One, HTTPS
A simplified SSL session process
1. On the first visit to an encrypted site, the client tells the server which encryption methods it supports and asks for the server's certificate; the server does not answer the actual request yet.
2. The server sends the chosen encryption method and its certificate to the client.
(Because site A's certificate contains A's public key, signed with the CA's private key, together with the CA's identity and the expiry time, this step amounts to the client obtaining site A's public key.)
3. The client receives the certificate and verifies it. If it trusts the CA that issued the certificate, it:
(a) verifies that the certificate really comes from that CA, by checking the CA's digital signature on the certificate with the CA's public key;
(b) verifies the integrity of the certificate (the signature covers the whole certificate, so any modification breaks it);
(c) checks the validity period of the certificate;
(d) checks whether the certificate has been revoked;
(e) checks that the name of the certificate owner matches the host being accessed.
The client then generates a temporary session key (a symmetric key), encrypts it with the server's public key and sends it to the server, which completes the key exchange.
4. The server encrypts the requested resource with this key and responds to the client.
5. Subsequent communication continues to use this session key.
Note: SSL virtual hosts are selected by IP address, so without SNI a host with a single IP can serve only one HTTPS virtual host. Modern clients and httpd support the SNI extension, in which the client sends the hostname during the handshake; with SNI, several name-based HTTPS virtual hosts can share one IP.
Two, implementing HTTPS with httpd
Process:
2.1 Request a digital certificate for the server
- Create a private CA
- Create a certificate signing request on the server
- Have the CA sign the request (issue the certificate)
2.2 Configure httpd to support SSL and to use the certificate
yum -y install mod_ssl
Configuration file: /etc/httpd/conf.d/ssl.conf
- DocumentRoot
- ServerName
- SSLCertificateFile
- SSLCertificateKeyFile
Example:
- Create the certificates
openssl genrsa 2048 > cakey.pem
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3650
openssl req -newkey rsa:2048 -nodes -keyout httpd.key > httpd.csr
openssl x509 -req -in httpd.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 -days 365 > httpd.crt
Note: the server key is 2048 bits here; 1024-bit RSA is no longer considered strong enough and is rejected by many clients. A -days option on the req line only affects self-signed certificates, so the validity period must be given on the x509 -req signing step; without it the signed certificate is valid for only 30 days. cakey.pem is the CA's private key and should be readable only by root (chmod 600).
Note: when answering the prompts for httpd.csr, the Common Name must be the hostname that clients will use to reach the encrypted site:
Common Name (eg, your name or your server's hostname) [ ]:www.a.com
Modern browsers match the hostname against the subjectAltName extension rather than the Common Name, so for browser clients the same name also has to be present as a SAN (DNS:www.a.com) when the certificate is signed.
- Install the SSL module
yum -y install mod_ssl
- Modify the configuration
[root@node1 ~]# vim /etc/httpd/conf.d/ssl.conf
ssl.conf is the SSL configuration file installed by the mod_ssl package.
<VirtualHost _default_:443>
    ServerName www.a.com:443
    DocumentRoot "/data/asite"
    <Directory /data/asite>
        Require all granted
    </Directory>
    SSLCertificateFile /data/dd/httpd.crt
    SSLCertificateKeyFile /data/dd/httpd.key
    SSLCACertificateFile /data/dd/cacert.pem
</VirtualHost>
ServerName matches the Common Name of the certificate. SSLCACertificateFile is only consulted when httpd verifies client certificates; it does not send cacert.pem to browsers, which must trust the private CA themselves (intermediate certificates for the server's own chain are appended to SSLCertificateFile, or given with SSLCertificateChainFile on older httpd). After editing, check the syntax with httpd -t and restart httpd.
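The following script is an added example, not code from the original article. It carries out the certificate procedure of section 2.1 end to end (private CA, server CSR, CA signature) with the fixes noted above (2048-bit keys, explicit -days when signing, a subjectAltName), and then performs the client-side checks (a), (b), (c) and (e) from section 1 with openssl, so you can see what a browser would decide before pointing it at httpd. The hostname www.a.com and the file names cakey.pem, cacert.pem, httpd.key, httpd.csr and httpd.crt follow the article; the CA name, the minimal config files and the output directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original article). Builds the private CA and
# the www.a.com server certificate, then runs the client-side verification.
# Assumptions: openssl 1.1.1 or later on PATH; CA name and config files below
# are invented for this example.
set -eu

# make_pki DIR HOST: create the CA and the server certificate for HOST under DIR.
make_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Minimal config so the example does not depend on the system openssl.cnf.
    cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Extensions for the server certificate; x509 -req does not copy them from the CSR.
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Private CA: key readable only by the owner, plus a self-signed root.
    (umask 077; openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/cakey.pem" -config "$dir/req.cnf" \
        -subj "/CN=Example Private CA" -days 3650 -out "$dir/cacert.pem"
    # 2. Server key and CSR; the CN is the hostname, the SAN is added at signing.
    (umask 077; openssl genrsa -out "$dir/httpd.key" 2048 2>/dev/null)
    openssl req -new -key "$dir/httpd.key" -config "$dir/req.cnf" \
        -subj "/CN=$host" -out "$dir/httpd.csr"
    # 3. CA signs. -days is explicit: without it x509 -req defaults to 30 days.
    openssl x509 -req -in "$dir/httpd.csr" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
        -set_serial 01 -days 365 -extfile "$dir/server.ext" -out "$dir/httpd.crt"
}

# verify_cert DIR HOST: the client-side checks in one call. openssl verify
# checks the CA signature (a), integrity (b) and validity period (c); with
# -verify_hostname it also checks that SAN/CN matches HOST (e). Revocation (d)
# would need -crl_check -CRLfile <crl> issued by the CA, which is not shown here.
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/httpd.crt" >/dev/null 2>&1
}

# cert_valid_for DIR SECONDS: succeeds if the server cert is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1/httpd.crt" -noout -checkend "$2" >/dev/null 2>&1
}

# Build everything in a scratch directory (override with PKI_DIR) and report
# what a client would conclude for the right and for a wrong hostname.
main() {
    dir=${PKI_DIR:-$(mktemp -d)}
    make_pki "$dir" www.a.com
    printf 'PKI written to %s\n' "$dir"
    openssl x509 -in "$dir/httpd.crt" -noout -subject -issuer -dates
    openssl x509 -in "$dir/httpd.crt" -noout -text | grep -A1 'Subject Alternative Name'
    verify_cert "$dir" www.a.com && echo "www.a.com: certificate accepted"
    verify_cert "$dir" www.b.com || echo "www.b.com: rejected (hostname mismatch)"
    cert_valid_for "$dir" 86400 && echo "still valid tomorrow"
}
main
```

Copy httpd.crt, httpd.key and cacert.pem to the paths named in ssl.conf. Once httpd is running, the same checks can be made against the live server with openssl s_client -connect www.a.com:443 -CAfile cacert.pem -verify_hostname www.a.com; a browser will only accept the site after cacert.pem has been imported into its trust store.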