Installing and configuring digital certificates
Installing openssl and editing its configuration file are both straightforward; the only hard part is openssl's large and awkward command set. You can refer to the file I uploaded for that.
1. Installing the software
[root@test4 ~]# yum install openssl -y
2. The configuration file
[root@test4 ~]# vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir              = /etc/pki/CA             # CA home directory
certs            = $dir/certs              # issued certificates
crl_dir          = $dir/crl                # issued CRLs
database         = $dir/index.txt          # database of issued certificates (one line each); must exist, even if empty, before openssl ca will run
#unique_subject  = no                      # set to 'no' to allow creation of several certificates with the same subject
new_certs_dir    = $dir/newcerts           # a copy of every new certificate, named after its serial number
certificate      = $dir/cacert.pem         # the CA certificate (it carries the CA public key)
serial           = $dir/serial             # next serial number, in hex; incremented after every signature; must be seeded before the first signing
crlnumber        = $dir/crlnumber          # current CRL number, incremented on every CRL issued; must be commented out to leave a V1 CRL
crl              = $dir/crl.pem            # the current CRL: the list of revoked certificates that clients should check
private_key      = $dir/private/cakey.pem  # the CA private key
RANDFILE         = $dir/private/.rand      # private random number file
default_days     = 365                     # validity of the certificates this CA issues
default_crl_days = 30                      # validity of a CRL: it must be reissued at least every 30 days
default_md       = sha256                  # signature digest; the stock file said sha1, which current clients reject, so use sha256
preserve         = no                      # do not keep the request's DN ordering; the DN is rebuilt in policy order
[ policy_match ]
# optional: the field may be omitted; match: it must be present and equal to the CA certificate's own value;
# supplied: it must be present, with any value
countryName             = match          # country code
stateOrProvinceName     = match          # province
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
countryName_min             = 2
countryName_max             = 2
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = hubei          # the text after "=" on the line above is only the prompt label; the value offered as default belongs in the _default key
localityName                = Locality Name (eg, city)
localityName_default        = Default City
0.organizationName          = Organization Name (eg, company)
0.organizationName_default  = wuhan
3. Worked configuration
The CA is the host test4; the server being certified is the host mail.
(1) Generate the CA's private key, then issue the CA's own certificate (cacert.pem, which the page calls the CA public key) by self-signing a request made with that key. The -des3 option encrypts the key under a passphrase that has to be typed every time the CA signs; the passphrase is a secret and should never be recorded next to the commands. A one-year CA certificate (-days 365) is short: every certificate this CA issues stops being trusted the day the CA certificate expires, so real CAs use several years here.
[root@test4 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048 )
Generating RSA private key, 2048 bit long modulus
......................................................+++
............................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:
[root@test4 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -x509 -days 365
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
(2) On the mail host, generate the server's private key and, from it, a certificate signing request (CSR). The transcript uses 1024-bit RSA and writes mail.key with the default umask; today use at least 2048 bits and create the key under umask 077 as was done for the CA key, because this file is the server's long-term secret.
[root@mail ~]# openssl genrsa 1024 > mail.key
Generating RSA private key, 1024 bit long modulus
.....++++++
............++++++
e is 65537 (0x10001)
[root@mail ~]# openssl req -new -key mail.key -out mail.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:hubei
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:wuhan
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mail.example.org
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Send the certificate request to the CA host for signing. Only mail.csr travels; mail.key stays on the mail host.
[root@mail ~]# scp mail.csr root@192.168.87.129:/root
The authenticity of host '192.168.87.129 (192.168.87.129)' can't be established.
RSA key fingerprint is 7c:76:9e:08:fc:5e:60:a6:d0:13:71:21:7e:2f:90:47.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.87.129' (RSA) to the list of known hosts.
root@192.168.87.129's password:
mail.csr 100% 651 0.6KB/s 00:00
(3) The CA signs the request. openssl ca needs $dir/index.txt (the certificate database, created empty) and $dir/serial (the next serial number, in hex) to exist before it will run; the page does not show creating them, and the "Serial Number: 0" below indicates that serial had been seeded with 00. Note also that the issued certificate identifies the server only through commonName and carries no subjectAltName; current TLS clients ignore the CN and require a DNS SAN, so a real deployment should add one through the CA's x509_extensions section (or copy_extensions = copy with the SAN placed in the CSR).
[root@test4 ~]# openssl ca -in mail.csr -out mail.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Jun 1 14:39:01 2013 GMT
Not After : Jun 1 14:39:01 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = hubei
organizationName = wuhan
commonName = mail.example.org
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
70:0D:4C:A6:C2:94:1A:0F:F1:1A:7A:B2:DD:5A:81:55:60:EF:7F:D6
X509v3 Authority Key Identifier:
keyid:88:23:82:0E:D4:B8:04:54:3B:9E:2F:32:2E:F4:E9:5C:A2:EF:E4:51
Certificate is to be certified until Jun 1 14:39:01 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
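The whole procedure (the [ CA_default ] layout and policy section from part 2, then steps 1 to 3) collapsed into one unattended script, added here as an example; it is not the page's own code. It assumes a scratch directory instead of /etc/pki/CA, an unencrypted CA key (the page's -des3 passphrase prompt is dropped so the run needs no input; on a real CA keep the key encrypted, with -aes256 rather than -des3), sha256, 2048-bit keys, the CA name "test4 CA" and a DNS subjectAltName on the server certificate; the DN values and the hostname mail.example.org are the page's.

```shell
#!/bin/sh
# Added example (not from the original page): the CA -> CSR -> signed-certificate
# procedure above, run unattended in a scratch directory so it needs no root and
# never touches /etc/pki/CA.  The DN values and hostname are the page's; the CA
# name "test4 CA", sha256, 2048-bit keys, the unencrypted CA key and the SAN
# extension are assumptions made for this example.
set -eu

# build_pki DIR HOST: create a CA under DIR and issue a server certificate for HOST.
build_pki() {
    dir="$1"; host="$2"
    mkdir -p "$dir/certs" "$dir/crl" "$dir/newcerts" "$dir/private"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"       # certificate database: openssl ca refuses to run without it
    echo 01 > "$dir/serial"    # next serial (hex); incremented after every signature
    echo 01 > "$dir/crlnumber"

    # Minimal openssl.cnf with the same layout as the [ CA_default ] section above.
    # policy_match mirrors the page: C/ST/O must equal the CA's, CN must be present.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $dir
certs            = \$dir/certs
crl_dir          = \$dir/crl
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/cacert.pem
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
crl              = \$dir/crl.pem
private_key      = \$dir/private/cakey.pem
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_match
x509_extensions  = usr_cert
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$host
EOF

    # Step 1: CA key (readable by its owner only) and self-signed CA certificate.
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -days 3650 -config "$dir/openssl.cnf" \
        -key "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -subj "/C=CN/ST=hubei/O=wuhan/CN=test4 CA"

    # Step 2: server key and CSR. Only mail.csr would be copied to the CA host.
    (umask 077; openssl genrsa -out "$dir/mail.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/openssl.cnf" -key "$dir/mail.key" \
        -out "$dir/mail.csr" -subj "/C=CN/ST=hubei/O=wuhan/CN=$host"

    # Step 3: sign. -batch answers the two y/n prompts seen in the transcript.
    openssl ca -batch -config "$dir/openssl.cnf" \
        -in "$dir/mail.csr" -out "$dir/mail.crt" >/dev/null 2>&1

    # Check the result the way a client would: does the chain verify against the CA?
    # (grep, not the exit code: openssl 1.0.x verify always exited 0.)
    openssl verify -CAfile "$dir/cacert.pem" "$dir/mail.crt" | grep -q ': OK$'
    [ "$(cat "$dir/serial")" = "02" ]     # database bookkeeping: serial was bumped
}

# cert_cn FILE: print the subject CN of a PEM certificate (handles both the
# "/C=CN/..." and the "C = CN, ..." subject formats of older and newer openssl).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_has_san FILE HOST: succeed if HOST appears as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
```

Run it as build_pki "$(mktemp -d)" mail.example.org; cert_cn and cert_has_san then show what the CA actually issued. The -subj and -batch options replace the interactive prompts in the transcripts, but policy_match still applies: a CSR whose C, ST or O differs from the CA's own DN is rejected exactly as it would be interactively.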
(4) Using the certificate on the mail server
The server here is Dovecot. Copy mail.crt back from the CA host to mail, put the certificate and the key where Dovecot expects them (the key owned by root with mode 0600), and point the SSL settings at them:
ssl_cert_file = /etc/pki/dovecot/certs/mail.crt
ssl_key_file = /etc/pki/dovecot/private/mail.key
These two keys are Dovecot 1.x syntax; Dovecot 2.x (the version shipped with CentOS 6 and later) reads the files through a "<" prefix instead, i.e. ssl_cert = </etc/pki/dovecot/certs/mail.crt and ssl_key = </etc/pki/dovecot/private/mail.key, and ssl = required turns plaintext logins off. Because the CA is private, clients trust the connection only after cacert.pem has been installed on them as a trusted root; openssl s_client -connect mail.example.org:993 -CAfile cacert.pem is the quickest check that the deployed certificate chains to it.