CA认证服务搭建见:
实验环境: 基于centos6系统
- 安装httpd
[root@xinsz08-1 ~]# yum install httpd -y
- 修改http web服务器
[root@xinsz08-1 ~]# vim /etc/httpd/conf/httpd.conf [root@xinsz08-1 ~]# service httpd restart停止 httpd: [失败]正在启动 httpd: [确定]
[root@xinsz08-1 ~]# iptables -F
- 客户端服务器生成证书请求文件,获得证书
[root@xinsz08-1 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/sever.keyGenerating RSA private key, 1024 bit long modulus................++++++.......................++++++ e is 65537 (0x10001)Enter pass phrase for /etc/httpd/conf.d/sever.key: Verifying - Enter pass phrase for /etc/httpd/conf.d/sever.key:
- 使用私钥生成请求文件
[root@xinsz08-64 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr #注意后期添加的国家,省,组织等信息要和CA保持一致Enter pass phrase for /etc/httpd/conf.d/server.key:123456 #输入私钥的密码You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:haidian Organization Name (eg, company) [Default Company Ltd]:zmedu Organizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server's hostname) []:xinsz08-64.cn #这里要求输入的CommonName必须与通过浏览器访问您网站的 URL 完全相同,否则用户会发 现您服务器证书的通用名与站点的名字不匹配,用户就会怀疑您的证书的真实性。可以使域名也可以 使IP地址。 Email Address []:1@163.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: #不输密码直接回车An optional company name []: 注:证书请求文件中有xinsz08-64的公钥。 这个公钥是在生成证书请求文件时,通过指定的私钥 /etc/httpd/conf.d/server.key生成的。 常识: 通过私钥可以生成公钥的,通过公钥不可以推出来私钥。
5、将证书请求文件发给CA服务器:
[root@xinsz08-64 ~]# scp /server.csr 192.168.1.63:/tmp/
- 签名
[root@xinsz08-62 ~]# openssl ca -h[root@xinsz08-62 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt Using configuration from /etc/pki/tls/openssl.cnf Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456 Check that the request matches the signature Signature ok Certificate Details: Serial Number: ce:60:e0:a3:fe:ee:88:09 Validity Not Before: Dec 21 14:25:53 2014 GMT Not After : Dec 21 14:25:53 2015 GMT Subject: countryName = CN stateOrProvinceName = beijing organizationName = xzmedu organizationalUnitName = IT commonName = xinsz08-64.cn emailAddress = 1@163.com X509v3 extensions: X509v3 Basic Constraints: CA:TRUE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 1B:30:0B:28:4A:31:EA:FC:05:7D:54:A3:87:A0:6E:BE:F8:D6:3C:F8 X509v3 Authority Key Identifier: keyid:6D:0F:0C:C5:96:32:A8:8B:D3:FF:36:39:5B:14:5B:9B:31:12:4A:C3 Certificate is to be certified until Dec 21 14:25:53 2015 GMT (365 days) #证书有效期是365天。证书进行认证,直到12月21日十四时25分53秒格林尼治标准时间2015年(365天)Sign the certificate? [y/n]:y #注册证书1 out of 1 certificate requests certified, commit? [y/n]y #确认Write out database with 1 new entries Data Base Updated
7、将证书复制到xinsz08-64
[root@xinsz08-62 ~]# scp /server.crt 192.168.1.64:/
到此证书签名完毕。
使用证书实现https
18.4.2 在xinsz08-64上配置HTTPS web服务器
1、安装SSL模块
[root@xinsz08-64 ~]# yum install mod_ssl -y
2、配置apache加载证书文件
[root@xinsz08-64 ~]# cp /server.crt /etc/httpd/conf.d/ #复制证书
[root@xinsz08-64 ~]# ls /etc/httpd/conf.d/server.key #查看私钥/etc/httpd/conf.d/server.key
[root@xinsz08-64 ~]# vim /etc/httpd/conf.d/ssl.conf改:100 SSLCertificateFile /etc/pki/tls/certs/localhost.crt 为:100 SSLCertificateFile /etc/httpd/conf.d/server.crt 改:107 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key 为:107 SSLCertificateKeyFile /etc/httpd/conf.d/server.key
3、启动服务:
[
root@xinsz08-64 ~]# systemctl restart httpdEnter SSL pass phrase for xinsz08-64.cn:443 (RSA) : 123456 #httpd私钥密码
4、测试https,查看端口
[root@xinsz08-64 ~]# netstat -antup | grep 443tcp 0 0 :::443 :::* LISTEN 5138/httpd
5、通过浏览器测试https效果
访问IP
查看浏览器上的证书
