Linux Primer: How an HTTPS Virtual Host Works and How to Deploy a Private CA
Deploying an HTTPS virtual host
Background
HTTP protocol
Data is transmitted in plaintext
HTTPS protocol
Data is transmitted encrypted
Elements of security assurance:
Data confidentiality [encryption]
Data integrity
Authenticity of identity
Data confidentiality
Core idea:
The sender encrypts the data; the receiver decrypts it
Types of encryption algorithms
Symmetric encryption algorithms; asymmetric encryption algorithms
Symmetric encryption algorithms
The same key is used for encryption and for decryption
Representative symmetric algorithms: DES, 3DES, AES
Advantages: simple and fast
Disadvantages: lower security
Encrypt data
[aaa@qq.com ~]# openssl enc -e -des -in /tmp/file01 -out /tmp/file01_new
Decrypt data
[aaa@qq.com ~]# openssl enc -d -des -in /tmp/file01_new -out /tmp/file01
Asymmetric encryption algorithms / public-key encryption algorithms
Key pair
Public key and private key
For encryption: encrypt with the public key, decrypt with the private key
Representative algorithms: DSA, RSA
Can be exercised with the gpg tool
Advantages: higher security
Disadvantages: slow
In practice: the actual data is encrypted with a symmetric algorithm, and the symmetric algorithm's key is encrypted with an asymmetric algorithm
Data integrity
The data is sent to host B together with its checksum; host B runs the same algorithm over the data and compares the two checksums
Representative algorithms: MD5, SHA
[aaa@qq.com ~]# md5sum /etc/fstab
[aaa@qq.com ~]# sha256sum /etc/fstab
Verifying the authenticity of identity
Encryption: the public key encrypts, the private key decrypts
Signing: the private key signs, the public key verifies the signature
- The e-commerce server generates a certificate request (site name, address, nature of the business, public key) and sends it to the CA
- The CA verifies that the information is genuine; once it passes, the CA signs with its own private key and returns the certificate to the e-commerce server
- When a client visits the e-commerce site, the site sends its certificate to the client, and the client contacts the CA to verify that the certificate is genuine
- The client generates a symmetric algorithm and key, encrypts them with the e-commerce site's public key and sends them to the site
- Client and server then use the symmetric algorithm to encrypt and decrypt the data they exchange
Deploying a private CA
Deploy the private CA
1. Generate a key pair
2. Generate a self-signed certificate
Deploy the web server
1. Generate a key pair
2. Generate a certificate request
3. Obtain the certificate
4. Configure the website
Deployment procedure
1. Create the private CA's database file (index.txt) and serial number file (serial)
[aaa@qq.com ~]# touch /etc/pki/CA/index.txt
[aaa@qq.com ~]# echo 01 > /etc/pki/CA/serial
[aaa@qq.com ~]# ls /etc/pki/CA/
certs crl index.txt newcerts private serial
2. Generate the key pair with the openssl command
openssl [encryption type] [option] [storage location] [key length]
[aaa@qq.com ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024
Generating RSA private key, 1024 bit long modulus
....++++++
.......................................................................++++++
e is 65537 (0x10001)
3. Generate the self-signed certificate
openssl [request] [option] [certificate format] [key option] [key location] [option] [output location] [validity period]
[aaa@qq.com ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:China
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:BJ
Organizational Unit Name (eg, section) []:BJ
Common Name (eg, your name or your server's hostname) []:ca.linux.com
Email Address []:aaa@qq.com
Deploy the website server
1. Create a directory on the web server to store the key material
[aaa@qq.com ~]# mkdir /etc/httpd/cassl
2. Generate the server key
[aaa@qq.com ~]# openssl genrsa -out /etc/httpd/cassl/text.key 1024
Generating RSA private key, 1024 bit long modulus
..........++++++
..........++++++
e is 65537 (0x10001)
3. Generate the certificate request
[aaa@qq.com ~]# openssl req -new -key /etc/httpd/cassl/text.key -out /etc/httpd/cassl/text.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:BJ
Organizational Unit Name (eg, section) []:BJ
Common Name (eg, your name or your server's hostname) []:text.linux.com
Email Address []:aaa@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4. Send the certificate request to the CA
[aaa@qq.com ~]# cp /etc/httpd/cassl/text.csr ./
[aaa@qq.com ~]# ls
anaconda-ks.cfg text.csr
Have the CA issue the certificate
1. Sign the certificate
[aaa@qq.com ~]# openssl ca -in ./text.csr -out /etc/pki/CA/certs/text.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 31 20:32:43 2020 GMT
Not After : Aug 29 20:32:43 2030 GMT
Subject:
countryName = CN
stateOrProvinceName = BJ
organizationName = BJ
organizationalUnitName = BJ
commonName = text.linux.com
emailAddress = aaa@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
9D:AC:5D:6B:8F:72:6C:F5:0D:BF:9E:3F:D4:03:64:CF:02:CC:0C:47
X509v3 Authority Key Identifier:
keyid:9B:E5:4D:1C:88:62:D6:34:A3:CB:59:F2:22:47:98:44:9D:0D:B7:9F
Certificate is to be certified until Aug 29 20:32:43 2030 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[aaa@qq.com ~]# ls /etc/pki/CA/certs/
text.crt
2. Copy the certificate to the website server
[aaa@qq.com ~]# cp /etc/pki/CA/certs/text.crt /etc/httpd/cassl/
cp: overwrite ‘/etc/httpd/cassl/text.csr’? y
[aaa@qq.com ~]# ls /etc/httpd/cassl/
text.csr text.key text.crt
[aaa@qq.com ~]#
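As an added example (not from the original post), the script below reproduces the CA and server steps above in a scratch directory and then runs the checks an operator should make before copying text.key and text.crt into /etc/httpd/cassl/: that the issued certificate chains to the CA, that the private key matches the certificate, and that the leaf carries CA:FALSE and a subjectAltName (current browsers no longer match the hostname against CN alone). It assumes openssl is in PATH, uses 2048-bit keys instead of the post's 1024-bit ones, and signs with openssl x509 -req -CA rather than openssl ca so that it needs no /etc/pki/CA database.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway private CA and an
# issued server certificate in a scratch directory, then check the result.
# Assumptions: openssl is in PATH; names follow the post (ca.linux.com,
# text.linux.com); 2048-bit keys; "openssl x509 -req -CA" is used for signing
# instead of "openssl ca" so no /etc/pki/CA database is required.
set -e

build_demo_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CA: private key plus a self-signed certificate (req -x509 marks it CA:TRUE)
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -days 3650 -subj "/C=CN/ST=BJ/O=BJ/CN=ca.linux.com"
    # Server: private key and certificate signing request
    openssl genrsa -out "$dir/text.key" 2048 2>/dev/null
    openssl req -new -key "$dir/text.key" -out "$dir/text.csr" \
        -subj "/C=CN/ST=BJ/O=BJ/CN=text.linux.com"
    # Leaf extensions: not a CA, plus a subjectAltName, which browsers require
    # (they no longer match the hostname against CN alone).
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:text.linux.com\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/text.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 \
        -extfile "$dir/leaf.ext" -out "$dir/text.crt" 2>/dev/null
}

# Checks to run before copying text.key / text.crt into /etc/httpd/cassl/.
# Returns 0 only if all of them pass.
verify_issued_cert() {
    dir="$1"
    # 1. The issued certificate chains to our CA certificate.
    openssl verify -CAfile "$dir/cacert.pem" "$dir/text.crt" >/dev/null || return 1
    # 2. SSLCertificateKeyFile must match SSLCertificateFile: same RSA modulus.
    k=$(openssl rsa -noout -modulus -in "$dir/text.key")
    c=$(openssl x509 -noout -modulus -in "$dir/text.crt")
    [ "$k" = "$c" ] || return 1
    # 3. The leaf is an end-entity cert and carries the site name in its SAN.
    txt=$(openssl x509 -noout -text -in "$dir/text.crt")
    echo "$txt" | grep -q 'CA:FALSE' || return 1
    echo "$txt" | grep -q 'DNS:text.linux.com' || return 1
}

# Usage: sh demo_pki.sh /tmp/demo-pki
if [ -n "$1" ]; then
    build_demo_pki "$1" && verify_issued_cert "$1" && echo "all checks passed"
fi
```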
Configure the virtual host
1. Install the mod_ssl module
[aaa@qq.com ~]# yum install -y mod_ssl
Loaded plugins: fastestmirror
2. Configure the encrypted host
[aaa@qq.com ~]# vim /etc/httpd/conf.d/ssl.conf
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/text"
ServerName text.linux.com:443

SSLCertificateFile /etc/httpd/cassl/text.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/httpd/cassl/text.key

<Directory "/var/www/html/text">
Require all granted
</Directory>
3. Create the test web page directory
[aaa@qq.com ~]# cd /var/www/html/
[aaa@qq.com html]# ls
index.html vvv
[aaa@qq.com html]# mkdir text
[aaa@qq.com html]# cd text
[aaa@qq.com text]# ls
[aaa@qq.com text]# vim index.html
<h1>
welcome text.linux.com!!!
</h1>
4. Check the configuration and restart the httpd service
[aaa@qq.com ~]# httpd -t
Syntax OK
[aaa@qq.com ~]#
[aaa@qq.com ~]# systemctl restart httpd
5. On Windows, add a name resolution entry for the site to the hosts file in C:\Windows\System32\drivers\etc, then test
Note: the URL must use the https scheme when you visit the page