Introduction to CA




Setting up a CA server  (encrypted data transmission for the web service)



 

CA server  (172.40.55.10)

Step 1: Configure the CA signing environment

Step 2: Generate a private key for the CA server

Step 3: Create the root certificate for the CA server

Step 4: Publish the root certificate file


Step 1: Configure the CA signing environment

[root@room5pc00 ~]# rpm -qf  /etc/pki/tls/openssl.cnf

openssl-1.0.1e-42.el6.x86_64

[root@room5pc00 ~]#


vim  /etc/pki/tls/openssl.cnf

[ CA_default ]

dir = /etc/pki/CA

certs  = $dir/certs

certificate = $dir/my-ca.crt   # root certificate file name

private_key = $dir/private/my-ca.key   # private key file name


[ req_distinguished_name ]

countryName_default = CN   # country

stateOrProvinceName_default = beijing  # province

localityName_default = beijing  # city

0.organizationName_default = tarena    # organization

:wq


Create the index.txt (certificate database) and serial (next serial number) files that openssl ca requires

[root@svr5 ~]# cd  /etc/pki/CA

[root@svr5 CA]# touch  index.txt

[root@svr5 CA]# echo  01  >  serial


Step 2: Generate a private key for the CA server

cd   /etc/pki/CA/private/

openssl  genrsa  -des3  2048  >  my-ca.key   (passphrase: 123456)

chmod  600  my-ca.key


Step 3: Create the root certificate for the CA server

cd   /etc/pki/CA/

openssl  req  -new  -x509  -key  private/my-ca.key  -days 365  >  my-ca.crt    (enter the private key passphrase)


[root@room5pc00 CA]# openssl  req  -new  -x509  -key  private/my-ca.key  -days 365 > my-ca.crt

Enter pass phrase for private/my-ca.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [beijing]:

Locality Name (eg, city) [beijing]:

Organization Name (eg, company) [tarena]:

Organizational Unit Name (eg, section) []:mis

Common Name (eg, your name or your server's hostname) []:ca.tarena.com

Email Address []:plj@tedu.cn

[root@room5pc00 CA]#



Step 4: Publish the root certificate file

cd   /etc/pki/CA/

cp  my-ca.crt    /var/www/html/

service  httpd  restart


++++++++++++++++++++++++

Web server

1  Generate the server's own private key

2  Generate a certificate signing request (CSR)

3  The CA server signs the certificate

4  Download the signed certificate

5  Configure the web service to use the signed certificate

6  Restart the web service


1  Generate the server's own private key

cd  /etc/pki/tls/private/

openssl  genrsa  2048  >  www.key

chmod 600 www.key


2  Generate a certificate signing request (CSR)

cd  /etc/pki/tls/private/

openssl  req  -new  -key  www.key  >  /root/www.csr


[root@room5pc00 private]# 

[root@room5pc00 private]# openssl  req  -new  -key  www.key  >  /root/www.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [beijing]:

Locality Name (eg, city) [beijing]:

Organization Name (eg, company) [tarena]:

Organizational Unit Name (eg, section) []:mis

Common Name (eg, your name or your server's hostname) []:ca.tarenac^H.^H^C

[root@room5pc00 private]# 

[root@room5pc00 private]# openssl  req  -new  -key  www.key  >  /root/www.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [CN]:

State or Province Name (full name) [beijing]:

Locality Name (eg, city) [beijing]:

Organization Name (eg, company) [tarena]:

Organizational Unit Name (eg, section) []:mis

Common Name (eg, your name or your server's hostname) []:ca.tedu.cn

Email Address []:plj@163.com


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@room5pc00 private]# 


3  The CA server signs the certificate and shares the signed certificate

cd  /etc/pki/CA/certs/

openssl  ca  -in  /root/www.csr  >  www.crt


[root@room5pc00 certs]# openssl  ca  -in  /root/www.csr  >  www.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/my-ca.key:

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: May  7 09:20:09 2016 GMT

            Not After : May  7 09:20:09 2017 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = beijing

            organizationName          = tarena

            organizationalUnitName    = mis

            commonName                = ca.tedu.cn

            emailAddress              = plj@163.com

        X509v3 extensions:

            X509v3 Basic Constraints: 

                CA:FALSE

            Netscape Comment: 

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier: 

                F9:5D:62:DF:AF:9E:23:29:BE:B6:CE:DC:88:4F:E6:C7:B0:36:11:A6

            X509v3 Authority Key Identifier: 

                keyid:5B:1D:A7:F7:B6:22:FE:6D:F2:F1:8E:CE:89:EB:EF:58:E4:CF:A0:A5


Certificate is to be certified until May  7 09:20:09 2017 GMT (365 days)

Sign the certificate? [y/n]:y



1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@room5pc00 certs]# 



cp  www.crt   /var/www/html/
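The CA steps above (signing environment, CA key, root certificate, index.txt/serial) and web-server steps 1 to 3 replayed end to end, as an added example that is not part of the original notes. It builds the CA in a scratch directory with its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, runs every command non-interactively (-subj, -batch and -passin replace the prompts shown in the transcripts), and ends with the check the notes skip: openssl verify against the root certificate, including a hostname match. The file name lab.cnf, the CA_PASS default, the server name www.lab.test and the subjectAltName extension are assumptions chosen for this demo; the DN values are the ones from the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: private CA + server certificate
# in a scratch directory, non-interactively. Assumed names: lab.cnf, CA_PASS,
# www.lab.test. Requires the openssl command-line tool.
set -eu

CA_PASS="${CA_PASS:-change-me}"   # constructed demo passphrase (the notes use 123456)

# Minimal equivalent of the [ CA_default ] / [ req_distinguished_name ] edits above.
write_ca_config() {   # $1 = CA directory
    cat > "$1/lab.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $1
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
certificate     = \$dir/my-ca.crt
private_key     = \$dir/private/my-ca.key
default_md      = sha256
default_days    = 365
policy          = policy_lab
x509_extensions = usr_cert
copy_extensions = copy
[ policy_lab ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# CA steps 1-3: directory layout, index.txt/serial, passphrase-protected CA key,
# self-signed root certificate (DN values taken from the notes).
setup_ca() {   # $1 = CA directory
    mkdir -p "$1/certs" "$1/newcerts" "$1/private"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    write_ca_config "$1"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/private/my-ca.key" 2048 2>/dev/null
    chmod 600 "$1/private/my-ca.key"
    openssl req -new -x509 -config "$1/lab.cnf" -key "$1/private/my-ca.key" \
        -passin "pass:$CA_PASS" -days 365 \
        -subj "/C=CN/ST=beijing/L=beijing/O=tarena/OU=mis/CN=ca.tarena.com" \
        -out "$1/my-ca.crt"
}

# Web-server steps 1-3: server key, CSR, signature by the CA. The CSR carries a
# subjectAltName for the hostname (copied into the certificate by copy_extensions),
# which is the name TLS clients actually match against.
issue_server_cert() {   # $1 = CA directory, $2 = server hostname; prints the cert path
    crt="$1/certs/$2.crt"
    openssl genrsa -out "$1/private/$2.key" 2048 2>/dev/null
    chmod 600 "$1/private/$2.key"
    openssl req -new -config "$1/lab.cnf" -key "$1/private/$2.key" \
        -subj "/C=CN/ST=beijing/O=tarena/OU=mis/CN=$2" \
        -addext "subjectAltName=DNS:$2" -out "$1/$2.csr"
    openssl ca -batch -notext -config "$1/lab.cnf" -passin "pass:$CA_PASS" \
        -in "$1/$2.csr" -out "$crt" >/dev/null 2>&1
    echo "$crt"
}

# Is this a CA certificate (basicConstraints CA:TRUE)?
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Does the certificate chain to the root and match the hostname a client will use?
verify_chain() {   # $1 = CA directory, $2 = hostname, $3 = certificate
    openssl verify -CAfile "$1/my-ca.crt" -verify_hostname "$2" "$3" >/dev/null
}

# Stand-alone demo in a temporary directory.
DEMO=$(mktemp -d)
setup_ca "$DEMO"
CRT=$(issue_server_cert "$DEMO" www.lab.test)
verify_chain "$DEMO" www.lab.test "$CRT"
echo "chain OK: $CRT"
rm -rf "$DEMO"
```

After issue_server_cert the serial file reads 02 and index.txt has one entry, the same "Write out database with 1 new entries" the transcript shows. Note that the notes' CSR uses CN=ca.tedu.cn for the web server certificate; a client connecting to the site by another name would reject it, which is why the example puts the real hostname in the CN and the subjectAltName and verifies with -verify_hostname.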


4  The client downloads the signed certificate

cd  /etc/pki/tls/certs/

cp /etc/pki/CA/certs/www.crt   ./


[root@room5pc00 certs]# ls /etc/pki/tls/private/

www.key

[root@room5pc00 certs]#


5  Configure the web service to use the signed certificate

rpm  -q  mod_ssl

yum  -y  install  mod_ssl

vim /etc/httpd/conf.d/ssl.conf

(the numbers are the line positions in ssl.conf)

88  SSLEngine on

105 SSLCertificateFile /etc/pki/tls/certs/www.crt

112 SSLCertificateKeyFile /etc/pki/tls/private/www.key

:wq


6  Restart the web service

service httpd restart



[root@room5pc00 conf]# ps aux  | grep  vmware-hostd


netstat  -untlap  | grep   :443


[root@room5pc00 conf.d]# netstat -utnalp  | grep :443

tcp        0      0 :::443                      :::*                        LISTEN      8973/httpd
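Two checks a practitioner runs around steps 5 and 6, as an added example that is not part of the original notes: that SSLCertificateFile and SSLCertificateKeyFile really belong together (a mismatch is the usual reason httpd refuses to start after editing ssl.conf), that the certificate is not about to expire, and that something is listening on 443 once the service is up, read from /proc/net/tcp so it also works where netstat is not installed. The function names and the self-signed demo pair generated in a temporary directory are assumptions; the notes' CA-signed www.crt/www.key can be passed to the same functions.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity checks for the ssl.conf
# step (SSLCertificateFile / SSLCertificateKeyFile) and the netstat step.
# Requires the openssl command-line tool; function names are assumptions.
set -eu

# Does the certificate's public key match the private key?
cert_matches_key() {   # $1 = certificate (PEM), $2 = private key (PEM)
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Is the certificate still valid for at least N more days?
cert_valid_for_days() {   # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Is a TCP port in LISTEN state (0A) on IPv4 or IPv6? Linux only.
port_listening() {   # $1 = port number
    hexport=$(printf '%04X' "$1")
    cat /proc/net/tcp /proc/net/tcp6 2>/dev/null | grep -qiE ":$hexport [0-9A-F]+:0000 0A"
}

# Constructed self-signed pair for the demo (the notes use a CA-signed www.crt;
# the checks are identical). Writes $1/www.key and $1/www.crt.
make_demo_pair() {   # $1 = directory
    printf '[req]\ndistinguished_name = dn\n[dn]\ncommonName = Common Name\n' > "$1/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/req.cnf" \
        -subj "/CN=www.lab.test" -days 365 \
        -keyout "$1/www.key" -out "$1/www.crt" 2>/dev/null
}

# Stand-alone demo.
DEMO=$(mktemp -d)
make_demo_pair "$DEMO"
cert_matches_key "$DEMO/www.crt" "$DEMO/www.key" && echo "certificate and key match"
cert_valid_for_days "$DEMO/www.crt" 30 && echo "certificate valid for 30+ days"
port_listening 443 && echo "port 443 is listening" || echo "nothing on port 443 yet"
rm -rf "$DEMO"
```

Before step 6 on the real server: cert_matches_key /etc/pki/tls/certs/www.crt /etc/pki/tls/private/www.key; after the restart, port_listening 443 should succeed, which is the same result the netstat line above shows. The elinks "connection refused" in the client section below is exactly what port_listening 443 failing looks like from the outside.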




+++++++++++++++++++++++++++++++++++

Client

80    http://web-ip

443  https://web-ip

[root@room5pc00 conf]# elinks  --dump https://localhost/one.html

ELinks: 拒绝连接

[root@room5pc00 conf]# 

[root@room5pc00 conf]# 

[root@room5pc00 conf]# elinks  --dump http://localhost/one.html

   hello a student

[root@room5pc00 conf]#

++++++++++++++++++++++++++++++++++++

Web client-facing configuration (plain http access is redirected to https automatically)

https://172.40.55.10/one.html


vim httpd.conf

<IfModule ssl_module>

    SSLRandomSeed  startup  builtin

    SSLRandomSeed  connect  builtin

</IfModule>

RewriteEngine  on

RewriteCond  %{SERVER_PORT}  !^443$

# the matched path already starts with "/", so anchor on it to avoid "https://host//one.html"
RewriteRule  ^/(.*)  https://%{SERVER_NAME}/$1  [R]

:wq

service  httpd  restart


http://ca.tedu.cn/one.html
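A check for the redirect rule above, as an added example that is not part of the original notes: redirect_ok judges the status code and target that curl reports for a plain-http URL, and check_https_redirect runs that against a live server. Function names and the constructed sample responses are assumptions; curl is only needed for the live check.

```shell
#!/bin/sh
# Added example, not from the original notes: verify that a plain-http URL is
# answered with a redirect to https. Function names are assumptions.
set -eu

# $1 = "<http status> <redirect target>", the shape curl prints with the -w
# format used below. Accept only a redirect whose target is an https:// URL:
# a 200 means the rewrite is not active, a redirect back to http:// would loop
# or keep the request on the clear-text port.
redirect_ok() {
    code=${1%% *}
    target=${1#* }
    case "$code" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$target" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check, e.g. check_https_redirect http://172.40.55.10/one.html
check_https_redirect() {   # $1 = http URL
    redirect_ok "$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "$1")"
}

# Constructed sample responses.
redirect_ok "302 https://ca.tedu.cn/one.html" && echo "redirect to https: OK"
redirect_ok "200 " || echo "no redirect: RewriteEngine/RewriteRule not active"
```

The [R] flag alone sends a 302 (temporary) redirect; [R=301,L] makes it permanent and stops further rewriting. %{SERVER_NAME} is taken from the ServerName directive, so it must be the name the certificate was issued for (ca.tedu.cn in these notes), otherwise the browser lands on https with a name mismatch.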