Account authentication

Linux openca can only issue certificates for its own organization

Set up a root CA on Linux with a self-signed certificate, so that the client gets identity verification when it accesses the server.

 

[root@localhost ~]# yum list all |grep openssl

This system is not registered with RHN.

RHN support will be disabled.

openssl.i686                           0.9.8e-7.el5          installed         

openssl-devel.i386                     0.9.8e-7.el5          installed         

openssl.i386                           0.9.8e-7.el5          rehl-server       

openssl-perl.i386                      0.9.8e-7.el5          rehl-server       

openssl097a.i386                       0.9.7a-9.el5_2.1      rehl-server       

xmlsec1-openssl.i386                   1.2.9-8.1             rehl-server       

xmlsec1-openssl-devel.i386             1.2.9-8.1             rehl-server       

[root@localhost ~]# yum install openssl*

 

 

 

1. Edit openssl.cnf and find the directory where the private key is kept

[root@apache-server pki]# pwd                

/etc/pki

[root@apache-server pki]# vim tls/openssl.cnf

-- where the CA's own private key is kept

dir             = /etc/pki/CA           # Where everything is kept

[root@apache-server pki]# cd /etc/pki/CA     

[root@apache-server CA]# ll

total 8

drwx------ 2 root root 4096 Dec 17  2008 private

 

2. Generate the CA's private key

[root@apache-server CA]# openssl genrsa 1024 >private/cakey.pem

Generating RSA private key, 1024 bit long modulus

.................++++++

.......++++++

e is 65537 (0x10001)

-- restrict the permissions

[root@apache-server CA]# chmod 600 private/*

[root@apache-server CA]# ll private/

total 4

-rw------- 1 root root 887 Aug 23 23:05 cakey.pem

[root@apache-server CA]#

 

 

3. Self-signed root certificate (ROOTCA)

[root@apache-server CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HENAN

Locality Name (eg, city) [Newbury]:ZHENGZHOU

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:TEC

Common Name (eg, your name or your server's hostname) []:ROOTCA.ZZU.COM

Email Address []:

[root@apache-server CA]#

 


The client applies for a certificate

1. Generate a private key

[root@apache-server httpd]# mkdir certs

[root@apache-server httpd]# cd certs

[root@apache-server certs]# ll

total 0

[root@apache-server certs]# pwd

/etc/httpd/certs

[root@apache-server certs]# openssl genrsa 1024 >httpd.key

Generating RSA private key, 1024 bit long modulus

...............++++++

.......++++++

e is 65537 (0x10001)

[root@apache-server certs]# chmod 600 httpd.key

[root@apache-server certs]# ll

total 4

-rw------- 1 root root 887 Aug 23 23:20 httpd.key

[root@apache-server certs]#

2. Request a signed certificate

The first five fields must match the root CA's, otherwise the certificate cannot be issued: only certificates for the CA's own organization can be signed.

[root@apache-server certs]# openssl req -new -key httpd.key -out httpd.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN

State or Province Name (full name) [Berkshire]:HENAN

Locality Name (eg, city) [Newbury]:ZHENGZHOU

Organization Name (eg, company) [My Company Ltd]:ZZU

Organizational Unit Name (eg, section) []:TEC

Common Name (eg, your name or your server's hostname) []:www.zzu.com

Email Address []:

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

[root@apache-server certs]#

 

3. Pass the request to the CA for signing: input file httpd.csr, output file httpd.crt

[root@apache-server certs]# openssl ca -in httpd.csr -out httpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

I am unable to access the /etc/pki/CA/newcerts directory

/etc/pki/CA/newcerts: No such file or directory

-- the root CA's working directories have not been created yet

[root@apache-server certs]# cd /etc/pki/CA/

[root@apache-server CA]# ll              

total 12

-rw-r--r-- 1 root root 1131 Aug 23 23:11 cacert.pem

drwx------ 2 root root 4096 Aug 23 23:05 private

[root@apache-server CA]# mkdir certs crl newcerts

[root@apache-server CA]# touch index.txt serial

[root@apache-server CA]# echo "01" >serial

-- the CA's serial number counter

[root@apache-server CA]# cd /etc/httpd/certs

[root@apache-server certs]# ll

total 8

-rw-r--r-- 1 root root 643 Aug 23 23:25 httpd.csr

-rw------- 1 root root 887 Aug 23 23:20 httpd.key

[root@apache-server certs]# openssl ca -in httpd.csr -out httpd.crt

Using configuration from /etc/pki/tls/openssl.cnf

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Aug 23 15:43:45 2011 GMT

            Not After : Aug 22 15:43:45 2012 GMT

        Subject:

            countryName               = CN

            stateOrProvinceName       = HENAN

            organizationName          = ZZU

            organizationalUnitName    = TEC

            commonName                = www.zzu.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                BC:38:DA:E8:CA:1C:D6:D9:34:80:B7:4B:4A:91:21:19:08:90:49:74

            X509v3 Authority Key Identifier:

                keyid:4D:07:D3:61:34:AA:57:A9:07:9F:62:6A:3C:04:27:52:E6:FE:A8:76

 

Certificate is to be certified until Aug 22 15:43:45 2012 GMT (365 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

[root@apache-server certs]#

-- certificate issued
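The same procedure as steps 1 to 3, scripted non-interactively, as an added example that is not part of the original post. It creates the directory layout that `openssl ca` needs (the missing newcerts/, index.txt and serial that caused the error above), signs a request with the page's DN, and then shows what the stock policy_match section actually enforces: countryName, stateOrProvinceName and organizationName must equal the CA's values, organizationalUnitName and emailAddress are optional, and commonName must be present. Fields that the policy does not list (localityName here) are not copied into the issued certificate, which is why ZHENGZHOU does not appear in the Certificate Details output above. The scratch directory, the 2048-bit keys (1024-bit RSA is no longer considered adequate) and the OTHER organization used for the rejected request are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: the CA setup of steps 1-3 done
# non-interactively. Assumptions: OpenSSL on PATH, a scratch directory passed
# as $1 instead of the post's /etc/pki/CA, 2048-bit keys instead of 1024.

# Layout "openssl ca" expects; newcerts/, index.txt and serial are exactly
# what was missing when the post's first "openssl ca" run failed.
init_ca_dir() {   # init_ca_dir <dir>
    mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
    chmod 700 "$1/private"        # only the owner may reach the CA key
    : > "$1/index.txt"            # empty certificate database
    echo "01" > "$1/serial"       # first serial number, plain ASCII quotes
}

# Minimal openssl.cnf carrying the stock policy_match rules: C, ST and O of a
# request must equal the CA's; OU and email are optional; CN must be present.
# Fields absent from the policy (e.g. localityName) are not copied.
write_ca_config() {   # write_ca_config <dir>
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $1
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# Root CA: key created under umask 077 (so it is 0600 from the start), then a
# self-signed certificate carrying CA:TRUE.
make_root_ca() {   # make_root_ca <dir>
    ( umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null )
    openssl req -new -x509 -config "$1/openssl.cnf" -extensions v3_ca \
        -key "$1/private/cakey.pem" -days 365 \
        -subj "/C=CN/ST=HENAN/L=ZHENGZHOU/O=ZZU/OU=TEC/CN=ROOTCA.ZZU.COM" \
        -out "$1/cacert.pem"
}

# Server key and request with the given DN, then "openssl ca" in -batch mode
# (no y/n prompts). Fails, as the policy demands, when C, ST or O differ.
issue_cert() {   # issue_cert <dir> <name> <subject>
    ( umask 077; openssl genrsa -out "$1/$2.key" 2048 2>/dev/null )
    openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" \
        -subj "$3" -out "$1/$2.csr"
    openssl ca -batch -config "$1/openssl.cnf" -notext \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>"$1/$2.err"
}

# The check the browser does later: is the server certificate signed by our root?
verify_chain() {   # verify_chain <dir> <name>
    openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1
}

# Whole flow: CA, one request with the post's DN (signed), one request from a
# different organization (rejected by policy_match). Returns 0 on success.
run_demo() {   # run_demo <dir>
    init_ca_dir "$1" && write_ca_config "$1" && make_root_ca "$1" || return 1
    issue_cert "$1" httpd "/C=CN/ST=HENAN/L=ZHENGZHOU/O=ZZU/OU=TEC/CN=www.zzu.com" || return 1
    if issue_cert "$1" other "/C=CN/ST=HENAN/O=OTHER/CN=www.other.com"; then
        echo "unexpected: request from another organization was signed" >&2
        return 1
    fi
    sed -n '/different/p' "$1/other.err" >&2    # show the policy error line
    verify_chain "$1" httpd
}
```

Run it as `run_demo "$(mktemp -d)"`; afterwards serial reads 02, index.txt holds one V (valid) line, newcerts/01.pem is the copy the CA keeps, and other.crt was never written.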

 

 

 

4. Edit ssl.conf

[root@localhost ~]# yum list all |grep mod_ssl

This system is not registered with RHN.

RHN support will be disabled.

mod_ssl.i386                           1:2.2.3-22.el5        rehl-server       

[root@localhost ~]# yum install mod_ssl

[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateFile /etc/httpd/certs/httpd.crt

#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLCertificateKeyFile /etc/httpd/certs/httpd.key

[root@localhost ~]#

[root@localhost ~]# httpd -t        

Syntax OK

[root@localhost ~]# service httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]

-- the certificate is not trusted: the certificate chain must be linked locally and the trusted root certificate installed

[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf

SSLCertificateChainFile /etc/pki/CA/cacert.pem

-- certificate chain: points to the root certificate

[root@localhost ~]# httpd -t       

Syntax OK

[root@localhost ~]# service httpd restart

Stopping httpd:                                            [  OK  ]

Starting httpd:                                            [  OK  ]
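A pre-flight check for the ssl.conf edit in step 4, added here as an example and not part of the original post: it reads the last active SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile lines (the commented-out defaults stay in the file above the new lines, so they must be skipped), confirms that each file exists and that the key still has the 0600 mode set when it was generated. The sample ssl.conf and the placeholder cert, key and chain files it writes are constructed for the demo and are not real certificates.

```shell
#!/bin/sh
# Added example, not from the original post: check the three mod_ssl
# directives before "httpd -t" and the restart. Assumption: the path of the
# ssl.conf to check is passed as $1; file names come from the directives.

# Value of the last active (non-commented) occurrence of a directive.
# "#SSLCertificateFile ..." lines are skipped; the last match wins, as in httpd.
conf_value() {   # conf_value <ssl.conf> <Directive>
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | tail -n 1 | awk '{print $2}'
}

# Returns 0 only if every directive is set, every file exists and the private
# key is readable by its owner alone. Each finding is printed on its own line.
check_ssl_conf() {   # check_ssl_conf <ssl.conf>
    conf="$1"; status=0
    for directive in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        f=$(conf_value "$conf" "$directive")
        if [ -z "$f" ]; then
            echo "MISSING: $directive is not set in $conf"; status=1
        elif [ ! -f "$f" ]; then
            echo "MISSING: $directive -> $f does not exist"; status=1
        fi
    done
    key=$(conf_value "$conf" SSLCertificateKeyFile)
    if [ -n "$key" ] && [ -f "$key" ]; then
        # GNU stat first, BSD stat as fallback
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        case "$mode" in
            600|400) ;;
            *) echo "PERM: $key has mode $mode, expected 600 (run chmod 600)"; status=1 ;;
        esac
    fi
    return $status
}

# Constructed sample: a miniature ssl.conf plus placeholder files (not real
# certificates); the key is deliberately left world-readable so the check fails.
make_sample_site() {   # make_sample_site <dir>
    mkdir -p "$1/certs" "$1/CA"
    echo "placeholder cert"  > "$1/certs/httpd.crt"
    echo "placeholder key"   > "$1/certs/httpd.key"
    echo "placeholder chain" > "$1/CA/cacert.pem"
    chmod 644 "$1/certs/httpd.key"
    cat > "$1/ssl.conf" <<EOF
<VirtualHost _default_:443>
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateFile $1/certs/httpd.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateKeyFile $1/certs/httpd.key
SSLCertificateChainFile $1/CA/cacert.pem
</VirtualHost>
EOF
}
```

Usage: `make_sample_site /tmp/site; check_ssl_conf /tmp/site/ssl.conf` reports the PERM finding; after `chmod 600 /tmp/site/certs/httpd.key` it returns 0, and removing the chain file makes it fail again with a MISSING line. On a real host run only `check_ssl_conf /etc/httpd/conf.d/ssl.conf`.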

 

5. Install the root certificate locally

[screenshot 21-1]

[screenshot 21-2]

-- confirm the trust prompt by choosing Yes

 

 

6. After installation, the certificate name is reported as invalid

-- a DNS server is needed (or add an entry to the hosts file) so that the client reaches the site by its name; the certificate warning then no longer appears

[screenshot 21-3]

7. Different results when the client accesses the server after installing the certificate

1) Access by IP address

[screenshot 21-4]

2) Access by domain name

[screenshot 21-5]
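Why the results in steps 6 and 7 differ, shown with OpenSSL instead of a browser, as an added example that is not part of the original post: a certificate only matches what it names, so a certificate issued for www.zzu.com is accepted when the site is reached by that name and rejected when it is reached by IP address unless the address is listed as well. Modern browsers take the names from the subjectAltName extension (a CN alone is no longer enough for them), so the example puts the host name and, optionally, the address there. The 192.0.2.10 address is a documentation-range value chosen for the example; the DN follows the page.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: OpenSSL on PATH,
# a scratch directory as $1, 192.0.2.10 as a stand-in server address.

# Self-signed test certificate for <host>. <san> is a subjectAltName value
# such as "DNS:www.zzu.com,IP:192.0.2.10", or empty for a CN-only certificate
# like the one issued in step 3 above.
make_server_cert() {   # make_server_cert <dir> <name> <host> <san>
    {
        echo "[ req ]"
        echo "distinguished_name = dn"
        echo "x509_extensions    = v3_server"
        echo "[ dn ]"
        echo "[ v3_server ]"
        echo "basicConstraints = CA:FALSE"
        if [ -n "$4" ]; then
            echo "subjectAltName = $4"
        fi
    } > "$1/$2.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/$2.cnf" -keyout "$1/$2.key" \
        -subj "/C=CN/ST=HENAN/O=ZZU/OU=TEC/CN=$3" \
        -out "$1/$2.crt" 2>/dev/null
}

# The question a browser asks when the URL carries a host name.
# Returns 0 when the certificate covers that name.
name_matches() {   # name_matches <crt> <hostname>
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# The same question when the URL carries an IP address instead. Only an
# IP entry in subjectAltName can satisfy it; the CN is never used here.
ip_matches() {   # ip_matches <crt> <ip>
    openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}
```

With `make_server_cert "$d" with_san www.zzu.com "DNS:www.zzu.com,IP:192.0.2.10"` both `name_matches "$d/with_san.crt" www.zzu.com` and `ip_matches "$d/with_san.crt" 192.0.2.10` succeed, while a CN-only certificate made with an empty fourth argument fails the IP check, which is the step 7 "access by IP" warning in command-line form.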