91av免费观看_日韩视频在线免费看_日本xxxx色视频在线观看免费_伊人222综合网图片_国产二区三区在线_91麻豆麻豆

IT之道-艾銻知道

您當前位置: 主頁 > 資訊動態 > IT知識庫 >

服務器維護CentOS 7.3配置HTTPS服務


2020-06-10 16:27 作者:艾銻無限 瀏覽量:

服務器維護CentOS 7.3配置HTTPS服務

 
如何做好服務器維護?北京艾銻無限科技與你談談IT人員必須知道的服務器維護信息
 
服務器維護小知識環境為CentOS 7.3、httpd2.4.6

服務器維護小知識一 搭建證書

說明:
CA 主機為192.168.29.3
client主機為 192.168.29.100

服務器維護小知識1 生成私鑰

[root@centos7 ~]# (umask 077 ; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.....................++
...........................................................................................................................................................................................++
e is 65537 (0x10001)

服務器維護小知識2 生成自簽證書

[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem  -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
[root@centos7 ~]#

服務器維護小知識3 為CA提供所需的目錄及文件

(1)所需目錄,如果無,則創建
    /etc/pki/CA/certs/
    /etc/pki/CA/crl/
    /etc/pki/CA/newcerts/
(2)所需文件
[root@centos7 ~]# touch  /etc/pki/CA/serial #序列號文件
[root@centos7 ~]# touch  /etc/pki/CA/index.txt #數據庫文件
(3)
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial #維護ca的序列號

服務器維護小知識4 在client上進行如下操作

(1)創建放置公鑰私鑰的文件夾
[root@CentOS7 ~]# mkdir /etc/httpd/ssl
(2)生成自己的私鑰
[root@CentOS7 ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
...................................+++
e is 65537 (0x10001)
[root@CentOS7 ~]#
服務器維護小知識(3)請CA為自己生成公鑰
[root@CentOS7 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:Company
Organizational Unit Name (eg, section) []:OPS
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
服務器維護小知識(4)把生成的公鑰發送給CA
[root@CentOS7 ~]# scp  /etc/httpd/ssl/httpd.csr root@192.168.29.3:/tmp/
The authenticity of host '192.168.29.3 (192.168.29.3)' can't be established.
ECDSA key fingerprint is f2:2e:89:a2:8d:22:22:9c:a9:f8:c9:19:18:d3:b6:c4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.29.3' (ECDSA) to the list of known hosts.
root@192.168.29.3's password: 
httpd.csr                               100% 1005     1.0KB/s   00:00  

服務器維護小知識5 在CA主機上為client簽證

[root@centos7 ~]# openssl ca -in /tmp/httpd.csr  -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  3 02:54:23 2017 GMT
            Not After : Jun  3 02:54:23 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = Company
            organizationalUnitName    = OPS
            commonName                = www.test.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                5D:A9:5A:90:29:F3:3A:7F:76:BE:21:78:14:80:E5:FB:5E:03:D8:D9
            X509v3 Authority Key Identifier: 
                keyid:9E:1E:F3:84:4D:D0:79:E2:BD:DD:A8:50:29:6C:BA:0C:21:60:CA:96
Certificate is to be certified until Jun  3 02:54:23 2018 GMT (365 days)
Sign the certificate? [y/n]:y
 
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

服務器維護小知識6 把簽署的證書發給client

[root@centos7 ~]# scp  /etc/pki/CA/certs/httpd.crt   root@192.168.29.100:/etc/httpd/ssl/
The authenticity of host '192.168.29.100 (192.168.29.100)' can't be established.
ECDSA key fingerprint is 32:16:f3:2d:78:65:9f:a0:31:6c:dc:b9:24:e7:5a:8f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.29.100' (ECDSA) to the list of known hosts.
root@192.168.29.100's password: 
httpd.crt                               100% 5711     5.6KB/s   00:00    

服務器維護小知識二 HTTPS配置

服務器維護小知識7 安裝mod_ssl模塊

[root@CentOS7 ~]# yum install mod_ssl -y

8 修改配置文件/etc/httpd/conf.d/ssl.conf

DocumentRoot "/data/https"
ServerName www.test.com:443
    <Directory "data/https">
         AllowOverride None
         Require all granted
        </Directory>
SSLCertificateFile /etc/httpd/ssl/httpd.crt
 
SSLCertificateKeyFile  /etc/httpd/ssl/httpd.crt
注意:
并修該/etc/httpd/ssl/httpd.crt、/etc/httpd/ssl/httpd.crt兩個文件的屬性,確保apach為可讀就行,當然也可放在默認文件夾下,就不需要修改權限了。
[root@CentOS7 ~]#chmod  +r  /etc/httpd/ssl/httpd.key

服務器維護小知識9 檢查語法

[root@CentOS7 ~]# httpd -t
Syntax OK

服務器維護小知識10 修給默認頁面

[root@CentOS7 ~]# echo "www.test.com" > /data/https/index.html

服務器維護小知識11 啟動http服務

[root@CentOS7 ~]# systemctl start httpd.service

服務器維護小知識12 把CA 的自簽證書傳到桌面

[root@centos7 ~]# sz /etc/pki/CA/cacert.pem
改名為cacert.crt
 
雙擊導入IE瀏覽器

服務器維護小知識13 配置DNS解析

 www.test.com 為192.168.29.100
或者 修改windows 下的C:\Windows\Systeme32\drivers\etc\hosts文件
192.168.29.100  www.test.com    

服務器維護小知識14 打開IE瀏覽器測試

輸入https://www.test.com
 
好了 成功了 好用成就感呀!!
IT運維  我們選擇北京艾銻無限
以上文章由北京艾銻無限科技發展有限公司整理
 

 

相關文章

IT外包服務
二維碼 關閉
主站蜘蛛池模板: 国产性夜夜春夜夜爽1A片 | jizzjizz日本护士视频 | 欧美国产激情二区三区 | 调教小奴高潮惩罚PLAY露出 | 最新中文乱码字字幕在线 | 九九热re日本精品 | 又大又粗进去爽A片免费 | 国产精品无码不卡一区二区三区 | 欧美老少配性行为 | 免费看午夜无码福利专区 | 午夜男女无遮掩免费视频 | 久久人人爽人人爽人人片DVD | 在线免费观看一区二区 | 黄色影视在线观看 | mm131美女视频毛片 | 加勒比东京热无码国产AV | 久久婷婷五月综合中文字幕 | 国产乱人伦偷精品视频免 | 精品无码一区二区三区亚洲桃色 | av网站国产在线 | 铜铜铜铜铜铜铜铜好大无打码 | 欧美精品久久凉森玲梦 | 无码人妻丰满熟妇区BBBBXXXX | 国产超薄丝袜足底脚交国产 | 三年片在线观看大全 | 中文字幕精品一二三四五六七八 | 精品国产乱码久久久久软件 | 最新欧美一区二区 | 国产亚洲精品无码不卡 | 日韩精品一区二区三区色欲AV | 国产日产亚洲系列最新 | 国产hd老太婆中国老太60 | 最近中文字幕高清中文字幕无 | 成熟女人特级毛片www免费 | www.久久亚洲 | 麻豆视传媒在线观看 | 乱人伦中文视频在线观看 | 国产嫖妓风韵犹存对白 | 欧美天天澡天天爽日日A | 少妇午夜啪爽嗷嗷叫视频 | AV国产精品 |