Linux: HTTPS Service
Protocol | Transport | Port | Security |
---|---|---|---|
HTTP | plaintext | 80 | No encryption; anyone on the path can read the traffic |
HTTPS | encrypted | 443 | HTTP over SSL/TLS |
What HTTPS adds on top of HTTP:
- Encryption of the data (against eavesdropping)
- Authentication of the server (against impersonation)
- Integrity checking (against tampering)
Core `openssl req` options for certificate work
Option | Purpose | Example |
---|---|---|
-x509 | Output a self-signed certificate instead of a CSR | Creating the private CA's root certificate |
-new | Generate a new certificate signing request (CSR) | Requesting a certificate for a server |
-key | Path of the private key to use | -key server.key |
-out | Path of the output file | -out server.crt |
-days | Validity period in days (only meaningful together with -x509, or on `openssl ca` when signing) | -days 3650 (10 years) |
Standard CA directory: /etc/pki/CA/
/etc/pki/CA/
├── certs/ # signed certificates
├── crl/ # certificate revocation lists (CRL)
├── newcerts/ # copy of every certificate issued, named by serial number
├── private/ # CA private key (strictly restricted permissions)
├── index.txt # certificate database (one line per issued certificate)
└── serial # next serial number to issue
On the DNS server, add forward records for ca.example.com (and for the web host used below) so the scp steps resolve the names; the lab edits its zone file, named xieyuhui.com, under /var/named/:
cd /var/named/
vim xieyuhui.com
On host CA, generate the CA's private key (the umask 077 subshell makes the key file mode 600, readable by root only):
[root@xieyuhui2 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem)
Generating RSA private key, 2048 bit long modulus
..+++
......................+++
e is 65537 (0x10001)
On host CA, generate the CA's self-signed root certificate (the Common Name is the CA's own name; -days here sets the root's lifetime):
[root@xieyuhui2 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.example.com
Email Address []:
On host CA, create the files that `openssl ca` needs: the certificate database and the serial counter (the directories already exist on this system):
[root@xieyuhui2 ~]# touch /etc/pki/CA/serial
[root@xieyuhui2 ~]# touch /etc/pki/CA/index.txt
[root@xieyuhui2 ~]# echo 01 > /etc/pki/CA/serial
[root@xieyuhui2 CA]# ls
cacert.pem certs crl index.txt newcerts private serial
On host WEB, generate the web server's private key and keep it in /etc/httpd/ssl (again with umask 077, so only root can read it):
[root@xieyuhui ~]# mkdir /etc/httpd/ssl
[root@xieyuhui ~]# (umask 077;openssl genrsa -out /etc/httpd/ssl/httpd.key)
Generating RSA private key, 2048 bit long modulus
..........+++
.........................+++
e is 65537 (0x10001)
On host WEB, generate the signing request for the site (Common Name xieyuhui.example.com in this lab). Do not pass -days here: a CSR carries no validity period, it is set by the CA when it signs.
[root@xieyuhui ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:LQ
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xieyuhui.example.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
On host WEB, send the signing request to the CA server (a CSR is not secret, but it must arrive unmodified, so use an authenticated channel such as scp):
[root@xieyuhui ~]#scp /etc/httpd/ssl/httpd.csr root@ca.example.com:/etc/pki/CA/
On host CA, sign the request and write the resulting web certificate into the certs directory (`openssl ca` reads /etc/pki/tls/openssl.cnf, whose [CA_default] section points at /etc/pki/CA):
[root@xieyuhui2 ~]# openssl ca -in /etc/pki/CA/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 12 12:48:40 2025 GMT
            Not After : Aug 12 12:48:40 2026 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = LQ
            organizationalUnitName    = IT
            commonName                = xieyuhui.example.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                92:CB:55:33:05:4C:C0:AA:B8:4D:48:F4:59:F0:B2:FA:1B:89:06:A8
            X509v3 Authority Key Identifier:
                keyid:8E:1E:9E:87:60:0B:9C:53:C9:2C:65:A4:63:B4:01:36:7D:10:DC:C1
Two things to notice in this output. The subject has lost the localityName (WH) that was entered in the CSR: `openssl ca` keeps only the fields listed in its policy section, and the default policy_match does not list localityName. And the certificate carries a Common Name but no subjectAltName; Chrome and other current clients require the host name in a subjectAltName and will reject a CN-only certificate, so for anything beyond a Firefox lab the CA should add one when it signs.
On host WEB, fetch the signed web certificate from the CA host:
[root@xieyuhui ~]#scp root@ca.example.com:/etc/pki/CA/certs/httpd.crt /etc/httpd/ssl/
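The whole CA workflow of the preceding steps, as an added example that is not part of the original page: it rebuilds the /etc/pki/CA layout under a temporary directory, so it can be dry-run on any machine with openssl without touching the real CA, and it supplies the two things the lab leaves to the system defaults: the root gets an explicit CA:TRUE/keyCertSign extension set, and the server certificate gets a subjectAltName, which Chrome and other modern clients require. The host names ca.example.com and xieyuhui.example.com and the DN values are assumptions carried over from the lab.

```shell
#!/usr/bin/env bash
# Added example, not the page's own commands. Rebuilds the lab's private CA
# under a temporary directory: CA key -> self-signed root -> server key ->
# CSR -> `openssl ca` -> chain check. Host names and DN values are assumed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_HOST="ca.example.com"          # assumed, as in the lab
WEB_HOST="xieyuhui.example.com"   # assumed, as in the lab
DN="/C=CN/ST=HB/L=WH/O=LQ/OU=IT"

# Same layout as /etc/pki/CA, rooted at $WORK/CA (serial and index.txt as in the lab).
mkdir -p "$WORK/CA/private" "$WORK/CA/newcerts" "$WORK/CA/certs" "$WORK/web"
touch "$WORK/CA/index.txt"
echo 01 > "$WORK/CA/serial"
echo 'unique_subject = no' > "$WORK/CA/index.txt.attr"

# Minimal openssl.cnf. Extensions come from the CA's own config, never from
# the CSR, so a requester cannot smuggle in CA:TRUE.
cat > "$WORK/lab.cnf" <<EOF
[ req ]
distinguished_name = req_dn
default_md         = sha256
[ req_dn ]
[ ca ]
default_ca = lab_ca
[ lab_ca ]
database        = $WORK/CA/index.txt
new_certs_dir   = $WORK/CA/newcerts
serial          = $WORK/CA/serial
certificate     = $WORK/CA/cacert.pem
private_key     = $WORK/CA/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = policy_lab
x509_extensions = v3_server
[ policy_lab ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$WEB_HOST
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# Step 1 (host CA): key with mode 600, then a 10-year self-signed root.
make_ca() {
  (umask 077; openssl genrsa -out "$WORK/CA/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$WORK/lab.cnf" -extensions v3_ca \
    -key "$WORK/CA/private/cakey.pem" -out "$WORK/CA/cacert.pem" \
    -days 3650 -subj "$DN/CN=$CA_HOST"
}
# Step 2 (host WEB): server key and CSR. No -days: a CSR has no validity.
make_server_csr() {
  (umask 077; openssl genrsa -out "$WORK/web/httpd.key" 2048 2>/dev/null)
  openssl req -new -config "$WORK/lab.cnf" -key "$WORK/web/httpd.key" \
    -out "$WORK/web/httpd.csr" -subj "$DN/CN=$WEB_HOST"
}
# Step 3 (host CA): verify the CSR signature, sign it (-batch answers the
# y/n prompts seen in the lab), and hand it back (the lab used scp).
sign_server_cert() {
  openssl req -in "$WORK/web/httpd.csr" -noout -verify
  openssl ca -batch -config "$WORK/lab.cnf" -notext \
    -in "$WORK/web/httpd.csr" -out "$WORK/CA/certs/httpd.crt"
  cp "$WORK/CA/certs/httpd.crt" "$WORK/web/httpd.crt"
}

# Checks to run before the files go into /etc/httpd/ssl.
verify_chain() { openssl verify -CAfile "$WORK/CA/cacert.pem" "$WORK/web/httpd.crt"; }
root_is_ca()   { openssl x509 -in "$WORK/CA/cacert.pem" -noout -text | grep -q 'CA:TRUE'; }
san_of_cert()  { openssl x509 -in "$WORK/web/httpd.crt" -noout -text \
                   | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '; }
key_matches_cert() {   # same RSA modulus in the key and the certificate
  [ "$(openssl rsa -in "$WORK/web/httpd.key" -noout -modulus)" = \
    "$(openssl x509 -in "$WORK/web/httpd.crt" -noout -modulus)" ]
}
issued_count() { grep -c '^V' "$WORK/CA/index.txt"; }   # 'V' = valid entry
key_mode()     { stat -c %a "$1"; }

make_ca
make_server_csr
sign_server_cert
verify_chain
echo "SAN=$(san_of_cert) issued=$(issued_count) cakey_mode=$(key_mode "$WORK/CA/private/cakey.pem")"
```

Mapping back to the lab: $WORK/CA/private/cakey.pem and cacert.pem are the files under /etc/pki/CA, $WORK/web holds what lives in /etc/httpd/ssl, and after one signing index.txt has one V line, newcerts/01.pem exists and serial has moved on to 02. The key_matches_cert check is worth keeping: the most common reason for httpd to refuse to start with a new certificate is a key and certificate that do not belong together.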
On host WEB, install the Apache HTTP Server TLS module, mod_ssl:
[root@xieyuhui ~]# yum install mod_ssl -y
[root@xieyuhui ~]# rpm -q mod_ssl
mod_ssl-2.4.6-88.el7.centos.x86_64
(confirms the package is installed)
Edit the mod_ssl configuration. Its default <VirtualHost _default_:443> block points SSLCertificateFile and SSLCertificateKeyFile at the self-signed localhost files under /etc/pki/tls; either change them to /etc/httpd/ssl/httpd.crt and /etc/httpd/ssl/httpd.key, or leave the default alone and set both directives in the site's own virtual host. Do not add a second Listen 443, ssl.conf already has one:
[root@xieyuhui ~]# vim /etc/httpd/conf.d/ssl.conf
Copy the example virtual host file shipped with the httpd documentation into the configuration directory:
[root@xieyuhui ~]# cp -p /usr/share/doc/httpd-2.4.6/httpd-vhosts.conf /etc/httpd/conf.d
Deploy the HTTPS site: replace the dummy-host examples in the copied file with a <VirtualHost *:443> for the site that turns on SSLEngine and names the certificate and key from /etc/httpd/ssl:
[root@xieyuhui ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf
Restart the service and enable it at boot:
[root@xieyuhui ~]# systemctl restart httpd
[root@xieyuhui ~]# systemctl enable httpd
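An assumed /etc/httpd/conf.d/httpd-vhosts.conf for the site, added here as an example (the page does not show the file's contents, and this is not the lab's own file). The ServerName, DocumentRoot and log names are assumptions; the certificate and key paths are the ones created above, and Listen 443 is deliberately absent because ssl.conf already provides it.

```apache
# Added example, not the lab's file. HTTPS virtual host for the site.
<VirtualHost *:443>
    ServerName   xieyuhui.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

    # Disable the protocol versions nothing current should negotiate.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on

    ErrorLog  logs/ssl_xieyuhui_error_log
    CustomLog logs/ssl_xieyuhui_access_log combined
</VirtualHost>

# Plain-HTTP name on port 80 only redirects to HTTPS.
<VirtualHost *:80>
    ServerName xieyuhui.example.com
    Redirect permanent / https://xieyuhui.example.com/
</VirtualHost>
```

Run `apachectl configtest` before the restart; it catches a key/certificate mismatch or a wrong path without taking the service down. From a client that has cacert.pem, `openssl s_client -connect xieyuhui.example.com:443 -servername xieyuhui.example.com -CAfile cacert.pem` should end with `Verify return code: 0 (ok)`, and `curl --cacert cacert.pem https://xieyuhui.example.com/` should return the page without `-k`. If only `-k` works, either the client is trusting the wrong root or the name in the URL does not match the certificate.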
Open the firewall for HTTPS. The lab simply disabled firewalld and SELinux; adding the https service to firewalld opens port 443 without dropping the rest of the firewall, and SELinux can stay enforcing, because /etc/httpd/ssl inherits the httpd configuration label and httpd can read the key and certificate there.
On the client, download the CA's root certificate (cacert.pem, not the server certificate) from the CA server:
[root@xieyuhui3 ~]# scp root@ca.example.com:/etc/pki/CA/cacert.pem .
Open Firefox and import the root certificate:
Settings – Preferences – Advanced – Certificates – View Certificates – Import – select the root certificate and double-click it – tick "Trust this CA to identify websites" – OK – OK
Then browse to the site and inspect the certificate: the connection should be reported as secure and the certificate shown should be the one issued by ca.example.com. Use the DNS name in the URL, not the IP address, because the name has to match the certificate's Common Name.