Two-factor authentication on a site using a USB token. Now on Linux too

In one of our previous articles we talked about the importance of two-factor authentication on corporate portals. Last time we showed how to set up secure authentication on the IIS web server.

In the comments we were asked to write instructions for the most common Linux web servers - nginx and Apache.

You asked - we wrote.

What do you need to get started?

  • Any current Linux distribution. I did a test setup on MX Linux 18.2_x64. This is certainly not a server distribution, but there are unlikely to be any differences from Debian. On other distributions the paths to the libraries and config files may differ slightly.
  • A token. We continue to use the Rutoken EDS PKI model, which in terms of speed is well suited to corporate use.
  • To work with the token on Linux, you need to install the following packages:
    libccid libpcsclite1 pcscd pcsc-tools opensc

Issuing certificates

In the previous articles we relied on the server and client certificates being issued with Microsoft CA. But since we are setting everything up on Linux, we will also show an alternative way of issuing these certificates - without leaving Linux.
We will use XCA as the CA (https://hohnstaedt.de/xca/), which is available in any current Linux distribution. Everything we will do in XCA can also be done from the command line with OpenSSL and pkcs11-tool, but for simplicity and clarity we will not show that in this article.

Getting started

  1. Install:
    $ apt-get install xca
  2. And run:
    $ xca
  3. Create our CA database - /root/CA.xdb
    We recommend storing the Certificate Authority database in a folder that only the administrator can access. This is important to protect the private key of the root certificate, which is used to sign all other certificates.

Creating the keys and the root CA certificate

A public key infrastructure (PKI) is built as a hierarchy. At the top of this hierarchy is the root certification authority, or root CA. Its certificate must be created first.

  1. Create an RSA-2048 private key for the CA. To do this, on the Private Keys tab click New Key and select the appropriate type.
  2. Set a name for the new key pair. I named it CA Key.
  3. Issue the CA certificate itself, using the key pair just created. To do this, go to the Certificates tab and click New Certificate.
  4. Make sure you select SHA-256, since using SHA-1 is no longer considered secure.
  5. Make sure you select [default] CA as the template. Don't forget to click Apply all, otherwise the template is not applied.
  6. On the Subject tab, select our key pair. There you can also fill in the main fields of the certificate.

Creating the keys and the certificate for the https server

  1. In the same way, create an RSA-2048 private key for the server; I named it Server Key.
  2. When creating the certificate, choose that the server certificate must be signed with the CA certificate.
  3. Don't forget to select SHA-256.
  4. Select [default] HTTPS_server as the template. Click Apply all here too.
  5. Then on the Subject tab select our key and fill in the required fields.

Creating the keys and the user certificate

  1. The user's private key will be stored on our token. To work with it, you need to install the PKCS#11 library from our website. For popular distributions we provide ready-made packages, which are located here - https://www.rutoken.ru/support/download/pkcs/. We also have builds for arm64, armv7el, armv7hf, e2k and mipso32el, which can be downloaded from our SDK - https://www.rutoken.ru/developers/sdk/. Besides the Linux builds, there are also builds for macOS, FreeBSD and Android.
  2. Add a new PKCS#11 provider in XCA. To do this, go to the Options menu, PKCS#11 Provider tab.
  3. Click Add and select the path to the PKCS#11 library. In my case it is /usr/lib/librtpkcs11ecp.so.
  4. We will need a formatted Rutoken EDS PKI token. Download the rtAdmin utility - https://dev.rutoken.ru/pages/viewpage.action?pageId=7995615
  5. Run:
    $ rtAdmin -f -q -z /usr/lib/librtpkcs11ecp.so -u <user PIN>
  6. Select RSA-2048 key for Rutoken EDS PKI as the key type. I named this key Client Key.

  7. Enter the PIN. And wait for the hardware generation of the key pair on the token to finish.

  8. Create the user certificate by analogy with the server certificate. This time select the [default] HTTPS_client template, and don't forget to click Apply all.
  9. On the Subject tab, enter the information about the user. Answer yes to the prompt to save the certificate to the token.

As a result, on the Certificates tab in XCA you should get something like this.

This small set of keys and certificates is enough to start configuring the servers themselves.

For the configuration we need to export the CA certificate, the server certificate and the server's private key.

To do this, select the required entry on the corresponding tab in XCA and click Export.

Nginx

I won't describe how to install and run the nginx server - there are enough articles on this topic on the Internet, not to mention the official documentation. Let's go straight to setting up HTTPS and two-factor authentication with a token.

Add the following lines to the server section of nginx.conf:

server {
	listen 443 ssl;
	ssl_verify_depth 1;
	ssl_certificate /etc/nginx/Server.crt;
	ssl_certificate_key /etc/nginx/ServerKey.pem;
	ssl_client_certificate /etc/nginx/CA.crt;
	ssl_verify_client on;
}

A detailed description of all parameters related to the ssl configuration in nginx can be found here - https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

I will briefly describe the ones I set myself:

  • ssl_verify_client - specifies that the client certificate's chain of trust must be verified.
  • ssl_verify_depth - specifies how deep in the chain to look for a trusted root certificate. Since our client certificate is signed directly by the root certificate, the depth is set to 1. If the user certificate is signed by an intermediate CA, then this parameter must be set to 2, and so on.
  • ssl_client_certificate - specifies the path to the trusted root certificate used when checking trust in the user's certificate.
  • ssl_certificate/ssl_certificate_key - specify the path to the server certificate/private key.

Don't forget to run nginx -t to check that there are no typos in the config, that all the files are in the right place, and so on.

And that's it! As you can see, the setup is very simple.
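The certificate issuance steps above and the ssl_verify_depth explanation, as an added example that is not from the article or from Rutoken: it issues the same kind of root CA, HTTPS_server and HTTPS_client certificates with plain openssl (the route the article mentions but does not show), then runs the chain checks the web server performs. All names are constructed, the client key is a software key here rather than one generated on the token, and openssl is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not the article's code): XCA's templates redone with openssl.
# Constructed names; the client key is in software here, not on the token.
set -eu
WORK=$(mktemp -d); CFG="$WORK/ext.cnf"
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
# issue NAME SUBJECT EXT_SECTION ISSUER   (empty ISSUER = self-signed root CA)
issue() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  if [ -z "$4" ]; then
    openssl req -x509 -new -key "$WORK/$1.key" -sha256 -days 365 -subj "$2" \
      -config "$CFG" -extensions "$3" -out "$WORK/$1.crt"
  else
    openssl req -new -key "$WORK/$1.key" -subj "$2" -config "$CFG" -out "$WORK/$1.csr"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -sha256 -days 365 -extfile "$CFG" -extensions "$3" \
      -out "$WORK/$1.crt" 2>/dev/null
  fi
}
# verify_chain LEAF DEPTH [INTERMEDIATE] -> ok/fail, the decision nginx makes
verify_chain() {
  extra=""; [ -n "${3:-}" ] && extra="-untrusted $WORK/$3.crt"
  if openssl verify -CAfile "$WORK/ca.crt" -verify_depth "$2" $extra "$WORK/$1.crt" \
       >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# purpose_ok LEAF PURPOSE -> ok/fail, does the template's EKU fit the role
purpose_ok() {
  if openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$WORK/$1.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}
issue ca      "/CN=Test Root CA"        v3_ca     ""      # XCA: [default] CA
issue server  "/CN=portal.example.test" v3_server ca      # XCA: HTTPS_server
issue client  "/CN=Test User"           v3_client ca      # XCA: HTTPS_client
issue subca   "/CN=Test Intermediate"   v3_ca     ca      # extra: intermediate CA
issue client2 "/CN=Test User 2"         v3_client subca   # client signed by it
echo "direct, depth 1: $(verify_chain client 1); via intermediate, depth 0: $(verify_chain client2 0 subca), depth 2: $(verify_chain client2 2 subca)"
```

The files stay in the temporary directory so you can point the nginx or Apache config at them for a local trial. Check the exact depth cut-off against your own OpenSSL build before relying on a specific ssl_verify_depth value.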

Checking that it works in Firefox

Since we did everything entirely on Linux, we will assume that our users work on Linux too (if they are on Windows, see the browser setup instructions in the previous article).

  1. Launch Firefox.
  2. First let's try to log in without the token. We get this picture:

  3. Go to about:preferences#privacy and open Security Devices...
  4. Click Load to add a new PKCS#11 Device Driver and specify the path to our librtpkcs11ecp.so.
  5. To check that the certificate is visible, open the Certificate Manager. You will be asked for your PIN. After entering it correctly, you can see on the Your Certificates tab that our certificate from the token has appeared.
  6. Now let's log in with the token. Firefox prompts you to choose the certificate to present to the server. Select our certificate.

  7. PROFIT!

The setup is done once, and as you can see in the certificate prompt, we can remember our choice. After that, every time we log in to the portal we only need to plug in the token and enter the user PIN set during formatting. After such authentication the server already knows which user has logged in, and you don't need to show any additional verification windows: you can let the user straight into their account.

Apache

Just as with nginx, nobody should have any trouble installing apache. If you don't know how to install this web server, just use the official documentation.

And we start setting up our HTTPS and two-factor authentication:

  1. First you need to enable mod_ssl:
    $ a2enmod ssl
  2. And then enable the default HTTPS site configuration:
    $ a2ensite default-ssl
  3. Now edit the configuration file /etc/apache2/sites-enabled/default-ssl.conf:
        SSLEngine on
        SSLProtocol all -SSLv2
    
        SSLCertificateFile	/etc/apache2/sites-enabled/Server.crt
        SSLCertificateKeyFile /etc/apache2/sites-enabled/ServerKey.pem
    
        SSLCACertificateFile /etc/apache2/sites-enabled/CA.crt
    
        SSLVerifyClient require
        SSLVerifyDepth  10

    As you can see, the parameter names correspond exactly to the parameter names in nginx, so I won't describe them. Again, anyone interested in the details is welcome to consult the documentation.
    Now restart our server:

    $ service apache2 reload
    $ service apache2 restart

  4. As you can see, setting up two-factor authentication on any web server, whether on Windows or Linux, takes an hour at most. And setting up the browsers takes about 5 minutes. Many people think that setting up and working with two-factor authentication is difficult and confusing. I hope our article dispels this myth, at least in part.


source: www.habr.com
