歡迎來到Linux教程網
Linux教程網
Linux教程網
Linux教程網
您现在的位置: Linux教程網 >> UnixLinux >  >> Linux基礎 >> 關於Linux

linux下SSL的實現過程

首先,客戶端與服務器端進行三次握手。(因為http基於TCP/IP協議進行通信),然後他們建立SSL會話,協商要使用的加密算法,當協商完成之後。服務器端就會將自己的證書發送給客戶端,客戶端驗證發現沒有問題之後,就會生成一個對稱密鑰發送給服務器端,然後客戶端就發送請求給服務器端,服務器端便會使用剛剛客戶端發來的對稱密鑰加密將內容發送給客戶端。這樣ssl會話就建立起來了。

但是,客戶端如何驗證服務器的證書是否真實呢,那麼便需要一個CA:第三方證書頒發機構給我們的服務器端頒發證書。所以客戶端便可以到CA去驗證服務器端的證書。

這時候的CA,應該自己有一份證書保存在客戶端這邊,並且這段證書是自簽的。(用以客戶端可以到CA去驗證服務器端的證書。)

那麼服務器端如何到CA讓CA給自己搞一份證書呢:首先服務器端先生成一份密鑰,將公鑰交給CA,由CA對它簽署並生成證書,保存一份並回送給服務器端。服務器對其進行配置使用,然後在通話過後就可以將證書發送給客戶端,客戶端詢問CA在進行驗證。

①前提:

要想使你的web服務器支持ssl功能,第一步得安裝SSL模塊

[root@Cyz ~]# yum install mod_ssl     
//查看都安裝了什麼     
[root@Cyz ~]# rpm -ql mod_ssl     
/etc/httpd/conf.d/ssl.conf //說明是配置文件,更改配置需要重啟     
/usr/lib/httpd/modules/mod_ssl.so      
/var/cache/mod_ssl          //緩存目錄     
/var/cache/mod_ssl/scache.dir     
/var/cache/mod_ssl/scache.pag     
/var/cache/mod_ssl/scache.sem

②提供CA

重新找台主機,用這台主機做我們的CA:這台主機的IP為111.9

要想做CA,首先得生成自簽證書,:

[root@localhost ~]# cd /etc/pki/CA/     
//生成私鑰     
[root@localhost CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)     
//umask為了生成時權限其他用戶無權限訪問 –out表示路徑)     
Generating RSA private key, 2048 bit long modulus     
.......................................+++     
........................+++     
e is 65537 (0x10001)     
//查看權限     
[root@localhost CA]# ls -l private/     
total 8     
-rw------- 1 root root 1679 Apr 10 16:15 cakey.pem //600的權限     
        
//然後去修改配置文件中的默認信息,將其改為我們通常使用的     
[root@localhost CA]# vim ../tls/openssl.cnf

//為自己生成自簽證書     
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655     
//然後繼續編輯openssl.cnf找到     
[ CA_default ]     
        
dir             = /etc/pki/CA//改為這樣子     
//然後創建     
[root@localhost CA]# mkdir certs crl newcerts     
[root@localhost CA]# touch index.txt     
[root@localhost CA]# echo 01 > serial     
[root@localhost CA]# ls     
cacert.pem  certs  crl  index.txt  newcerts  private  serial     
//這個時候就已經准備好了CA就可以使用了

這個時候回到我們的客戶端111.1

[root@Cyz ~]# cd /etc/httpd/          //保存在這裡     
[root@Cyz httpd]# mkdir ssl     
[root@Cyz httpd]# ls     
conf conf.d logs modules run ssl     
[root@Cyz httpd]# cd ssl/     
[root@Cyz ssl]# ls     
[root@Cyz ssl]# (umask 077; openssl genrsa 1024 > httpd.key)    //生成密鑰     
Generating RSA private key, 1024 bit long modulus     
................................++++++     
.....................................................++++++     
e is 65537 (0x10001)     
[root@Cyz ssl]# ll     
total 8     
-rw------- 1 root root 887 Apr 10 16:33 httpd.key     
[root@Cyz ssl]# openssl req -new -key httpd.key -out httpd.csr  //生成證書頒發請求     
You are about to be asked to enter information that will be incorporated     
into your certificate request.     
What you are about to enter is what is called a Distinguished Name or a DN.     
There are quite a few fields but you can leave some blank     
For some fields there will be a default value,     
If you enter '.', the field will be left blank.     
-----     
Country Name (2 letter code) [GB]:CN     
State or Province Name (full name) [Berkshire]:Henan        
Locality Name (eg, city) [Newbury]:Zhengzhou     
Organization Name (eg, company) [My Company Ltd]:MageEdu        
Organizational Unit Name (eg, section) []:Tech     
Common Name (eg, your name or your server's hostname) []:hello.magedu.com     
Email Address []:[email protected]     
          
