Apache tls — различия между версиями
Материал из pNp Wiki
Andy (обсуждение | вклад) (→Включение TLS в Apache) |
Andy (обсуждение | вклад) (→Создание сертификата при помощи cli) |
||
| Строка 149: | Строка 149: | ||
[root@vm-01 certs]# ls -lahi /etc/pki/tls/private/vm-01.example.com.key | [root@vm-01 certs]# ls -lahi /etc/pki/tls/private/vm-01.example.com.key | ||
34004217 -rw-r--r--. 1 root root 1.7K Jan 31 10:00 /etc/pki/tls/private/vm-01.example.com.key | 34004217 -rw-r--r--. 1 root root 1.7K Jan 31 10:00 /etc/pki/tls/private/vm-01.example.com.key | ||
| + | [root@vm-01 certs]# | ||
| + | </syntaxhighlight> | ||
| + | Можно посмотреть содержимое сертификата: | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | [root@vm-01 certs]# openssl x509 -in /etc/pki/tls/certs/vm-01.example.com.crt -text -noout | ||
| + | Certificate: | ||
| + | Data: | ||
| + | Version: 3 (0x2) | ||
| + | Serial Number: 14504393413317360002 (0xc949f4f63b4bf982) | ||
| + | Signature Algorithm: sha256WithRSAEncryption | ||
| + | Issuer: C=RU, ST=Moscow, L=Moscow, O=Horns and Hoofs, CN=vm-01.example.com | ||
| + | Validity | ||
| + | Not Before: Jan 31 07:00:26 2018 GMT | ||
| + | Not After : Jan 31 07:00:26 2019 GMT | ||
| + | Subject: C=RU, ST=Moscow, L=Moscow, O=Horns and Hoofs, CN=vm-01.example.com | ||
| + | Subject Public Key Info: | ||
| + | Public Key Algorithm: rsaEncryption | ||
| + | Public-Key: (2048 bit) | ||
| + | Modulus: | ||
| + | 00:dd:e1:1a:35:39:ae:11:1f:d1:69:80:a5:9d:53: | ||
| + | ae:6e:e2:33:2c:f3:6c:a6:00:48:fc:8b:ce:95:a9: | ||
| + | 3c:7e:47:0e:b7:1e:d0:5e:84:5b:4c:55:dd:ee:c7: | ||
| + | e5:cc:7c:a0:3b:a9:b2:96:da:5e:88:c0:c4:4a:d5: | ||
| + | 4c:50:29:0d:97:ce:fa:6b:59:47:91:c1:97:1e:71: | ||
| + | 78:d5:1b:47:fd:97:53:a6:cc:5c:c6:77:26:67:b0: | ||
| + | cf:8e:cd:f0:4f:26:d1:b2:41:22:ef:3e:82:1f:4f: | ||
| + | 8c:c5:64:78:91:00:7a:02:a0:89:50:16:7b:4b:ad: | ||
| + | 27:3f:8d:de:b3:01:e9:db:df:ec:02:b7:7b:d0:93: | ||
| + | 08:7e:4e:42:c5:ec:c8:fa:88:89:92:fd:d0:fa:7d: | ||
| + | 2f:3a:02:ec:9f:67:7c:19:4d:d2:a5:86:fb:e9:c7: | ||
| + | ca:af:39:2f:7b:12:b5:31:56:5c:21:94:e2:57:bd: | ||
| + | 2f:b1:cc:e7:29:b9:94:0e:bb:1b:4f:b6:5c:19:1e: | ||
| + | df:7c:12:d6:74:a7:4a:0a:61:e8:24:a6:34:12:e6: | ||
| + | 2c:31:88:72:38:b2:8a:85:d4:0b:e7:81:95:52:09: | ||
| + | e2:ec:9b:59:a7:cb:00:c7:14:11:ae:ed:10:c3:7a: | ||
| + | bf:d9:de:24:68:0a:7d:b8:4b:1d:80:22:15:b0:64: | ||
| + | 5c:6f | ||
| + | Exponent: 65537 (0x10001) | ||
| + | X509v3 extensions: | ||
| + | X509v3 Subject Key Identifier: | ||
| + | 0D:85:9C:7A:6D:B2:E7:EF:26:A7:E6:A3:05:33:A4:05:4C:36:BF:56 | ||
| + | X509v3 Authority Key Identifier: | ||
| + | keyid:0D:85:9C:7A:6D:B2:E7:EF:26:A7:E6:A3:05:33:A4:05:4C:36:BF:56 | ||
| + | |||
| + | X509v3 Basic Constraints: | ||
| + | CA:TRUE | ||
| + | Signature Algorithm: sha256WithRSAEncryption | ||
| + | ae:bb:57:86:46:e8:42:a5:33:50:8e:f5:5e:3e:c0:eb:68:aa: | ||
