CA introduction
Setting up a CA server (encrypted data transfer for the web service)
CA server (172.40.55.10)
Step 1: configure the CA signing environment
Step 2: generate the CA server's private key
Step 3: create the CA server's root certificate
Step 4: publish the root certificate file
Step 1: configure the CA signing environment
[root@room5pc00 ~]# rpm -qf /etc/pki/tls/openssl.cnf
openssl-1.0.1e-42.el6.x86_64
[root@room5pc00 ~]#
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs
certificate = $dir/my-ca.crt    # root certificate name
private_key = $dir/private/my-ca.key    # private key name
[ req_distinguished_name ]
countryName_default = CN    # country
stateOrProvinceName_default = beijing    # province
localityName_default = beijing    # city
0.organizationName_default = tarena    # organization
:wq
Create the index.txt and serial files as needed
[root@svr5 ~]# cd /etc/pki/CA
[root@svr5 CA]# touch index.txt
[root@svr5 CA]# echo 01 > serial
Step 2: generate the CA server's private key
cd /etc/pki/CA/private/
openssl genrsa -des3 2048 > my-ca.key    (passphrase 123456)
chmod 600 my-ca.key
Step 3: create the CA server's root certificate
cd /etc/pki/CA/
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt    (enter the private key's passphrase)
[root@room5pc00 CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [tarena]:
Organizational Unit Name (eg, section) []:mis
Common Name (eg, your name or your server's hostname) []:ca.tarena.com
Email Address []:[email protected]
[root@room5pc00 CA]#
Step 4: publish the root certificate file
cd /etc/pki/CA/
cp my-ca.crt /var/www/html/
service httpd restart
++++++++++++++++++++++++
Web server
1 Generate its own private key
2 Generate the certificate signing request file
3 The CA server signs the certificate
4 Download the signed certificate
5 Configure the web service to use the signed certificate
6 Restart the web service
1 Generate its own private key
cd /etc/pki/tls/private/
openssl genrsa 2048 > www.key
chmod 600 www.key
2 Generate the certificate signing request file
cd /etc/pki/tls/private/
openssl req -new -key www.key > /root/www.csr
[root@room5pc00 private]# openssl req -new -key www.key > /root/www.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [tarena]:
Organizational Unit Name (eg, section) []:mis
Common Name (eg, your name or your server's hostname) []:ca.tedu.cn
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@room5pc00 private]#
3 The CA server signs the certificate and shares the signed certificate
cd /etc/pki/CA/certs/
openssl ca -in /root/www.csr > www.crt
[root@room5pc00 certs]# openssl ca -in /root/www.csr > www.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 7 09:20:09 2016 GMT
Not After : May 7 09:20:09 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = tarena
organizationalUnitName = mis
commonName = ca.tedu.cn
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F9:5D:62:DF:AF:9E:23:29:BE:B6:CE:DC:88:4F:E6:C7:B0:36:11:A6
X509v3 Authority Key Identifier:
keyid:5B:1D:A7:F7:B6:22:FE:6D:F2:F1:8E:CE:89:EB:EF:58:E4:CF:A0:A5
Certificate is to be certified until May 7 09:20:09 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@room5pc00 certs]#
cp www.crt /var/www/html/
4 The client downloads the signed certificate
cd /etc/pki/tls/certs/
cp /etc/pki/CA/certs/www.crt ./
[root@room5pc00 certs]# ls /etc/pki/tls/private/
www.key
[root@room5pc00 certs]#
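The CA setup and the web-server key/CSR/signing steps above, replayed as an added shell script that is not part of the original notes: it runs unattended (-subj and -batch replace the interactive prompts), uses a scratch directory with a minimal openssl.cnf instead of /etc/pki, and ends with openssl verify, the chain check the notes do not run. The directory layout, subjects and host names are assumptions modelled on the notes.

```shell
# Added example, not from the original notes: replay the CA / web-server certificate
# flow non-interactively in a scratch directory, then verify the issued certificate
# chains to the root. Layout, subjects and host names are assumptions based on the notes.
set -eu
# build_ca_and_sign DIR: mini CA in DIR, CSR for the web server, signed cert, chain check.
build_ca_and_sign() {
  d="$1"
  mkdir -p "$d/CA/private" "$d/CA/certs" "$d/CA/newcerts" "$d/tls/private"
  touch "$d/CA/index.txt"; echo 01 > "$d/CA/serial"   # issued-cert database and next serial
  cat > "$d/openssl.cnf" <<EOF   # the [ CA_default ] settings the notes edit, reduced to essentials
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $d/CA
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/my-ca.crt
private_key = \$dir/private/my-ca.key
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
countryName = optional
organizationName = optional
commonName = supplied
[ usr_cert ]
basicConstraints = CA:FALSE   # leaf certificate, as shown in the notes' signing output
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = CA:TRUE    # a root without this is rejected by openssl verify
[ req_distinguished_name ]
EOF
  # Steps 2-3: CA key (unencrypted so this runs unattended; the notes use -des3) and root cert
  openssl genrsa -out "$d/CA/private/my-ca.key" 2048 2>/dev/null
  chmod 600 "$d/CA/private/my-ca.key"
  openssl req -new -x509 -config "$d/openssl.cnf" -key "$d/CA/private/my-ca.key" \
    -days 365 -subj "/C=CN/O=tarena/CN=ca.tarena.com" -out "$d/CA/my-ca.crt"
  # Web server steps 1-2: server key and CSR; -subj replaces the interactive DN prompts
  openssl genrsa -out "$d/tls/private/www.key" 2048 2>/dev/null
  chmod 600 "$d/tls/private/www.key"
  openssl req -new -config "$d/openssl.cnf" -key "$d/tls/private/www.key" \
    -subj "/C=CN/O=tarena/CN=www.tedu.cn" -out "$d/www.csr"
  # Step 3: the CA signs; -batch answers the two y/n prompts shown in the notes
  openssl ca -batch -config "$d/openssl.cnf" -days 365 -md sha256 \
    -in "$d/www.csr" -out "$d/CA/certs/www.crt" 2>/dev/null
  # The check the notes never run: does www.crt chain to my-ca.crt? (non-zero exit if not)
  openssl verify -CAfile "$d/CA/my-ca.crt" "$d/CA/certs/www.crt" >/dev/null
}
```

Run it as `build_ca_and_sign "$(mktemp -d)"`; after it returns, the same `openssl verify -CAfile` line is the check to repeat against /etc/pki/CA/my-ca.crt and /etc/pki/tls/certs/www.crt on the real servers.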
5 Configure the web service to use the signed certificate at runtime
rpm -q mod_ssl
yum -y install mod_ssl
vim /etc/httpd/conf.d/ssl.conf
88 SSLEngine on
105 SSLCertificateFile /etc/pki/tls/certs/www.crt
112 SSLCertificateKeyFile /etc/pki/tls/private/www.key
:wq
6 Restart the web service
service httpd restart
[root@room5pc00 conf]# ps aux | grep vmware-hostd
netstat -untlap | grep :443
[root@room5pc00 conf.d]# netstat -utnalp | grep :443
tcp 0 0 :::443 :::* LISTEN 8973/httpd
+++++++++++++++++++++++++++++++++++
Client
80 http://web-ip
443 https://web-ip
[root@room5pc00 conf]# elinks --dump https://localhost/one.html
ELinks: 拒绝连接
[root@room5pc00 conf]#
[root@room5pc00 conf]#
[root@room5pc00 conf]# elinks --dump http://localhost/one.html
hello a student
[root@room5pc00 conf]#
++++++++++++++++++++++++++++++++++++
Web site configuration (HTTP access automatically redirects to HTTPS)
https://172.40.55.10/one.html
vim httpd.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R]
:wq
service httpd restart
http://ca.tedu.cn/one.html