CA服务器的简单搭建
CA服务器的简单搭建
一、简单介绍
CA 也拥有一个证书(内含公钥和私钥)。网上的公众用户通过验证 CA 的签字从而信任 CA ,任何人都可以得到 CA 的证书(含公钥),用以验证它所签发的证书。
如果用户想得到一份属于自己的证书,他应先向 CA 提出申请。在 CA 判明申请者的身份后,便为他分配一个公钥,并且 CA 将该公钥与申请者的身份信息绑在一起,并为之签字后,便形成证书发给申请者。
二、环境描述
ip:192.168.151.204 # cat /etc/redhat-release CentOS release 6.7 (Final) # uname -i x86_64
三、所需软件
openssl openssl-devel # yum install openssl openssl-devel -y
四、安装过程
1、
cd /etc/pki/CA
#如果没有 certs crl(过期证书) newcerts目录请创建
# mkdir {certs,crl,newcerts}
2、创建两个空文件,索引文件和序列号文件
# touch index.txt # touch serial # vim /etc/hosts 192.168.151.204 ca.10fei3.top
3、创建根证书
# echo 01 > serial (第一次创建根证书需此命令)
生成证书所使用的RSA秘钥,保存到private目录下
# openssl genrsa 1024 > private/hunk-ca.key
利用hunk-ca.key生成自签名的电子证书
# cat private/hunk-ca.key -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQDSUxptT8nWMmKunlO+b5dlTPKAEFjevnT3T4w1dScOBCWQ4rv6 sWcLXIgKn8nhn3hW5PuYaOCd7n9zLuqvsK/o5u/gE4njhsDw1xLi1JNvftPm8YKn 9K0qQqz76nl7y0RBgGxfB+a4jgfb27OII2Oj1+B66pYvanIoRU3FWHQtcQIDAQAB AoGAHwliYfUfPLuMsmXsx7Jh7fHv6xP+eUgzrHcRoqXaEIhuHrZGtRTOtu99p8uy l9fXg0MhGXmIg+W46v9mZGy3WGuCVtmEvI/sI39pV0mTLYz+BhayOOX/YkOrW1+D Pu6GJ6yNv+OQS8psUE8b1XYg854iumsHYlvRppn1Ok+bmq0CQQDz235ONq50po2v kx7/IRKf1iqaFMykPrDfWPgxfMnyWNqjGoM3+jfvakL+RL2GZB6OVUoL8G20Vu0W axFblZybAkEA3Mwo6kNL0XgVSfEl1MySfx/13sQ98Fx3j2LB+OykP1VHt0vdUBCF GcFkkuMQIHfWaxK70mWN9JPSShNgPPvw4wJBAIVCv4UycKeilO8LsPavNiROvz0w fJyM/c8wKYGxthJP6DsVs/uVK5gUM8QMAJ4+fEw/45UesHTKxAlqPTQVUF0CQFRF I5SNjMFs2Is5G5xFW+BjHV8hfRZg5Ez4f1n3T5TQgqelr9kgBPzYf/9D5GLP+ikx pDfgBLcFOCyHiqKb8csCQB6+A/SracoSaIcBu5NEikpFpf068y785FM2qbo/nBBP /M8QAgfEbrmOXaBCmMleexmyLmyCNqEBG8Gb6vvLd1I= -----END RSA PRIVATE KEY----- [root@localhost CA]# openssl req -new -x509 -key private/hunk-ca.key -days 365 -out hunk-ca.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:etnet Organizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server's hostname) []:ca.10fei3.top Email Address []:hunkz.gmail.com
4、修改openssl.conf
[root@localhost CA]# cd ../tls/ [root@localhost tls]# vim openssl.cnf [ CA_default ] dir = /etc/pki/CA # Where everything is kept certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of# several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. #certificate = $dir/cacert.pem # The CA certificate certificate = $dir/hunk-ca.crt # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number# must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/hunk-ca.key# The private key RANDFILE = $dir/private/.rand # private random number file x509_extensions = usr_cert # The extentions to add to the cert [ policy_match ] countryName = optional stateOrProvinceName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional
5.dovecot 生成证书请求
[root@localhost tmp]# openssl genrsa 1024 > dovecot.key Generating RSA private key, 1024 bit long modulus .............++++++ .......++++++ e is 65537 (0x10001) [root@localhost tmp]# openssl req -key dovecot.key -out dovecot.csr ^C [root@localhost tmp]# openssl req -new -key dovecot.key -out dovecot.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:Shanghai Locality Name (eg, city) [Default City]:Shanghai Organization Name (eg, company) [Default Company Ltd]:etnet Organizational Unit Name (eg, section) []:IT Common Name (eg, your name or your server's hostname) []:www.abc.com Email Address []:hunkz@126.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
6.签名证书
[root@localhost tmp]# openssl ca -in dovecot.csr -out dovecot.crt Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Jun 23 03:29:48 2016 GMTNot After : Jun 23 03:29:48 2017 GMTSubject:countryName = CNstateOrProvinceName = ShanghaiorganizationName = etnetorganizationalUnitName = ITcommonName = www.abc.comemailAddress = hunkz@126.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: 9D:1D:A6:54:5A:A9:55:1A:10:1A:CA:8E:AF:A9:00:82:44:1E:A2:E9X509v3 Authority Key Identifier: keyid:A6:85:80:4E:AE:B7:E6:DE:EA:35:88:63:2D:8A:AB:4E:FD:09:D8:3F Certificate is to be certified until Jun 23 03:29:48 2017 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
7、有用的文件
dovecot.crt dovecot.key
8、用mutt测试证书
# mutt -f pops://hunk@10fei3.top@mail.10fei3.top q:退出 ?:帮助 此证书属于:www.abc.com hunkz@126.cometnetITShanghai CN 此证书发布自:ca.10fei3.top hunkz.gmail.cometnetITShanghai Shanghai CN 此证书有效来自 Thu, 23 Jun 2016 03:29:48 UTC发往 Fri, 23 Jun 2017 03:29:48 UTC SHA1 指纹:ACEC 40BC 4101 4E3A 7FB1 D1E0 23C5 7200 5BE9 994E MD5 指纹:FF9F 4BE0 BB97 CEBF 499B CE5D D4D6 F95D 警告:服务器主机名与证书不匹配 -- Mutt: SSL 证书检查 (检查链中有 1 个证书,共 1 个) 拒绝(r),接受一次(o),总是接受(a)
五、文章小结
1. ca.10fei3.top 要能解析到,不然可能有问题。 2. 本文生成ca证书是为了搭建安全的邮件收件服务器。经测试可以访问。
转载于:https://blog.51cto.com/hunkz/1793237
CA服务器的简单搭建相关推荐
- Windows下NLB(分工作组与域环境)、服务器群集简单搭建
实验 NLB(网络负载平衡)群集{工作组环境}.NLB(网络负载平衡){域环境} Cluster(服务器群集)的具体配置 {注意:本次实验采用VMWare 5.5.1版本} 首先我们来进行NLB(工作 ...
