CA认证中心服务端:xuegod63.cn                         IP:192.168.0.61
客户端                  :xuegod64.cn                         IP:192.168.0.62
CA:Certificate Authority的缩写,通常翻译成认证权威或者认证中心,主要用途是为用户发放数字证书。
认证中心(CA)的功能有:证书发放、证书更新、证书撤销和证书验证。
CA证书作用:身份认证--->数据的不可否认性

https 监听端口: 443

证书请求文件:CSR是Cerificate Signing Request的英文缩写,即证书请求文件,也就是证书申请者在申请数字证书时由CSP(加密服务提供者)在生成私钥的同时也生成证书请求文件,证书申请者只要把CSR文件提交给证书颁发机构后,证书颁发机构使用其根证书的私钥签名就生成了证书文件,也就是颁发给用户的证书。

总结:证书签名过程
1、 生成请求文件
2、 CA使用根证书的私钥加密请求文件,生成证书
3、 把证书传给申请者

申请免费证书:
https://buy.wosign.com/free/

实战:搭建CA认证中心

安装CA认证软件包中心:

[root@xuegod61 ~]# rpm -qf `which openssl`
openssl-1.0.1e-15.el6.x86_64

配置一个自己的CA认证中心。生成CA的根证书和私钥。 根证书中包括:CA的公钥

[root@xuegod61 ~]# vim /etc/pki/tls/openssl.cnf

改: 172 #basicConstraints=CA:FALSE
为:172 basicConstraints=CA:TRUE #让自己成为CA认证中心

生成CA的公钥证书和私钥

[root@xuegod61 ~]# /etc/pki/tls/misc/CA -h     ##查看帮助

usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

[root@xuegod61 ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)     #直接回车
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:123456         # 输入密码,保护私钥
Verifying - Enter PEM pass phrase:123456     #再次输入密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]: xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod61.cn #通用名称(例如,您的姓名或您的服务器的主机名),随便写
Email Address []:1@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request #添加一个“额外”的属性,让客户端发送CA证书,请求文件时,要输入的密
A challenge password []:     #直接加车
An optional company name []:    #直接加车
Using configuration from /etc/pki/tls/openssl.cnf     # CA服务器的配置文件。上面修改的内容会添加到这个配置文件中
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456     #输入刚才保护CA密钥的密码

Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
        Validity
            Not Before: Nov  5 22:55:32 2015 GMT
            Not After : Nov  4 22:55:32 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod61.cn
            emailAddress              = 1@163.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov  4 22:55:32 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

到此CA认证中心就搭建好了。

查看生成的CA根证书:

[root@xuegod61 ~]# vim  /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=xuegod, OU=IT,CN=xuegod61.cn/emailAddress=1@163.com
        Validity           #CA认证机构信息
            Not Before: Nov  5 22:55:32 2015 GMT
            Not After : Nov  4 22:55:32 2018 GMT
        Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1.163.com
        Subject Public Key Info:      #CA认证中心公钥信息
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

查看根证书的私钥

[root@xuegod61 ~]# vim /etc/pki/CA/private/cakey.pem

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAVthQXWJA3cCAggA
MBQGCCqGSIb3DQMHBAjtrTJksBjvtASCBMgaX0dxU1Cnhx8iXyMFLVpeWm35L2Wf

实战:使用证书搭建https

在xuegod64上配置https
1、安装:httpd
2、xuegod62生成证书请求文件,获得证书
3、把证书和httpd相结合。

1、安装HTTPD

[root@xuegod62 ~]# yum install -y httpd

2、xuegod62生成证书请求文件,获得证书

[root@xuegod62 ~]# openssl genrsa -h   ##查看帮助

生一个私钥密钥:

[root@xuegod62 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456     #输入保护私钥的密码
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456

使用私钥生成证书请求文件

[root@xuegod62 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr             #注意后期添加的国家,省,组织等信息要和CA保持一致

Enter pass phrase for /etc/httpd/conf.d/server.key:     123456      #输入私钥的密码

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod62.cn

#这里要求输入的CommonName必须不通过浏览器访问您网站的 URL 完全相同,否则用户会发现您服务器证书的通用名不站点的名字丌匹配,用户就会怀疑您的证书的真实性。可以使域名也可以使IP址。
Email Address []:1@162.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        #不输密码直接回车

