HTTPS: principle and application

HTTPS basic principles

                 CA Authentication Center (issues / revokes certificates)
                /                                          \
   CA certificate (CA public key)              Web server sends a certificate
   delivered to the client                     request to the CA; the CA returns
                /                              the signed certificate
               /                                            \
          Client  <------ digital certificate ------  Web server
                   (signed with the CA private key; contains the
                    web server's identity and the web public key)
                                      
1. The web server generates an asymmetric key pair (web public key, web private key).
2. The web server combines its public key with its identity information to generate a certificate request, and sends that request to the CA.
3. The CA server signs the web server's certificate request with the CA's private key, producing a digital certificate for the web server, and issues that certificate to the web server.
4. The client accesses the web server, requests an HTTPS connection, and downloads the web server's digital certificate.
5. The client downloads the CA's digital certificate (CA identity information + CA public key; it may be issued by a higher-level CA or be self-signed) and uses it to verify the web server's digital certificate (the CA certificate carries the CA public key; the web certificate was signed with the CA private key).
6. The client negotiates a symmetric encryption algorithm with the web server; the client generates a symmetric key, encrypts it with the web server's public key and sends it to the web server, which decrypts it with the web private key.
7. Transmitted data is encrypted with the symmetric key and its integrity is checked.

We simulate this authentication mode between the client and the server.

Preparation before the experiment: we use two virtual machines for testing; one acts as both CA server and web server, the other as the client.

First, configure the CA + server.

1. Configure the CA: the CA generates its own public and private key, and the CA certificate is self-signed.

[root@host4 ~]# vim /etc/pki/tls/openssl.cnf

 2. Generate a self-signed certificate

[root@host4 ~]# /etc/pki/tls/misc/CA -newca

/etc/pki/CA/private/cakey.pem  CA private key

/etc/pki/CA/cacert.pem       CA self-signed digital certificate

/etc/pki/CA/careq.pem       CA certificate request

3. Configure the web server

[root@sxb-1 httpd]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 2048 bit long modulus
........................+++
.......+++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:

4. Generate a certificate request (identity information + public key)

[root@host4 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /etc/httpd/conf.d/server.csr

5. Send the certificate request to the CA (here we use the same virtual machine for both); the CA server digitally signs the certificate and issues the signed digital certificate to the web server

[root@host4 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /etc/httpd/conf.d/server.csr -out /etc/httpd/conf.d/server.crt

6. Configure the web server to support SSL so that it serves HTTPS

[root@host4 ~]# yum install mod_ssl
[root@host4 ~]# vim /etc/httpd/conf.d/ssl.conf

7. Restart the service

[root@sxb-1 CA]# systemctl restart httpd
Enter SSL pass phrase for fe80::20c:29ff:fe88:9d40:443 (RSA) : ******
[root@sxb-1 CA]# ss -anplt | grep 443
LISTEN     0      128         :::443                     :::*                   users:(("httpd",pid=20066,fd=6),("httpd",pid=20065,fd=6),("httpd",pid=20064,fd=6),("httpd",pid=20063,fd=6),("httpd",pid=20062,fd=6),("httpd",pid=20060,fd=6))

8. The client downloads the CA certificate, imports it into the browser, and then accesses the www server.
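The whole flow above (CA key and self-signed CA certificate, web server key and certificate request, CA signature, and the client-side check that the browser performs once the CA certificate is imported) can be run end to end without the interactive CA wrapper script. The script below is an added example and is not part of the original post; it uses plain openssl commands in a temporary directory instead of the /etc/pki layout, assumes an openssl CLI (1.1.1 or 3.x) on PATH, and the host name www.example.test is a constructed value. It also writes the three mod_ssl directives that step 6 edits in ssl.conf, and shows that the same certificate is rejected for a different host name or when the CA is not trusted.

```shell
#!/bin/sh
# Added example (not from the post): private CA, server certificate, client verification.
# Assumes the openssl CLI is installed; everything lives under a temporary directory.
set -eu

# Steps 1-2: CA key pair and self-signed CA certificate (cakey.pem / cacert.pem).
make_ca() {
    dir=$1
    mkdir -p "$dir/ca"
    openssl genrsa -out "$dir/ca/cakey.pem" 2048 2>/dev/null
    chmod 600 "$dir/ca/cakey.pem"
    openssl req -x509 -new -key "$dir/ca/cakey.pem" -sha256 -days 365 \
        -subj "/CN=Example Lab CA" -out "$dir/ca/cacert.pem"
}

# Steps 3-5: server key, certificate request (identity + public key), CA signature.
# The key is left unencrypted and protected by file mode, so httpd can start
# without the pass phrase prompt seen in step 7 of the post.
issue_server_cert() {
    dir=$1; host=$2
    mkdir -p "$dir/web"
    openssl genrsa -out "$dir/web/server.key" 2048 2>/dev/null
    chmod 600 "$dir/web/server.key"
    openssl req -new -key "$dir/web/server.key" -subj "/CN=$host" \
        -out "$dir/web/server.csr"
    # Browsers match the host name against subjectAltName, so add it at signing time.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/web/ext.cnf"
    openssl x509 -req -in "$dir/web/server.csr" \
        -CA "$dir/ca/cacert.pem" -CAkey "$dir/ca/cakey.pem" -CAcreateserial \
        -sha256 -days 365 -extfile "$dir/web/ext.cnf" -out "$dir/web/server.crt"
}

# Step 6: the mod_ssl directives that point httpd at the issued certificate and key.
write_ssl_conf() {
    dir=$1
    cat > "$dir/ssl.conf.fragment" <<EOF
SSLEngine on
SSLCertificateFile    $dir/web/server.crt
SSLCertificateKeyFile $dir/web/server.key
EOF
}

# Step 8: what a client that trusts the CA does with the server certificate.
# Returns 0 when the signature chains to cacert.pem and the name matches.
verify_as_client() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca/cacert.pem" -verify_hostname "$host" \
        "$dir/web/server.crt" >/dev/null 2>&1
}

# Same check without the CA certificate imported: only the system store is consulted.
verify_without_ca() {
    dir=$1
    openssl verify "$dir/web/server.crt" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    host=www.example.test   # constructed lab host name
    make_ca "$work"
    issue_server_cert "$work" "$host"
    write_ssl_conf "$work"
    if verify_as_client "$work" "$host"; then
        echo "accepted: certificate for $host chains to the lab CA"
    fi
    if ! verify_as_client "$work" "other.example.test"; then
        echo "rejected: host name does not match the certificate"
    fi
    if ! verify_without_ca "$work"; then
        echo "rejected: issuing CA is not in the trust store"
    fi
    echo "artifacts written under $work"
}

main "$@"
```

The two rejection cases are the checks the browser performs in step 8: a certificate signed by a CA it has not imported, or one issued for a different host name, is refused even though the signature itself is valid.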


Source: www.cnblogs.com/loganSxb/p/11266083.html