https CA自签名证书,并给Webserver颁发证书

# **CA主机执行命令**
[root@centos7 ~]# cd /etc/pki/CA
[root@centos7 CA]# touch index.txt
[root@centos7 CA]# echo 01 > serial
生成私钥文件
[root@centos7 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
.....................................................................+++
e is 65537 (0x10001)
[root@centos7 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN     
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:ca.magedu.com      **颁发者名**
Email Address []:[email protected]
[root@centos7 CA]# tree .
.
├── cacert.pem
├── certs
├── crl
├── httpd.csr
├── index.txt
├── newcerts
├── private
│   └── cakey.pem
└── serial

4 directories, 5 files
[root@centos7 CA]# openssl ca -in httpd.csr -out certs/httpd.crt -days 700
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jan 27 19:08:15 2018 GMT
            Not After : Dec 28 19:08:15 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = magedu.com
            organizationalUnitName    = Opt
            commonName                = *.magedu.com
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                17:2B:8B:4F:9D:7A:0C:6B:33:05:1B:8A:49:94:A5:B2:41:72:47:1C
            X509v3 Authority Key Identifier: 
                keyid:EA:25:41:70:B4:61:A0:15:29:97:C6:60:4B:E9:B4:C1:8A:FA:3D:B7

Certificate is to be certified until Dec 28 19:08:15 2019 GMT (700 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@centos7 CA]# scp c
cacert.pem  certs/      crl/        
[root@centos7 CA]# scp certs/httpd.crt 192.168.64.103:/etc/httpd/conf.d/ssl
The authenticity of host '192.168.64.103 (192.168.64.103)' can't be established.
RSA key fingerprint is SHA256:9m0dbsLLKTd4m4JYuBNwUB9D6Zk8jLIO5ySUs9nhCRc.
RSA key fingerprint is MD5:1a:f2:be:d3:9e:6e:df:83:a8:a4:1f:a8:c0:33:cd:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.64.103' (RSA) to the list of known hosts.
[email protected]'s password: 
httpd.crt                                                       100% 3870     6.4MB/s   00:00    
[root@centos7 CA]# tree .
.
├── cacert.pem
├── certs
│   └── httpd.crt
├── crl
├── httpd.csr
├── index.txt
├── index.txt.attr
├── index.txt.old
├── newcerts
│   └── 01.pem
├── private
│   └── cakey.pem
├── serial
└── serial.old

4 directories, 10 files
[root@centos7 CA]# scp cacert.pem 192.168.64.103:/etc/httpd/conf.d/ssl
[email protected]'s password: 
Permission denied, please try again.
[email protected]'s password: 
cacert.pem                                 100% 1424     3.2MB/s   00:00 

# **webserver主机执行命令**

[root@cent6OS CA]# mkdir /etc/httpd/conf.d/ssl
[root@cent6OS CA]# cd /etc/httpd/conf.d/ssl
[root@cent6OS ssl]# (umask 077;openssl genrsa -out httpd.key)
Generating RSA private key, 1024 bit long modulus
...........++++++
....++++++
e is 65537 (0x10001)

[root@cent6OS ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:Opt
Common Name (eg, your name or your server's hostname) []:*.magedu.com      **webserver服务名,即是颁发给**
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@cent6OS ssl]# scp httpd.csr 192.168.64.104:/etc/pki/CA
[email protected]'s password: 
httpd.csr                                                       100%  696     0.7KB/s   00:00

[root@cent6OS ssl]# tree .
.
├── cacert.pem
├── httpd.crt
├── httpd.csr
└── httpd.key

0 directories, 4 files

vim /etc/httpd/conf.d/ssl.conf 

servername www.magedu.com:443

SSLCertificateKeyFile /etc/httpd/conf.d/ssl/httpd.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
SSLCACertificateFile /etc/httpd/conf.d/ssl/cacert.pem

实验:基于SSL加密的数据库主从复制

1 CA主机执行命令
mkdir /etc/my.cnf.d/ssl
cd /etc/my.cnf.d/ssl
openssl genrsa 2048 > cakey.pem   生成私钥
chmod 600 cakey.pem   为了安全设置权限
openssl  req -new -x509 -key cakey.pem -days 3650 -out cacert.pem

生成master私钥文件且生成证书申请文件
openssl req -newkey rsa:1024 -days 365 -nodes(不加密)  -keyout master.key > master.csr
给master颁发证书
openssl  x509 -req -in master.csr -CA cacert.pem -CAkey cakey.pem -set_serial 01 > master.crt
生成slave私钥文件且向CA申请证书
openssl req -newkey rsa:1024 -days 365 -nodes  -keyout slave.key > slave.csr
给slave颁发证书
openssl  x509 -req -in slave.csr -CA cacert.pem -CAkey cakey.pem -set_serial 02 > slave.crt

scp -r /etc/my.cnf.d/ssl/ 192.168.27.17:/etc/my.cnf.d/
scp -r /etc/my.cnf.d/ssl/ 192.168.27.27:/etc/my.cnf.d/

2 master主机执行命令
vim /etc/my.cnf
log-bin
server_id=1
innodb_file_per_table
ssl
ssl-ca=/etc/my.cnf.d/ssl/cacert.pem
ssl-cert=/etc/my.cnf.d/ssl/master.crt
ssl-key=/etc/my.cnf.d/ssl/master.key

创建从服务的同步帐号,且从服务器连接主服务器时强制加密
mysql>grant replication slave on *.* to repluser@'192.168.27.%' identified by 'centos' require ssl;

drop user repluser@'192.168.27.%'

3 slave主机执行命令
vim /etc/my.cnf
server_id=2
innodb_file_per_table
ssl
(binlog_format=row) 可选项
mysql>CHANGE MASTER TO MASTER_HOST='192.168.64.17', MASTER_USER='repluser', MASTER_PASSWORD='centos', MASTER_LOG_FILE='mariadb-bin.000001', MASTER_LOG_POS=400, MASTER_SSL=1,(和主服务器通讯)
MASTER_SSL_CA = '/etc/my.cnf.d/ssl/cacert.pem',MASTER_SSL_CERT = '/etc/my.cnf.d/ssl/slave.crt',MASTER_SSL_KEY = '/etc/my.cnf.d/ssl/slave.key';