Setting up a CA on Linux and issuing a certificate to a service

1. Install OpenSSL

[root@vipuser200 ~]# yum -y install openssl

[root@vipuser200 ~]# vim /etc/pki/tls/openssl.cnf

Line 172 of the stock file, in the [ usr_cert ] section, reads basicConstraints=CA:FALSE. Leave it as it is. [ usr_cert ] is the extension set applied to every certificate this CA signs, not to the CA's own certificate: the CA -newca helper used below self-signs the root with -extensions v3_ca, and that section already carries CA:TRUE. Changing line 172 to CA:TRUE, as some guides suggest, turns every server certificate the CA issues into a CA certificate, so whoever holds that server's private key can issue certificates that every client trusting this root will accept. While in the file, also set default_md = sha256 in [ CA_default ]: the value in effect here is SHA-1, as the output below shows, and SHA-1 signatures are rejected by current browsers.

2. Generate the CA certificate and private key

[root@vipuser200 ~]# /etc/pki/tls/misc/CA --help

Unknown arg

usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

[root@vipuser200 ~]# /etc/pki/tls/misc/CA -newca

CA certificate filename (or enter to create)

Making CA certificate ...

Generating a 2048 bit RSA private key

..........................................................................+++

.+++

writing new private key to '/etc/pki/CA/private/./cakey.pem'

Enter PEM pass phrase:

Verifying - Enter PEM pass phrase: # choose a passphrase for the CA private key

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN # country

State or Province Name (full name) []:HENAN # province

Locality Name (eg, city) [Default City]:LUOYANG # city

Organization Name (eg, company) [Default Company Ltd]:ZLF-COM # company

Organizational Unit Name (eg, section) []:IT # department

Common Name (eg, your name or your server's hostname) []:vipuser200.club # CA host name

Email Address []:186********@... # e-mail address

Please enter the following 'extra' attributes # leave both of the following prompts empty

to be sent with your certificate request

A challenge password []:

An optional company name []:

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/./cakey.pem: # the passphrase chosen above

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 13248658701588095830 (0xb7dcb0e50a8be356)

Validity

Not Before: Jul 4 22:19:22 2016 GMT

Not After : Jul 4 22:19:22 2019 GMT

Subject:

countryName = CN

stateOrProvinceName = HENAN

organizationName = ZLF-COM

organizationalUnitName = IT

commonName = vipuser200.club

emailAddress = 186********@...

X509v3 extensions:

X509v3 Subject Key Identifier:

62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36

X509v3 Authority Key Identifier:

keyid:62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36

X509v3 Basic Constraints:

CA:TRUE

Certificate is to be certified until Jul 4 22:19:22 2019 GMT (1095 days)

Write out database with 1 new entries

Data Base Updated

Inspect the CA private key (encrypted with the passphrase entered above; only the beginning is shown)

[root@vipuser200 ~]# vim /etc/pki/CA/private/cakey.pem

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYBaODVh/svsCAggA
MBQGCCqGSIb3DQMHBAhYEcNnBucpgwSCBMiEIKp4Qd851+hYOCUggAmWd4pgk8Sd
NVkLFBTFinghYfQVoEXRFRScPI/BasNdCGHIVzGn+ZlIBWucg99j82FQhRA7kFlh
...

Inspect the CA certificate (this file carries the CA public key; it is what clients import in order to trust certificates signed by this CA)

[root@vipuser200 ~]# vim /etc/pki/CA/cacert.pem

Certificate:

Data:

Version: 3 (0x2)

Serial Number: 13248658701588095830 (0xb7dcb0e50a8be356)

Signature Algorithm: sha1WithRSAEncryption # SHA-1; set default_md = sha256 in openssl.cnf before creating the CA

Issuer: C=CN, ST=HENAN, O=ZLF-COM, OU=IT, CN=vipuser200.club/emailAddress=186********@...

Validity

Not Before: Jul 4 22:19:22 2016 GMT

Not After : Jul 4 22:19:22 2019 GMT

Subject: C=CN, ST=HENAN, O=ZLF-COM, OU=IT, CN=vipuser200.club/emailAddress=186********@...

Subject Public Key Info:

The CA is now in place. cacert.pem holds the text dump shown above followed by the PEM block; that PEM block is what clients import.

3. Issue a certificate for an HTTPS server

① Bring up a second machine as the web server and start httpd

[root@vipuser201 ~]# yum -y install httpd

[root@vipuser201 ~]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: httpd: apr_sockaddr_info_get() failed for vipuser201.club

httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

[ OK ]

# httpd cannot resolve its own host name: add vipuser201.club to /etc/hosts (or set ServerName in httpd.conf)

② Generate vipuser201's private key and certificate signing request (CSR)

First create the private key, then derive the CSR from it.

Generate an RSA private key, encrypted with a passphrase (-des3), at /etc/httpd/conf.d/server.key. Without an explicit size genrsa falls back to a 1024-bit modulus here, which is too weak; give the size (2048 or more) as the last argument.

[root@vipuser201 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key

Generating RSA private key, 1024 bit long modulus

..........................++++++

.............................++++++

e is 65537 (0x10001)

Enter pass phrase for /etc/httpd/conf.d/server.key: # passphrase protecting the key; httpd will prompt for it at every start

Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:

Generate the CSR from the private key

[root@vipuser201 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr

Enter pass phrase for /etc/httpd/conf.d/server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:HENAN

Locality Name (eg, city) [Default City]:LUOYANG

Organization Name (eg, company) [Default Company Ltd]:ZLF-COM

Organizational Unit Name (eg, section) []:IT

Common Name (eg, your name or your server's hostname) []:vipuser201.club

Email Address []:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

# The CSR carries vipuser201's public key and the requested subject, signed with the private key /etc/httpd/conf.d/server.key. The public key is derived from the private key when the request is made; the private key cannot be recovered from it, so the CSR contains nothing secret and server.key never leaves the server. Note that this request has no subjectAltName: browsers match the host name against the SAN, not the CN, so either add one to the request or have the CA add it when signing.

③ Send the CSR to the CA (vipuser200) and sign it

[root@vipuser201 ~]# scp /server.csr 172.27.35.200:/root

[root@vipuser200 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /root/server.csr -out /root/server.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for /etc/pki/CA/private/cakey.pem:

Check that the request matches the signature

Signature ok

Certificate Details:

Serial Number: 13248658701588095831 (0xb7dcb0e50a8be357)

Validity

Not Before: Jul 4 23:12:56 2016 GMT

Not After : Jul 4 23:12:56 2017 GMT

Subject:

countryName = CN

stateOrProvinceName = HENAN

organizationName = ZLF-COM

organizationalUnitName = IT

commonName = vipuser201.club

X509v3 extensions:

X509v3 Basic Constraints:

CA:TRUE # the result of the line-172 edit in step 1: this server certificate is itself a CA certificate, so anyone holding server.key can issue certificates that clients trusting this root will accept. With basicConstraints=CA:FALSE left in place in [ usr_cert ] this line reads CA:FALSE, which is what a server certificate must carry

Netscape Comment:

OpenSSL Generated Certificate

X509v3 Subject Key Identifier:

05:05:CA:78:12:8D:C9:53:69:92:EE:CA:49:C7:3F:01:DD:FC:64:23

X509v3 Authority Key Identifier:

keyid:62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36

Certificate is to be certified until Jul 4 23:12:56 2017 GMT (365 days)

Sign the certificate? [y/n]:y # y to sign

1 out of 1 certificate requests certified, commit? [y/n]y # y again to commit the entry to the CA database

Write out database with 1 new entries

Data Base Updated
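The same three steps (CA key and self-signed root, CSR on the web server, signing at the CA) as an added example in plain openssl(1) commands; this is not part of the original walkthrough and not the code of the CA helper script. It keeps the CA in a directory of your choosing with its own openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, uses SHA-256, a 4096-bit root and a 2048-bit server key, and gives the server certificate the extensions a TLS server actually needs: CA:FALSE, serverAuth and a subjectAltName (unlike the certificate just signed above, which came out with CA:TRUE). Host names and DN values are the page's; the function names, config section names, file layout and key sizes are this example's own assumptions.

```bash
#!/bin/bash
# Steps 1-3 in plain openssl(1) commands instead of /etc/pki/tls/misc/CA: the
# CA lives in its own directory with its own openssl.cnf (nothing under /etc
# is edited). Example code; names and layout are assumptions, not the page's.
set -eu

# make_ca DIR: database layout, minimal config, 4096-bit root key and a
# ten-year self-signed root. CA:TRUE comes from [ v3_ca ] and applies to the
# root only; issued certificates take their extensions from a per-host file
# written by sign_server_cert, so none of them can inherit CA:TRUE.
make_ca() {
  local dir="$1"
  mkdir -p "$dir/newcerts" "$dir/private"
  chmod 700 "$dir/private"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $dir
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # Unencrypted so the example runs unattended; a real root key gets -aes256
  # and lives on a machine that is kept off the network.
  (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 4096 2>/dev/null)
  openssl req -config "$dir/openssl.cnf" -new -x509 -sha256 -days 3650 \
    -key "$dir/private/cakey.pem" -extensions v3_ca \
    -subj "/C=CN/ST=HENAN/L=LUOYANG/O=ZLF-COM/OU=IT/CN=ZLF-COM Root CA" \
    -out "$dir/cacert.pem"
}

# make_server_csr DIR HOST: 2048-bit key (mode 0600, no passphrase) and a CSR
# with CN=HOST, written to DIR/HOST.key and DIR/HOST.csr.
make_server_csr() {
  local dir="$1" host="$2"
  (umask 077; openssl req -config "$dir/openssl.cnf" -new -newkey rsa:2048 -nodes \
    -sha256 -keyout "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/C=CN/ST=HENAN/L=LUOYANG/O=ZLF-COM/OU=IT/CN=$host" 2>/dev/null)
}

# sign_server_cert DIR HOST: issue DIR/HOST.crt for one year with the
# extensions a TLS server needs: CA:FALSE, serverAuth and a subjectAltName
# for HOST (browsers match the SAN, not the CN).
sign_server_cert() {
  local dir="$1" host="$2"
  cat > "$dir/$host.ext" <<EOF
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host
EOF
  openssl ca -batch -notext -config "$dir/openssl.cnf" -days 365 \
    -extfile "$dir/$host.ext" -extensions server_cert \
    -in "$dir/$host.csr" -out "$dir/$host.crt" 2>/dev/null
}

# basic_constraints CERT: print CA:TRUE or CA:FALSE as found in CERT.
basic_constraints() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -n 1 | tr -d '[:space:]'
}
# has_san CERT HOST: succeed when CERT lists DNS:HOST in its subjectAltName.
has_san() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
# verify_chain CACERT CERT: succeed when CERT was issued by CACERT and is valid now.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null; }

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not found" >&2; exit 1; }
  local ca="${1:-$(mktemp -d)}"
  make_ca "$ca"
  make_server_csr "$ca" vipuser201.club
  sign_server_cert "$ca" vipuser201.club
  printf 'root   %s\nserver %s\n' "$(basic_constraints "$ca/cacert.pem")" \
    "$(basic_constraints "$ca/vipuser201.club.crt")"
  verify_chain "$ca/cacert.pem" "$ca/vipuser201.club.crt" && echo "chain OK, files in $ca"
}
main "$@"
```

Run it as ./ca-demo.sh /root/demo-ca; copy vipuser201.club.key and vipuser201.club.crt to the paths named by SSLCertificateKeyFile and SSLCertificateFile on the web server, and import cacert.pem on every client. Revocation (openssl ca -gencrl) and an intermediate CA are left out; for anything beyond a lab, sign server certificates from an intermediate and keep the root key offline.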

④ Deliver the signed certificate to vipuser201

[root@vipuser200 ~]# scp /root/server.crt 172.27.35.201:/root/

Check on vipuser201

[root@vipuser201 ~]# ls

anaconda-ks.cfg install.log install.log.syslog server.crt

4. Enable HTTPS with the certificate

Configure the HTTPS web server, vipuser201

[root@vipuser201 ~]# yum -y install mod_ssl # installs the mod_ssl module and /etc/httpd/conf.d/ssl.conf

[root@vipuser201 ~]# scp /root/server.crt /etc/httpd/conf.d/

[root@vipuser201 ~]# ls /etc/httpd/conf.d/server.*

server.crt server.key

[root@vipuser201 ~]# vim /etc/httpd/conf.d/ssl.conf # point these two directives at the new files

SSLCertificateFile /etc/httpd/conf.d/server.crt

SSLCertificateKeyFile /etc/httpd/conf.d/server.key

The key must stay readable by root only (mode 0600); the certificate is public. The CA's cacert.pem is not needed in this configuration, since the server certificate was signed directly by the root, but every client must have it in its trust store or it will warn about an unknown issuer.

Restart the service

[root@vipuser201 ~]# service httpd restart

Stopping httpd: [ OK ]

Starting httpd: httpd: apr_sockaddr_info_get() failed for vipuser201.club

httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)

Some of your private key files are encrypted for security reasons.

In order to read them you have to provide the pass phrases.

Server 127.0.0.1:443 (RSA)

Enter pass phrase: # the passphrase set when server.key was generated. httpd asks for it at every start; for unattended restarts either store the key without a passphrase, protected by mode 0600, or supply it with SSLPassPhraseDialog exec:

OK: Pass Phrase Dialog successful.

[ OK ]

Check the port

[root@vipuser201 ~]# netstat -anptu | grep 443

tcp 0 0 :::443 :::* LISTEN 2040/httpd # port 443 is listening

The server is up. Browse to https://vipuser201.club/ from a client that has imported the CA's cacert.pem (without it the browser reports an untrusted issuer, and because the certificate above has no subjectAltName, browsers such as Chrome also report a host-name mismatch), or test from the command line with openssl s_client pointed at the server with -CAfile cacert.pem and look for "Verify return code: 0 (ok)".
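The checks worth running before and after that restart, as an added example that is not from the original page: parse the two ssl.conf directives, confirm the key belongs to the certificate (a mismatch is the usual reason the passphrase dialog is followed by a failed start), refuse a key readable by other users or a certificate that is itself a CA, verify the chain against the CA's cacert.pem, and then handshake with openssl s_client the way a client that trusts that root would. Paths, host name and port default to the page's; the function names, the KEY_PASSIN variable and the 30-day expiry margin are this example's own assumptions, and stat -c %a is GNU/Linux specific.

```bash
#!/bin/bash
# Pre-flight checks for the ssl.conf edited in step 4, run before
# `service httpd restart`, plus a TLS probe of the running server afterwards.
# Example code; function names and the KEY_PASSIN convention are assumptions.
set -eu

# ssl_conf_value CONF DIRECTIVE: value of an active (uncommented) Apache
# directive; the last occurrence wins, as it does for httpd.
ssl_conf_value() {
  awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# key_matches_cert KEY CERT: succeed when the private key belongs to the
# certificate. Both are reduced to the same SubjectPublicKeyInfo PEM and
# compared; httpd refuses to start when they differ. For an encrypted key
# such as the page's server.key set KEY_PASSIN=pass:... or KEY_PASSIN=file:...
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout ${KEY_PASSIN:+-passin "$KEY_PASSIN"} 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_ssl_conf CONF CAFILE: the files httpd will load exist, the key is not
# readable by others, key and certificate match, the certificate is a server
# (not CA) certificate, has more than 30 days left and chains to CAFILE.
check_ssl_conf() {
  local conf="$1" cafile="$2" cert key mode
  cert=$(ssl_conf_value "$conf" SSLCertificateFile)
  key=$(ssl_conf_value "$conf" SSLCertificateKeyFile)
  [ -r "$cert" ] && [ -r "$key" ] ||
    { echo "certificate or key unreadable: '$cert' '$key'" >&2; return 1; }
  mode=$(stat -c %a "$key")
  case "$mode" in
    600|400) ;;
    *) echo "$key is mode $mode; it must be 0600" >&2; return 1 ;;
  esac
  key_matches_cert "$key" "$cert" ||
    { echo "$key is not the key for $cert" >&2; return 1; }
  if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
    echo "$cert is a CA certificate; a server must present a CA:FALSE leaf" >&2
    return 1
  fi
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
    { echo "$cert expires within 30 days" >&2; return 1; }
  openssl verify -CAfile "$cafile" "$cert" >/dev/null ||
    { echo "$cert does not chain to $cafile" >&2; return 1; }
}

# probe_https HOST PORT CAFILE: handshake as a client that trusts CAFILE and
# report what it saw; "Verify return code: 0 (ok)" is what a browser with the
# CA certificate imported gets.
probe_https() {
  echo | openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" 2>/dev/null |
    grep -E 'subject=|Protocol  :|Verify return code'
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl(1) not found" >&2; exit 1; }
  check_ssl_conf "$1" "$2" || exit 1
  echo "$1: certificate, key and chain are consistent"
  probe_https "${3:-vipuser201.club}" "${4:-443}" "$2"
}

if [ $# -lt 2 ]; then
  echo "usage: $0 SSL_CONF CA_CERT [HOST [PORT]]" >&2
else
  main "$@"
fi
```

On vipuser201 this is ./check-ssl.sh /etc/httpd/conf.d/ssl.conf /root/cacert.pem after copying the CA's cacert.pem over; any non-zero exit names the file and the reason, so it can sit in front of the restart in a deployment script.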
