Building your own CA, issuing certificates, and setting up HTTPS with nginx
I. A brief introduction to CAs

CA stands for Certificate Authority; informally, it is an authentication mechanism. Its role is to provide certificates (the server certificate, made up of the domain name, company information, serial number, signature information and so on) that secure the traffic between client and server, and to handle related work such as issuing those certificates. Most of the large Chinese internet companies have obtained certificates from international CAs, and encrypt users' information when users visit, protecting users' data.
II. Building a CA with OpenSSL

1. Environment: this article uses 2 to 3 CentOS 7 machines.

2. The CA configuration explained
```ini
####################################################################
[ ca ]
default_ca = CA_default            # the default CA section
####################################################################
[ CA_default ]
dir = /etc/pki/CA                  # the CA's working directory; this just defines a variable
certs = $dir/certs                 # where issued certificates are stored
crl_dir = $dir/crl                 # certificate revocation lists
database = $dir/index.txt          # the certificate database (index)
new_certs_dir = $dir/newcerts      # newly issued certificates
certificate = $dir/cacert.pem      # the CA's own certificate
serial = $dir/serial               # serial number of the next certificate, hexadecimal, default 00
crlnumber = $dir/crlnumber         # number of the next CRL to be issued, hexadecimal, default 00
crl = $dir/crl.pem                 # the current CRL
private_key = $dir/private/cakey.pem   # the CA's private key
RANDFILE = $dir/private/.rand      # private random number file
x509_extensions = usr_cert         # the extensions to add to issued certificates
name_opt = ca_default              # subject name display options
cert_opt = ca_default              # certificate display options
default_days = 365                 # default validity period of issued certificates
default_crl_days = 30              # how long before the next CRL
default_md = default               # use the public key's default message digest
preserve = no                      # keep passed DN ordering
policy = policy_match              # the policy section
# The policy records how closely the fields submitted when the CA is built,
# and when clients request certificates, must match the CA's own.
[ policy_match ]                   # match means the CA and its sub-CA must agree on the field
countryName = match                # country
stateOrProvinceName = match        # state or province
organizationName = match           # organization / company
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]                # for certificate requests from outside parties, where matching need not be so strict
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
```
3. Installing the CA software package

```bash
[root@xuegod63 Desktop]# rpm -qf `which openssl`
openssl-1.0.2k-8.el7.x86_64
```

CentOS normally ships with openssl already installed.

```bash
[root@xuegod63 CA]# vim /etc/pki/tls/openssl.cnf
```

Change line 172 from `#basicConstraints=CA:FALSE` to `basicConstraints=CA:TRUE`. This makes this host a CA.
4. The CA's self-signed certificate (building the root CA)

1) Create the required files

Create the certificate index database file:

```bash
touch /etc/pki/CA/index.txt
```

Specify the serial number of the first certificate to be issued:

```bash
echo 01 > /etc/pki/CA/serial
```

If these two files are not created in advance, errors occur while generating certificates. Start by building the root CA's certificate: no authority exists that could issue a certificate to the root CA, so the root CA has to issue its own.

2) Generate the private key

The private key is an extremely sensitive file that nobody but the CA itself may obtain, so restrict its permissions at the moment it is generated, and generate it in encrypted form. Run the following command to generate the private key:
```bash
[root@localhost ~]#(umask 066;openssl genrsa -out /etc/pki/CA/private/cakey.pem -des3 2048 )
Generating RSA private key, 2048 bit long modulus
...............+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for /etc/pki/CA/private/cakey.pem:              # enter the passphrase here
Verifying - Enter pass phrase for /etc/pki/CA/private/cakey.pem:  # confirm the passphrase
[root@localhost ~]#cat /etc/pki/CA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,A4FB61EACD1544F2
..... (key body omitted) .....
-----END RSA PRIVATE KEY-----
```
3) Generate the self-signed certificate

Run the command below to generate the signed certificate. During generation you must enter the private key passphrase set above.

```bash
# -new:   generate a new certificate signing request
# -x509:  used by a CA to output a self-signed certificate instead of a request
# -key:   the private key used for the request
# -days n: validity period of the certificate, in days
# -out /PATH/TO/SOMECERTFILE: where to save the certificate
[root@localhost ~]#openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hlj
Locality Name (eg, city) [Default City]:harbin
Organization Name (eg, company) [Default Company Ltd]:****
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:192.168.104.46
Email Address []:
```
The CA is now set up.

5. Issuing certificates

Note: certificates are issued in two ways here: a sub-CA requests a certificate from the root CA, and an ordinary user requests a certificate from the sub-CA. This experiment only has two machines, so the sub-CA requesting a certificate from the root CA was not carried out; the procedure is included below for reference only and was not tested.

1) A sub-CA requests a certificate from the root CA

(1) First generate a private key on the sub-CA host. This is the same as generating the root CA's private key above, except that this time the key length is changed.
```bash
[root@centos6 pki]$(umask 066; openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024)
Generating RSA private key, 1024 bit long modulus
......++++++
..............++++++
e is 65537 (0x10001)
[root@centos6 ~]$cat /etc/pki/CA/private/cakey.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCxLyAKQCkysisrsuou6oJFJHs/Gk9L406x6sON1a2JX3516FJ2
..... (middle omitted) .....
R1ogCVEZq36sgNYUwaT55gLKk5Ik5T6YQimy0bsvo5oQuw==
-----END RSA PRIVATE KEY-----
```
(2) Use the private key to generate a certificate request. (There is actually no need to specify a validity period here.)

```bash
[root@centos6 tls]$openssl req -new -key /etc/pki/CA/private/cakey.pem -days 3650 -out /etc/pki/tls/subca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hlj
Locality Name (eg, city) [Default City]:harbin
Organization Name (eg, company) [Default Company Ltd]:***
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:192.168.104.47
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:magedu.com
```
(3) Send the certificate request to the root CA. It is best to copy the request into a designated directory, which makes it easier to manage.

```bash
[root@centos6 tls]$scp /etc/pki/tls/subca.csr 192.168.104.46:/etc/pki/CA
```
(4) Issue the certificate. Switch to the root CA host and generate the certificate. Here the validity period must be specified: it is the validity the issuing CA assigns to the certificate.

```bash
[root@localhost CA]#openssl ca -in /etc/pki/CA/subca.csr -out /etc/pki/CA/certs/subca.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 11 14:38:13 2017 GMT
Not After : Sep 11 14:38:14 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = shandong
organizationName = pojun.tech
organizationalUnitName = opt
commonName = subca.pojun.tech
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
DB:3E:9C:F4:F4:E9:42:15:00:E7:35:52:FE:04:9A:48:8C:BD:1A:1B
X509v3 Authority Key Identifier:
keyid:01:17:F1:CB:91:4B:20:AD:C7:DF:13:05:A4:D8:83:B2:AB:75:D1:05
Certificate is to be certified until Sep 11 14:38:14 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```

Looking at index.txt now shows that one new record has been added:

```bash
[root@localhost CA]#cat index.txt
V 180911143814Z 01 unknown /C=CN/ST=shandong/O=pojun.tech/OU=opt/CN=subca.pojun.tech
```
(5) Hand the certificate generated on the root CA host back to the requester. Host B acts as a sub-CA, so the certificate file must be named cacert.pem; otherwise the sub-CA will not be able to issue certificates to other users.

```bash
[root@localhost CA]#scp /etc/pki/CA/certs/subca.crt 192.168.104.47:/etc/pki/CA/cacert.pem
```
2) An ordinary user requests a certificate from the sub-CA

Note: this process is similar to the sub-CA requesting a certificate from the root CA. The flow is as follows.

(1) Generate the private key and the certificate request

```bash
# generate the private key
[root@localhost ~]# (umask 066; openssl genrsa -out /etc/pki/tls/private/yyjg47.key 1024)
# use the private key to generate the certificate request
[root@localhost ~]# openssl req -new -key /etc/pki/tls/private/yyjg47.key -out /etc/pki/tls/yyjg47.csr
[root@localhost ~]# scp /etc/pki/tls/yyjg47.csr 192.168.104.46:/etc/pki/CA
```
(2) Switch to the sub-CA host, where the sub-CA issues the certificate.

Because the issued certificate is self-signed, Chrome rejects it with NET::ERR_CERT_COMMON_NAME_INVALID (it does not accept the Common Name alone; Firefox and IE do not need this). To resolve that, add the IP as a Subject Alternative Name through an extension file:

```bash
[root@CA ~]# vim http.ext
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1=192.168.104.47
```

```bash
[root@centos6 CA]$openssl ca -in /etc/pki/CA/yyjg47.csr -out /etc/pki/CA/certs/yyjg47.crt -days 365 -extfile http.ext
```

or, without the extension file:

```bash
[root@centos6 CA]$openssl ca -in /etc/pki/CA/yyjg47.csr -out /etc/pki/CA/certs/yyjg47.crt -days 365
```

Then copy the generated certificate to the requester:

```bash
[root@centos6 CA]$scp /etc/pki/CA/certs/yyjg47.crt 192.168.104.47:/etc/pki/CA/certs/
```

The certificate has now been issued and can be used.
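The root CA, sub-CA and server certificate steps from sections 4 and 5, condensed into one script that runs in a scratch directory and adds the checks the post does not perform: that a certificate meant to act as a sub-CA really carries CA:TRUE in Basic Constraints (the Certificate Details output in step 5.1 shows CA:FALSE, which is what the usr_cert defaults produce, and such a certificate cannot sign anything), that the server certificate carries the IP SAN, and that it chains back to the root. This is an added example, not the post's own commands: it signs with `openssl x509 -req` and a small extension file instead of `openssl ca` and /etc/pki/CA, and every subject, file name and path in it is constructed.

```shell
#!/bin/sh
# Added example (not the post's own commands): build root CA -> sub-CA -> server
# certificate in a scratch directory and run the checks the post skips.
# Assumes openssl (1.0.2+) on PATH; every name and path here is constructed.
set -e
W=$(mktemp -d)

# One config with three extension profiles; [req]/[dn] only exist so that
# "openssl req -config" accepts the file when the subject comes from -subj.
cat > "$W/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[sub_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.104.47
EOF

# Root CA: self-signed and explicitly CA:TRUE (step 4 of the post).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/O=example/CN=Example Root CA" \
  -config "$W/ext.cnf" -extensions root_ext -keyout "$W/root.key" -out "$W/root.crt" 2>/dev/null
# Sub-CA: CSR signed by the root with a CA profile (step 5.1); pathlen:0 stops it
# from issuing further CAs.
openssl req -new -newkey rsa:2048 -nodes -subj "/O=example/CN=Example Sub CA" \
  -config "$W/ext.cnf" -keyout "$W/sub.key" -out "$W/sub.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1825 -in "$W/sub.csr" -CA "$W/root.crt" -CAkey "$W/root.key" \
  -CAcreateserial -extfile "$W/ext.cnf" -extensions sub_ext -out "$W/sub.crt" 2>/dev/null
# Server certificate with the IP SAN that Chrome insists on (step 5.2).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=192.168.104.47" \
  -config "$W/ext.cnf" -keyout "$W/srv.key" -out "$W/srv.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$W/srv.csr" -CA "$W/sub.crt" -CAkey "$W/sub.key" \
  -CAcreateserial -extfile "$W/ext.cnf" -extensions srv_ext -out "$W/srv.crt" 2>/dev/null
# What nginx must serve so that clients trusting only the root can build the chain.
cat "$W/srv.crt" "$W/sub.crt" > "$W/fullchain.pem"

# is_ca: true only if Basic Constraints says CA:TRUE (a CA:FALSE "sub-CA" cannot sign).
is_ca()    { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# has_san: true if the certificate carries the given IP in subjectAltName.
has_san()  { openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"; }
# chain_ok: true only if the leaf verifies back to the root through the sub-CA.
chain_ok() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }
is_ca "$W/sub.crt" && chain_ok "$W/root.crt" "$W/sub.crt" "$W/srv.crt" && echo "chain OK in $W"
```

Point nginx's ssl_certificate at fullchain.pem rather than at the bare server certificate, so that clients which trust only the root also receive the sub-CA certificate.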
6. Setting up HTTPS with nginx

This step is straightforward: put the certificate and private key obtained above into the nginx configuration.

```nginx
server {
    listen 443 ssl;
    server_name 192.168.104.47;
    ssl_certificate "/etc/nginx/cert/yyjg47.crt";       # certificate
    ssl_certificate_key "/etc/nginx/cert/yyjg47.key";   # private key
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                # protocols to offer
    ssl_prefer_server_ciphers on;
    root /usr/share/nginx/html/dist;                    # front-end project files
    location / {
        # do not cache files ending in .htm or .html
        if ($request_filename ~* .*\.(?:htm|html)$) {
            add_header Cache-Control no-store;
            add_header Pragma no-cache;
        }
        index index.html index.htm;                     # default page
        try_files $uri /index.html;
    }
}
```
7. Importing the self-signed root certificate into the browser

1) Locate the root certificate of the CA and download it to the local machine.

Open the page and see the result. I hope this helps; if it did, please give it a thumbs up.