| + | b9:3a:7e:4c:be:ba:0e:13:1d:5a:ed:13:c5:26:08:4a:99:5a: | ||
| + | d4:1f:18:22:d7:e1:12:50:e8:1a:44:5b:7d:0b:dd:e6:04:29: | ||
| + | 4a:c1:ed:b9:4b:e0:56:34:77:0f:61:2f:40:90:a7:fa:82:b0: | ||
| + | a1:7a:9a:ea:4f:5f:f8:c2:bb:7f:3a:2d:23:bc:92:95:5a:a5: | ||
| + | bf:d2:e2:74:d2:8f:78:fe:90:dc:92:d6:e4:2f:42:5e:2b:e3: | ||
| + | 55:85:76:a9:bb:2a:0c:5a:c9:80:5a:fe:e4:ae:37:7c:31:54: | ||
| + | 7a:32:4d:c3:7c:2c:13:db:32:37:59:d3:50:6c:ee:83:3c:c1: | ||
| + | 4e:71:4f:a6:73:08:52:4c:97:45:0f:ca:02:82:8b:09:4f:00: | ||
| + | b6:d5:7b:51:6d:b9:42:eb:24:ae:2d:4e:57:c8:53:3e:cd:17: | ||
| + | 32:00:ae:bb:98:8c:ff:eb:db:fb:5e:d3:7f:e0:93:1f:44:59: | ||
| + | 97:5c:f7:65:76:b1:97:6d:c2:3e:21:49:6e:3d:7e:57:b3:cb: | ||
| + | b4:3b:d4:13:31:f1:7a:c0:2c:5c:5a:44:d5:0e:45:e4:bf:e7: | ||
| + | f8:5e:13:35:b2:0a:fd:22:57:6a:a9:f1:5e:e9:11:fc:dc:f0: | ||
| + | 60:1f:0f:58 | ||
[root@vm-01 certs]# | [root@vm-01 certs]# | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Версия 10:07, 31 января 2018
Содержание
Конфигурирование Apache. Конфигурация TLS
Предварительные требования
- Виртуальная машина с двумя сетевыми интерфейсами
- Установленные пакеты:
bash-completion,policycoreutils,policycoreutils-python,policycoreutils-devel,setroubleshoot-server,httpd,httpd-manual,elinks,curl,perl,openssl,mod-ssl
Включение TLS в Apache
Установим mod_ssl
[root@vm-01 ~]# yum install -y mod_ssl crypto-utils
После инсталляции пакета, у нас появился файл /etc/httpd/conf.d/ssl.conf в котором указываются настройки защищенного
соединения для вебсервера. Нам нужно дописать в него параметр -SSLv3 в секцию SSLProtocol:
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3
Далее следует создать сертификат. Сделать это можно несколькими способами:
Создание сертификата при помощи cli
Помнить все ключи для openssl не обязательно, достаточно поглядеть в имеющихся Makefile'ах:
[root@vm-01 certs]# rpm -ql openssl | head
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl
/etc/pki/CA/newcerts
/etc/pki/CA/private
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
[root@vm-01 certs]#
Посмотрим содержимое /etc/pki/tls/certs/Makefile:
[root@vm-01 certs]# cat /etc/pki/tls/certs/Makefile
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
SERIAL=0
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem
usage:
@echo "This makefile allows you to create:"
@echo " o public/private key pairs"
@echo " o SSL certificate signing requests (CSRs)"
@echo " o self-signed SSL test certificates"
@echo
@echo "To create a key pair, run \"make SOMETHING.key\"."
@echo "To create a CSR, run \"make SOMETHING.csr\"."
@echo "To create a test certificate, run \"make SOMETHING.crt\"."
@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
@echo
@echo "To create a key for use with Apache, run \"make genkey\"."
@echo "To create a CSR for use with Apache, run \"make certreq\"."
@echo "To create a test certificate for use with Apache, run \"make testcert\"."
