Preface
A CA certificate, i.e. a Certificate Authority certificate, is a type of digital certificate. In the digital certificate system the CA certificate is an extremely important component, used mainly for identity authentication and data encryption in Internet communications.
- key (private key) = plaintext, generated by yourself (genrsa)
- csr (public key, in the form of a certificate signing request) = generated from the private key
- crt (certificate) = public key + signature (self-signed, or signed by a CA)
- Certificate: the file with the .crt suffix is the certificate
- Signing: the process of producing the certificate (crt) from the private key (key) and the CSR is called signing
1. Server preparation

| Server | IP |
|---|---|
| CA server | 192.168.179.18 |
| Apache server | 192.168.179.19 |
2. CA certificate configuration

```
[root@tianmoy ~]# yum install -y openssl
```

The CA-related settings in /etc/pki/tls/openssl.cnf (the configuration file that `openssl ca` reads) are the following lines:

```
42 dir = /etc/pki/CA # directory holding the CA's files
43 certs = $dir/certs # where issued certificates are stored
45 database = $dir/index.txt # record of issued certificates
51 serial = $dir/serial # current certificate serial number
```

To show line numbers in vi, type :set nu
```
[root@tianmoy private]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
....................................................................................................................................................................................................................+++
e is 65537 (0x10001)
```
Next run `openssl req -new -x509 -key <private key file> -out <output path of the self-signed CA certificate> -days 365`:
```
[root@tianmoy private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //country
State or Province Name (full name) []:HN //province
Locality Name (eg, city) [Default City]:ZZS //city
Organization Name (eg, company) [Default Company Ltd]:A //organization name
Organizational Unit Name (eg, section) []:B //organizational unit name
Common Name (eg, your name or your server's hostname) []:tianmoy.com //organization's domain name
Email Address []:a@tianmoy.com //e-mail address
```
Before the CA can issue certificates, two more files have to be created. First go back to the /etc/pki/CA/ directory:

```
[root@tianmoy private]# cd /etc/pki/CA/
[root@tianmoy CA]# touch index.txt //create an empty index.txt file
[root@tianmoy CA]# echo 01 > serial //write the starting certificate serial number into serial
[root@tianmoy CA]# cat serial
01
```
The CA is now configured. Next comes the Apache server.

3. Apache server configuration
```
[root@tianmoi ~]# yum install -y httpd mod_ssl //install Apache and the SSL module
[root@tianmoi ~]# echo "Tianmoy" >>/var/www/html/index.html //write "Tianmoy" into /var/www/html/index.html
[root@tianmoi ~]# mkdir ssl //create an ssl directory under the home directory
[root@tianmoi ~]# cd ssl //enter ssl
[root@tianmoi ssl]# (umask 077;openssl genrsa -out /root/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................+++
........................................................................................................................................................+++
e is 65537 (0x10001)
```
Fill in the requested information:

```
[root@tianmoi ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZS
Organization Name (eg, company) [Default Company Ltd]:A
Organizational Unit Name (eg, section) []:B
Common Name (eg, your name or your server's hostname) []:tianmoy.com
Email Address []:a@tianmoy.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Tianmoy
[root@tianmoi ssl]# ls //list the current directory
httpd.csr httpd.key
```
Copy the CSR to the CA server to be signed:

```
[root@tianmoi ssl]# scp httpd.csr root@192.168.179.18:/
```

Operations on the CA server

Signing the certificate:
```
[root@tianmoy CA]# openssl ca -in /httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: May 27 02:04:46 2024 GMT
Not After : May 27 02:04:46 2025 GMT
Subject:
countryName = CN
stateOrProvinceName = HN
organizationName = A
organizationalUnitName = B
commonName = tianmoy.com
emailAddress = a@tianmoy.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
17:62:F0:48:81:6E:67:7C:F2:E8:32:FC:24:95:6F:E6:91:1D:52:9A
X509v3 Authority Key Identifier:
keyid:41:5C:61:F9:8F:7D:DD:7D:4B:2D:4C:F6:A6:79:8F:B2:3F:3D:74:FC
Certificate is to be certified until May 27 02:04:46 2025 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
After signing, send the signed certificate to the Apache server:

```
[root@tianmoy CA]# scp /etc/pki/CA/certs/httpd.crt root@192.168.179.19:/root/ssl/
```
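The whole procedure above (CA bootstrap in step 2, CSR and signing in step 3), as an added example that is not part of the original post: it runs non-interactively with -subj and -batch instead of the prompts, uses its own minimal ca.cnf in place of the edited /etc/pki/tls/openssl.cnf (dir, database, serial and the signing policy are the same settings the page points at), adds a subjectAltName because browsers no longer accept a certificate on the CN alone, and ends with the checks worth running before httpd.crt is copied to Apache. It assumes the openssl CLI is installed; the scratch directory, file names and DN values are constructed for the example.

```shell
# Added example, not from the page: the CA bootstrap and server-cert issuance above, run
# non-interactively in a scratch directory laid out like /etc/pki/CA (assumes openssl CLI).
set -eu
WORK=$(mktemp -d)            # stands in for both hosts' filesystems
CADIR="$WORK/CA"             # mirrors "dir = /etc/pki/CA" from openssl.cnf
SERVER_NAME="tianmoy.com"    # CN from the page; also emitted as a SAN
make_ca() {
    mkdir -p "$CADIR/newcerts" "$CADIR/private"; touch "$CADIR/index.txt"; echo 01 > "$CADIR/serial"
    # Minimal config standing in for the edited /etc/pki/tls/openssl.cnf. Only DN parts
    # named in the policy survive signing; L is left out, as in the page's default policy.
    cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $CADIR
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
policy = policy_ca
x509_extensions = server_ext
[ policy_ca ]
countryName = optional
organizationName = optional
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$SERVER_NAME
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
    (umask 077; openssl genrsa -out "$CADIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CADIR/ca.cnf" -key "$CADIR/private/cakey.pem" -subj "/C=CN/O=A/CN=Tianmoy Root CA" -days 365 -out "$CADIR/cacert.pem"
}
issue_cert() {   # Apache side: key and CSR; CA side: check the CSR signature, then sign
    (umask 077; openssl genrsa -out "$WORK/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CADIR/ca.cnf" -key "$WORK/httpd.key" -subj "/C=CN/L=ZZS/O=A/CN=$SERVER_NAME" -out "$WORK/httpd.csr"
    openssl ca -batch -config "$CADIR/ca.cnf" -days 365 -in "$WORK/httpd.csr" -out "$WORK/httpd.crt"
}
verify_cert() { openssl verify -CAfile "$CADIR/cacert.pem" "$WORK/httpd.crt"; }   # chain check
issued_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$WORK/httpd.crt" | sed 's/^subject= *//'; }
has_san() { openssl x509 -noout -text -in "$WORK/httpd.crt" | grep -q "DNS:$SERVER_NAME"; }
make_ca && issue_cert && verify_cert
```

Once httpd is up, the same chain check against the live server is `openssl s_client -connect 192.168.179.19:443 -servername tianmoy.com -CAfile /etc/pki/CA/cacert.pem`, which should report "Verify return code: 0 (ok)"; a browser shows a warning until cacert.pem is imported as a trusted root and the site is opened by the name in the certificate rather than by IP.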
Operations on the Apache server

Check that the file arrived:

```
[root@tianmoi ssl]# ls
httpd.crt httpd.csr httpd.key
```

Edit /etc/httpd/conf.d/ssl.conf:

```
[root@tianmoi ssl]# vi /etc/httpd/conf.d/ssl.conf
100 SSLCertificateFile /root/ssl/httpd.crt
107 SSLCertificateKeyFile /root/ssl/httpd.key
```
Then stop the firewall and SELinux, otherwise there will be problems on startup (with SELinux enforcing, httpd is not allowed to read the key and certificate under /root/ssl, and firewalld blocks port 443 by default):

```
[root@tianmoi ssl]# systemctl stop firewalld
[root@tianmoi ssl]# setenforce 0
[root@tianmoi ssl]# systemctl start httpd
```
Check whether ports 80 and 443 are listening:

```
[root@tianmoi ssl]# ss -tan |grep 80
LISTEN 0 128 [::]:80 [::]:*
[root@tianmoi ssl]# ss -tan |grep 443
LISTEN 0 128 [::]:443 [::]:*
```

Then open the Apache server's site: https://192.168.179.19
2333~
1 comment
Great article, it really got my gears turning.