构建私有的CA机构,教你不用认证也能使用HTTPS
CA中心申请证书的流程:
过程:
1.web服务器,生成一对非对称加密密钥(web公钥,web私钥)
2.web服务器使用 web私钥生成 web服务器的证书请求,并将证书请求发给CA服务器
3.CA服务器使用 CA的私钥 对 web 服务器的证书请求 进行数字签名得到 web服务器的数字证书,并将web服务器的数字证书颁发给web服务器。
1.CA 介绍及准备
CA(Certificate Authority)证书颁发机构主要负责证书的颁发、管理以及归档和吊销。证书内包含了拥有证书者的姓名、地址、电子邮件帐号、公钥、证书有效期、发放证书的CA、CA的数字签名等信息。证书主要有三大功能:加密、签名、身份验证。
准备两台装有nginx的虚拟机,一台为服务端,一台为客户端
[root@server ~]# 192.168.13.129 这一台为服务端
[root@ca ~]# 192.168.13.137 这一台为客户端
这里我将主机名改了,过程可能会来回切换虚拟机,但是看准主机名就不会出错
2.构建私有 CA(192.168.13.137)
1、检查安装 openssl
[root@ca ~]# rpm -qa openssl
如果未安装
[root@ca ~]# yum install openssl openssl-devel -y
2、查看配置文件以及一些参数的说明
openssl 配置/etc/pki/tls/openssl.cnf有关CA的配置。如果服务器为证书签署者的身份那么就会用到此配置文件,此配置文件对于证书申请者是无作用的。
[root@ca ~]# vim /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca = CA_default # 默认的CA配置;CA_default指向下面配置块
####################################################################
[ CA_default ]
dir = /etc/pki/CA # CA的默认工作目录
certs = $dir/certs # 认证证书的目录
crl_dir = $dir/crl # 证书吊销列表的路径
database = $dir/index.txt # 数据库的索引文件
new_certs_dir = $dir/newcerts # 新颁发证书的默认路径
certificate = $dir/cacert.pem # 此服务认证证书,如果此服务器为根CA那么这里为自颁发证书
serial = $dir/serial # 下一个证书的证书编号
crlnumber = $dir/crlnumber # 下一个吊销的证书编号
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# CA的私钥
RANDFILE = $dir/private/.rand # 随机数文件
x509_extensions = usr_cert # The extentions to add to the cert
name_opt = ca_default # 命名方式,以ca_default定义为准
cert_opt = ca_default # 证书参数,以ca_default定义为准
default_days = 365 # 证书默认有效期
default_crl_days= 30 # CRl的有效期
default_md = sha256 # 加密算法
preserve = no # keep passed DN ordering
policy = policy_match #policy_match策略生效
# For the CA policy
[ policy_match ]
countryName = match #国家;match表示申请者的申请信息必须与此一致
stateOrProvinceName = match #州、省
organizationName = match #组织名、公司名
organizationalUnitName = optional #部门名称;optional表示申请者可以的信息与此可以不一致
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ] #由于定义了policy_match策略生效,所以此策略暂未生效
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
3、根证书服务器目录
根CA服务器:因为只有 CA 服务器的角色,所以用到的目录只有/etc/pki/CA
网站服务器:只是证书申请者的角色,所以用到的目录只有/etc/pki/tls
4、创建所需要的文件
[root@ca ~]# cd /etc/pki/CA/
[root@ca CA]# touch index.txt #创建生成证书索引数据库文件
[root@ca CA]# echo 01 > serial #指定第一个颁发证书的序列号
[root@ca CA]# ls
certs crl index.txt newcerts private serial
[root@ca CA]#
5、创建秘钥
在根CA服务器上创建密钥,密钥的位置必须为/etc/pki/CA/private/cakey.pem,这个是openssl.cnf中中指定的路径。如果你想要改变位置的话,你需要去更改配置文件,只要与配置文件中指定的匹配即可。
[root@ca CA]# (umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................................+++
.........+++
e is 65537 (0x10001)
6、生成自签名证书
根CA自签名证书,根CA是最顶级的认证机构,没有人能够认证他,所以只能自己认证自己生成自签名证书。
生成证书是会让你填写一些东西,如下表格所示:
| 要求填写的内容 | 解释 |
|---|---|
| Country Name (2 letter code) [XX]: | 使用国际标准组织(IOS)国码格式,填写两个字母的国家代号。中国请填写CN |
| State or Province Name (full name) []: | 省份,比如填写ShangHai |
| Locality Name (eg, city) [Default City]: | 城市,比如ShangHai |
| Organization Name (eg, company) [Default Company Ltd]: | 组织单位,比如填写公司名称的简拼 |
| Organizational Unit Name (eg, section) []: | 比如填写IT Dept |
| Common Name (eg, your name or your server’s hostname) []: | 你的名字或者你的服务器的主机名 |
| Email Address []: | 邮箱地址,可以不填 |
[root@ca CA]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem -days 7300
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:ca.yjssjm.com
Email Address []:
[root@ca CA]# ls
cacert.pem certs crl index.txt newcerts private serial
#你会发现多了一个cacert.pem文件,这个文件就是生成的自签名证书文件
-new: 生成新证书签署请求
-x509: 专用于CA生成自签证书
-key: 生成请求时用到的私钥文件
-days n: 证书的有效期限
-out /PATH/TO/SOMECERTFILE: 证书的保存路径
7、下载安装证书
/etc/pki/CA/cacert.pem就是生成的自签名证书文件,使用 SZ/xftp工具将他导出到窗口机器中。然后双击安装此证书到受信任的根证书颁发机构
[root@ca CA]# yum install -y lrzsz
[root@ca CA]# sz cacert.pem
然后打开你的搜索引擎,找到设置,找到管理证书并打开,然后导入刚刚的cacert.pem文件,如图所示:
然后直接下一步,下一步,完成
3.客户端CA 证书申请及签名(192.168.13.129 )
1、检查安装 openssl
[root@server ~]# rpm -qa openssl
同样,如果没安装的话
[root@server ~]# yum -y install openssl openssl-devel
2、服务端生成私钥文件
#www.yjssjm.com 要跟你在ca上创建的名字保持一致
[root@server ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/www.yjssjm.com.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................+++
......................................+++
e is 65537 (0x10001)
[root@server ~]# cd /etc/pki/tls/private/
3、服务端用私钥加密生成证书请求
[root@server ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/www.yjssjm.com.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................................+++
......................................+++
e is 65537 (0x10001)
[root@server ~]# cd /etc/pki/tls/private/
[root@server private]# ls ../
cert.pem certs misc openssl.cnf private
[root@server private]# openssl req -new -key /etc/pki/tls/private/www.yjssjm.com.key -days 365 -out /etc/pki/tls/www.yjssjm.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:TEST
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:www.yjssjm.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server private]# ls ../
cert.pem certs misc openssl.cnf private www.yjssjm.com.csr
CSR(Certificate Signing Request)包含了公钥和名字信息。通常以.csr为后缀,是网站向CA发起认证请求的文件,是中间文件。
最后把生成的请求文件(/etc/pki/tls/www.yjssjm.com.csr)传输给CA ,这里我使用scp命令,通过ssh协议,将该文件传输到CA下的/etc/pki/CA/private/目录
[root@server private]# cd ../
[root@server tls]# scp www.yjssjm.com.csr 192.168.13.137:/etc/pki/CA/private
The authenticity of host '192.168.13.137 (192.168.13.137)' can't be established.
ECDSA key fingerprint is SHA256:2b7gKyVcuu0CvHkz9DP/SANmS0h5VaAp5HpgNjzabjU.
ECDSA key fingerprint is MD5:28:c0:74:4e:20:fa:62:5d:1e:2b:42:e8:fe:bc:b1:5e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.13.137' (ECDSA) to the list of known hosts.
[email protected]'s password:
www.yjssjm.com.csr
4、CA 签署证书(在ca服务器上面操作192.168.13.137)
使用/etc/pki/tls/openssl.cnf,修改organizationName=supplied
修改 /etc/pki/tls/openssl.cnf
[root@ca CA]# vim /etc/pki/tls/openssl.cnf
CA 签署证书
[root@ca CA]# openssl ca -in /etc/pki/CA/private/www.yjssjm.com.csr -out /etc/pki/CA/certs/www.yjssjm.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 14 13:44:05 2020 GMT
Not After : Mar 14 13:44:05 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = TEST
organizationalUnitName = OPT
commonName = www.yjssjm.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
45:62:5E:3D:54:72:E8:3E:AD:FA:02:AC:02:2F:A6:18:64:46:6C:43
X509v3 Authority Key Identifier:
keyid:FF:DD:BB:EE:44:A6:91:F0:88:DD:98:17:0B:3D:68:23:CB:AA:AC:F7
Certificate is to be certified until Mar 14 13:44:05 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
查看生成的证书的信息
[root@ca CA]# openssl x509 -in /etc/pki/CA/certs/www.yjssjm.com.crt -noout -subject
subject= /C=CN/ST=BEIJING/O=TEST/OU=OPT/CN=www.yjssjm.com
将生成的证书发放给服务端
[root@ca certs]# cd /etc/pki/CA/certs/
[root@ca certs]# scp www.yjssjm.com.crt 192.168.13.129:/etc/pki/tls/certs
[email protected]'s password:
www.yjssjm.com.crt
测试:服务端(192.168.13.129)
[root@server certs]# vim /etc/nginx/conf.d/default.conf
清空并添加以下内容
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/pki/tls/certs/www.yjssjm.com.crt; #指定证书路径
ssl_certificate_key /etc/pki/tls/private/www.yjssjm.com.key; #指定私钥路径
ssl_session_timeout 5m; #配置用于SSL会话的缓存
ssl_protocols SSLv2 SSLv3 TLSv1; #指定使用的协议
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; # //密码指定为OpenSSL支持的格式
ssl_prefer_server_ciphers on; #设置协商加密算法时,优先使用服务端的加密,而不是客户端浏览器的。
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
保存重启
[root@server conf.d]# nginx -t
[root@server conf.d]# nginx -s reload
然后打开网页输入服务端https://192.168.13.129就可以看到了