- 云服务器的简单搭建,设置网页可以上网访问
最近准备做一个在线在网页,可以实现一些简单需求,然后通过学生优惠的方式买了一个一年云服务器,下面简单介绍如何设置云服务器并搭建网页. 1.购买云服务器 阿里云.腾讯云.华为云什么的都可,点进去,注册个 ...
- 时钟服务器linux,简单搭建NTP时钟服务器
centos的做法: yum -y install ntp ntpdate #安装NTP的服务器和客户端 echo "restrict default nomodify" > ...
- Windows2003服务器的简单搭建
Windows2003的服务器搭建 DHCP服务器 一.安装相应组件 二.部署DHCP服务器 三.服务器备份与还原 DNS服务器 一.安装相应组件 二.部署DNS服务器 1.创建正向解析 2.创建反向 ...
- git服务器的简单搭建
安装git 安装git,参考:https://git-scm.com/book/zh/v1/%E8%B5%B7%E6%AD%A5-%E5%AE%89%E8%A3%85-Git 创建git仓库 使用ro ...
- AuthorizationServer(授权服务器的简单搭建)
1.在pom文件里添加依赖 <!-- 服务发现--><dependency><groupId>com.alibaba.cloud</groupId>&l ...
- 常见的简单的搭建邮件服务器,邮件服务器的简单搭建
1. 邮件服务器域名解析 首先,我在万网上解析域名如下: 记录类型 主机记录 记录值 A mail 115.29.105.12 MX @ mail.chenlianfu.com TXT @ v=spf ...
- python简易版实例_Python3之简单搭建自带服务器的实例讲解
WEB开发,我们先从搭建一个简单的服务器开始,Python自带服务模块,且python3相比于python2有很大不同, 在Python2.6版本里,/usr/bin/lib/python2.6/ 目 ...
- ca 服务器的搭建 和证书的申请与颁发
CA是证书的签发机构,它是PKI的核心.CA是负责签发证书.认证证书.管理已颁发证书的机关.它要制定政策和具体步骤来验证.识别用户身份,并对用户证书进行签名,以确保证书持有者的身份和公钥的拥有权,那么 ...
最新文章
- 你哪来这么多事(四):职工信息排序
- mysql被拖垮_说几个拖垮系统的小细节!
- dev gridcontrol summaryitem如何加条件_如何一次清洗1000根核磁管
- 一个项目涉及到的50个Sql语句(整理版)
- python比较两个二进制文件_python三种方法判断文件是否为二进制文件
- YARP(Yet Another Reverse Proxy)是使用 .NET 构建的高度可定制的反向代理
- 用JDBC直连方式访问SQL Server 2005详解
- HiveQL中如何排查数据倾斜问题
- java.lang.UnsupportedOperationException
- 查找算法之三 插值查找(C++版本)
- win10+Python3.7.3+OpenCV3.4.1入门学习(十一 图像金字塔)————11.1 图像金字塔理论基础
- 0到100之间的阶乘linux算法,零基础学算法-阶乘
- android 软件 打开方式有哪些,apk是什么文件 apk文件打开方法详解
- SQLSERVER走起微信公众帐号已经开通搜狗微信搜索
- 一招连环追销,让顾客在第一次成交中买多个产品,客单价提高十倍
- 按摩肺经,补足肺气眠自安
- 【机器学习入门基础】Matrix
- 使用telnet命令检测端口是否正常报错“telnet: connect to address 192.168.88.132: Connection refused“
- 味觉脑科学:我们有另一个胃用来装甜品?
- 素人做课会踩的3大坑,你中了几个?
热门文章
- Python静态方法 类方法
- 【译】Input Method Manager (IMM):输入法管理器
- DT大数据 scala for查询
- 数据传递型情景下事件机制与消息机制的架构设计剖析(目录)
- 3.3 keras模型构建的三种方式
- 【ROS学习笔记】(十)ROS中的坐标系管理系统
- 机器学习:神经网络之表达
- mysql数据库访问程序_c++程序访问MySQL数据库操作示例
- rails使用html form,Rails 页面多选下拉框, form_for, form_tag 使用技巧及 select2 使用
- mysql2表连接优化性能_MySQL性能优化方法二:表结构优化