Simple Setup of a CA Server

I. Brief introduction
The CA itself holds a certificate (containing its public key) together with the matching private key. Users on the network trust the CA by verifying the CA's signature; anyone can obtain the CA's certificate (with its public key) and use it to verify the certificates the CA has issued.
A user who wants a certificate of their own first submits a request to the CA. Once the CA has verified the applicant's identity, it takes a public key for the applicant, binds that key to the applicant's identity information, signs the result, and issues the resulting certificate to the applicant.
II. Environment

IP: 192.168.151.204
# cat /etc/redhat-release
CentOS release 6.7 (Final)
# uname -i
x86_64

III. Required software

openssl  openssl-devel
# yum install openssl  openssl-devel -y

IV. Installation steps
1. Enter the CA directory
cd /etc/pki/CA
# create the certs, crl (expired/revoked certificates) and newcerts directories if they do not exist

# mkdir {certs,crl,newcerts}

2. Create two empty files: the index file and the serial-number file

# touch index.txt
# touch serial
# vim  /etc/hosts
192.168.151.204 ca.10fei3.top

3. Create the root certificate

# echo 01 > serial   (needed only the first time the root certificate is created)

Generate the RSA key the certificate will use and save it under the private directory

# openssl genrsa 1024 > private/hunk-ca.key

Use hunk-ca.key to generate a self-signed certificate

# cat private/hunk-ca.key
[root@localhost CA]# openssl req -new -x509 -key private/hunk-ca.key -days 365 -out hunk-ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:etnet
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:ca.10fei3.top
Email Address []:hunkz.gmail.com

4. Edit openssl.cnf

[root@localhost CA]# cd ../tls/
[root@localhost tls]# vim openssl.cnf
[ CA_default ]
dir             = /etc/pki/CA           # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
#certificate    = $dir/cacert.pem       # The CA certificate
certificate     = $dir/hunk-ca.crt      # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/hunk-ca.key  # The private key
RANDFILE        = $dir/private/.rand    # private random number file
x509_extensions = usr_cert              # The extensions to add to the cert
[ policy_match ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

5. Generate a certificate request for dovecot

[root@localhost tmp]# openssl genrsa 1024 > dovecot.key
Generating RSA private key, 1024 bit long modulus
.............++++++
.......++++++
e is 65537 (0x10001)
[root@localhost tmp]# openssl req -key dovecot.key -out dovecot.csr
^C
[root@localhost tmp]# openssl req -new -key dovecot.key -out dovecot.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:etnet
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.abc.com
Email Address []:hunkz@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

6. Sign the certificate

[root@localhost tmp]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 23 03:29:48 2016 GMT
            Not After : Jun 23 03:29:48 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Shanghai
            organizationName          = etnet
            organizationalUnitName    = IT
            commonName                = www.abc.com
            emailAddress              = hunkz@126.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9D:1D:A6:54:5A:A9:55:1A:10:1A:CA:8E:AF:A9:00:82:44:1E:A2:E9
            X509v3 Authority Key Identifier:
                keyid:A6:85:80:4E:AE:B7:E6:DE:EA:35:88:63:2D:8A:AB:4E:FD:09:D8:3F
Certificate is to be certified until Jun 23 03:29:48 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

7. The files you need

dovecot.crt  dovecot.key

8. Test the certificate with mutt

# mutt -f pops://hunk@10fei3.top@mail.10fei3.top
q:退出  ?:帮助
此证书属于:www.abc.com  hunkz@126.cometnetITShanghai  CN
此证书发布自:ca.10fei3.top  hunkz.gmail.cometnetITShanghai  Shanghai  CN
此证书有效来自 Thu, 23 Jun 2016 03:29:48 UTC发往 Fri, 23 Jun 2017 03:29:48 UTC
SHA1 指纹:ACEC 40BC 4101 4E3A 7FB1 D1E0 23C5 7200 5BE9 994E
MD5 指纹:FF9F 4BE0 BB97 CEBF 499B CE5D D4D6 F95D
警告:服务器主机名与证书不匹配
-- Mutt: SSL 证书检查 (检查链中有 1 个证书,共 1 个)
拒绝(r),接受一次(o),总是接受(a)
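Steps 1 to 6 above, rebuilt in a scratch directory and finished with the check that explains mutt's "hostname does not match" warning in step 8. This is an added example, not the original post's commands: it assumes openssl 1.1.0 or later on PATH (for -verify_hostname), uses 2048-bit keys instead of the post's 1024-bit ones, and answers the interactive prompts with -subj and -batch.

```shell
#!/bin/sh
# Added example, not from the original post: rebuilds its CA layout and CA_default/policy_match
# config in a scratch directory, signs a CSR, then checks chain AND host name. Assumes openssl >= 1.1.0.
set -eu
setup_ca() {   # $1 = CA directory (stands in for /etc/pki/CA); 2048-bit key instead of the post's 1024
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  : > "$1/index.txt"; echo 01 > "$1/serial"          # empty index; serial starts at 01
  cat > "$1/openssl.cnf" <<EOF
[ CA_default ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/hunk-ca.crt
serial          = \$dir/serial
private_key     = \$dir/private/hunk-ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl genrsa -out "$1/private/hunk-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 365 -config "$1/openssl.cnf" -extensions v3_ca \
    -key "$1/private/hunk-ca.key" -subj "/C=CN/O=etnet/CN=ca.10fei3.top" -out "$1/hunk-ca.crt"
}
issue_cert() { # $1 = CA dir, $2 = CN for the CSR, $3 = output basename; -batch answers the y/n prompts
  openssl genrsa -out "$1/$3.key" 2048 2>/dev/null
  openssl req -new -config "$1/openssl.cnf" -key "$1/$3.key" -subj "/C=CN/O=etnet/CN=$2" -out "$1/$3.csr"
  openssl ca -batch -notext -name CA_default -config "$1/openssl.cnf" -in "$1/$3.csr" -out "$1/$3.crt" 2>/dev/null
}
check_cert() { # $1 = CA dir, $2 = certificate, $3 = host name the mail client connects to; 0 only if both pass
  openssl verify -CAfile "$1/hunk-ca.crt" -verify_hostname "$3" "$2" >/dev/null 2>&1
}
# Usage: the post's CSR (CN=www.abc.com) chains to the CA but fails the host check behind mutt's warning.
d=$(mktemp -d); setup_ca "$d"; issue_cert "$d" www.abc.com dovecot
check_cert "$d" "$d/dovecot.crt" mail.10fei3.top || echo "dovecot.crt: host name mismatch"
rm -rf "$d"
```

A CSR whose CN (or SAN) is the host the client actually connects to, mail.10fei3.top here, passes check_cert with the same CA.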

V. Summary

1. ca.10fei3.top must be resolvable, otherwise there may be problems.
2. The CA certificate in this article was generated in order to set up a secure mail retrieval server; testing confirmed that it can be accessed.

Reposted from: https://blog.51cto.com/hunkz/1793237
