Linux cloud computing architecture-CA certification and https configuration [http, nginx]

1. CA certificate issuance process

A CA (Certificate Authority) is the trusted third party that issues digital certificates. A certificate binds a public key to an identity (a hostname, a person, an organization) under the CA's signature, so anyone who trusts the CA can verify who a public key belongs to; on top of that binding, signatures made with the matching private key can provide non-repudiation. A CA issues, renews, revokes and verifies digital certificates.

The whole process of getting a certificate signed and using it:
① The certificate applicant generates a private key and, from it, a CSR (certificate signing request) that carries the matching public key and the requested subject name.
② The applicant sends the CSR to the CA.
③ The CA signs the CSR with the private key of its root (or an intermediate) certificate, producing the CRT certificate file.
④ The CA returns the CRT certificate file to the applicant.
⑤ The applicant configures its web server with the CRT certificate and the private key from step ① to serve HTTPS. The private key never leaves the applicant; only the CSR and the certificate travel.

Configure the host as a CA:

# The openssl package is needed (it ships the CA helper script used below).
# It is already installed here; otherwise install it with [yum install openssl -y].
[root@server ~]# rpm -qa | grep openssl
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssl-libs-1.0.2k-16.el7.x86_64
openssl-1.0.2k-16.el7.x86_64

# Make this host the CA. The post edits openssl.cnf as follows:
[root@server ~]# vim /etc/pki/tls/openssl.cnf
172 basicConstraints=CA:TRUE
# Caveat: this edit is neither needed nor safe. Line 172 of the stock CentOS 7 openssl.cnf sits in the
# [ usr_cert ] section, the extension set that `openssl ca` stamps on every certificate it issues. The CA
# script creates the root certificate from the [ v3_ca ] section, which already says CA:TRUE, so the root
# is fine without this change. Flipping usr_cert to CA:TRUE is the reason the server certificate signed
# in 2.1 comes out with "X509v3 Basic Constraints: CA:TRUE", which turns that server into a sub-CA: whoever
# holds its private key can sign further certificates that chain to this root. Leave line 172 at CA:FALSE.

# Usage of the CA helper script
[root@server ~]# /etc/pki/tls/misc/CA -h
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
-newcert        # new self-signed certificate
-newreq         # new certificate request
-newreq-nodes   # new request with an unencrypted private key (-nodes = no DES)
-newca          # new CA: root private key plus self-signed root certificate
-sign           # sign a request with the CA
-verify         # verify a certificate against the CA certificate

# Generate the CA's private key and self-signed root certificate
[root@server ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)   # path of an existing CA certificate to reuse; press Enter to create a new one

Making CA certificate ...
Generating a 2048 bit RSA private key
.........+++
.........................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:     # enter a passphrase to protect the CA private key
Verifying - Enter PEM pass phrase:   # enter it again to confirm
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # the CA's own identity: country
State or Province Name (full name) []:guangdong   # province
Locality Name (eg, city) [Default City]:guangzhou   # city
Organization Name (eg, company) [Default Company Ltd]:alibaba   # company or organization
Organizational Unit Name (eg, section) []:IT   # unit or department
Common Name (eg, your name or your server's hostname) []:CAserver   # name of the CA
Email Address []:[email protected]   # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request     # optional 'extra' attributes (a challenge password and an alternative company name); press Enter for both
A challenge password []:     
An optional company name []:      
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:    # the passphrase set above; the script now self-signs the request with the new key
Check that the request matches the signature
Signature ok
Certificate Details:    # details of the certificate being issued
        Serial Number:
            c7:a5:9e:d7:e1:3b:de:2e
        Validity
            Not Before: Oct 20 15:13:37 2020 GMT
            Not After : Oct 20 15:13:37 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = guangdong
            organizationName          = alibaba
            organizationalUnitName    = IT
            commonName                = CAserver
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                76:5B:68:90:55:AA:59:F5:D0:E4:8C:19:A7:D8:FC:00:31:32:BA:B3
            X509v3 Authority Key Identifier: 
                keyid:76:5B:68:90:55:AA:59:F5:D0:E4:8C:19:A7:D8:FC:00:31:32:BA:B3

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Oct 20 15:13:37 2023 GMT (1095 days)  # validity period of the root certificate: 3 years

Write out database with 1 new entries
Data Base Updated

At this point the CA is set up.

Inspect the files the CA created:

# CA root certificate (PEM). It carries the CA's public key under the CA's own signature; this is the file to distribute to anything that should trust the CA.
[root@server ~]# cat /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----
(base64-encoded certificate)
-----END CERTIFICATE-----


# CA private key (PEM, encrypted with the passphrase entered above). This is a key, not a certificate, and must never leave the CA host.
[root@server ~]# cat /etc/pki/CA/private/cakey.pem 
-----BEGIN ENCRYPTED PRIVATE KEY-----
(base64-encoded encrypted private key)
-----END ENCRYPTED PRIVATE KEY-----

2. Using digital certificates

2.1 Obtaining a server certificate

① Set up the httpd service on the client (in this walkthrough "client" is the web server host that requests a certificate from the CA) and confirm it is reachable over plain HTTP.

[root@client ~]# yum install httpd -y
[root@client ~]# echo "CA https" >> /var/www/html/index.html
[root@client ~]# vim /etc/httpd/conf/httpd.conf 
 95 ServerName localhost:80
 [root@client ~]# firewall-cmd --permanent --zone=public --add-port=80/tcp
success
[root@client ~]# firewall-cmd --reload
success
[root@client ~]# systemctl start httpd && systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@client ~]# netstat -antup | grep httpd
tcp6       0      0 :::80                   :::*                    LISTEN      23131/httpd      

② The client generates the certificate request file

# The client also needs the openssl package
[root@client ~]# rpm -qa | grep openssl
# Look at the help for the key generation subcommand
[root@client ~]# openssl genrsa -h
usage: genrsa [args] [numbits]
# ciphers available to encrypt the generated key file under a passphrase
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -idea           encrypt the generated key with IDEA in cbc mode
 -seed
                 encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file    # file to write the key to
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value
 -engine e       use engine e, possibly a hardware device.
 -rand file:file:...
                 load the file (or the files in the directory) into
                 the random number generator
# Generate the private key (2048 bits by default in OpenSSL 1.0.2). -des3 encrypts the key file under a passphrase;
# prefer -aes256 on current systems, and give the file mode 0600 whichever cipher you choose.
[root@client ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/private.key
Generating RSA private key, 2048 bit long modulus
..........................+++
.......................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/private.key:   # passphrase protecting the private key
Verifying - Enter pass phrase for /etc/httpd/conf.d/private.key:

# Generate the certificate request file from the private key; the request carries the public key.
# The public key can be derived from the private key but not the other way round, so only the CSR is sent to the CA.
[root@client ~]# openssl req -new -key /etc/httpd/conf.d/private.key -out /root/cacert.csr
Enter pass phrase for /etc/httpd/conf.d/private.key:    # passphrase of private.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   # country, province and city can be filled in as for the CA
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:alibaba 
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:CAclient   # must be the hostname (or IP) in the URL used to reach the site, otherwise the browser reports that the certificate's name does not match the site and distrusts it. Caveat: Chrome (since version 58) and current Firefox ignore the CN altogether and only accept names listed in a subjectAltName extension, which neither this CSR nor the `openssl ca` run below adds, so for https://192.168.8.116/ a name-mismatch warning is expected whatever the CN says.
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:      
An optional company name []:

# Look at the private key file private.key and the certificate request cacert.csr (the post names the request cacert.csr although it is the server's request, not a CA certificate)
[root@client ~]# cat /etc/httpd/conf.d/private.key
[root@client ~]# cat cacert.csr 

③ Send the certificate request file cacert.csr to the CA

[root@client ~]# scp /root/cacert.csr [email protected]:/root/

④ The CA signs the certificate request

# Look at the options of the ca command
[root@server ~]# openssl ca -h
unknown option -h
usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, see openssl dgst -h for list
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -selfsign       - sign a certificate with the key associated with it
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -utf8           - input characters are UTF8 (default ASCII)
 -multivalue-rdn - enable support for multivalued RDNs
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates
# Sign the certificate request.
# Needs the CA private key, the CA root certificate and the request. No -extensions option is given, so the
# extensions stamped on the new certificate come from the [ usr_cert ] section of openssl.cnf.
[root@server ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /root/cacert.csr -out /root/cacert.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:   # passphrase of the CA private key
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c7:a5:9e:d7:e1:3b:de:2f
        Validity
            Not Before: Oct 20 16:15:32 2020 GMT
            Not After : Oct 20 16:15:32 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = guangdong
            organizationName          = alibaba
            organizationalUnitName    = IT
            commonName                = CAclient
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE   # wrong for a server certificate, which must be CA:FALSE: this is the [ usr_cert ] edit from section 1 coming back, and it lets whoever holds private.key sign certificates that chain to this root
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                DA:4E:12:75:70:C8:F1:BA:C7:41:19:BE:27:19:EE:8E:E8:F0:67:D7
            X509v3 Authority Key Identifier: 
                keyid:76:5B:68:90:55:AA:59:F5:D0:E4:8C:19:A7:D8:FC:00:31:32:BA:B3

Certificate is to be certified until Oct 20 16:15:32 2021 GMT (365 days)
Sign the certificate? [y/n]:y   # confirm the signature

1 out of 1 certificate requests certified, commit? [y/n]y    # commit the signed request to the CA database; confirm
Write out database with 1 new entries
Data Base Updated

# The CA has now produced a signed certificate.
[root@server ~]# ll cacert.crt 
-rw-r--r--. 1 root root 4582 Oct 21 00:15 cacert.crt

⑤ Send the signed certificate back to the client

[root@server ~]# scp /root/cacert.crt [email protected]:/root/

⑥ Files needed for the HTTPS configuration:

# The server certificate signed by the CA
[root@client ~]# ll cacert.crt 
-rw-r--r-- 1 root root 4582 Oct 21 00:21 cacert.crt
# The server's private key. Note the mode 0644: the key file is world-readable, and the passphrase is the only thing
# standing between any local user and the key. Restrict it with chmod 600 before wiring it into the web server.
[root@client ~]# ll /etc/httpd/conf.d/private.key 
-rw-r--r-- 1 root root 1751 Oct 20 23:48 /etc/httpd/conf.d/private.key
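The procedure of sections 1 and 2.1 scripted end to end, as an added example that is not the post's own commands. It swaps the CA helper script and `openssl ca` for `openssl req -x509` and `openssl x509 -req`, so the extensions of the root and of the server certificate are spelled out in two small config files instead of depending on whatever /etc/pki/tls/openssl.cnf says: the root keeps CA:TRUE (with pathlen:0 and keyCertSign), the server certificate gets CA:FALSE plus a subjectAltName, and the checks at the end confirm it. Assumptions: the working directory is a fresh temporary one (override with CA_DIR), the hostname www.example.test, the file names ca.key, ca.crt, server.key, server.csr and server.crt, and private keys stored unencrypted under mode 0600 instead of a passphrase, which keeps the script non-interactive. `-verify_hostname` needs OpenSSL 1.1.0 or later; everything else also runs on the 1.0.2k in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumed names: $WORK, the file
# names below, the hostname www.example.test; DN values copied from the post.
set -eu

WORK="${CA_DIR:-$(mktemp -d)}"

# Root CA. CA:TRUE and keyCertSign come from a dedicated [ v3_ca ] section, so
# the [ usr_cert ] section of the system openssl.cnf is never touched and leaf
# certificates stay CA:FALSE. -nodes writes the key unencrypted; file mode 0600
# protects it instead, which also keeps this script free of passphrase prompts.
make_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca

[ dn ]
C  = CN
ST = guangdong
L  = guangzhou
O  = alibaba
OU = IT
CN = CAserver

[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1095 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    chmod 600 "$WORK/ca.key"
}

# Server (leaf) certificate with an explicit extension file: CA:FALSE, the
# serverAuth EKU, and the hostname plus the post's IP in subjectAltName
# (browsers match the URL against SAN, not against CN).
make_leaf() {
    host="$1"
    cat > "$WORK/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
C  = CN
ST = guangdong
L  = guangzhou
O  = alibaba
OU = IT
CN = $host
EOF
    cat > "$WORK/server.ext" <<EOF
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$host, IP:192.168.8.116
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/server.cnf" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    chmod 600 "$WORK/server.key"
    # x509 -req signs without the index.txt/serial database that `openssl ca`
    # needs; extensions inside the CSR are ignored, only server.ext is applied.
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Chain check: does server.crt validate against our root?
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Name check, i.e. what a browser does with the hostname in the URL.
verify_name() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# Succeeds only if the certificate is NOT a CA certificate. Run it on every
# leaf you issue; it fails on the cacert.crt produced in the post.
is_leaf() {
    ! openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'
}

# Print the subjectAltName entries of a certificate.
san_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

make_ca
make_leaf www.example.test
verify_chain && echo "chain OK"
verify_name www.example.test && echo "hostname OK"
is_leaf "$WORK/server.crt" && echo "server.crt is a leaf (CA:FALSE)"
echo "SAN: $(san_of "$WORK/server.crt")"
```

`is_leaf` is the check that would have caught the problem in the post's output: a server certificate whose Basic Constraints say CA:TRUE should never be installed. To use the result with the web server steps that follow, copy server.crt and server.key (mode 0600) into place and distribute ca.crt to the clients that should trust the site.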

2.2 httpd HTTPS configuration

An SSL/TLS server certificate is an X.509 digital certificate issued by a trusted CA after it has verified the server's identity. It binds the server's public key to the server's name, which gives a client two things: server authentication (is this really the site I asked for?) and a way to negotiate the keys that encrypt the data in transit. The protocol behind the "ssl" in today's server directives is TLS: SSLv2 and SSLv3 are broken and disabled in current browsers and OpenSSL builds, and TLS 1.2 and TLS 1.3 are the versions in use.

Simplified handshake (this four-step view describes the RSA key exchange of TLS 1.2 and earlier; TLS 1.2 normally negotiates ephemeral Diffie-Hellman (ECDHE) and TLS 1.3 always does, but the certificate check in step ③ is the same):
① The client sends a ClientHello asking for an encrypted session, listing the protocol versions and cipher suites it supports together with a random value.
② The server responds with its chosen parameters and sends its digital certificate (plus any intermediate certificates).
③ The client validates the certificate: the CA's signature on it must verify under the public key of a CA root the client already trusts (the client checks a signature, it does not "decrypt" the certificate), the validity period must cover the current time, the name in the certificate must match the hostname in the URL, and the certificate must not be revoked. Only then does the client take the server's public key out of the certificate.
④ The client generates a random pre-master secret, encrypts it with the server's public key and sends it to the server; both sides derive the symmetric session keys from it and switch to encrypted traffic. From this point the HTTP request and response travel inside the TLS session.

# Install mod_ssl
[root@client ~]# yum install mod_ssl -y

# Put the server certificate next to the private key; which directory is a matter of taste.
[root@client ~]# cp cacert.crt /etc/httpd/conf.d/
[root@client ~]# cd /etc/httpd/conf.d/
[root@client conf.d]# ll
total 28
-rw-r--r-- 1 root root 2926 Apr  2 2020 autoindex.conf
-rw-r--r-- 1 root root 4582 Oct 21 20:08 cacert.crt
-rw-r--r-- 1 root root 1751 Oct 20 23:48 private.key
-rw-r--r-- 1 root root  366 Apr  2 2020 README
-rw-r--r-- 1 root root 1252 Nov 27 2019 userdir.conf
-rw-r--r-- 1 root root  824 Nov 27 2019 welcome.conf

# Point mod_ssl at the certificate and key. The SSLProtocol line in the same file should exclude TLSv1 and TLSv1.1 as well as SSLv2/SSLv3.
[root@client ~]# vim /etc/httpd/conf.d/ssl.conf
100 SSLCertificateFile /etc/httpd/conf.d/cacert.crt
107 SSLCertificateKeyFile /etc/httpd/conf.d/private.key

[root@client ~]# systemctl restart httpd
Enter SSL pass phrase for localhost:443 (RSA) : ******    # the passphrase protecting the private key (123456 in my case)
[root@client ~]# netstat -antup | grep 443
tcp6       0      0 :::443                  :::*                    LISTEN      33278/httpd    
[root@client ~]# firewall-cmd --permanent --zone=public --add-port=443/tcp
success
[root@client ~]# firewall-cmd  --reload
success

Access https://192.168.8.116/ in a browser. The browser warns that the server's certificate is not trusted. That is expected: it was issued by the private CA from section 1, whose root certificate is not in the browser's trust store. Importing /etc/pki/CA/cacert.pem into the browser's (or the OS's) list of trusted CAs removes that warning, although the browser will still flag a hostname mismatch unless the certificate's subjectAltName covers 192.168.8.116. The certificate's basic information (subject, issuer, validity period, extensions) can be viewed from the same warning page.

2.3 nginx HTTPS configuration

# Install nginx
[root@client ~]# yum install nginx -y
[root@client ~]# rpm -ql nginx
From the file list above:
nginx's document root is /usr/share/nginx/html/
nginx's main configuration file is /etc/nginx/nginx.conf

# Write a test page
[root@client ~]# echo "nginx https" > /usr/share/nginx/html/index.html

# Stop httpd (it holds port 80) and start nginx.
[root@client ~]# systemctl stop httpd
[root@client ~]# systemctl start nginx
[root@client ~]# systemctl enable  nginx
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.
[root@client ~]# netstat -antup |grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      38698/nginx: master 
tcp6       0      0 :::80                   :::*                    LISTEN      38698/nginx: master 

Visiting http://192.168.8.116/ shows the test page.

# Create a virtual host; the body can be copied from the server block in nginx's main configuration file
# (vim's Ctrl+V visual-block mode strips the comment characters from many lines at once).
[root@client ~]# vim /etc/nginx/conf.d/default.conf
server {
        listen       443 ssl;
        server_name  localhost;
        root         /usr/share/nginx/html;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # allowed protocol versions. The post's listing lacked the trailing ';' (nginx -t rejects that). TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone is the sensible minimum here.
        ssl_ciphers HIGH:!aNULL:!MD5;   # cipher suites
        ssl_prefer_server_ciphers on;    # let the server's preference order decide the cipher suite
        ssl_certificate "/etc/httpd/conf.d/cacert.crt";   # server certificate
        ssl_certificate_key "/etc/httpd/conf.d/private.key";   # server private key
        ssl_session_cache shared:SSL:1m;   # shared TLS session cache, 1 MB
        ssl_session_timeout  10m;   # how long a session may be resumed: 10 minutes

        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
}

# Check the nginx configuration for syntax errors
[root@client ~]# nginx -t
Enter PEM pass phrase:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# Restart nginx.
# Because the private key is passphrase-protected, nginx has to ask for the passphrase when it loads the key, and a
# service started through systemctl has no terminal to ask on, so `systemctl start nginx` fails. Starting the nginx
# binary directly from a shell works, but the daemon then runs outside systemd's control (no restart on failure, no
# `systemctl stop`). The proper fixes are the `ssl_password_file` directive (nginx 1.7.3+), pointing at a file with
# mode 0600 that holds the passphrase, or stripping the passphrase from the key with `openssl rsa` and relying on
# file permissions (mode 0600) to protect it.
[root@client ~]# systemctl stop nginx
[root@client ~]# systemctl start nginx
Job for nginx.service failed because the control process exited with error code. See "systemctl status nginx.service" and "journalctl -xe" for details.
[root@client ~]# nginx
Enter PEM pass phrase:
[root@client ~]# netstat -antup | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      53057/nginx: master 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      53057/nginx: master 
tcp6       0      0 :::80                   :::*                    LISTEN      53057/nginx: master 

Visiting https://192.168.8.116/ now serves the page over TLS from nginx, with the same untrusted-certificate warning as for httpd, since the certificate is unchanged.

3. nginx: redirect HTTP to HTTPS

[root@client ~]# vim /etc/nginx/nginx.conf
    server {
        listen       80;
        server_name  localhost;
        # Either rewrite redirects. Caveat on the variables: $server_name expands to the configured server_name
        # (the literal "localhost" here), so the first form only sends remote browsers to the right place once
        # server_name is the real hostname or address; $host echoes the Host header the client actually used, which
        # is what a redirect normally wants. In both forms nginx appends the query string automatically.
        rewrite ^(.*)$ https://$server_name$request_uri permanent;
        # rewrite ^(.*)$ https://$host$1 permanent;   # permanent redirect to https://$host$1
        include /etc/nginx/default.d/*.conf;
        root         /usr/share/nginx/html;
        location / {
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

# Restart nginx (stop and start the binary directly, since the passphrase prompt keeps systemctl from managing it)
[root@client ~]# nginx -s stop
Enter PEM pass phrase:
[root@client ~]# nginx
Enter PEM pass phrase:
[root@client ~]# netstat -antup |grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      61913/nginx: master 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      61913/nginx: master 

Visiting http://192.168.8.116/ now redirects to https://192.168.8.116/.
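A hardened version of the two nginx server blocks from sections 2.3 and 3, as an added example that is not the post's own configuration. Assumptions: the certificate and key were moved out of /etc/httpd/conf.d/ into /etc/nginx/ssl/ with the key at mode 0600, the key's passphrase is stored in /etc/nginx/ssl/key.pass (also 0600) so that systemctl can start the service, and the site is reached as 192.168.8.116 as in the post. TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+; on the CentOS 7 box in the post (OpenSSL 1.0.2k) list TLSv1.2 alone.

```nginx
# Port 80: redirect only, nothing is served in the clear.
server {
    listen       80;
    server_name  192.168.8.116;
    # $host is the name the client actually used; $server_name would be the configured
    # server_name, which for the post's "localhost" sends remote browsers nowhere useful.
    return 301 https://$host$request_uri;
}

server {
    listen       443 ssl;
    server_name  192.168.8.116;
    root         /usr/share/nginx/html;

    ssl_certificate      /etc/nginx/ssl/cacert.crt;     # assumed path; the certificate may stay 0644
    ssl_certificate_key  /etc/nginx/ssl/private.key;    # assumed path, mode 0600
    ssl_password_file    /etc/nginx/ssl/key.pass;       # assumed path, mode 0600; no prompt, so systemctl works

    ssl_protocols TLSv1.2 TLSv1.3;    # drops the TLSv1 and TLSv1.1 the post's config allowed
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;    # every suite above is AEAD with forward secrecy, so the client may choose
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;          # a long-lived ticket key would undermine forward secrecy

    # Browsers remember to use HTTPS for this host for two years.
    add_header Strict-Transport-Security "max-age=63072000" always;

    include /etc/nginx/default.d/*.conf;

    location / {
    }
}
```

One consequence of the HSTS header with a private CA: once a browser has seen it, it no longer lets the user click through a certificate warning for this host, so import the root from section 1 (/etc/pki/CA/cacert.pem) into the browser's trust store, and issue the server certificate with a subjectAltName covering 192.168.8.116, before enabling the header.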

Origin blog.csdn.net/weixin_36522099/article/details/109168679