How to Create a Local Self-Signed SSL Certificate on CentOS 8


SSL (Secure Socket Layer), and its improved version, TLS (Transport Layer Security), are security protocols used to secure web traffic sent from a client's web browser to a web server.

An SSL certificate is a digital certificate that creates a secure channel between a client's browser and a web server. In doing so, sensitive and confidential data such as credit card details, login credentials, and other highly private information is encrypted, preventing attackers from eavesdropping on and stealing the information.

A self-signed SSL certificate, unlike other SSL certificates that are signed and trusted by a Certificate Authority (CA), is a certificate signed by the individual who owns it.

It is completely free to create one, and it is a cheap way of encrypting your locally hosted web server. However, using self-signed SSL certificates is highly discouraged in production environments for the following reasons:

  1. Since it is not signed by a Certificate Authority, a self-signed SSL certificate triggers warnings in web browsers, alerting users to the potential risk ahead if they decide to proceed. These warnings are undesirable and will discourage users from visiting your website, potentially leading to a decline in web traffic. As a workaround for these warnings, organizations often encourage their employees to simply ignore the warnings and proceed. This may breed a dangerous habit among users, who may decide to keep ignoring these warnings on other websites, potentially falling victim to phishing sites.
  2. Self-signed certificates have a low security level since they implement low-level cipher technologies and hashes. The security level may therefore not be on par with standard security policies.
  3. Additionally, there is no support for Public Key Infrastructure (PKI) functions.

That said, using a self-signed SSL certificate is not a bad idea for testing services and applications on a local machine that require TLS/SSL encryption.

In this guide, you will learn how to install a local self-signed SSL certificate on the Apache localhost web server on a CentOS 8 server system.

Before getting started, ensure that you have the following basic requirements:

  1. An instance of CentOS 8 server.
  2. Apache web server installed on the server.
  3. A hostname already configured and defined in the /etc/hosts file. For this guide, we will use tecmint.local as the hostname for our server.

Step 1: Install Mod_SSL on CentOS

1. To get started, you need to make sure that the Apache web server is installed.

$ sudo systemctl status httpd

Here is the expected output.

If the web server is not running, you can start and enable it using the commands:

$ sudo systemctl start httpd
$ sudo systemctl enable httpd

You can then verify that Apache is up and running.

2. To enable the installation and setup of a local self-signed SSL certificate, the mod_ssl package is required.

$ sudo dnf install mod_ssl

Once installed, you can verify the installation by running:

$ sudo rpm -q mod_ssl

Also, make sure that the OpenSSL package is installed (OpenSSL comes installed by default in CentOS 8).

$ sudo rpm -q openssl 

Step 2: Create a Local Self-Signed SSL Certificate for Apache

3. With the Apache web server and all the prerequisites in check, you need to create a directory in which the cryptographic keys will be stored.

In this example, we have created the directory at /etc/ssl/private.

$ sudo mkdir -p /etc/ssl/private

Now create the local SSL certificate key and file using the command:

$ sudo openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ssl/private/tecmint.local.key -out /etc/ssl/private/tecmint.local.crt

Let's look at what some of the options in the command actually do:

  • req -x509 - This indicates that we are using the x509 Certificate Signing Request (CSR).
  • -nodes - This option instructs OpenSSL to skip encrypting the SSL certificate with a passphrase. The idea here is to allow Apache to read the file without any user intervention, which would not be possible if a passphrase were set.
  • -newkey rsa:2048 - This indicates that we want to create a new key and a new certificate at the same time. The rsa:2048 part specifies that we want to create a 2048-bit RSA key.
  • -keyout - This option specifies where to store the generated private key file upon creation.
  • -out - This option specifies where to place the created SSL certificate.
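As an added example (not part of the original guide), the script below runs a non-interactive variant of the same openssl command and then checks the result: that the key and certificate belong together, that the guide's hostnames appear in subjectAltName, and that issuer and subject are identical. The function names, -days 365, -subj, -addext (OpenSSL 1.1.1 or later) and the scratch directory are assumptions; on the server the files belong in /etc/ssl/private.

```bash
#!/usr/bin/env bash
# Added example: non-interactive variant of the guide's openssl command plus
# checks on the result. Function names, -days 365 and the scratch directory are
# assumptions; on the server the files go in /etc/ssl/private (run as root).
set -eu

HOST="tecmint.local"    # hostname used throughout this guide

make_cert() {           # usage: make_cert <output-dir>
    # Subshell keeps the restrictive umask local: the key is created owner-only.
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 365 \
          -subj "/CN=${HOST}" \
          -addext "subjectAltName=DNS:${HOST},DNS:www.${HOST}" \
          -keyout "$1/${HOST}.key" -out "$1/${HOST}.crt" 2>/dev/null )
    chmod 600 "$1/${HOST}.key"
    chmod 644 "$1/${HOST}.crt"
}

# True only if the certificate carries the public key of this private key.
key_matches_cert() {    # usage: key_matches_cert <key> <crt>
    [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
      "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# True only if <dns-name> is listed in the certificate's subjectAltName.
cert_has_san() {        # usage: cert_has_san <crt> <dns-name>
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | tr -d ' ' \
        | grep -Fx "DNS:$2" >/dev/null
}

# True only if issuer and subject are the same name, as in a self-signed cert.
is_self_signed() {      # usage: is_self_signed <crt>
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
      "$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')" ]
}

tmp=$(mktemp -d)        # scratch directory so the demo runs without root
trap 'rm -rf "$tmp"' EXIT
make_cert "$tmp"
key_matches_cert "$tmp/${HOST}.key" "$tmp/${HOST}.crt" && echo "key matches certificate"
cert_has_san "$tmp/${HOST}.crt" "www.${HOST}" && echo "SAN covers www.${HOST}"
is_self_signed "$tmp/${HOST}.crt" && echo "issuer == subject (self-signed)"
```

Because -nodes leaves the private key unencrypted on disk, the 600 mode set here is the only thing restricting who can read it.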

Step 3: Install the Local Self-Signed SSL Certificate on Apache

4. Having created the SSL certificate file, it is now time to install the certificate using the Apache web server's settings. Open and edit the configuration file /etc/httpd/conf.d/ssl.conf.

$ sudo vi /etc/httpd/conf.d/ssl.conf

Make sure that you have the following lines between the virtual host tags.

<VirtualHost *:443>
    ServerAdmin [email 
    ServerName www.tecmint.local
    ServerAlias tecmint.local
 
    DocumentRoot /var/www/html
 
    SSLEngine on
    SSLCertificateFile /etc/ssl/private/tecmint.local.crt
    SSLCertificateKeyFile /etc/ssl/private/tecmint.local.key
</VirtualHost>

Save and exit the file. For the changes to take effect, restart Apache using the command:

$ sudo systemctl restart httpd

5. For external users to access your server, you need to open port 443 through the firewall as shown.

$ sudo firewall-cmd --add-port=443/tcp --zone=public --permanent
$ sudo firewall-cmd --reload

Step 4: Test the Local Self-Signed SSL Certificate on Apache

With all the configuration in place, open your browser and browse to your server using the server's IP address or domain name over the https protocol.

To streamline testing, you may consider redirecting HTTP to HTTPS on the Apache web server. That way, whenever you browse the domain over plain HTTP, the request is automatically redirected to HTTPS.

So browse to your server's domain or IP:

https://domain_name/

You will get a warning informing you that the connection is not secure, as shown. This will vary from one browser to another. As you may guess, the warning is due to the fact that the SSL certificate is not signed by a Certificate Authority; the browser detects this and reports that the certificate cannot be trusted.

To proceed to your website, click the 'Advanced' button as shown above:

Next, add an exception to the browser.

Finally, reload your browser and notice that you can now access the server, although there will be a warning in the URL bar that the site is not fully secure, for the same reason: the SSL certificate is self-signed and not signed by a Certificate Authority.

We hope that you can now go ahead and create and install a self-signed SSL certificate on the Apache localhost web server on CentOS 8.