@echo
@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
@echo
@echo Examples:
@echo " make server.key"
@echo " make server.csr"
@echo " make server.crt"
@echo " make stunnel.pem"
@echo " make genkey"
@echo " make certreq"
@echo " make testcert"
@echo " make server.crt SERIAL=1"
@echo " make stunnel.pem SERIAL=2"
@echo " make testcert SERIAL=3"
%.pem:
umask 77 ; \
PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
cat $$PEM1 > $@ ; \
echo "" >> $@ ; \
cat $$PEM2 >> $@ ; \
$(RM) $$PEM1 $$PEM2
%.key:
umask 77 ; \
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
%.csr: %.key
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -out $@
%.crt: %.key
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)
TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt
genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)
$(CSR): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)
$(CRT): $(KEY)
umask 77 ; \
/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)
[root@vm-01 certs]#
Для создания crt сертификата нам подойдет нижняя строка, с небольшой модификацией:
[root@vm-01 certs]# /usr/bin/openssl req -new -nodes -x509 -days 365 -out /etc/pki/tls/certs/vm-01.example.com.crt -keyout /etc/pki/tls/private/vm-01.example.com.key
Generating a 2048 bit RSA private key
........................................+++
........................................+++
writing new private key to '/etc/pki/tls/private/vm-01.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:RU
State or Province Name (full name) []:Moscow
Locality Name (eg, city) [Default City]:Moscow
Organization Name (eg, company) [Default Company Ltd]:Horns and Hoofs
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:vm-01.example.com
Email Address []:
[root@vm-01 certs]#
Проверим наличие нужных файлов:
[root@vm-01 certs]# ls -lahi /etc/pki/tls/certs/vm-01.example.com.crt
57343108 -rw-r--r--. 1 root root 1.3K Jan 31 10:00 /etc/pki/tls/certs/vm-01.example.com.crt
[root@vm-01 certs]# ls -lahi /etc/pki/tls/private/vm-01.example.com.key
34004217 -rw-r--r--. 1 root root 1.7K Jan 31 10:00 /etc/pki/tls/private/vm-01.example.com.key
[root@vm-01 certs]#
Можно посмотреть содержимое сертификата:
[root@vm-01 certs]# openssl x509 -in /etc/pki/tls/certs/vm-01.example.com.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 14504393413317360002 (0xc949f4f63b4bf982)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=RU, ST=Moscow, L=Moscow, O=Horns and Hoofs, CN=vm-01.example.com
Validity
Not Before: Jan 31 07:00:26 2018 GMT
Not After : Jan 31 07:00:26 2019 GMT
Subject: C=RU, ST=Moscow, L=Moscow, O=Horns and Hoofs, CN=vm-01.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:dd:e1:1a:35:39:ae:11:1f:d1:69:80:a5:9d:53:
ae:6e:e2:33:2c:f3:6c:a6:00:48:fc:8b:ce:95:a9:
3c:7e:47:0e:b7:1e:d0:5e:84:5b:4c:55:dd:ee:c7:
e5:cc:7c:a0:3b:a9:b2:96:da:5e:88:c0:c4:4a:d5:
4c:50:29:0d:97:ce:fa:6b:59:47:91:c1:97:1e:71:
78:d5:1b:47:fd:97:53:a6:cc:5c:c6:77:26:67:b0:
cf:8e:cd:f0:4f:26:d1:b2:41:22:ef:3e:82:1f:4f:
8c:c5:64:78:91:00:7a:02:a0:89:50:16:7b:4b:ad:
27:3f:8d:de:b3:01:e9:db:df:ec:02:b7:7b:d0:93:
08:7e:4e:42:c5:ec:c8:fa:88:89:92:fd:d0:fa:7d:
2f:3a:02:ec:9f:67:7c:19:4d:d2:a5:86:fb:e9:c7:
ca:af:39:2f:7b:12:b5:31:56:5c:21:94:e2:57:bd:
2f:b1:cc:e7:29:b9:94:0e:bb:1b:4f:b6:5c:19:1e:
df:7c:12:d6:74:a7:4a:0a:61:e8:24:a6:34:12:e6:
2c:31:88:72:38:b2:8a:85:d4:0b:e7:81:95:52:09:
e2:ec:9b:59:a7:cb:00:c7:14:11:ae:ed:10:c3:7a:
bf:d9:de:24:68:0a:7d:b8:4b:1d:80:22:15:b0:64:
5c:6f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
0D:85:9C:7A:6D:B2:E7:EF:26:A7:E6:A3:05:33:A4:05:4C:36:BF:56
X509v3 Authority Key Identifier:
keyid:0D:85:9C:7A:6D:B2:E7:EF:26:A7:E6:A3:05:33:A4:05:4C:36:BF:56
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
ae:bb:57:86:46:e8:42:a5:33:50:8e:f5:5e:3e:c0:eb:68:aa:
b9:3a:7e:4c:be:ba:0e:13:1d:5a:ed:13:c5:26:08:4a:99:5a:
d4:1f:18:22:d7:e1:12:50:e8:1a:44:5b:7d:0b:dd:e6:04:29:
4a:c1:ed:b9:4b:e0:56:34:77:0f:61:2f:40:90:a7:fa:82:b0:
a1:7a:9a:ea:4f:5f:f8:c2:bb:7f:3a:2d:23:bc:92:95:5a:a5:
bf:d2:e2:74:d2:8f:78:fe:90:dc:92:d6:e4:2f:42:5e:2b:e3:
55:85:76:a9:bb:2a:0c:5a:c9:80:5a:fe:e4:ae:37:7c:31:54:
7a:32:4d:c3:7c:2c:13:db:32:37:59:d3:50:6c:ee:83:3c:c1:
4e:71:4f:a6:73:08:52:4c:97:45:0f:ca:02:82:8b:09:4f:00:
b6:d5:7b:51:6d:b9:42:eb:24:ae:2d:4e:57:c8:53:3e:cd:17:
32:00:ae:bb:98:8c:ff:eb:db:fb:5e:d3:7f:e0:93:1f:44:59:
97:5c:f7:65:76:b1:97:6d:c2:3e:21:49:6e:3d:7e:57:b3:cb:
b4:3b:d4:13:31:f1:7a:c0:2c:5c:5a:44:d5:0e:45:e4:bf:e7:
f8:5e:13:35:b2:0a:fd:22:57:6a:a9:f1:5e:e9:11:fc:dc:f0:
60:1f:0f:58
[root@vm-01 certs]#
