信息安全实践Lab1-自建CA证书搭建https服务器
title: 信息安全实践Lab1-自建CA证书搭建https服务器
date: 2021-12-21 02:44:40
tags: 信息安全
categories: 信息安全实践
信息安全实践Lab1-自建CA证书搭建https服务器
搭建https服务器
本机环境: Ubuntu 20.04 OpenSSL 1.1.1f Firefox Browser 79.0(64-bit)
安装OpenSSL
$sudo apt-get install openssl
自建CA
建立myCA目录用于存放CA相关信息
cd && mkdir -p myCA/signedcerts && mkdir myCA/private && cd myCA
myCA 用于存放 CA 根证书,证书数据库,以及后续服务器生成的证书,密钥以及请求
signedcerts:保存签名证书的 copy
private: 包含私钥
配置myCA相关参数,在myCA目录下进行
echo '01'>serial && touch index.txt
创建caconfig.cnf文件
sudo apt-get install vim
vim ~/myCA/caconfig.cnf
caconfig.cnf文件内容如下:
注意文件中两个地方的username需要换成你自己的用户名。
# My sample caconfig.cnf file.
#
# Default configuration to use when one is not provided on the command line.
#
[ ca ]
default_ca = local_ca
#
#
# Default location of directories and files needed to generate certificates.
#
[ local_ca ]
dir = /home/username/myCA # 这里要将username替换为你的用户名
certificate = $dir/cacert.pem
database = $dir/index.txt
new_certs_dir = $dir/signedcerts
private_key = $dir/private/cakey.pem
serial = $dir/serial
#
#
# Default expiration and encryption policies for certificates.
#
default_crl_days = 365
default_days = 1825
default_md = SHA256
#
policy = local_ca_policy
x509_extensions = local_ca_extensions
#
#
# Default policy to use when generating server certificates. The following
# fields must be defined in the server certificate.
#
[ local_ca_policy ]
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = supplied
organizationName = supplied
organizationalUnitName = supplied
#
#
# x509 extensions to use when generating server certificates.
#
[ local_ca_extensions ]
subjectAltName = DNS:localhost
basicConstraints = CA:false
nsCertType = server
#
#
# The default root certificate generation policy.
#
[ req ]
default_bits = 2048
default_keyfile = /home/username/myCA/private/cakey.pem # 这里要将username替换为你的用户名
default_md = SHA256
#
prompt = no
distinguished_name = root_ca_distinguished_name
x509_extensions = root_ca_extensions
#
#
# Root Certificate Authority distinguished name. Change these fields to match
# your local environment!
#
[ root_ca_distinguished_name ]
commonName = MyOwn Root Certificate Authority # CA机构名
stateOrProvinceName = JS # CA所在省份
countryName = CN # CA所在国家(仅限2个字符)
emailAddress = XXXX@XXX.com # 邮箱
organizationName = XXX #
organizationalUnitName = XXX #
#
[ root_ca_extensions ]
basicConstraints = CA:true
生成CA根证书和密钥
export OPENSSL_CONF=~/myCA/caconfig.cnf #该命令用于给环境变量 OPENSSL_CONF 赋值为caconfig.cnf。
openssl req -x509 -newkey rsa:2048 -out cacert.pem -outform PEM -days 1825 # 生成 CA 根证书和密钥
该命令需要用户设置密码。不要忘记。
以上步骤生成了 CA 自签名根证书,和 RSA 公/私密钥对。证书的格式是 PEM,有效期是1825天。
- /myCA/cacert.pem: CA 根证书
- /myCA/private/cakey.pem: CA 私钥
创建服务器公私钥
生成服务器配置文件exampleserver.cnf
vim ~/myCA/exampleserver.cnf
exampleserver.cnf文件内容如下
#
# exampleserver.cnf
#
[ req ]
prompt = no
distinguished_name = server_distinguished_name
[ server_distinguished_name ]
commonName = localhost # 服务器域名
stateOrProvinceName = JS # 服务器所在省份
countryName = CN # 服务器所在国家(仅限2个字符)
emailAddress = XXXX@XXX.com # 邮箱
organizationName = XXX #
organizationalUnitName = XXX #
生成服务器证书和密钥
export OPENSSL_CONF=~/myCA/exampleserver.cnf # 该命令设置环境变量 OPENSSL_CONF,使得 openssl 更换配置文件。
openssl req -newkey rsa:2048 -keyout tempkey.pem -keyform PEM -out tempreq.pem -outform PEM
同样的,需要输入密码短语。
之后,有2种对临时秘钥的操作,选择其一即可
1.将临时私钥转换为 unencrypted key,即秘钥不加密状态。
openssl rsa -in tempkey.pem -out server_key.pem
需要输入密码短语。
2.如果希望将 key 保持为加密状态,直接改名
mv tempkey.pem server_key.pem
两者的区别是,第二种需要在服务器启动时输入私钥的密码短语,否则会导致服务器启动失败,但第二种安全性高于第一种,可以更好的保护秘钥。
使用CA key对服务器证书签名
export OPENSSL_CONF=~/myCA/caconfig.cnf
openssl ca -in tempreq.pem -out server_crt.pem
删除临时证书和密码文件
rm -f tempkey.pem && rm -f tempreq.pem
现在,自签名的服务器证书和密钥对便产生了:
- server_crt.pem : 服务器证书文件
- server_key.pem : 服务器密钥文件
配置Apache
安装apache2
sudo apt-get update
sudo apt-get install apache2
建立ssl配置文件,lab-ssl.conf
sudo vim /etc/apache2/sites-available/lab-ssl.conf
lab-ssl.conf文件内容如下:
注意这里有两处username需要换成你的用户名。
