更并且不影响现有业务的方案

介绍一些好玩且实用的开源的AI工具

一、前端三要素

CSS样式实现显示和隐藏特效功能详解

Vue中vue-router实现原理详解

腾讯云GPU服务器GN7实例NVIDIA T4 GPU卡优惠价格表

DNS 原理入门

亿级Web系统的高容错性实践

iptables 常用规则使用实例

教你如何在C++二进制文件中注入git信息