Introduction
A CA certificate, i.e. a "Certificate Authority" certificate, is one kind of digital certificate. It is a critical part of the digital certificate system and is used mainly to provide identity verification and data encryption in Internet communication.
- key (private key) = plaintext, generated by yourself (genrsa)
- csr (certificate signing request, which carries the public key) = generated from the private key
- crt (certificate) = public key + signature (self-signed, or signed by a CA)
- Certificate: a file with the .crt suffix is a certificate
- Signing: the process of producing the certificate (crt) from the private key (key) and the CSR is called signing
 
1. Server preparation
| Server | IP |
|---|---|
| Certificate (CA) server | 192.168.179.18 |
| Apache server | 192.168.179.19 |
2. CA configuration
```
[root@tianmoy ~]# yum install -y openssl
```

Check the following entries in the OpenSSL configuration file (/etc/pki/tls/openssl.cnf, the file that `openssl ca` reports using later on); the numbers are the line numbers in that file:

```
42 dir             = /etc/pki/CA           # directory holding the CA's files
43 certs           = $dir/certs            # where issued certificates are stored
45 database        = $dir/index.txt        # record of issued certificates
51 serial          = $dir/serial           # record of the certificate serial number
```
To display line numbers in vi, enter :set nu
Generate the CA's private key (the umask keeps the key file readable only by root):
```
[root@tianmoy private]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.......................................+++
....................................................................................................................................................................................................................+++
e is 65537 (0x10001)
```
Then run openssl req -new -x509 -key <private key file> -out <output path for the self-signed CA certificate> -days 365
```
[root@tianmoy private]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # country
State or Province Name (full name) []:HN  # province
Locality Name (eg, city) [Default City]:ZZS  # city
Organization Name (eg, company) [Default Company Ltd]:A  # organization name
Organizational Unit Name (eg, section) []:B  # organizational unit name
Common Name (eg, your name or your server's hostname) []:tianmoy.com  # the organization's domain name
Email Address []:a@tianmoy.com   # e-mail address
```
The CA also needs two more files before it can issue certificates.
First go back to the /etc/pki/CA/ directory:
```
[root@tianmoy private]# cd /etc/pki/CA/
[root@tianmoy CA]# touch index.txt   # create an empty index.txt
[root@tianmoy CA]# echo 01 > serial  # write the first certificate serial number into serial
[root@tianmoy CA]# cat serial
01
```
The CA is now configured. Next comes the Apache server.
3. Apache server configuration
```
[root@tianmoi ~]# yum install -y httpd mod_ssl   # install Apache and the SSL module
[root@tianmoi ~]# echo "Tianmoy" >>/var/www/html/index.html   # write Tianmoy into /var/www/html/index.html
[root@tianmoi ~]# mkdir ssl   # create an ssl directory under the home directory
[root@tianmoi ~]# cd ssl      # enter ssl
[root@tianmoi ssl]# (umask 077;openssl genrsa -out /root/ssl/httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.................................................+++
........................................................................................................................................................+++
e is 65537 (0x10001)
```
Generate the certificate signing request from the key and fill in the requested information as prompted:
```
[root@tianmoi ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZS
Organization Name (eg, company) [Default Company Ltd]:A
Organizational Unit Name (eg, section) []:B
Common Name (eg, your name or your server's hostname) []:tianmoy.com
Email Address []:a@tianmoy.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Tianmoy
[root@tianmoi ssl]# ls   # list the current directory
httpd.csr  httpd.key
```
Copy the CSR to the CA server for signing:
```
[root@tianmoi ssl]# scp httpd.csr root@192.168.179.18:/
```
Operations on the CA server
Signing the certificate:
```
[root@tianmoy CA]# openssl ca -in /httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May 27 02:04:46 2024 GMT
            Not After : May 27 02:04:46 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HN
            organizationName          = A
            organizationalUnitName    = B
            commonName                = tianmoy.com
            emailAddress              = a@tianmoy.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                17:62:F0:48:81:6E:67:7C:F2:E8:32:FC:24:95:6F:E6:91:1D:52:9A
            X509v3 Authority Key Identifier: 
                keyid:41:5C:61:F9:8F:7D:DD:7D:4B:2D:4C:F6:A6:79:8F:B2:3F:3D:74:FC
Certificate is to be certified until May 27 02:04:46 2025 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
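The whole flow above, from `openssl genrsa` for the CA through `openssl ca` writing index.txt and advancing serial, as an added example that is not part of the original post. It runs non-interactively in a scratch directory and then adds the checks the post does not show: `openssl verify` to confirm the CA really vouches for httpd.crt, a comparison of the public key inside httpd.crt with the one derived from httpd.key, and a look for a subjectAltName. Assumptions: an `openssl` binary (1.1.1 or 3.x) is on PATH; the openssl.cnf written by `write_ca_config` is a constructed minimal stand-in for the system file (its `policy_match` mirrors the stock one, which is also why the signed certificate in the output above carries no localityName even though the CSR had one); the `v3_ca` and `server_cert` extension sections, including the subjectAltName for tianmoy.com, are additions of this example and not in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: the CA and Apache-side steps
# run non-interactively in a scratch directory, then checked. Assumes `openssl`
# (1.1.1 or 3.x) on PATH. DN values and tianmoy.com come from the post; the
# config below is a constructed stand-in for the openssl.cnf entries it lists.
set -eu

# Minimal config rooted at $2: dir, database (index.txt), serial, CA key/cert.
write_ca_config() {
    cat > "$1" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $2/ca
certs           = \$dir/certs
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert
# Like the stock policy_match: C, ST and O must equal the CA's own. Fields not
# listed (localityName) are dropped from the issued certificate.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
# The self-signed CA certificate must say it is a CA, or verification rejects it.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Extensions stamped on every certificate that openssl ca issues.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:tianmoy.com
EOF
}

SUBJ="/C=CN/ST=HN/L=ZZS/O=A/OU=B/CN=tianmoy.com/emailAddress=a@tianmoy.com"

build_pki() {
    root=$1; cfg=$root/openssl.cnf
    umask 077                                  # key files end up 0600, as (umask 077; ...) did
    mkdir -p "$root/ca/certs" "$root/ca/newcerts" "$root/ca/private" "$root/server"
    : > "$root/ca/index.txt"                   # touch index.txt
    echo 01 > "$root/ca/serial"                # echo 01 > serial
    write_ca_config "$cfg" "$root"
    # CA key and self-signed CA certificate (openssl req -new -x509).
    openssl genrsa -out "$root/ca/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$cfg" -key "$root/ca/private/cakey.pem" \
        -subj "$SUBJ" -days 365 -out "$root/ca/cacert.pem"
    # Server key and CSR (openssl req -new), what the post does in /root/ssl.
    openssl genrsa -out "$root/server/httpd.key" 2048 2>/dev/null
    openssl req -new -config "$cfg" -key "$root/server/httpd.key" \
        -subj "$SUBJ" -out "$root/server/httpd.csr"
    # Sign: -batch answers both y/n prompts. Afterwards index.txt holds a "V"
    # (valid) line for serial 01 and the serial file has been bumped to 02.
    openssl ca -config "$cfg" -batch -notext -in "$root/server/httpd.csr" \
        -out "$root/server/httpd.crt" -days 365 >/dev/null
}

# Does cacert.pem vouch for httpd.crt? Prints "<path>: OK" and returns 0.
verify_chain() { openssl verify -CAfile "$1/ca/cacert.pem" "$1/server/httpd.crt"; }

# crt = public key + signature: the key inside httpd.crt must be the one
# derived from httpd.key, otherwise httpd refuses the pair at startup.
key_matches_cert() {
    [ "$(openssl x509 -in "$1/server/httpd.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/server/httpd.key" -pubout)" ]
}

# Browsers match the host name against subjectAltName, not the Common Name.
has_san() { openssl x509 -in "$1/server/httpd.crt" -noout -text | grep -q "DNS:$2"; }

if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    build_pki "$work" && verify_chain "$work" && key_matches_cert "$work" \
        && has_san "$work" tianmoy.com && echo "key/cert/SAN checks passed"
    cat "$work/ca/index.txt"; echo "next serial: $(cat "$work/ca/serial")"
    rm -rf "$work"
fi
```

Save it as, say, ca_demo.sh and run `sh ca_demo.sh --demo` to see the "V" line that `Data Base Updated` above refers to and the serial file advancing from 01 to 02. Two things the script bakes in that the post leaves implicit: the key files are created under umask 077, and the issued certificate carries a subjectAltName, which is what current browsers check instead of the Common Name.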
After signing, send the signed certificate back to the Apache server:
```
[root@tianmoy CA]# scp /etc/pki/CA/certs/httpd.crt root@192.168.179.19:/root/ssl/
```
Operations on the Apache server
Check that the file arrived:
```
[root@tianmoi ssl]# ls
httpd.crt  httpd.csr  httpd.key
```
Edit /etc/httpd/conf.d/ssl.conf and point the two directives at the certificate and the key (line numbers as shown by :set nu):
```
[root@tianmoi ssl]# vi /etc/httpd/conf.d/ssl.conf
100 SSLCertificateFile /root/ssl/httpd.crt
107 SSLCertificateKeyFile /root/ssl/httpd.key
```
Then stop the firewall and SELinux, otherwise starting the service will run into problems:
```
[root@tianmoi ssl]# systemctl stop firewalld
[root@tianmoi ssl]# setenforce 0
[root@tianmoi ssl]# systemctl start httpd
```
Check that ports 80 and 443 are listening:
```
[root@tianmoi ssl]# ss -tan |grep 80
LISTEN     0      128       [::]:80                    [::]:*
[root@tianmoi ssl]# ss -tan |grep 443
LISTEN     0      128       [::]:443                   [::]:*
```
Then open the Apache server's site in a browser: https://192.168.179.19
2333~
1 comment
Great article, it makes my bull spin.