<IfModule mod_ssl.c><VirtualHost _default_:443>ServerAdmin webmaster@localhostDocumentRoot /var/www/html# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,# error, crit, alert, emerg.# It is also possible to configure the loglevel for particular# modules, e.g.#LogLevel info ssl:warnErrorLog ${APACHE_LOG_DIR}/error.logCustomLog ${APACHE_LOG_DIR}/access.log combined# For most configuration files from conf-available/, which are# enabled or disabled at a global level, it is possible to# include a line for only one particular virtual host. For example the# following line enables the CGI configuration for this host only# after it has been globally disabled with "a2disconf".#Include conf-available/serve-cgi-bin.conf# SSL Engine Switch:# Enable/Disable SSL for this virtual host.SSLEngine on# A self-signed (snakeoil) certificate can be created by installing# the ssl-cert package. See# /usr/share/doc/apache2/README.Debian.gz for more info.# If both key and certificate are stored in the same file, only the# SSLCertificateFile directive is needed.#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key# 网站证书和私钥地址SSLCertificateFile /home/username/myCA/server_crt.pem # 这里的username需要换成你的用户名SSLCertificateKeyFile /home/username/myCA/server_key.pem # 这里的username需要换成你的用户名# Server Certificate Chain:# Point SSLCertificateChainFile at a file containing the# concatenation of PEM encoded CA certificates which form the# certificate chain for the server certificate. Alternatively# the referenced file can be the same as SSLCertificateFile# when the CA certificates are directly appended to the server# certificate for convinience.#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt# Certificate Authority (CA):# Set the CA certificate verification path where to find CA# certificates for client authentication or alternatively one# huge file containing all of them (file must be PEM encoded)# Note: Inside SSLCACertificatePath you need hash symlinks# to point to the certificate files. Use the provided# Makefile to update the hash symlinks after changes.#SSLCACertificatePath /etc/ssl/certs/#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt# Certificate Revocation Lists (CRL):# Set the CA revocation path where to find CA CRLs for client# authentication or alternatively one huge file containing all# of them (file must be PEM encoded)# Note: Inside SSLCARevocationPath you need hash symlinks# to point to the certificate files. Use the provided# Makefile to update the hash symlinks after changes.#SSLCARevocationPath /etc/apache2/ssl.crl/#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl# Client Authentication (Type):# Client certificate verification type and depth. Types are# none, optional, require and optional_no_ca. Depth is a# number which specifies how deeply to verify the certificate# issuer chain before deciding the certificate is not valid.#SSLVerifyClient require#SSLVerifyDepth 10# SSL Engine Options:# Set various options for the SSL engine.# o FakeBasicAuth:# Translate the client X.509 into a Basic Authorisation. This means that# the standard Auth/DBMAuth methods can be used for access control. The# user name is the `one line' version of the client's X.509 certificate.# Note that no password is obtained from the user. Every entry in the user# file needs this password: `xxj31ZMTZzkVA'.# o ExportCertData:# This exports two additional environment variables: SSL_CLIENT_CERT and# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the# server (always existing) and the client (only existing when client# authentication is used). This can be used to import the certificates# into CGI scripts.# o StdEnvVars:# This exports the standard SSL/TLS related `SSL_*' environment variables.# Per default this exportation is switched off for performance reasons,# because the extraction step is an expensive operation and is usually# useless for serving static content. So one usually enables the# exportation for CGI and SSI requests only.