How to Create Self-Signed SSL Certificates and Keys for Apache on RHEL/CentOS 7.0


SSL (Secure Sockets Layer) is a cryptographic protocol that allows secure data flow between a server and its clients using symmetric/asymmetric keys, with a digital certificate signed by a Certificate Authority (CA).

  1. Basic LAMP Installation on RHEL/CentOS 7.0

This tutorial shows how to set up the Secure Sockets Layer (SSL) cryptographic communication protocol on an Apache Web Server installed on Red Hat Enterprise Linux/CentOS 7.0, and how to generate self-signed Certificates and Keys with the help of a bash script that simplifies the whole process.

Step 1: Install and Configure Apache SSL

1. To enable SSL on Apache HTTP Server, use the following command to install the SSL Module and the OpenSSL toolkit, which are needed for SSL/TLS support.

# yum install mod_ssl openssl

2. After the SSL module has been installed, restart the HTTPD daemon and add a new firewall rule to make sure that the SSL port - 443 - is open to external connections and in listening state on your machine.

# systemctl restart httpd
# firewall-cmd --add-service=https   ## On-fly rule

# firewall-cmd --permanent  --add-service=https   ## Permanent rule – needs firewalld restart

3. To test the SSL connection, open a browser on a remote machine and navigate to your server's IP address using the HTTPS protocol at https://server_IP .

Step 2: Create SSL Certificates and Keys

4. The previous SSL communication between the server and the client was performed using a default Certificate and Key generated automatically at installation. To generate new private keys and self-signed certificates, create the following bash script in an executable system path ( $PATH ).

For this tutorial the /usr/local/bin/ path was chosen. Make sure the script has the executable bit set and then use it as a command to create new SSL pairs in /etc/httpd/ssl/, which serves as the default location for Certificates and Keys.

# nano /usr/local/bin/apache_ssl

Use the following file content.

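#!/bin/bash
# Generate a private key, a CSR and a self-signed certificate for an Apache virtual host.
mkdir -p /etc/httpd/ssl
cd /etc/httpd/ssl || exit 1

echo -e "Enter your virtual host FQDN: \nThis will generate the default name for Apache SSL Certificate and Key!"
read -r cert

# 2048-bit RSA private key, readable and writable by its owner only
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$cert.key"
chmod 600 "$cert.key"
# Certificate signing request (prompts for the subject fields, including Common Name)
openssl req -new -key "$cert.key" -out "$cert.csr"
# Self-sign the request with the same key, valid for 365 days
openssl x509 -req -days 365 -in "$cert.csr" -signkey "$cert.key" -out "$cert.crt"

echo -e " The Certificate and Key for $cert has been generated!\nPlease link it to Apache SSL available website!"
ls -all /etc/httpd/ssl
exit 0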

5. Now make this script executable and launch it to generate a new pair of Certificate and Key for your Apache SSL Virtual Host.

Fill it in with your information and pay attention to the Common Name value, which must match your server FQDN or, in the case of a Virtual Host, the web address you will use when connecting to the secured website.

# chmod +x /usr/local/bin/apache_ssl
# apache_ssl

6. After the Certificate and Key have been generated, the script presents a long listing of all your Apache SSL pairs stored in the /etc/httpd/ssl/ location.

7. Another approach to generating SSL Certificates and Keys is to install the crypto-utils package on your system and generate the pairs with the genkey command, which can cause some problems, especially when used on a Putty terminal screen.

Therefore, I suggest using this method only when you are directly connected to a screen monitor.

# yum install crypto-utils
# genkey your_FQDN

8. To add the new Certificate and Key to your SSL website, open your website configuration file and replace the locations in the SSLCertificateFile and SSLCertificateKeyFile statements with the location and names of the new pair accordingly.

9. If the certificate is not issued by a trusted CA - Certification Authority - or the hostname in the certificate does not match the hostname that establishes the connection, an error should be displayed in your browser and you must manually accept the certificate.
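To catch a wrong Common Name, a mismatched key or loose key permissions before pointing SSLCertificateFile and SSLCertificateKeyFile at a new pair, the following added example (not part of the original tutorial) checks a pair generated by apache_ssl. The function name check_ssl_pair is hypothetical; it assumes the FQDN.crt / FQDN.key naming used by the script above and GNU stat.

```bash
#!/bin/bash
# Added example: sanity-check a certificate/key pair before wiring it into Apache.
# Usage: check_ssl_pair <fqdn> [directory]   (directory defaults to /etc/httpd/ssl)
check_ssl_pair() {
    local fqdn=$1 dir=${2:-/etc/httpd/ssl}
    local crt="$dir/$fqdn.crt" key="$dir/$fqdn.key" rc=0

    [ -r "$crt" ] && [ -r "$key" ] || { echo "FAIL: missing $crt or $key"; return 2; }

    # 1. The certificate must carry the public half of this private key.
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
        echo "OK:   certificate and key belong together"
    else
        echo "FAIL: certificate does not match the private key"; rc=1
    fi

    # 2. The Common Name must equal the name clients will connect to (step 5).
    local cn
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p')
    if [ "$cn" = "$fqdn" ]; then
        echo "OK:   Common Name is $cn"
    else
        echo "FAIL: Common Name is '$cn', expected '$fqdn'"; rc=1
    fi

    # 3. The certificate must not be expired (-checkend 0 means "valid right now").
    if openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "OK:   certificate is within its validity period"
    else
        echo "FAIL: certificate has expired"; rc=1
    fi

    # 4. The private key must not be accessible to group or others.
    local mode
    mode=$(stat -c %a "$key")
    case "$mode" in
        ?00) echo "OK:   key mode is $mode" ;;
        *)   echo "FAIL: key mode is $mode, group/other can access it"; rc=1 ;;
    esac
    return $rc
}
```

Run it as root, for example `check_ssl_pair your_FQDN`; a non-zero exit status means at least one check failed.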

That's it! Now you can use apache_ssl as a command line on RHEL/CentOS 7.0 to generate as many pairs of self-signed Certificates and Keys as you need, and all of them will be kept in the /etc/httpd/ssl/ path with the Key file protected with 700 permissions.