linux-ca自签发-021

  

账号认证

Linux  openca 只能为本单位发布证书

Linux下做rootca 自签发证书 实现client访问时有身份验证。

 

[root@localhost ~]# yum list all |grep openssl

This system is not registered with RHN.

RHN support will be disabled.

openssl.i686                           0.9.8 e-7.el5          installed         

openssl-devel.i386                     0.9.8 e-7.el5          installed         

openssl.i386                           0.9.8 e-7.el5          rehl-server       

openssl-perl.i386                      0.9.8 e-7.el5          rehl-server       

openssl097a.i386                       0.9.7a -9.el5_2.1      rehl-server       

xmlsec1-openssl.i386                   1.2.9 -8.1             rehl-server       

xmlsec1-openssl-devel.i386             1.2.9 -8.1             rehl-server       

[root@localhost ~]# yum install openssl*

 

 

 

1.编辑openssl.cnf产生存放私钥的文件

[root@apache-server pki]# pwd                

/etc/pki

[root@apache-server pki]# vim tls/openssl.cnf

--存放机构自己的私钥

dir             = /etc/pki/CA           # Where everything is kept

[root@apache-server pki]# cd /etc/pki/CA     

[root@apache-server CA]# ll

total 8

drwx------ 2 root root 4096 Dec 17  2008 private

 

2.产生机构的私钥

[root@apache-server CA]# openssl genrsa 1024 >private/cakey.pem

Generating RSA private key, 1024 bit long modulus

.................++++++

.......++++++

e is 65537 (0x10001)

--改变权限 

[root@apache-server CA]# chmod 600 private/*

[root@apache-server CA]# ll private/

total 4

-rw------- 1 root root 887 Aug 23 23:05 cakey.pem

[root@apache-server CA]#

 

 

3.自签发的证书ROOTCA

[root@apache-server CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]: HENAN

Locality Name (eg, city) [Newbury]: ZHENGZHOU

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:TEC

Common Name (eg, your name or your server's hostname) []:ROOTCA.ZZU.COM

Email Address []:

[root@apache-server CA]#

 


Client申请证书

1.       产生私钥

[root@apache-server httpd]# mkdir certs

[root@apache-server httpd]# cd certs

[root@apache-server certs]# ll

total 0

[root@apache-server certs]# pwd

/etc/httpd/certs

[root@apache-server certs]# openssl genrsa 1024 >httpd.key

Generating RSA private key, 1024 bit long modulus

...............++++++

.......++++++

e is 65537 (0x10001)

[root@apache-server certs]# chmod 600 httpd.key

[root@apache-server certs]# ll

total 4

-rw------- 1 root root 887 Aug 23 23:20 httpd.key

[root@apache-server certs]#

2.       请求签发证书

前五部分跟rootca要保持一致,否则发布不了证书,只能本单位的签发证书

[root@apache-server certs]# openssl req -new -key httpd.key -out httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]: HENAN

Locality Name (eg, city) [Newbury]: ZHENGZHOU

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:TEC

Common Name (eg, your name or your server's hostname) []:www.zzu.com

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@apache-server certs]#

 

3.请求证书传递,请求文件httpd.crs输出httpd.crt

 [root@apache-server certs]# openssl ca -in httpd.csr -out httpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

I am unable to access the /etc/pki/CA/newcerts directory

/etc/pki/CA/newcerts: No such file or directory

--存放根ca的目录没有创建

[root@apache-server certs]# cd /etc/pki/CA/

[root@apache-server CA]# ll              

total 12

-rw-r--r-- 1 root root 1131 Aug 23 23:11 cacert.pem

drwx------ 2 root root 4096 Aug 23 23:05 private

[root@apache-server CA]# mkdir certs crl newcerts

[root@apache-server CA]# touch index.txt serial

[root@apache-server CA]#echo “01” >serial

--ca的编号

[root@apache-server CA]# cd /etc/httpd/certs

[root@apache-server certs]# ll

total 8

-rw-r--r-- 1 root root 643 Aug 23 23:25 httpd.csr

-rw------- 1 root root 887 Aug 23 23:20 httpd.key

[root@apache-server certs]# openssl ca -in httpd.csr -out httpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Aug 23 15:43:45 2011 GMT

            Not After : Aug 22 15:43:45 2012 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = HENAN

            organizationName          = ZZU

            organizationalUnitName    = TEC

            commonName                = www.zzu.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                BC:38:DA:E8:CA:1C:D6:D9:34:80:B7:4B:4A:91:21:19:08:90:49:74

            X509v3 Authority Key Identifier:

                keyid:4D:07:D3:61:34:AA:57:A9:07:9F:62:6A:3C:04:27:52:E6:FE:A8:76

 

Certificate is to be certified until Aug 22 15:43:45 2012 GMT (365 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@apache-server certs]#

--已签发证书

 

 

 

4.更改ssl.conf文件

[root@localhost ~]# yum list all |grep mod_ssl

This system is not registered with RHN.

RHN support will be disabled.

mod_ssl.i386                           1: 2.2.3 -22.el5        rehl-server       

[root@localhost ~]# yum install mod_ssl

[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf

112 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt

113

114 SSLCertificateFile /etc/httpd/certs/httpd.crt

120 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

121

122 SSLCertificateKeyFile /etc/httpd/certs/httpd.key

        

[root@localhost ~]#

[root@localhost ~]# httpd -t        

Syntax OK

[root@localhost ~]# service httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

--证书不信任,需要本地连接证书链,安装信任的根证书

[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf

132 SSLCertificateChainFile /etc/pki/CA/cacert.pem

--证书链,指定根证书

[root@localhost ~]# httpd -t       

Syntax OK

[root@localhost ~]# service httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

 

5.本地安装根证书

 

 


 

21-1


21-2

--确定信任选择是

 

 

6.安装证书名称无效

--需要有指定的dns server,也可以更改hosts文件添加条目,是client之间访问站点,不会再显示证书提示问题


 

21-3

7.client安装证书之后范围server的不同结果

1)以ip访问


21-4

2)域名访问


21-5

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

你可能感兴趣的:(linux,职场,休闲,openca自签发)