CA introduction
Building a CA server (encrypted data transmission for the web service)
CA server (172.40.55.10)
Step 1: configure the CA signing environment
Step 2: generate a private key for the CA server
Step 3: create the root certificate for the CA server
Step 4: publish the root certificate file
Step 1: configure the CA signing environment
[root@room5pc00 ~]# rpm -qf /etc/pki/tls/openssl.cnf
openssl-1.0.1e-42.el6.x86_64
[root@room5pc00 ~]#
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs
certificate = $dir/my-ca.crt          # root certificate name
private_key = $dir/private/my-ca.key  # private key name
[ req_distinguished_name ]
countryName_default = CN              # country
stateOrProvinceName_default = beijing # province
localityName_default = beijing        # city
0.organizationName_default = tarena   # organization
:wq
Create the index.txt and serial files as needed:
[root@svr5 ~]# cd /etc/pki/CA
[root@svr5 CA]# touch index.txt
[root@svr5 CA]# echo 01 > serial
Step 2: generate a private key for the CA server
cd /etc/pki/CA/private/
openssl genrsa -des3 2048 > my-ca.key (passphrase: 123456)
chmod 600 my-ca.key
Step 3: create the root certificate for the CA server
cd /etc/pki/CA/
openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt (enter the private key passphrase)
[root@room5pc00 CA]# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [tarena]:
Organizational Unit Name (eg, section) []:mis
Common Name (eg, your name or your server's hostname) []:ca.tarena.com
Email Address []:plj@tedu.cn
[root@room5pc00 CA]#
Step 4: publish the root certificate file
cd /etc/pki/CA/
cp my-ca.crt /var/www/html/
service httpd restart
++++++++++++++++++++++++
Web server
1 Generate the web server's own private key
2 Generate the certificate signing request
3 The CA server signs the certificate
4 Download the signed certificate
5 Configure the web service to use the signed certificate
6 Restart the web service
1 Generate the web server's own private key
cd /etc/pki/tls/private/
openssl genrsa 2048 > www.key
chmod 600 www.key
2 Generate the certificate signing request
cd /etc/pki/tls/private/
openssl req -new -key www.key > /root/www.csr
[root@room5pc00 private]# openssl req -new -key www.key > /root/www.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [tarena]:
Organizational Unit Name (eg, section) []:mis
Common Name (eg, your name or your server's hostname) []:ca.tedu.cn
Email Address []:plj@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@room5pc00 private]#
3 The CA server signs the certificate and shares the signed certificate
cd /etc/pki/CA/certs/
openssl ca -in /root/www.csr > www.crt
[root@room5pc00 certs]# openssl ca -in /root/www.csr > www.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 7 09:20:09 2016 GMT
Not After : May 7 09:20:09 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = tarena
organizationalUnitName = mis
commonName = ca.tedu.cn
emailAddress = plj@163.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F9:5D:62:DF:AF:9E:23:29:BE:B6:CE:DC:88:4F:E6:C7:B0:36:11:A6
X509v3 Authority Key Identifier:
keyid:5B:1D:A7:F7:B6:22:FE:6D:F2:F1:8E:CE:89:EB:EF:58:E4:CF:A0:A5
Certificate is to be certified until May 7 09:20:09 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@room5pc00 certs]#
cp www.crt /var/www/html/
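The CA steps 2 to 4 and web-server steps 1 to 3 above, run without prompts in a scratch directory and then checked with openssl verify, as an added example that is not part of the original notes. It assumes the openssl CLI is installed; the minimal config file, the -subj values and the name www.tarena.com are constructed for the example, and the keys are left unencrypted so the script can run unattended (the -des3 passphrase the notes put on the CA key is the right choice for a real CA).

```shell
# Added example, not from the original notes: CA steps 2-4 and web-server steps
# 1-3 done without prompts in a scratch directory. Assumes the openssl CLI.
# Keys are unencrypted so this runs unattended; the notes' -des3 CA key is better.
demo_pki() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/CA/private" "$root/CA/certs" "$root/CA/newcerts" || return 1
  touch "$root/CA/index.txt" && echo 01 > "$root/CA/serial" || return 1
  # Minimal openssl.cnf mirroring the [ CA_default ] edits plus the extensions seen in the signed cert.
  cat > "$root/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $root/CA
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/my-ca.crt
private_key = \$dir/private/my-ca.key
default_md = sha256
policy = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  # CA steps 2-3 and web-server steps 1-2; -subj replaces the interactive DN prompts.
  openssl genrsa -out "$root/CA/private/my-ca.key" 2048 2>/dev/null || return 1
  openssl req -new -x509 -days 365 -config "$root/ca.cnf" -key "$root/CA/private/my-ca.key" -subj "/C=CN/ST=beijing/L=beijing/O=tarena/CN=ca.tarena.com" -out "$root/CA/my-ca.crt" || return 1
  openssl genrsa -out "$root/www.key" 2048 2>/dev/null || return 1
  openssl req -new -config "$root/ca.cnf" -key "$root/www.key" -subj "/C=CN/ST=beijing/L=beijing/O=tarena/CN=www.tarena.com" -out "$root/www.csr" || return 1
  # Web-server step 3: sign with openssl ca as the notes do; -batch answers the y/n prompts.
  openssl ca -batch -notext -days 365 -config "$root/ca.cnf" -in "$root/www.csr" -out "$root/www.crt" 2>/dev/null || return 1
  # The check the notes skip: the issued certificate must chain to our root.
  openssl verify -CAfile "$root/CA/my-ca.crt" "$root/www.crt" >/dev/null || return 1
  echo "$root"
}
```

Only the subject fields listed in policy_match survive signing, which is why the session above shows no localityName even though the CSR supplied one; the function verifies the issued certificate against the root before printing the scratch directory.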
4 The client downloads the signed certificate
cd /etc/pki/tls/certs/
cp /etc/pki/CA/certs/www.crt ./
[root@room5pc00 certs]# ls /etc/pki/tls/private/
www.key
[root@room5pc00 certs]#
5 Configure the web service to use the signed certificate
rpm -q mod_ssl
yum -y install mod_ssl
vim /etc/httpd/conf.d/ssl.conf
88 SSLEngine on
105 SSLCertificateFile /etc/pki/tls/certs/www.crt
112 SSLCertificateKeyFile /etc/pki/tls/private/www.key
:wq
6 Restart the web service
service httpd restart
[root@room5pc00 conf]# ps aux | grep vmware-hostd
netstat -untlap | grep :443
[root@room5pc00 conf.d]# netstat -utnalp | grep :443
tcp 0 0 :::443 :::* LISTEN 8973/httpd
+++++++++++++++++++++++++++++++++++
Client
80 http://web-ip
443 https://web-ip
[root@room5pc00 conf]# elinks --dump https://localhost/one.html
ELinks: 拒絕鏈接
[root@room5pc00 conf]#
[root@room5pc00 conf]#
[root@room5pc00 conf]# elinks --dump http://localhost/one.html
hello a student
[root@room5pc00 conf]#
++++++++++++++++++++++++++++++++++++
Web site configuration (HTTP access automatically redirects to HTTPS)
https://172.40.55.10/one.html
vim httpd.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
# In httpd.conf (server context) the matched path already starts with "/",
# so capture after it; "(.*)" would produce https://host//one.html
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
:wq
service httpd restart
http://ca.tedu.cn/one.html