An optional company name []:

将证书请求文件发给CA服务器:

[root@xuegod62 ~]# scp /server.csr 192.168.0.61:/tmp/
root@192.168.0.61's password:
server.csr                  100%  684     0.7KB/s   00:00

CA签名:

[root@xuegod61 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:    123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940009 (0x92fe6f5a84650ce9)
        Validity
            Not Before: Nov  5 23:43:21 2015 GMT
            Not After : Nov  4 23:43:21 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod62.cn
            emailAddress              = 1@162.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                80:FB:DE:AB:6D:CC:20:E2:F9:AE:73:09:8A:1B:50:F2:9B:84:BC:C5
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

Certificate is to be certified until Nov  4 23:43:21 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Certificate is to be certified until Dec 21 14:25:53 2015 GMT (365 days) #证书有效期是365天。证书进行认证,直到12月21日十四时25分53秒格林尼治标准时间2015年(365天)
Sign the certificate? [y/n]:y #注册证书
1 out of 1 certificate requests certified, commit? [y/n]y #确认
Write out database with 1 new entries
Data Base Updated

将证书复制到xuegod64

[root@xuegod61 ~]# scp /server.crt 192.168.0.62:/

到此证书签名完毕。
实战:使用证书实现https
SSL:(Secure Socket Layer)安全套接字层,通过一种机制在互联网上提供密钥传输。其主要目标是保证两个应用间通信数据的保密性和可靠性,可在服务器端和用户端同时支持的一种加密算法。目前主流版本SSLV2、SSLV3(常用)。
SSL四次握手安全传输:
加密协议: SSL 3.0 或 TLS 1.0
C -------------------------------------------------> S

  1. 请求一个安全的会话,协商算法
    C <------------------------------------------------- S
    2. 将自己Server端的证书给客户端
    C -------------------------------------------------> S
    3. 客户端用浏览中存放CA的根证书检测xuegod64证书,如果对,使用CA根证书中的公钥解密。得到xuegod64的公钥;
    然后生成一把对称的加密密钥,用xuegod64的公钥加密这个密钥发给xuegod64。 后期使用对称密钥加密数据
    C <------------------------------------------------> S

4. xuegod62使用私钥解密,得到对称的加密密钥
然后,使用对称加密密钥来进行安全快速传输数据

配置HTTPS web服务器: xuegod62

[root@xuegod62 ~]# yum install mod_ssl -y       安装:SSL模块

配置:

[root@xuegod62 ~]# cp /server.crt /etc/httpd/conf.d/      #复制证书
[root@xuegod62 ~]# ll /etc/httpd/conf.d/server.key     # 查看私钥
-rw-r--r--. 1 root root 963 11月  6 07:24 /etc/httpd/conf.d/server.key

[root@xuegod62 ~]# vim /etc/httpd/conf.d/ssl.conf

104 # certificate can be generated using the genkey(1) command.
改:105 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
为:
SSLCertificateFile /etc/httpd/conf.d/server.crt

106 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
107
108 # Server Private Key:
109 # If the key is not combined with the certificate, use this
110 # directive to point at the key file. Keep in mind that if
111 # you've both a RSA and a DSA private key you can configure
112 # both in parallel (to also allow the use of DSA ciphers, etc.)
改:113 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
为:
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
114 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

启动服务:
[root@xuegod62 ~]# /etc/init.d/httpd start
正在启动 httpd:Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server xuegod62.cn:443 (RSA)
Enter pass phrase:  123456

OK: Pass Phrase Dialog successful.
                                                           [确定]

测试

查看端口号:

[root@xuegod62 ~]# netstat -anupt |grep 443
tcp        0      0 :::443                      :::*                        LISTEN      49865/httpd

转载于:https://blog.51cto.com/1359775010/1710218

实战:搭建CA认证中心,使用CA证书搭建HTTPS相关推荐

  1. 【实战-Linux】--搭建CA认证中心实现https取证

    环境 CA认证中心服务端:xuegod63.cn IP:192.168.1.63           客户端:xuegod64.cn IP:192.168.1.64 CA认证中心简述  CA :Cer ...

