How to Create SSL Certificates and Keys for Apache on RHEL/CentOS 7.0


SSL (Secure Sockets Layer) is a cryptographic protocol that allows secure data exchange between a server and its clients using asymmetric (public/private) keys and a digital certificate signed by a Certificate Authority (CA).

  1. Basic LAMP installation on RHEL/CentOS 7.0

This tutorial explains how to set up the Secure Sockets Layer (SSL) cryptographic communication protocol on an Apache web server installed on Red Hat Enterprise Linux/CentOS 7.0, and how to generate self-signed Certificates and Keys with the help of a bash script that greatly simplifies the whole process.

Step 1: Install and Configure Apache SSL

1. To enable SSL on the Apache HTTP server, use the following command to install the SSL module and the OpenSSL toolkit, which are required for SSL/TLS support.

# yum install mod_ssl openssl

2. After the SSL module is installed, restart the HTTPD daemon and add a new firewall rule to make sure the SSL port (443) is open to outside connections and in a listening state on your machine.

# systemctl restart httpd
# firewall-cmd --add-service=https   ## On-fly rule

# firewall-cmd --permanent  --add-service=https   ## Permanent rule – needs firewalld restart

3. To test the SSL connection, open a browser on a remote machine and navigate to your server's IP address using the HTTPS protocol: https://server_IP.

Step 2: Create SSL Certificates and Keys

4. The SSL communication tested above between the server and the client used the certificate and key that were generated automatically at installation time. To generate new private keys and self-signed certificate pairs, create the following bash script somewhere on the system's executable path (PATH).

For this tutorial the /usr/local/bin/ path was chosen. Make sure the script has the executable bit set and then use it as a command to generate new SSL pairs under /etc/httpd/ssl/, the default location for the Certificates and Keys.

# nano /usr/local/bin/apache_ssl

Use the following file content.

#!/bin/bash
# Create /etc/httpd/ssl if it does not exist yet (mkdir without -p fails on the second run)
mkdir -p /etc/httpd/ssl
cd /etc/httpd/ssl || exit 1

echo -e "Enter your virtual host FQDN: \nThis will generate the default name for Apache SSL Certificate and Key!"
read -r cert

# 2048-bit RSA private key, readable only by its owner (root)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$cert.key"
chmod 600 "$cert.key"
# Certificate signing request, then a self-signed certificate valid for one year
openssl req -new -key "$cert.key" -out "$cert.csr"
openssl x509 -req -days 365 -in "$cert.csr" -signkey "$cert.key" -out "$cert.crt"

echo -e "The Certificate and Key for $cert has been generated!\nPlease link it to Apache SSL available website!"
ls -al /etc/httpd/ssl
exit 0

5. Now make the script executable and run it to generate a new Certificate and Key for an Apache SSL Virtual Host.

Fill in the prompts with your information and pay attention to the Common Name value: it must match the server FQDN or, in the case of Virtual Hosting, the web address that clients will type when connecting to the secure website.

# chmod +x /usr/local/bin/apache_ssl
# apache_ssl

6. After the Certificate and Key have been generated, the script prints a long listing of all your Apache SSL pairs stored in the /etc/httpd/ssl/ location.

7. Another way of generating SSL Certificates and Keys is to install the crypto-utils package on your system and generate the pairs with the genkey command, which can cause some problems, especially when used on a PuTTY terminal screen.

Therefore, I recommend using this method only when you are connected directly to the machine's console.

# yum install crypto-utils
# genkey your_FQDN

8. To add the new Certificate and Key to your SSL website, open the website's configuration file and replace the SSLCertificateFile and SSLCertificateKeyFile statements with the two new file locations and names.

9. If the certificate was not issued by a Certificate Authority, or the hostname in the certificate does not match the hostname used to establish the web connection, an error will appear in your browser and you will have to accept the certificate manually.
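Before pointing SSLCertificateFile and SSLCertificateKeyFile at the new files, it is worth confirming that the pair is consistent: that the key is not world-readable, that the certificate was really issued for that key, that its Common Name matches the host name clients will use (the mismatch described in step 9), and that it is not about to expire. The script below is an added example, not part of the tutorial; it assumes OpenSSL 1.0.2 or later (for -checkhost) and GNU stat, and make_test_pair builds a constructed pair for exercising the check.

```shell
#!/bin/bash
# Added example: sanity-check an Apache SSL pair before linking it in httpd.
# Assumes OpenSSL >= 1.0.2 (openssl x509 -checkhost) and GNU coreutils stat.

# check_ssl_pair CERT KEY FQDN [DAYS]
# Returns 0 only when every check passes; each failure is reported on stderr.
check_ssl_pair() {
    local cert="$1" key="$2" fqdn="$3" days="${4:-30}" rc=0 mode cpub kpub

    # 1. The private key must be readable by its owner only (the script uses 600).
    mode=$(stat -c '%a' "$key") || return 1
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "FAIL: $key has mode $mode, expected 600 or 400" >&2; rc=1
    fi

    # 2. Certificate and key must carry the same public key; otherwise httpd
    #    refuses to start, or the wrong key was linked to this certificate.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$kpub" ] || [ "$cpub" != "$kpub" ]; then
        echo "FAIL: $cert does not match $key" >&2; rc=1
    fi

    # 3. Common Name / SAN must match the host name clients will connect to.
    if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null | grep -q 'does match'; then
        echo "FAIL: $cert is not valid for host $fqdn" >&2; rc=1
    fi

    # 4. Warn before the one-year self-signed certificate silently expires.
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $days days" >&2; rc=1
    fi
    return $rc
}

# make_test_pair DIR FQDN
# Constructed, non-interactive variant of the tutorial script, used only to
# produce a self-signed pair for testing check_ssl_pair.
make_test_pair() {
    local dir="$1" fqdn="$2"
    mkdir -p "$dir"
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$fqdn.key" 2>/dev/null
    chmod 600 "$dir/$fqdn.key"
    openssl req -new -x509 -days 365 -key "$dir/$fqdn.key" -subj "/CN=$fqdn" \
        -config "$dir/req.cnf" -out "$dir/$fqdn.crt" 2>/dev/null
}
```

Run it as `check_ssl_pair /etc/httpd/ssl/www.example.com.crt /etc/httpd/ssl/www.example.com.key www.example.com` after step 5; a non-zero exit means the pair should not be linked yet.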

That's it! You can now use apache_ssl as a command on RHEL/CentOS 7.0 to generate as many Certificate and Key pairs as you need; they will all be kept under the /etc/httpd/ssl/ path, with the Key file protected by 700 permissions.