Two-factor authentication on a website using a USB token. Now also for Linux

In one of our previous articles we talked about the importance of two-factor authentication on corporate portals. Last time we showed how to set up secure authentication on an IIS web server.

In the comments we were asked to write instructions for the most popular web servers on Linux, nginx and Apache.

You asked, so we wrote them.

What do you need to get started?

  • Any modern Linux distribution. I did the test setup on MX Linux 18.2_x64. It is not a server distribution, but it is unlikely to differ from Debian in any way that matters here. On other distributions the paths to the libraries and utilities may differ slightly.
  • A token. We continue to use the Rutoken EDS PKI model, which is well suited to corporate use because of its speed.
  • To work with the token on Linux you need to install the following packages:
    libccid libpcsclite1 pcscd pcsc-tools opensc


Issuing certificates

In the previous articles we relied on the server and client certificates being issued by a Microsoft CA. Since this time we are setting everything up on Linux, we will also describe an alternative way to issue these certificates, without leaving Linux.
We will use XCA as the CA (https://hohnstaedt.de/xca/), which is available in any modern Linux distribution. Everything we do in XCA can also be done from the command line with the OpenSSL and pkcs11-tool utilities, but for simplicity and clarity we will not show that in this article.

Getting started

  1. Install it:
    $ apt-get install xca
  2. And run it:
    $ xca
  3. Create our CA database: /root/CA.xdb
    We recommend keeping the Certificate Authority database in a folder that only the administrator can access. This matters because it protects the private keys of the root certificates, which are used to sign every other certificate.

Creating the root CA key and certificate

A public key infrastructure (PKI) is built as a hierarchy. The main element of this hierarchy is the root certificate authority, or root CA. Its certificate must be created first.

  1. Create an RSA-2048 private key for the CA. To do this, on the Private Keys tab press New Key and select the appropriate type.
  2. Give the new key pair a name. I called it CA Key.
  3. Issue the CA certificate itself using the key pair just created. To do this, go to the Certificates tab and click New Certificate.
  4. Be sure to select SHA-256, because SHA-1 is no longer considered secure.
  5. Be sure to select [default] CA as the template. Don't forget to click Apply all, otherwise the template is not applied.
  6. On the Subject tab select our key pair. There you can fill in all the main fields of the certificate.


Creating the key and certificate for the HTTPS server

  1. In the same way, create an RSA-2048 private key for the server. I called it Server Key.
  2. When creating the certificate, choose that the server certificate should be signed by the CA certificate.
  3. Don't forget to select SHA-256.
  4. Select [default] HTTPS_server as the template. Click Apply all.
  5. Then on the Subject tab select our key and fill in the required fields.


Creating the user key and certificate

  1. The user's private key will be stored on our token. To work with it you need to install the PKCS#11 library from our website. For popular distributions we ship ready-made packages, available here - https://www.rutoken.ru/support/download/pkcs/. We also have builds for arm64, armv7el, armv7hf, e2k and mipso32el, which can be downloaded from our SDK - https://www.rutoken.ru/developers/sdk/. Besides the Linux builds there are also builds for macOS, FreeBSD and Android.
  2. Add the PKCS#11 provider to XCA. To do this, open the Options menu and go to the PKCS#11 Provider tab.
  3. Press Add and select the path to the PKCS#11 library. In my case it is /usr/lib/librtpkcs11ecp.so.
  4. We will need a formatted Rutoken EDS PKI token. Download the rtAdmin utility - https://dev.rutoken.ru/pages/viewpage.action?pageId=7995615
  5. Run:
    $ rtAdmin -f -q -z /usr/lib/librtpkcs11ecp.so -u <user PIN>
  6. Select RSA-2048 key Rutoken EDS PKI as the key type. I called this key Client Key.
  7. Enter the PIN code and wait for the key pair to be generated on the token.
  8. Create the user certificate in the same way as the server certificate. This time select the [default] HTTPS_client template, and don't forget to click Apply all.
  9. On the Subject tab enter the information about the user. Answer yes when asked whether to save the certificate to the token.

As a result, the Certificates tab in XCA should look something like this.

This small set of keys and certificates is enough to start configuring the servers themselves.

For the configuration we need to export the CA certificate, the server certificate and the server's private key.

To do this, select the desired entry on the corresponding tab in XCA and click Export.
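The article notes that the XCA steps above can also be done with OpenSSL and pkcs11-tool but does not show them. The following shell script is an added example, not from the article or from Rutoken: it builds the same root CA, HTTPS server and client certificates with openssl, using the same file names the nginx and Apache sections expect (CA.crt, Server.crt, ServerKey.pem). It assumes openssl 1.1 or newer and an output directory passed as the first argument; the client key is generated in software only so the script runs anywhere, whereas with a Rutoken the key pair is generated on the token and only the CSR leaves it.

```shell
#!/bin/sh
# Added example (not the article's code): the XCA procedure redone with openssl.
# Assumes openssl >= 1.1. All files are written into the directory given as $1.
# The client key is a software key here for portability; with a Rutoken it is
# generated on the token (rtAdmin / pkcs11-tool) and only the CSR is exported.
set -eu

# issue DIR NAME CA DAYS EXT...: sign DIR/NAME.csr with DIR/CA.crt and
# DIR/CAKey.pem using SHA-256, applying one x509 extension per EXT argument.
issue() {
    d=$1; n=$2; ca=$3; days=$4; shift 4
    printf '%s\n' "$@" > "$d/$n.ext"
    openssl x509 -req -sha256 -days "$days" -in "$d/$n.csr" \
        -CA "$d/$ca.crt" -CAkey "$d/${ca}Key.pem" -CAcreateserial \
        -out "$d/$n.crt" -extfile "$d/$n.ext" 2>/dev/null
}

make_pki() {
    d=$1; mkdir -p "$d"
    # Root CA: RSA-2048 key plus a self-signed SHA-256 certificate
    # (the article's "CA Key" and [default] CA template).
    openssl genrsa -out "$d/CAKey.pem" 2048 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/CA.ext"
    openssl req -new -sha256 -key "$d/CAKey.pem" -subj "/CN=Example Root CA" -out "$d/CA.csr"
    openssl x509 -req -sha256 -days 3650 -in "$d/CA.csr" -signkey "$d/CAKey.pem" \
        -extfile "$d/CA.ext" -out "$d/CA.crt" 2>/dev/null
    # HTTPS server ("Server Key" / [default] HTTPS_server), signed directly by
    # the root: the depth-1 chain the nginx ssl_verify_depth setting assumes.
    openssl genrsa -out "$d/ServerKey.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$d/ServerKey.pem" -subj "/CN=portal.example.test" -out "$d/Server.csr"
    issue "$d" Server CA 825 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:portal.example.test'
    # Client ("Client Key" / [default] HTTPS_client), also signed by the root.
    # Constructed subject; in practice this is the portal user's identity.
    openssl genrsa -out "$d/ClientKey.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$d/ClientKey.pem" -subj "/CN=alice/O=Example" -out "$d/Client.csr"
    issue "$d" Client CA 365 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature' 'extendedKeyUsage=clientAuth'
}

# What nginx (ssl_verify_client on, ssl_client_certificate CA.crt) and Apache
# (SSLVerifyClient require, SSLCACertificateFile CA.crt) check at the
# handshake: CERT chains to CA.crt and is usable for ROLE (sslclient/sslserver).
# verify_role DIR ROLE CERT
verify_role() { openssl verify -CAfile "$1/CA.crt" -purpose "$2" "$3" >/dev/null 2>&1; }

# Usage: make_pki ./pki && verify_role ./pki sslclient ./pki/Client.crt
```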

Nginx

I won't describe how to install and run nginx: there are enough articles on that online, not to mention the official documentation. Let's go straight to setting up HTTPS and two-factor authentication with the token.

Add the following lines to the server section of nginx.conf:

server {
	listen 443 ssl;
	ssl_verify_depth 1;
	ssl_certificate /etc/nginx/Server.crt;
	ssl_certificate_key /etc/nginx/ServerKey.pem;
	ssl_client_certificate /etc/nginx/CA.crt;
	ssl_verify_client on;
}

A detailed description of all parameters related to the ssl configuration in nginx can be found here - https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate

I will briefly describe only the ones I set myself:

  • ssl_verify_client - specifies that the client certificate's chain of trust must be verified.
  • ssl_verify_depth - defines how deep in the chain nginx will search for the trusted root certificate. Since our client certificate is signed directly by the root certificate, the depth is set to 1. If the user certificate is signed by an intermediate CA, this parameter must be set to 2, and so on.
  • ssl_client_certificate - specifies the path to the trusted root certificate used when verifying the trust of the user certificate.
  • ssl_certificate/ssl_certificate_key - specify the paths to the server certificate and the server's private key.

Don't forget to run nginx -t to check that there are no typos in the config, that all the files are where they should be, and so on.

And that's all! As you can see, the setup is very simple.

Checking that it works in Firefox

Since we are doing everything entirely on Linux, we will assume that our users also work on Linux (if they use Windows, see the browser setup instructions in the previous article).

  1. Launch Firefox.
  2. First, let's try to log in without the token. We get this picture:
  3. Go to about:preferences#privacy, then to Security Devices...
  4. Press Load to add a new PKCS#11 Device Driver and specify the path to our librtpkcs11ecp.so.
  5. To check that the certificate is visible, open the Certificate Manager. You will be asked for your PIN. After entering it correctly, you can check that our certificate from the token has appeared on the Your Certificates tab.
  6. Now let's log in with the token. Firefox asks you to choose a certificate to present to the server. Choose our certificate.
  7. PROFIT!

The setup is done once, and as you can see in the certificate request window, we can remember our choice. After that, every time we log in to the portal we only need to insert the token and enter the user PIN code set during formatting. After such authentication the server already knows which user has logged in and does not need to show any further confirmation windows; it lets the user straight into their personal account.

Apache

As with nginx, nobody should have trouble installing Apache. If you don't know how to install this web server, just use the official documentation.

And we start setting up our HTTPS and two-factor authentication:

  1. First enable mod_ssl:
    $ a2enmod ssl
  2. Then enable the default HTTPS site configuration:
    $ a2ensite default-ssl
  3. Now edit the configuration file /etc/apache2/sites-enabled/default-ssl.conf:
    SSLEngine on
    SSLProtocol all -SSLv2

    SSLCertificateFile /etc/apache2/sites-enabled/Server.crt
    SSLCertificateKeyFile /etc/apache2/sites-enabled/ServerKey.pem

    SSLCACertificateFile /etc/apache2/sites-enabled/CA.crt

    SSLVerifyClient require
    SSLVerifyDepth 10

    As you can see, the parameter names almost match those in nginx, so I won't explain them again. Anyone interested in the details is welcome to consult the documentation.
  4. Now restart our server:
    $ service apache2 reload
    $ service apache2 restart

As you can see, setting up two-factor authentication on any web server, whether on Windows or Linux, takes an hour at most, and setting up the browsers takes about 5 minutes. Many people think that setting up and working with two-factor authentication is difficult and obscure. I hope our article dispels this myth, at least a little.


Do you need instructions for setting up TLS with certificates according to GOST 34.10-2012?

  • Yes, TLS with GOST is very much needed

  • No, tuning with GOST algorithms is not interesting


Source: www.habr.com
