搭建基于8008端口号的安全服务器,可使用https: //web2.mydomain.com:8008地址访问,主目录是/var/www/web2,使用CA颁发证书进行安全认证。 “CSK Global Root CA”颁发机构颁发,网站证书信息如下: C = CN ST = China L = GuangZhou O = mydomain.com OU = Operations Departments CN = web2.mydomain.com
[root@webserver certs]# make server.csr umask 77 ; \ /usr/bin/openssl req -utf8 -new -key server.key -out server.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:China Locality Name (eg, city) [Default City]:GuangZhou Organization Name (eg, company) [Default Company Ltd]:ymx.com Organizational Unit Name (eg, section) []:Operations Deoartments Common Name (eg, your name or your server's hostname) []:web2.ymx.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: [root@webserver certs]# openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365 [root@webserver certs]# chmod 400 server.* [root@webserver certs]# yum -y install httpd mod_ssl [root@webserver certs]# systemctl restart httpd
1. 修改OpenSSL配置文件
1 2 3 4
vim /etc/pki/tls/openssl.cnf //打开OpenSSL配置文件修改以下 my-ca.crt my-ca.crl my-ca.key
[ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CN countryName_min = 2 countryName_max = 2
stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = China
localityName = Locality Name (eg, city) localityName_default = GuangZhou
0.organizationName = Organization Name (eg, company) 0.organizationName_default = ymx.com
# we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) #1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = Operations Deoartments
openssl req -new -key server.key -out server.csr //证书申请 ls //查看目录 openssl ca -in server.csr -out server.crt //生成公钥文件,输入密码,两次确认
三、在DNS服务器(Server)上添加记录
1. 添加正向区域记录
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
vim /var/named/ymx.com.zone //打开正向区域文件 $TTL 1D @ IN SOA dns ymx.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS dns dns A 192.168.1.10 www A 192.168.1.100 web1 A 192.168.1.100 //添加这两条 web2 A 192.168.1.100 mail A 192.168.1.200 ftp CNAME www mail MX 10 mail
2. 添加反向区域记录
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
vim /var/named/1.168.192.zone //打开反向区域配置文件 $TTL 1D @ IN SOA dns ymx.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS dns dns A 192.168.1.10 10 PTR dns.ymx.com. 100 PTR web1.ymx.com. //添加这两条 100 PTR web2.ymx.com. 100 PTR www.ymx.com. 100 PTR ftp.ymx.com. 200 PTR mail.ymx.com.