HTTPS service configuration based on Apache 2.4.4

Environment: two Linux virtual machines and one local Windows machine. One VM acts as the web server (Apache 2.4.4) that will serve HTTPS, the other as the CA server; the Windows machine is used to test the HTTPS configuration.

1. The CA server generates a private CA

1.1 Generate the private key (in /etc/pki/CA)

[[email protected] CA]# (umask 077; openssl genrsa -out private/cakey.pem 1024)      // the CA private key must be stored in the private directory under the name cakey.pem
Generating RSA private key, 1024 bit long modulus
..................................................++++++
........++++++
e is 65537 (0x10001)

1.2 Create the private CA (self-signed CA certificate)

[[email protected] CA]# openssl req -new -x509 -key private/cakey.pem  -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                 // country: any value, but remember what you entered
State or Province Name (full name) []:Hangzhou                       // province: same as above
Locality Name (eg, city) [Default City]:Hangzhou                     // city: same as above
Organization Name (eg, company) [Default Company Ltd]:Taobao          // company: same as above
Organizational Unit Name (eg, section) []:Test                        // organizational unit
Common Name (eg, your name or your server's hostname) []:Test.com     // domain: enter your own company's domain name here
Email Address []:[email protected]                                        // administrator e-mail
[[email protected] CA]# 

Check whether the certs, newcerts and crl directories and the index.txt and serial files exist locally; if not, create them and give serial an initial value.

[[email protected] CA]# ls
ca.key  certs  crl  newcerts  private
[[email protected] CA]# touch serial index.txt
[[email protected] CA]# ls
ca.key  certs  crl  index.txt  newcerts  private  serial
[[email protected] CA]# echo "001">serial
[[email protected] CA]# 


2. The web server generates a certificate request

  2.1 For example, configure HTTPS for the httpd service

  Create an ssl directory under /etc/httpd/ and generate the private key and the certificate request there; the directory can be chosen freely.

  2.2 Generate the private key, as above

[[email protected] ssl]# (umask 077; openssl genrsa  -out httpd.key 1024)
Generating RSA private key, 1024 bit long modulus
.......................++++++
..............................++++++
e is 65537 (0x10001)
[[email protected] ssl]# ls
httpd.key
[[email protected] ssl]# 

2.3 Generate the certificate request

[[email protected] ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                         // these fields must be identical to the private CA's: it is an internal private CA, so keep them consistent or the request cannot be signed
State or Province Name (full name) []:Hangzhou
Locality Name (eg, city) [Default City]:Hangzhou
Organization Name (eg, company) [Default Company Ltd]:Taobao
Organizational Unit Name (eg, section) []:Test
Common Name (eg, your name or your server's hostname) []:www.a.org            // the domain here is the name you are configuring HTTPS for
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[[email protected] ssl]# 

3. Send the request httpd.csr to the CA server for signing; here it is simply copied over

[[email protected] ssl]# scp -P 5211 httpd.csr 192.168.136.131:/tmp/
[email protected]'s password:
httpd.csr                                                                          100%  688     0.7KB/s   00:00
[[email protected] ssl]# 

4. The CA signs the request

 4.1 A problem encountered here

[[email protected] CA]# openssl  ca -in /tmp/httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature      // this means that in the policy section of the configuration file, "CN" is not a valid option
Signature ok
CN:invalid type in 'policy' configuration

4.2 Inspect the configuration file

# For the CA policy          // this is where you configure which fields of the request must be identical to the CA's (match), which are optional (optional), and which must simply be present (supplied)
[ policy_match ]            // this section is wrong: an earlier attempt to change the defaults left the values CN, Henan, WEB and so on in place. The correct value is the policy type shown after each of them (match / optional / supplied; highlighted in red in the original post). Replace CN, Henan, WEB etc. with that type and signing works.
countryName             = CN     match
stateOrProvinceName     = Henan      match
organizationName        = WEB        match
organizationalUnitName  = WEB      optional
commonName              = test       supplied
emailAddress            = [email protected]   optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
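To make the failure in 4.1 and the fix in 4.2 concrete (and the note in 2.3 that the request's fields must agree with the CA's), here is an added model of how "openssl ca" evaluates a [ policy_* ] section. It is example code, not the page's or OpenSSL's own; the subjects are constructed from the values shown on the page, and the e-mail address is a placeholder.

```python
# Added example: a model of how "openssl ca" applies a [ policy_* ] section
# from openssl.cnf to a certificate request before signing it.
#   match    -> the request's value must equal the CA certificate's value
#   supplied -> the request must carry the field (any value)
#   optional -> the field may be absent
# Any other value is rejected, and openssl prints the offending *value*,
# which is why the page shows "CN:invalid type in 'policy' configuration".

VALID_TYPES = ("match", "optional", "supplied")

# Subject of cacert.pem (section 1.2); e-mail is a constructed placeholder
CA_SUBJECT = {
    "countryName": "CN", "stateOrProvinceName": "Hangzhou",
    "localityName": "Hangzhou", "organizationName": "Taobao",
    "organizationalUnitName": "Test", "commonName": "Test.com",
    "emailAddress": "admin@example.com",
}
# Subject of httpd.csr (section 2.3): same fields, different common name
CSR_SUBJECT = dict(CA_SUBJECT, commonName="www.a.org")

# The broken [ policy_match ] from 4.2: values left over from editing
POLICY_BROKEN = {"countryName": "CN", "stateOrProvinceName": "Henan",
                 "organizationName": "WEB", "organizationalUnitName": "WEB",
                 "commonName": "test", "emailAddress": "admin@example.com"}

# The corrected section (OpenSSL's default policy_match)
POLICY_MATCH = {"countryName": "match", "stateOrProvinceName": "match",
                "organizationName": "match", "organizationalUnitName": "optional",
                "commonName": "supplied", "emailAddress": "optional"}


def check_policy(policy, ca_subject, req_subject):
    """Return (ok, message); stops at the first failure like openssl ca."""
    for field, ptype in policy.items():
        if ptype not in VALID_TYPES:
            return False, f"{ptype}:invalid type in 'policy' configuration"
        if ptype == "optional":
            continue
        value = req_subject.get(field)
        if value is None:
            return False, f"The {field} field needed to be supplied and was missing"
        if ptype == "match" and value != ca_subject.get(field):
            return False, (f"The {field} field is different between CA certificate "
                           f"({ca_subject.get(field)}) and the request ({value})")
    return True, "policy ok"


if __name__ == "__main__":
    print(check_policy(POLICY_BROKEN, CA_SUBJECT, CSR_SUBJECT))   # the 4.1 error
    print(check_policy(POLICY_MATCH, CA_SUBJECT, CSR_SUBJECT))    # signs fine
    # a request whose province differs from the CA's is refused under "match"
    print(check_policy(POLICY_MATCH, CA_SUBJECT, dict(CSR_SUBJECT, stateOrProvinceName="Henan")))
```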

4.3 The CA signs the request

[[email protected] CA]# openssl  ca -in /tmp/httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul 19 05:17:43 2015 GMT
            Not After : Jul 18 05:17:43 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Hangzhou
            organizationName          = Taobao
            organizationalUnitName    = Test
            commonName                = www.a.org
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C7:06:AC:D8:C2:49:DA:F6:DD:1A:03:75:4F:94:26:FD:53:E7:18:5F
            X509v3 Authority Key Identifier:
                keyid:F2:A3:E1:30:32:E5:24:38:6F:4D:FF:3F:97:B1:E7:84:4A:41:97:36

Certificate is to be certified until Jul 18 05:17:43 2016 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[[email protected] CA]# ls
cacert.pem  certs  crl  httpd.crt  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial  serial.old
[[email protected] CA]#

5. The CA then sends httpd.crt back to the web server

[[email protected] CA]# scp httpd.crt 192.168.136.135:/etc/httpd/ssl
[email protected]192.168.136.135's password:
httpd.crt                                                                          100% 3128     3.1KB/s   00:00
[[email protected] CA]# 

6. If the mod_ssl module is missing, install it first; then edit the web server's /etc/httpd/conf.d/httpd.conf configuration file

6.1 Load the modules

LoadModule socache_shmcb_module modules/mod_socache_shmcb.so     // remove the leading #; if this module is not loaded, startup fails with: SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?).
LoadModule ssl_module modules/mod_ssl.so                         // remove the leading # to load the SSL module

6.2 Configure /etc/httpd/extra/httpd-ssl.conf

SSLCertificateFile "/etc/httpd/ssl/httpd.crt"        // set to the location of the certificate file
SSLCertificateKeyFile "/etc/httpd/ssl/httpd.key"     // set to the location of the private key

<VirtualHost 192.168.136.135:443>                  // make the VirtualHost the same as the one configured in httpd-vhosts.conf

#   General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs/www.a.org"
ServerName www.a.org:443
ServerAdmin [email protected]
ErrorLog "/usr/local/apache/logs/error_log"
TransferLog "/usr/local/apache/logs/access_log"

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on                                    // this turns SSL on for the virtual host

7. Restart the service and test www.a.org. Because the private CA is not public and is only used internally, it is not trusted on the Internet. You can import the CA's own certificate so that the private CA becomes a trusted certificate issuer on the client.

Download cacert.pem from the CA server to the local machine, rename it to cacert.crt, install it, and import it into the trusted root store.

Time: 2024-10-06 00:40:52