  2. 搭建CA认证中心及搭建https实战

    自建CA证书客户端及使用nginx搭建https 一.CA简单介绍CA,Catificate Authority,通俗的理解就是一种认证机制.它的作用就是提供证书(也就是服务端证书,由域名,公司信息, ...

  3. CentOS 7 搭建CA认证中心实现https取证

    CA认证中心简述 CA :CertificateAuthority的缩写,通常翻译成认证权威或者认证中心,主要用途是为用户发放数字证书 功能:证书发放.证书更新.证书撤销和证书验证. 作用:身份认证, ...

  4. CentOS 7 搭建CA认证中心

    搭建CA认证中心 配置一个自己的CA认证中心 [root@centos ~]# vim /etc/pki/tls/openssl.cnf +172 #直接定位到172行 basicConstraint ...

  5. 信安实践——自建CA证书搭建https服务器

    https://www.cnblogs.com/libaoquan/p/7965873.html 1.理论知识 https简介 HTTPS(全称:Hyper Text Transfer Protoco ...

  6. centos7搭建CA服务器颁发ssl证书

    2019年12月16日 星期一 CQCEE 使用ssl来保证web通信安全 apache服务器与客户机采用明文通信 对HTTP传输加密的协议为HTTPS,是通过ssl进行http传输的协议,它通过公用 ...

  7. Uos统信系统 CA根证书搭建

    CA根证书搭建 题目 一.安装openssl 二.建立根证书存放目录 创建目录及文件 生成证书 使用私钥进行签名 提示:有任何问题可以私信我,下班看到第一时间回复 题目 CA CA根证书路径/CA/c ...

  8. 搭建CA并签发数字证书

    Openssl完成私有CA yum install openssl openssl-devel -y   ---完成私有软件包的安装 修改openssl.cnf配置文件 [root@CA ~]# vi ...

  9. centos7搭建DNS服务,CA字签证书

    1.描述TSL链路的通信图 第一阶段:client hello1:向服务端发送支持的协议版本,比如 tls1.22:客户端生成一个随机数,稍后用户生成"会话秘钥"3:发送支持的加密 ...

最新文章

  1. etcd 启动分析_grpc-go基于etcd实现服务发现机制
  2. Fiddler抓取手机(app)https包
  3. redis有序集合(Zset)
  4. 学习java 的30个目标
  5. python get rect 函数_python笔记之函数
  6. 【CodeForces - 244B】Undoubtedly Lucky Numbers (dfs打表 + 二分)
  7. JavaScript与WebAssembly进行比较
  8. HDU 5634 Rikka with Phi
  9. C语言学习 7-9 统计素数并求和
  10. 巧如范金,精比琢玉,一分钟高效打造精美详实的Go语言技术简历(Golang1.18)
  11. TensorFlow2.0教程-文本分类
  12. 张桂梅PK清华副教授:不要站在高楼上,傲慢地指着大山
  13. 【社会经验】如何高效的学习?
  14. Udacity机器学习入门笔记——数据集与问题
  15. putty连不上华为云服务器(Linux)怎么办?
  16. 彻底卸载mac软件的方法,这样才删除干净哦
  17. 智能手环---MQTT协议简介及协议原理
  18. 董老师又双叒叕送书啦,20本《Python数据分析、挖掘与可视化》
  19. oracle 数据库网络传输,Oracle数据库之间数据传输方法探讨
  20. springboot集成邮箱配置ssl或tls协议

热门文章

  1. 企业架构(五)——联邦企业架构(FEA)实施指南
  2. dart语法中list相关详解
  3. 求正多边形的面积JAVA_第六章第三十六题(几何:正多边形的面积)(Geometry: area of a regular polygon)...
  4. 快速将InnoDB表复制到另一个实例
  5. 2018 Multi-University Training Contest 6-oval-and-rectangle(hdu 6362)-题解
  6. MySQL buffer pool中的三种链
  7. 【SQL进阶】03.执行计划之旅1 - 初探
  8. 简单程序跟踪调试方式
  9. Artificial Intelligence and Change Management
  10. multi agent system university of liverpool professional presentation