Encrypted connections: HTTPS
Date: 2017-06-14
Asymmetric encryption
1. Create the private key file
2. Create a certificate signing request (CSR)
3. Submit the request to the CA
4. The CA returns the signed certificate
5. Configure the HTTPS virtual host
Building your own CA
Environment:
servera  web server  172.25.34.10
serverb  CA          172.25.34.11
1. Deploy the web server on servera
[root@servera ~]#yum install -y wget vim unzip bzip2 gzip net-tools openssl openssl-devel
[root@servera ~]#wget http://nginx.org/packages/centos/7/x86_64/RPMS/nginx-1.8.0-1.el7.ngx.x86_64.rpm
2. Create the private key on servera
[root@servera ~]#mkdir /etc/nginx/key
[root@servera ~]#cd /etc/nginx/key
[root@servera key]#openssl genrsa 2048 > servera-web.key
Generating RSA private key, 2048 bit long modulus
.................+++
........................................................+++
e is 65537 (0x10001)
3. Generate the certificate signing request
[root@servera key]#openssl req -new -key servera-web.key -out servera-web.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:hpoto Company .Ltd
Organizational Unit Name (eg, section) []:www.hpoto.com
Common Name (eg, your name or your server's hostname) []:www.hpoto.com
Email Address []:root@hpoto.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@servera key]#ls
servera-web.csr servera-web.key
4. Submit the CSR to the CA (serverb plays the role of the CA)
[root@servera key]#scp servera-web.csr root@172.25.34.11:~
5. serverb acts as the CA: create the CA key and a self-signed CA certificate
[root@serverb ~]# openssl genrsa -des3 -out ca.key 4096
Generating RSA private key, 4096 bit long modulus
......................++
....................................................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: # the passphrase set here is needed again for every signing operation
Verifying - Enter pass phrase for ca.key: # the passphrase is not echoed
[root@serverb ~]# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key: # the passphrase set in the previous step
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:redhat .Ltd
Organizational Unit Name (eg, section) []:www.redhat.com
Common Name (eg, your name or your server's hostname) []:www.redhat.com
Email Address []:redhat@redhat.com
6. The CA issues a certificate for the CSR
[root@serverb ~]#openssl x509 -req -days 365 -in servera-web.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out servera-web.crt
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=hpoto Company .Ltd/OU=www.hpoto.com/CN=www.hpoto.com/emailAddress=root@hpoto.com
Getting CA Private Key
Enter pass phrase for ca.key:
Send the certificate back to the web server
[root@serverb ~]# scp servera-web.crt 172.25.0.10:/etc/nginx/key
The authenticity of host '172.25.0.10 (172.25.0.10)' can't be established.
ECDSA key fingerprint is 6c:49:1a:9c:b8:9c:4c:91:20:f6:7f:9c:da:ef:57:7f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.0.10' (ECDSA) to the list of known hosts.
root@172.25.0.10's password:
servera-web.crt 100% 1688 1.7KB/s 00:00
7. SSL configuration
[root@servera key]# cd /etc/nginx/conf.d/
[root@servera conf.d]# vim www.hpoto.com.conf
server {
    listen 443 ssl; # HTTPS listens on port 443
    server_name www.hpoto.com;
    ssl_certificate /etc/nginx/key/servera-web.crt; # certificate location
    ssl_certificate_key /etc/nginx/key/servera-web.key; # private key location
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # allowed cipher suites, written in the format openssl understands
    ssl_prefer_server_ciphers on;
    # for SSLv3 and TLSv1 the server's cipher preference takes priority over the client's
    root /usr/share/nginx/hpoto.com; # site document root; related: http://www.hpoto.com.cn/koke2050/
    index index.html index.htm;
}
8. Create the document root and a test index page
[root@servera conf.d]# mkdir /usr/share/nginx/hpoto.com
[root@servera conf.d]# echo hpoto > /usr/share/nginx/hpoto.com/index.html
9. Restart the service
[root@servera conf.d]# systemctl restart nginx
10. Test access
Enter https://www.hpoto.com in the browser.
The browser reports an error: the connection is not trusted, because the simulated CA is not in the browser's list of trusted CAs.
(Fix)
Import the CA's crt file into the browser, then refresh the page and it opens.
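The procedure above, as an added example that is not part of the original post: a shell script that repeats steps 2 to 6 with openssl non-interactively in a temporary directory, then runs the checks an operator should do before copying the files into /etc/nginx/key. It checks that the issued certificate verifies against ca.crt, that it does not verify without ca.crt (which is the position the browser is in at step 10), that the certificate's public key belongs to servera-web.key, and that its issuer is the CA. The CA passphrase, the temporary directory and the -subj strings are constructed for the example; file names, key sizes and DN fields follow the post.

```shell
#!/bin/sh
# Added example, not part of the original post: runs the post's steps 2-6 without
# the interactive prompts and then checks the result. File names and DN fields follow
# the post; the CA passphrase and the scratch directory are constructed here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_PASS="example-ca-passphrase"   # constructed; the post types this at the prompt

build_pki() {
    # Step 2: server private key, unencrypted so nginx can start unattended.
    openssl genrsa -out "$WORK/servera-web.key" 2048 2>/dev/null
    # Step 3: CSR; -subj supplies the DN that the post enters at the prompts.
    openssl req -new -key "$WORK/servera-web.key" -out "$WORK/servera-web.csr" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=hpoto Company .Ltd/OU=www.hpoto.com/CN=www.hpoto.com/emailAddress=root@hpoto.com"
    # Step 5: passphrase-protected CA key and a self-signed CA certificate (10 years).
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
        -out "$WORK/ca.crt" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=redhat .Ltd/OU=www.redhat.com/CN=www.redhat.com/emailAddress=redhat@redhat.com"
    # Step 6: the CA signs the request; -passin replaces the "Enter pass phrase" prompt.
    openssl x509 -req -days 365 -in "$WORK/servera-web.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -passin "pass:$CA_PASS" -set_serial 01 \
        -out "$WORK/servera-web.crt" 2>/dev/null
}

# Show what the CA actually issued: subject, issuer, validity window and serial.
show_cert() {
    openssl x509 -in "$WORK/servera-web.crt" -noout -subject -issuer -dates -serial
}

# Check 1: the server certificate chains to ca.crt. The "OK" text is matched instead
# of the exit status because OpenSSL 1.0.x returned 0 even when verification failed.
chain_verifies() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/servera-web.crt" 2>&1 | grep -q ': OK$'
}

# Check 2: the same certificate without ca.crt. This is what a browser sees before the
# CA certificate has been imported (step 10), so verification is expected to fail.
chain_verifies_without_ca() {
    openssl verify "$WORK/servera-web.crt" 2>&1 | grep -q ': OK$'
}

# Check 3: the public key inside the certificate belongs to servera-web.key. nginx
# refuses to start when ssl_certificate and ssl_certificate_key do not match.
key_matches_cert() {
    [ "$(openssl pkey -in "$WORK/servera-web.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/servera-web.crt" -pubkey -noout)" ]
}

# Check 4: the issuer of the server certificate is the subject of ca.crt. The
# "issuer="/"subject=" prefixes are stripped because their formatting differs by version.
issuer_is_ca() {
    [ "$(openssl x509 -in "$WORK/servera-web.crt" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$WORK/ca.crt" -noout -subject | sed 's/^subject=//')" ]
}

build_pki
show_cert
chain_verifies            && echo "chain verifies against ca.crt"
chain_verifies_without_ca || echo "not trusted without ca.crt (what the browser reports)"
key_matches_cert          && echo "private key matches certificate"
issuer_is_ca              && echo "issuer is the self-built CA"
```

The same openssl verify -CAfile check can be run on serverb before the certificate is copied back in the step above, and the -dates output shows the one-year validity that -days 365 gives the server certificate, which is when step 6 has to be repeated.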