linux-ca自签发

账号认证
Linux  openca 只能为本单位发布证书
Linux下做rootca 自签发证书 实现client访问时有身份验证。

[root@localhost ~]# yum list all |grep openssl
This system is not registered with RHN.
RHN support will be disabled.
openssl.i686                           0.9.8e-7.el5          installed         
openssl-devel.i386                     0.9.8e-7.el5          installed         
openssl.i386                           0.9.8e-7.el5          rehl-server       
openssl-perl.i386                      0.9.8e-7.el5          rehl-server       
openssl097a.i386                       0.9.7a-9.el5_2.1      rehl-server       
xmlsec1-openssl.i386                   1.2.9-8.1             rehl-server       
xmlsec1-openssl-devel.i386             1.2.9-8.1             rehl-server       
[root@localhost ~]# yum install openssl*

 

1.编辑openssl.cnf产生存放私钥的文件
[root@apache-server pki]# pwd                
/etc/pki
[root@apache-server pki]# vim tls/openssl.cnf
--存放机构自己的私钥
dir             = /etc/pki/CA           # Where everything is kept
[root@apache-server pki]# cd /etc/pki/CA     
[root@apache-server CA]# ll
total 8
drwx------ 2 root root 4096 Dec 17  2008 private

2.产生机构的私钥
[root@apache-server CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
.................++++++
.......++++++
e is 65537 (0x10001)
--改变权限 
[root@apache-server CA]# chmod 600 private/*
[root@apache-server CA]# ll private/
total 4
-rw------- 1 root root 887 Aug 23 23:05 cakey.pem
[root@apache-server CA]#


3.自签发的证书ROOTCA
[root@apache-server CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days

365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:TEC
Common Name (eg, your name or your server's hostname) []:ROOTCA.ZZU.COM
Email Address []:
[root@apache-server CA]#

 
Client申请证书
1. 产生私钥
[root@apache-server httpd]# mkdir certs
[root@apache-server httpd]# cd certs
[root@apache-server certs]# ll
total 0
[root@apache-server certs]# pwd
/etc/httpd/certs
[root@apache-server certs]# openssl genrsa 1024 >httpd.key
Generating RSA private key, 1024 bit long modulus
...............++++++
.......++++++
e is 65537 (0x10001)
[root@apache-server certs]# chmod 600 httpd.key
[root@apache-server certs]# ll
total 4
-rw------- 1 root root 887 Aug 23 23:20 httpd.key
[root@apache-server certs]#
2. 请求签发证书
前五部分跟rootca要保持一致,否则发布不了证书,只能本单位的签发证书
[root@apache-server certs]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:TEC
Common Name (eg, your name or your server's hostname) []:www.zzu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@apache-server certs]#

3.请求证书传递,请求文件httpd.crs输出httpd.crt
 [root@apache-server certs]# openssl ca -in httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
I am unable to access the /etc/pki/CA/newcerts directory
/etc/pki/CA/newcerts: No such file or directory
--存放根ca的目录没有创建
[root@apache-server certs]# cd /etc/pki/CA/
[root@apache-server CA]# ll              
total 12
-rw-r--r-- 1 root root 1131 Aug 23 23:11 cacert.pem
drwx------ 2 root root 4096 Aug 23 23:05 private
[root@apache-server CA]# mkdir certs crl newcerts
[root@apache-server CA]# touch index.txt serial
[root@apache-server CA]#echo “01” >serial
--ca的编号
[root@apache-server CA]# cd /etc/httpd/certs
[root@apache-server certs]# ll
total 8
-rw-r--r-- 1 root root 643 Aug 23 23:25 httpd.csr
-rw------- 1 root root 887 Aug 23 23:20 httpd.key
[root@apache-server certs]# openssl ca -in httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 23 15:43:45 2011 GMT
            Not After : Aug 22 15:43:45 2012 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HENAN
            organizationName          = ZZU
            organizationalUnitName    = TEC
            commonName                = www.zzu.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BC:38:DA:E8:CA:1C:D6:D9:34:80:B7:4B:4A:91:21:19:08:90:49:74
            X509v3 Authority Key Identifier:
                keyid:4D:07:D3:61:34:AA:57:A9:07:9F:62:6A:3C:04:27:52:E6:FE:A8:76

Certificate is to be certified until Aug 22 15:43:45 2012 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@apache-server certs]#
--已签发证书

 

4.更改ssl.conf文件
[root@localhost ~]# yum list all |grep mod_ssl
This system is not registered with RHN.
RHN support will be disabled.
mod_ssl.i386                           1:2.2.3-22.el5        rehl-server       
[root@localhost ~]# yum install mod_ssl
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
112 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
113
114 SSLCertificateFile /etc/httpd/certs/httpd.crt
120 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
121
122 SSLCertificateKeyFile /etc/httpd/certs/httpd.key
        
[root@localhost ~]#
[root@localhost ~]# httpd -t       
Syntax OK
[root@localhost ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
--证书不信任,需要本地连接证书链,安装信任的根证书
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
132 SSLCertificateChainFile /etc/pki/CA/cacert.pem
--证书链,指定根证书
[root@localhost ~]# httpd -t       
Syntax OK
[root@localhost ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

5.本地安装根证书




 
21-1
 

21-2
--确定信任选择是


6.安装证书名称无效
--需要有指定的dns server,也可以更改hosts文件添加条目,是client之间访问站点,不会再显示证书提
 

示问题
 


21-3


7.client安装证书之后范围server的不同结果
1)以ip访问
 

 

21-4


2)域名访问
 



21-5

你可能感兴趣的:(linux,职场,休闲,linux-ca自签发)