欢迎来到 黑吧安全网 聚焦网络安全前沿资讯,精华内容,交流技术心得!

一步一步实现linux系统apache实现https详解

来源:本站整理 作者:佚名 时间:2016-01-03 TAG: 我要投稿

1)配置域名支持ca:[root@ns ~]# vim /var/named/chroot/var/named/myhack58.com.zone  ##添加ca主机记录ca    IN    A    192.18.100.151:wq[root@ns ~]# /etc/init.d/named restart  ##重启服务[root@ns ~]# nslookup > server 192.168.100.100Default server: 192.168.100.100Address: 192.168.100.100#53> ca.myhack58.comServer:        192.168.100.100Address:    192.168.100.100#53Name:    ca.myhack58.comAddress: 192.18.100.151> exit2)配置CA服务器:(192.168.100.151)a.使用母盘克隆虚拟机,命名为ca服务器,修改如下:[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE=eth0HWADDR=00:0C:29:75:e6:ebTYPE=EthernetONBOOT=yesNM_CONTROLLED=noBOOTPROTO=staticIPADDR=192.168.100.151NETMASK=255.255.255.0DNS1=192.168.100.100GATEWAY=192.168.100.100:wq[root@localhost ~]# vim /etc/sysconfig/networkHOSTNAME=ca.myhack58.com:wq[root@localhost ~]#  vim /etc/udev/rules.d/70-persistent-net.rules   ##删除eth0,修改eth1为eth0[root@localhost ~]#  rebootb.配置CA:[root@ca ~]# hostname ca.myhack58.com[root@ca ~]# yum -y install openssl openssl-devel   ##安装openssl[root@ca ~]# rpm -ql openssl/etc/pki/CA/etc/pki/CA/certs   ##证书存放目录/etc/pki/CA/crl     ##吊销的证书存放的目录/etc/pki/CA/newcerts##新证书目录/etc/pki/CA/private ##私钥存放目录/etc/pki/tls/openssl.cnf   ##主配置文件/usr/bin/openssl     ##主程序命令[root@ca ~]# vim /etc/pki/tls/openssl.cnf   ##修改主配置文件使用“:set nu”打印行号 40 [ CA_default ] 41  42 dir             = /etc/pki/CA           # Where everything is kept 43 certs           = $dir/certs            # Where the issued certs are kept 44 crl_dir         = $dir/crl              # Where the issued crl are kept 45 database        = $dir/index.txt        # database index file. 46 #unique_subject = no                    # Set to 'no' to allow creation of 47                                         # several ctificates with same subject. 48 new_certs_dir   = $dir/newcerts         # default place for new certs. 49  50 certificate     = $dir/cacert.pem       # The CA certificate 51 serial          = $dir/serial           # The current serial number 52 crlnumber       = $dir/crlnumber        # the current crl number 53                                         # must be commented out to leave a V1 CRL 54 crl             = $dir/crl.pem          # The current CRL 55 private_key     = $dir/private/cakey.pem# The private key128 [ req_distinguished_name ]129 countryName                     = Country Name (2 letter code)130 countryName_default             = CN    ##修国家131 countryName_min                 = 2132 countryName_max                 = 2133 134 stateOrProvinceName             = State or Province Name (full name)135 stateOrProvinceName_default     = beijing   ##设置省136 137 localityName                    = Locality Name (eg, city)138 localityName_default            = beijing   ##设置城市139 140 0.organizationName              = Organization Name (eg, company)141 0.organizationName_default      = myhack58.com Ltd   ##设置组织名称142 143 # we can do this but it is not needed normally :-)144 #1.organizationName             = Second Organization Name (eg, company)145 #1.organizationName_default     = World Wide Web Pty Ltd146 147 organizationalUnitName          = Organizational Unit Name (eg, section)148 organizationalUnitName_default  = tech  ##设置部门:wq[root@ca ~]# cd /etc/pki/CA/[root@ca CA]# ls private/[root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)  ##生成私钥同时将权限设置为600Generating RSA private key, 2048 bit long modulus....................+++...........................................................................................+++e is 65537 (0x10001)[root@ca CA]# ls -l private/  ##验证私钥总用量 4-rw-------. 1 root root 1679 1月   2 20:09 cakey.pem[root@ca CA]# [root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650  ##生成自签证书(根证书)You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [CN]:State or Province Name (full name) [BeiJing]:Locality Name (eg, city) [BeiJing]:Organization Name (eg, company) [myhack58.com]:Organizational Unit Name (eg, section) [tech]:Common Name (eg, your name or your server's hostname) []:ca.myhack58.com   ##主机名填写CA服务器的主机名Email Address []:admin@myhack58.com[root@ca CA]# ls -l cacert.pem -rw-r--r--. 1 root root 1419 1月   2 20:13 cacert.pem[root@ca CA]# [root@ca CA]# mkdir -p certs crl newcerts[root@ca CA]# touch index.txt  ##证书索引[root@ca CA]# echo 00 >serial  ##证书序列号[root@ca CA]# lscacert.pem  certs  crl  index.txt  newcerts  private  serial[root@ca CA]# 3)配置web服务器

[1] [2] [3]  下一页

【声明】:黑吧安全网(http://www.myhack58.com)登载此文出于传递更多信息之目的,并不代表本站赞同其观点和对其真实性负责,仅适于网络安全技术爱好者学习研究使用,学习中请遵循国家相关法律法规。如有问题请联系我们,联系邮箱admin@myhack58.com,我们会在最短的时间内进行处理。
上一篇:某公司泄露版IDA pro6.8去除局域网检测返回黑吧安全网首页】【进入黑吧技术论坛
下一篇:https提供安全的web通讯
  • 最新更新
    • 相关阅读
      • 本类热门
        • 最近下载