# o OptRenegotiate:# This enables optimized SSL connection renegotiation handling when SSL# directives are used in per-directory context.#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire<FilesMatch "\.(cgi|shtml|phtml|php)$">SSLOptions +StdEnvVars</FilesMatch><Directory /usr/lib/cgi-bin>SSLOptions +StdEnvVars</Directory># SSL Protocol Adjustments:# The safe and default but still SSL/TLS standard compliant shutdown# approach is that mod_ssl sends the close notify alert but doesn't wait for# the close notify alert from client. When you need a different shutdown# approach you can use one of the following variables:# o ssl-unclean-shutdown:# This forces an unclean shutdown when the connection is closed, i.e. no# SSL close notify alert is send or allowed to received. This violates# the SSL/TLS standard but is needed for some brain-dead browsers. Use# this when you receive I/O errors because of the standard approach where# mod_ssl sends the close notify alert.# o ssl-accurate-shutdown:# This forces an accurate shutdown when the connection is closed, i.e. a# SSL close notify alert is send and mod_ssl waits for the close notify# alert of the client. This is 100% SSL/TLS standard compliant, but in# practice often causes hanging connections with brain-dead browsers. Use# this only for browsers where you know that their SSL implementation# works correctly.# Notice: Most problems of broken clients are also related to the HTTP# keep-alive facility, so you usually additionally want to disable# keep-alive for those clients, too. Use variable "nokeepalive" for this.# Similarly, one has to force some clients to use HTTP/1.0 to workaround# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and# "force-response-1.0" for this.# BrowserMatch "MSIE [2-6]" \# nokeepalive ssl-unclean-shutdown \# downgrade-1.0 force-response-1.0</VirtualHost>
</IfModule># vim: syntax=apache ts=4 sw=4 sts=4 sr noet
启动ssl服务
sudo a2ensite /etc/apache2/sites-available/lab-ssl.conf
sudo a2enmod ssl
让浏览器信任我们自建的CA
打开 FireFox 浏览器,依次选择“编辑”----“首选项”----“隐私与安全”----“证书”----“查看证书”----“证书机构”,点击导入,选择 myCA 目录下的根证书“cacert.pem”, 导入。
在浏览器地址栏输入 https://localhost
信息安全实践Lab1-自建CA证书搭建https服务器相关推荐
- 自建CA证书搭建https服务器
由于CA收费,所以可以自建CA,通过将CA导入浏览器实现https的效果,曾经12306购票就需要自行导入网站证书. 关于https 2015年阿里巴巴将旗下淘宝.天猫(包括移动客户端)全站启用HTT ...
- 信安实践——自建CA证书搭建https服务器
https://www.cnblogs.com/libaoquan/p/7965873.html 1.理论知识 https简介 HTTPS(全称:Hyper Text Transfer Protoco ...
- 腾讯云CentOS自建CA证书搭建https服务器
为了完成实验以及不同电脑虚拟机不同,索性买了一个腾讯云的服务器,学生价,很便宜. 实验环境:CentOS7.5,Apache 2.4.6 OpenSSL 1.0.2k 理论知识 Http和Https的 ...
- 实战:搭建CA认证中心,使用CA证书搭建HTTPS
CA认证中心服务端:xuegod63.cn IP:192.168.0.61 客户端 :xuegod64.cn ...
- 利用openssl自建ca并且使apache2用自建的ca证书进行https链接(自用,,,
参考了信安实践--自建CA证书搭建https服务器 - LiBaoquan - 博客园 (cnblogs.com) 加一些关于apache的命令: sudo systemctl start apach ...
- Android——自建CA证书,实现https请求
Android 使用https 协议请求客户端 server端操作 自己创建 CA 证书 拿自建CA 证书创建 server 端证书 创建 https 服务 Android客户端操作 创建项目并引入相 ...
- 自建CA,并给服务器颁发证书,将该证书安装至浏览器
一.目标: 自建CA,并给服务器颁发证书,将该证书安装至浏览器. 二.步骤: 1.生成CA 密钥对和自签名证书: 使用 OpenSSL 工具生成 CA 密钥对和自签名证书: openssl genpk ...
- 自建CA证书以及导入到浏览器实现https安全连接
自建CA证书以及导入到浏览器实现https安全连接 安装 openssl(一般centos 系统都会自带安装好的了) 目录:/etc/pki/CA/ yum install openssl opens ...
- centos信任自建CA证书
我们经常会用配置网站可以用https访问,但是购买证书不现实,所以我们会选择自建CA证书,但是自建的CA证书,在linux中用curl访问时总会报错,报错信息如下: curl: (60) Peer c ...
最新文章
- 除了数据还是数据?2018年5大 AI (人工智能)预测
- 详析数字图像中高斯模糊理论及实现
- 二叉树的六种遍历方法汇总(转)
- Linq Coding -- Part Eight (Equals Topic)
- 审计日志_Oracle审计日志过大?如何清理及关闭审计机制?
- MongoDB学习笔记lt;七gt;
- windows下将多个文件里面的内容合并成一个一个文件
- 起点文学网ViewState解码分析后的结果研究
- 1400+款调色预设LR/PS/PR/FCPX/达芬奇lightroom滤镜LUT素材
- IIC,SPI,I2S
- 「LOJ#10068」「一本通 3.1 练习 3」秘密的牛奶运输(次小生成树
- phpmyadmin突破secure_file_priv写shell 的渗透
- ping 不通百度问题的解决
- Espresso测试框架的使用
- 「解决方案」Acrel-2000Z变电站综合自动化系统
- EEG 信号频带功率计算
- 国盛源投资量化买卖一定会挣钱吗?量化买卖怎样挣钱的?
- 用计算机来画出整个方格图,怎么画小学数学中的方格图
- 【北京科技大学成绩单打印网址】【中科院自动化所邮箱登录网址】等
- 手动制作Iphone ipa软件教程