CA Certification

---- The following is configured on the CA server ---- IP: 80.110

1. Confirm that the openssl package is installed:

rpm -qa | grep openssl

openssl-devel-1.0.1e-15.el6.x86_64
openssl-1.0.1e-15.el6.x86_64

vi /etc/pki/tls/openssl.cnf    // the configuration file of the openssl service

[ CA_default ]

dir             = /etc/pki/CA              # Where everything is kept (working directory)
certs           = $dir/certs               # Where the issued certs are kept
crl_dir         = $dir/crl                 # Where the issued crl are kept (revoked certificates)
database        = $dir/index.txt           # database index file
new_certs_dir   = $dir/newcerts            # default place for new certs

certificate     = $dir/cacert.pem          # The CA certificate (root certificate)
serial          = $dir/serial              # The current serial number
crlnumber       = $dir/crlnumber           # the current crl number
crl             = $dir/crl.pem             # The current CRL
private_key     = $dir/private/cakey.pem   # The private key
RANDFILE        = $dir/private/.rand       # private random number file

x509_extensions = usr_cert                 # The extensions to add to the cert

---- Modify the following settings ----

[ req_distinguished_name ]    # line 128

countryName = Country Name (2 letter code)
countryName_default = CN

stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JiangSu

localityName = Locality Name (eg, city)
localityName_default = NanJing

commonName = NJXT Certificate Authority
commonName_max = 64

emailAddress = [email protected]
emailAddress_max = 64

cd /etc/pki/CA/
echo 01 > serial
touch index.txt    // create a new, empty index file

openssl genrsa -out private/cakey.pem -des3 2048    // generate the private key; a passphrase must be entered

openssl req -new -x509 -key private/cakey.pem -days 365 > cacert.pem
// generate the root certificate; enter the passphrase from above, then press Enter through the remaining prompts

yum install httpd    // share it through the web server

cp cacert.pem /var/www/html/    // publish the root certificate

cd /var/www/html/
mv cacert.pem ROOTCA.pem

------ The following is configured on the mail server ---------- IP: 80.111

openssl genrsa -out imaps-ser.key 1024    // generate the private key file

openssl req -new -key imaps-ser.key -out imaps-svr.csr
// generate the signing request; the fields must match the CA's

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangSu
Locality Name (eg, city) [Default City]:NanJing

Common Name (eg, your name or your server's hostname) []:localhost.localdomain    // enter the host name

Press Enter for the remaining prompts.

scp imaps-svr.csr [email protected]:/root/    // send the signing request to the CA server

-------- The following is done on the CA ---------

openssl req -in imaps-svr.csr -noout -text    // inspect the contents of imaps-svr.csr

openssl ca -in imaps-svr.csr -out imaps-svr.crt    // issue the certificate for the client; answer Y to every prompt

scp imaps-svr.crt [email protected]:/root    // send the certificate to the client
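The CA, request and signing steps above, as one non-interactive script. This is an added example, not part of the original tutorial: it runs the whole sequence in a scratch directory (never /etc/pki/CA) and then checks the result the way a browser with ROOTCA.pem imported would. It assumes the openssl command line tool (1.0.2 or later, for -verify_hostname); CA_ROOT, CA_PASS, SERVER_NAME and the O= value NJXT are constructed values. It departs from the tutorial in three places: the server key is 2048 bits rather than 1024, the request carries a subjectAltName (browsers no longer accept a certificate that only has a CN, and a CN of localhost.localdomain would not match the IP address used in the test step anyway), and subjects are passed with -subj instead of typed at the prompts (note that in openssl.cnf it is the `_default` keys, not the prompt keys, that pre-fill a value). The policy_match section is also what "the fields must match the CA's" refers to: openssl ca refuses a request whose C, ST or O differs from the CA certificate.

```shell
#!/bin/sh
# Added example, not from the original tutorial: CA -> CSR -> signing -> verify,
# non-interactively, in a scratch directory. Assumes the openssl CLI (1.0.2+).
# CA_ROOT, CA_PASS, SERVER_NAME and O=NJXT are constructed values.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 1; }

CA_ROOT="${CA_ROOT:-$(mktemp -d)}"                # stand-in for /etc/pki/CA
CA_PASS="${CA_PASS:-example-passphrase}"          # constructed; do not hard-code in real use
SERVER_NAME="${SERVER_NAME:-mail.example.test}"   # constructed; must be the name clients connect to
SUBJ_BASE="/C=CN/ST=JiangSu/L=NanJing/O=NJXT"     # C/ST/L from the tutorial; O is constructed

# Equivalent of the tutorial's [ CA_default ] section plus the policy and
# extension sections that the stock openssl.cnf carries.
write_ca_config() {
    cat > "$CA_ROOT/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $CA_ROOT
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
copy_extensions = copy      # take subjectAltName from the CSR, so inspect CSRs before signing
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
localityName            = optional
organizationName        = match
commonName              = supplied
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ server_req ]
subjectAltName = DNS:$SERVER_NAME
EOF
}

# "On the CA server": serial, index, passphrase-protected CA key, self-signed root.
init_ca() {
    mkdir -p "$CA_ROOT/newcerts" "$CA_ROOT/private"
    chmod 700 "$CA_ROOT/private"
    echo 01 > "$CA_ROOT/serial"
    : > "$CA_ROOT/index.txt"
    write_ca_config
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_ROOT/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$CA_ROOT/openssl.cnf" -extensions v3_ca \
        -key "$CA_ROOT/private/cakey.pem" -passin "pass:$CA_PASS" -days 365 \
        -subj "$SUBJ_BASE/CN=NJXT Certificate Authority" -out "$CA_ROOT/cacert.pem"
}

# "On the mail server": key and request. Deviations: 2048-bit key and a SAN.
make_server_csr() {
    openssl genrsa -out "$CA_ROOT/server.key" 2048 2>/dev/null
    openssl req -new -config "$CA_ROOT/openssl.cnf" -reqexts server_req \
        -key "$CA_ROOT/server.key" -subj "$SUBJ_BASE/CN=$SERVER_NAME" -out "$CA_ROOT/server.csr"
}

# "On the CA": inspect the request, then sign it; -batch replaces the y/n prompts.
sign_server_csr() {
    openssl req -in "$CA_ROOT/server.csr" -noout -text >/dev/null
    openssl ca -batch -config "$CA_ROOT/openssl.cnf" -passin "pass:$CA_PASS" -notext \
        -in "$CA_ROOT/server.csr" -out "$CA_ROOT/server.crt"
}

# What a browser with ROOTCA.pem imported checks: the chain and the host name.
verify_server_cert() {
    openssl verify -CAfile "$CA_ROOT/cacert.pem" -verify_hostname "$SERVER_NAME" "$CA_ROOT/server.crt"
}

# The failure mode behind a CN of localhost.localdomain: a certificate from a
# trusted CA but issued for another name is still rejected.
hostname_mismatch_is_rejected() {
    ! openssl verify -CAfile "$CA_ROOT/cacert.pem" -verify_hostname other.example.test \
        "$CA_ROOT/server.crt" >/dev/null 2>&1
}

init_ca
make_server_csr
sign_server_csr
verify_server_cert
echo "CA and server certificate are in $CA_ROOT (publish cacert.pem as ROOTCA.pem)"
```

Run it with sh and no arguments; server.key and server.crt in the printed directory play the roles of imaps-ser.key and imaps-svr.crt, and cacert.pem is what the tutorial renames to ROOTCA.pem. The progress messages of openssl ca go to stderr. The last function shows the error the test step would otherwise only surface in the browser: trust in the CA is not enough, the name in the certificate has to be the name the client connects to.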

------- The following is done on the web server ------

yum install httpd
yum install mod_ssl -y
cp imaps-ser.key /etc/httpd/conf.d/server.key    // copy the key into the matching directory

cp imaps-svr.crt /etc/httpd/conf.d/server.crt    // copy the certificate into the matching location

vi /etc/httpd/conf.d/ssl.conf    // edit the SSL configuration and change the following lines:

SSLCertificateFile /etc/httpd/conf.d/server.crt        (line 100)

SSLCertificateKeyFile /etc/httpd/conf.d/server.key     (line 107)
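Before restarting httpd, a few checks catch the usual reasons the restart fails or the deployment ends up weaker than intended: a key that does not belong to the certificate, a certificate about to expire, a key file readable by every local user, or a typo in ssl.conf. The following is an added example, not part of the original tutorial. It assumes the openssl CLI, uses apachectl only if it is installed, and the two self-signed pairs it generates at the end are constructed test material standing in for server.key and server.crt.

```shell
#!/bin/sh
# Added example, not from the original tutorial: pre-flight checks for the
# server.key / server.crt pair copied into /etc/httpd/conf.d, to run before
# restarting httpd. Assumes the openssl CLI; apachectl is optional.
set -eu

# 0 when the public key inside the certificate equals the one derived from the
# private key; a mismatched pair makes httpd refuse to start.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 when the certificate is still valid $2 days from now (-checkend exits 1 otherwise).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# 0 when the key file is readable by its owner only; httpd reads it as root at
# start-up, so 0600 root:root is sufficient. GNU stat first, BSD stat as fallback.
key_mode_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in [0-7]00) return 0 ;; *) return 1 ;; esac
}

# Run every check, report all failures, return non-zero if any check failed.
preflight() {
    crt=$1; key=$2; status=0
    cert_matches_key "$crt" "$key" || { echo "FAIL: $key does not belong to $crt" >&2; status=1; }
    cert_valid_for_days "$crt" 30  || { echo "FAIL: $crt expires within 30 days" >&2; status=1; }
    key_mode_is_private "$key"     || { echo "FAIL: $key is readable by group/other" >&2; status=1; }
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest || status=1      # catches misspelled directives in ssl.conf
    fi
    return $status
}

# Constructed test material: an independent self-signed key/certificate pair.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.crt" \
        -days 365 -subj "/CN=$2" 2>/dev/null
    chmod 600 "$1/$2.key"
}

DEMO_DIR=$(mktemp -d)
make_test_pair "$DEMO_DIR" server
make_test_pair "$DEMO_DIR" other
preflight "$DEMO_DIR/server.crt" "$DEMO_DIR/server.key" && echo "preflight OK: $DEMO_DIR/server.crt"
```

In use, call `preflight /etc/httpd/conf.d/server.crt /etc/httpd/conf.d/server.key` as root and only restart httpd when it returns 0. The key check compares public keys rather than RSA moduli so the same function also works for non-RSA keys.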

systemctl restart httpd

Test: open 192.168.80.101 in a browser and check that HTTP works.

Then open https://192.168.80.101 and check whether the browser asks to download the certificate.
