Hands-on: build a CA, then use a certificate it issues to set up HTTPS
CA server:                 xuegod61.cn    IP: 192.168.0.61
Client of the CA (web server): xuegod62.cn    IP: 192.168.0.62
CA: Certificate Authority, usually translated as 認證權威 or 認證中心. Its job is to issue digital certificates to users.
A CA's functions: issuing, renewing, revoking and verifying certificates.
What a CA-issued certificate gives you: authentication of the identity behind a public key, and on top of that non-repudiation of data signed with the matching private key.
HTTPS listening port: 443
Certificate request file: a CSR (Certificate Signing Request) is the file the applicant submits when requesting a certificate. The applicant's cryptographic software (on Windows a CSP, cryptographic service provider) generates a private key and, at the same time, a CSR that contains the matching public key and the requested subject name. The applicant sends only the CSR to the CA; the CA signs it with the private key of its root certificate, and the result is the certificate issued to the applicant. The private key never leaves the applicant.
Summary: the signing process
1. Generate the request file (CSR)
2. The CA signs the request with its root certificate's private key, producing the certificate (this is a signature over the request, not an encryption of it)
3. The certificate is handed back to the applicant
Apply for a free certificate (historical link from the original post; WoSign's roots were later distrusted by the major browsers):
https://buy.wosign.com/free/
Hands-on: build the CA
Check the OpenSSL package that provides the CA tooling (already installed on CentOS 6):
[root@xuegod61 ~]# rpm -qf `which openssl`
openssl-1.0.1e-15.el6.x86_64
Configure your own CA: generate the CA's root certificate and private key. The root certificate carries the CA's public key.
[root@xuegod61 ~]# vim /etc/pki/tls/openssl.cnf
Line 172 (in the [ usr_cert ] section): basicConstraints=CA:FALSE
Leave it as it is. The original tutorial changed this line to CA:TRUE "to become a CA", but [ usr_cert ] is the extension profile applied to the certificates this CA issues, not to the root: the CA script below builds the root from the [ v3_ca ] section, which already sets CA:TRUE. With CA:TRUE in [ usr_cert ], every server certificate you sign later is itself a CA (the xuegod62 certificate further down shows exactly that), so anyone holding that server's private key can mint certificates that chain to your root.
Generate the CA's certificate and private key
[root@xuegod61 ~]# /etc/pki/tls/misc/CA -h        ## show help
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
[root@xuegod61 ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)        # press Enter
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:123456        # passphrase that encrypts the CA private key (use a strong one outside a lab)
Verifying - Enter PEM pass phrase:123456        # repeat it
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]: xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod61.cn        # the CA's name; any descriptive value works, it is never matched against a host name
Email Address []:1@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request        # legacy CSR attributes; the challenge password is not used by OpenSSL's CA tooling, leave both blank
A challenge password []:        # press Enter
An optional company name []:        # press Enter
Using configuration from /etc/pki/tls/openssl.cnf        # the CA's configuration file: directories, the signing policy and the extension profiles come from here
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456        # the passphrase just set on the CA key, now needed to self-sign the root
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
        Validity
            Not Before: Nov  5 22:55:32 2015 GMT
            Not After : Nov  4 22:55:32 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod61.cn
            emailAddress              = 1@163.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
            X509v3 Basic Constraints:
                CA:TRUE        # from the [ v3_ca ] section: the root is a CA, as it should be
Certificate is to be certified until Nov? 4 22:55:32 2018 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
The CA is now set up.
Inspect the generated CA root certificate (the file holds a text dump followed by the PEM block):
[root@xuegod61 ~]# vim /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
    Signature Algorithm: sha1WithRSAEncryption        # SHA-1 is the default_md of this OpenSSL release; current browsers reject SHA-1 certificate signatures, so set default_md = sha256 in openssl.cnf before issuing anything real
        Issuer: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1@163.com        # the issuing CA; for a self-signed root it equals the Subject
        Validity
            Not Before: Nov  5 22:55:32 2015 GMT
            Not After : Nov  4 22:55:32 2018 GMT
        Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1@163.com
        Subject Public Key Info:        # the CA's public key
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
Inspect the root's private key (stored encrypted under the passphrase set above; this is the most sensitive file on the CA):
[root@xuegod61 ~]# vim /etc/pki/CA/private/cakey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAVthQXWJA3cCAggA
MBQGCCqGSIb3DQMHBAjtrTJksBjvtASCBMgaX0dxU1Cnhx8iXyMFLVpeWm35L2Wf
Hands-on: set up HTTPS with the certificate
Configure HTTPS on xuegod62:
1. Install httpd
2. On xuegod62, generate a certificate request and obtain the certificate
3. Point httpd at the certificate and key
1. Install httpd
[root@xuegod62 ~]# yum install -y httpd
2. On xuegod62, generate a certificate request and obtain the certificate
[root@xuegod62 ~]# openssl genrsa -h        ## show help
Generate a private key:
[root@xuegod62 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus        # no key size was given, so this OpenSSL release falls back to 512 bits, which is trivially factorable; always pass the size explicitly (2048 or more) as the last argument
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456        # passphrase protecting the private key (httpd will prompt for it at every start, see below)
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
Generate the certificate request from the private key:
[root@xuegod62 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr        # the Country, State and Organization entered here must match the CA's: the CA's default signing policy (policy_match in openssl.cnf) rejects requests where they differ
Enter pass phrase for /etc/httpd/conf.d/server.key: 123456        # the key's passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod62.cn
# The Common Name must be exactly the host name users type into the browser's URL; otherwise the browser reports that the certificate's name does not match the site, and users have reason to distrust it. Note that current browsers ignore the CN altogether and require the host name (or IP address) in a subjectAltName extension, which this request does not carry.
Email Address []:1@162.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        # leave blank, press Enter
An optional company name []:
Send the certificate request to the CA server:
[root@xuegod62 ~]# scp /server.csr 192.168.0.61:/tmp/
root@192.168.0.61's password:
server.csr                          100%  684     0.7KB/s   00:00
Sign it on the CA:
[root@xuegod61 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: 123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940009 (0x92fe6f5a84650ce9)
        Validity
            Not Before: Nov  5 23:43:21 2015 GMT
            Not After : Nov  4 23:43:21 2016 GMT
        Subject:        # the Locality entered in the request is gone: policy_match does not list localityName, and fields absent from the policy are dropped from the issued subject
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod62.cn
            emailAddress              = 1@162.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE        # consequence of the openssl.cnf edit: this web server certificate is itself a CA. With [ usr_cert ] left at CA:FALSE this reads CA:FALSE, which is what a server certificate must carry
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                80:FB:DE:AB:6D:CC:20:E2:F9:AE:73:09:8A:1B:50:F2:9B:84:BC:C5
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
Certificate is to be certified until Nov  4 23:43:21 2016 GMT (365 days)        # default_days in openssl.cnf: the server certificate is valid for one year
Sign the certificate? [y/n]:y        # sign it
1 out of 1 certificate requests certified, commit? [y/n]y        # confirm and record it in the CA database
Write out database with 1 new entries
Data Base Updated
Copy the certificate to xuegod62:
[root@xuegod61 ~]# scp /server.crt 192.168.0.62:/
Certificate signing is complete.
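The two procedures above (building the CA, then issuing the xuegod62 server certificate) as one non-interactive script, added here as an example and not code from the original post. It uses a private config file instead of editing /etc/pki/tls/openssl.cnf, keeps CA:TRUE in the root's [ v3_ca ] profile only, gives the leaf CA:FALSE plus a subjectAltName, and ends with the checks a practitioner runs on the result. Host names (xuegod61.cn for the CA, xuegod62.cn for the web server) and DN values are the page's; directories, file names and the 10-year/1-year lifetimes are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): CA plus server certificate, built
# from a private config file. Host names and DN values are the page's;
# directories, file names and lifetimes are assumptions.

# Minimal config for CA directory $1: a [ v3_ca ] profile for the root (the only
# place CA:TRUE belongs) and the [ ca ] section that 'openssl ca' reads.
write_ca_config() {
    cadir="$1"
    cat > "$cadir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $cadir/index.txt
new_certs_dir = $cadir/newcerts
serial = $cadir/serial
certificate = $cadir/cacert.pem
private_key = $cadir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
# As in the stock policy_match: C, ST and O of a request must equal the CA's.
# Fields absent from the policy are silently dropped from the issued subject.
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOF
}

# CA side (xuegod61): directory layout, the 'openssl ca' database files, a
# 2048-bit key and a SHA-256 self-signed root. -nodes leaves the key in clear,
# hence umask 077 and a 0700 private/ directory.
build_ca() {
    cadir="$1"
    mkdir -p "$cadir/private" "$cadir/newcerts" && chmod 700 "$cadir/private"
    : > "$cadir/index.txt"
    echo 1000 > "$cadir/serial"
    write_ca_config "$cadir"
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$cadir/openssl.cnf" -extensions v3_ca \
        -subj "/C=CN/ST=beijing/L=haidian/O=xuegod/OU=IT/CN=xuegod61.cn" \
        -keyout "$cadir/private/cakey.pem" -out "$cadir/cacert.pem") 2>/dev/null
}

# Web server side (xuegod62): key of an explicit size (without a size argument
# openssl 1.0.1e falls back to 512 bits, as the page's output shows) and a CSR
# for host $2 whose C/ST/O match the CA so policy_match accepts it.
make_server_csr() {
    outdir="$1"; host="$2"
    mkdir -p "$outdir"
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$outdir/req.cnf"
    (umask 077; openssl genrsa -out "$outdir/server.key" 2048) 2>/dev/null
    openssl req -new -sha256 -key "$outdir/server.key" -config "$outdir/req.cnf" \
        -subj "/C=CN/ST=beijing/L=haidian/O=xuegod/OU=IT/CN=$host" \
        -out "$outdir/server.csr"
}

# CA side again: sign CSR $2 for host $3 into $4 under a leaf profile that is
# never a CA and carries the subjectAltName browsers actually match on.
sign_server_csr() {
    cadir="$1"; csr="$2"; host="$3"; out="$4"
    printf '%s\n' '[ server_cert ]' 'basicConstraints = critical,CA:FALSE' \
        'keyUsage = critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$host" \
        'subjectKeyIdentifier = hash' 'authorityKeyIdentifier = keyid,issuer' \
        > "$cadir/server.ext"
    openssl ca -batch -notext -config "$cadir/openssl.cnf" \
        -extfile "$cadir/server.ext" -extensions server_cert \
        -in "$csr" -out "$out" 2>/dev/null
}

# Checks on the result: leaf chains to root, leaf is not a CA, names the host,
# and the key length.
verify_chain() { openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; }
is_ca_cert()   { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
has_san()      { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
key_bits()     { openssl rsa -in "$1" -noout -text 2>/dev/null |
                 sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1; }

# Stand-alone run in a scratch directory.
w=$(mktemp -d)
build_ca "$w/ca"
make_server_csr "$w/xuegod62" xuegod62.cn
sign_server_csr "$w/ca" "$w/xuegod62/server.csr" xuegod62.cn "$w/xuegod62/server.crt"
verify_chain "$w/ca/cacert.pem" "$w/xuegod62/server.crt" && echo "chain verifies"
is_ca_cert "$w/xuegod62/server.crt" || echo "server cert is CA:FALSE, as it must be; files under $w"
```

The config is written per CA directory so nothing system-wide changes, the leaf profile is passed with -extfile/-extensions at signing time rather than living in [ usr_cert ], and the last two checks are the ones that would have caught both mistakes in the original run (a 512-bit key and a CA:TRUE server certificate).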
Hands-on: how the certificate is used in HTTPS
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the protocols HTTPS runs on. They give the two communicating applications confidentiality and integrity for the data in transit, and authenticate the server (optionally also the client) with certificates. The original post, written in 2015, calls SSLv2 and SSLv3 the mainstream versions; both are broken (SSLv3 since POODLE) and must be disabled on the server. Negotiate TLS 1.2 or TLS 1.3.
The handshake, simplified to four steps (the RSA key exchange the original describes; modern TLS uses ephemeral Diffie-Hellman for the key exchange and the server's RSA key only to sign the handshake):
Protocol: SSL 3.0 or TLS 1.0 in the original; TLS 1.2 or 1.3 today
C -------------------------------------------------> S
1. ClientHello: request a secure session and offer the supported protocol versions and cipher suites
C <------------------------------------------------- S
2. The server sends its own certificate (xuegod62's)
C -------------------------------------------------> S
3. The client validates xuegod62's certificate against the CA root certificates in its trust store: it verifies the CA's signature on the certificate with the CA's public key (a signature verification, not a decryption), checks the validity period and that the name matches the host it connected to, and takes xuegod62's public key from the certificate.
   It then generates a random pre-master secret, encrypts it with xuegod62's public key and sends it. Both sides derive the symmetric session keys from it; all later traffic is encrypted with those.
C <------------------------------------------------> S
4. xuegod62 decrypts the pre-master secret with its private key and derives the same session keys;
   from here on the data is transferred with fast symmetric encryption
Configure the HTTPS web server: xuegod62
[root@xuegod62 ~]# yum install mod_ssl -y        # install the SSL/TLS module for httpd
Configuration:
[root@xuegod62 ~]# cp /server.crt /etc/httpd/conf.d/        # copy the certificate in
[root@xuegod62 ~]# ll /etc/httpd/conf.d/server.key        # check the private key
-rw-r--r--. 1 root root 963 Nov  6 07:24 /etc/httpd/conf.d/server.key        # world-readable: restrict it with chmod 600, the passphrase is the only thing protecting it here
[root@xuegod62 ~]# vim /etc/httpd/conf.d/ssl.conf
104 # certificate can be generated using the genkey(1) command.
Change line 105: SSLCertificateFile /etc/pki/tls/certs/localhost.crt
to:
SSLCertificateFile /etc/httpd/conf.d/server.crt
106 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
107
108 # Server Private Key:
109 # If the key is not combined with the certificate, use this
110 # directive to point at the key file. Keep in mind that if
111 # you've both a RSA and a DSA private key you can configure
112 # both in parallel (to also allow the use of DSA ciphers, etc.)
Change line 113: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
to:
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
114 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
Start the service:
[root@xuegod62 ~]# /etc/init.d/httpd start
Starting httpd: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server xuegod62.cn:443 (RSA)
Enter pass phrase:  123456        # because server.key is DES3-encrypted, every start of httpd blocks on this prompt; for unattended restarts either store the key unencrypted with 0600 permissions or supply the passphrase through SSLPassPhraseDialog
OK: Pass Phrase Dialog successful.
                                                           [  OK  ]
Test
Check that the port is listening:
[root@xuegod62 ~]# netstat -anupt |grep 443
tcp        0      0 :::443                      :::*                        LISTEN      49865/httpd
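The test above only shows that port 443 is listening. A client-side check of the handshake described in the SSL section, added here as an example that is not part of the original post: it connects with SNI, trusts only the CA built earlier, requires the certificate name to match the host, and reads OpenSSL's verify result out of the s_client output. Host names and IPs are the page's; the CA file path is an assumption, and -verify_hostname needs OpenSSL 1.1.0 or newer (the 1.0.1e on CentOS 6 does not have it).

```shell
#!/bin/sh
# Added example (not from the original page): verify the live HTTPS server the
# way a browser would. CA_FILE is assumed; -verify_hostname is OpenSSL >= 1.1.0.

CA_FILE=${CA_FILE:-/etc/pki/CA/cacert.pem}

# Extract N from s_client's "Verify return code: N (text)" line; 99 if absent.
verify_code() {
    code=$(sed -n 's/^[[:space:]]*Verify return code:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${code:-99}"
}

# Negotiated protocol from the "Protocol  : TLSv1.2" line of the session dump.
negotiated_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# Handshake with SNI, trusting only our own root, and requiring the certificate
# name to match $1 (the check the page's Common Name note is about). Succeeds
# only on verify code 0; anything else fails (21 = unable to verify the first
# certificate, i.e. the CA root is not trusted; 62 = host name mismatch).
check_https() {
    host="$1"; ip="${2:-$1}"
    out=$(openssl s_client -connect "$ip:443" -servername "$host" -verify_hostname "$host" \
              -CAfile "$CA_FILE" </dev/null 2>/dev/null)
    code=$(printf '%s\n' "$out" | verify_code)
    proto=$(printf '%s\n' "$out" | negotiated_protocol)
    echo "$host ($ip): verify return code $code, protocol ${proto:-unknown}"
    [ "$code" = 0 ]
}

# Usage against the page's server (needs network access to 192.168.0.62):
#   check_https xuegod62.cn 192.168.0.62
```

A code of 21 here means the browser equivalent, an "unknown issuer" warning: the client does not trust /etc/pki/CA/cacert.pem, which is expected for a private CA until the root is imported into the client's trust store. The protocol line is worth keeping in the output because it is the quickest way to confirm the server is not still negotiating SSLv3 or TLS 1.0.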
Reposted from: https://blog.51cto.com/1359775010/1710218