Please enter the following 'extra' attributes     
to be sent with your certificate request     
A challenge password []:     
An optional company name []:     
[root@Cyz ssl]# ls     
httpd.csr httpd.key     
[root@Cyz ssl]# scp httpd.csr 172.16.111.9:/tmp //將csr(證書簽署請求)復制到CA     
The authenticity of host '172.16.111.9 (172.16.111.9)' can't be established.     
RSA key fingerprint is 44:0a:1f:77:7f:cb:df:09:a8:8d:ac:23:47:b3:a8:99.     
Are you sure you want to continue connecting (yes/no)? yes     
Warning: Permanently added '172.16.111.9' (RSA) to the list of known hosts.     
[email protected]'s password:      
httpd.csr                                                   100% 704     0.7KB/s   00:00

然後回到CA進行簽署

[root@localhost CA]# openssl ca -in /tmp/httpd.csr -out /tmp/httpd.crt -days 3650     
Using configuration from /etc/pki/tls/openssl.cnf     
Check that the request matches the signature     
Signature ok     
Certificate Details:     
        Serial Number: 1 (0x1)     
        Validity     
            Not Before: Apr 10 08:41:24 2013 GMT     
            Not After : Apr 8 08:41:24 2023 GMT     
        Subject:     
            countryName               = CN    
            stateOrProvinceName       = Henan    
            organizationName          = MageEdu    
            organizationalUnitName    = Tech    
            commonName                = hello.magedu.com     
            emailAddress              = [email protected]     
        X509v3 extensions:     
            X509v3 Basic Constraints:      
                CA:FALSE     
            Netscape Comment:      
                OpenSSL Generated Certificate     
            X509v3 Subject Key Identifier:      
                10:B1:D2:C5:48:58:66:7B:35:71:BD:62:1D:77:85:12:EB:36:DF:63     
            X509v3 Authority Key Identifier:      
                keyid:30:86:2F:D5:DC:10:09:DA:38:19:E5:72:34:05:D5:5D:CE:83:B2:86     
          
Certificate is to be certified until Apr 8 08:41:24 2023 GMT (3650 days)     
Sign the certificate? [y/n]:y     
          
          
1 out of 1 certificate requests certified, commit? [y/n]y     
Write out database with 1 new entries     
Data Base Updated //頒發成功     
          
//去查看生成的證書     
[root@localhost CA]# cd /etc/pki/CA/         
[root@localhost CA]# ls     
cacert.pem crl        index.txt.attr newcerts serial     
certs       index.txt index.txt.old   private   serial.old     
[root@localhost CA]# cat index.txt //查看內容     
V 230408084124Z            01    unknown       /C=CN/ST=Henan/O=MageEdu/OU=Tech/CN=hello.magedu.com/[email protected]     
[root@localhost CA]# cat serial //已經自動排序     
02     
          
//然後把證書發送給請求者。這裡我們到客戶端去復制證書     
[root@Cyz ssl]# scp 172.16.111.9:/tmp/httpd.crt ./     
[email protected]'s password:      
httpd.crt                                                   100% 3864     3.8KB/s   00:00     
          
這個時候要記得返回CA中將tmp下的臨時文件給刪除掉以免別人獲取     
[root@localhost CA]# cd /tmp/     
[root@localhost tmp]# ls     
busybox                  grub-install.log.s11228 httpd.csr whatis.Fa3163     
grub-install.img.o11227 httpd.crt                initrd     
[root@localhost tmp]# rm httpd.c*     
rm: remove regular file `httpd.crt'? y     
rm: remove regular file `httpd.csr'? y

這個時候證書已經簽署成功了,我們應該如何配置使用它呢:

[root@Cyz ssl]# cd /etc/httpd/conf.d/     
[root@Cyz conf.d]# ls     
manual.conf php.conf proxy_ajp.conf README ssl.conf virtual.conf welcome.con1     
[root@Cyz conf.d]# vim ssl.conf     
          
//將裡面的內容作如下修改:     
          
<VirtualHost 172.16.111.1:443>    
          
#ServerName www.example.com:443     
ServerName hello.magedu.com     
DocumentRoot "/www/magedu.com" 
          
SSLCertificateFile /etc/httpd/ssl/httpd.crt   //證書文件     
          
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key //密鑰文件     
//檢查語法     
[root@Cyz conf.d]# httpd -t     
Syntax OK     
          
//重啟服務     
[root@Cyz conf.d]# service httpd restart

然後繼續修改物理機的HOSTS文件

//添加如下

172.16.111.1   hello.magedu.com

然後我們來訪問下:(我們這裡的是https://)系統提示我們這個網站安全證書有問題,原因是因為我們CA不受信任,解決方法自然是我們手動導入證書了:

我們來到CA,將CA的證書發送給物理主機一份

點擊這裡的綠色按鈕

將其擴展名改為crt 會發現變了樣子

然後雙擊進行安裝

完成之後就可以打來IE來驗證啦

Copyright © Linux教程網 All Rights Reserved