实战:搭建CA认证中心,使用CA证书搭建HTTPS
CA認(rèn)證中心服務(wù)端:xuegod63.cn ??????????????????????? IP:192.168.0.61
客戶端????????????????? :xuegod64.cn ????????????????????????IP:192.168.0.62
CA:Certificate Authority的縮寫(xiě),通常翻譯成認(rèn)證權(quán)威或者認(rèn)證中心,主要用途是為用戶發(fā)放數(shù)字證書(shū)。
認(rèn)證中心(CA)的功能有:證書(shū)發(fā)放、證書(shū)更新、證書(shū)撤銷(xiāo)和證書(shū)驗(yàn)證。
CA證書(shū)作用:身份認(rèn)證--->數(shù)據(jù)的不可否認(rèn)性
https 監(jiān)聽(tīng)端口: 443
證書(shū)請(qǐng)求文件:CSR是Cerificate Signing Request的英文縮寫(xiě),即證書(shū)請(qǐng)求文件,也就是證書(shū)申請(qǐng)者在申請(qǐng)數(shù)字證書(shū)時(shí)由CSP(加密服務(wù)提供者)在生成私鑰的同時(shí)也生成證書(shū)請(qǐng)求文件,證書(shū)申請(qǐng)者只要把CSR文件提交給證書(shū)頒發(fā)機(jī)構(gòu)后,證書(shū)頒發(fā)機(jī)構(gòu)使用其根證書(shū)的私鑰簽名就生成了證書(shū)文件,也就是頒發(fā)給用戶的證書(shū)。
總結(jié):證書(shū)簽名過(guò)程
1、 生成請(qǐng)求文件
2、 CA使用根證書(shū)的私鑰加密請(qǐng)求文件,生成證書(shū)
3、 把證書(shū)傳給申請(qǐng)者
申請(qǐng)免費(fèi)證書(shū):
https://buy.wosign.com/free/
實(shí)戰(zhàn):搭建CA認(rèn)證中心
安裝CA認(rèn)證軟件包中心:
[root@xuegod61 ~]# rpm -qf `which openssl`
openssl-1.0.1e-15.el6.x86_64
配置一個(gè)自己的CA認(rèn)證中心。生成CA的根證書(shū)和私鑰。 根證書(shū)中包括:CA的公鑰
[root@xuegod61 ~]# vim /etc/pki/tls/openssl.cnf
改: 172 #basicConstraints=CA:FALSE
為:172 basicConstraints=CA:TRUE #讓自己成為CA認(rèn)證中心
生成CA的公鑰證書(shū)和私鑰
[root@xuegod61 ~]# /etc/pki/tls/misc/CA -h???? ##查看幫助
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify??
[root@xuegod61 ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) ????#直接回車(chē)
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:123456 ????????# 輸入密碼,保護(hù)私鑰
Verifying - Enter PEM pass phrase:123456 ????#再次輸入密碼
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]: xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod61.cn #通用名稱(例如,您的姓名或您的服務(wù)器的主機(jī)名),隨便寫(xiě)
Email Address []:1@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request #添加一個(gè)“額外”的屬性,讓客戶端發(fā)送CA證書(shū),請(qǐng)求文件時(shí),要輸入的密
A challenge password []: ????#直接加車(chē)
An optional company name []:????#直接加車(chē)
Using configuration from /etc/pki/tls/openssl.cnf ????# CA服務(wù)器的配置文件。上面修改的內(nèi)容會(huì)添加到這個(gè)配置文件中
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456 ????#輸入剛才保護(hù)CA密鑰的密碼
Check that the request matches the signature
Signature ok
Certificate Details:
??????? Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
??????? Validity
??????????? Not Before: Nov? 5 22:55:32 2015 GMT
??????????? Not After : Nov? 4 22:55:32 2018 GMT
??????? Subject:
??????????? countryName?????????????? = CN
??????????? stateOrProvinceName?????? = beijing
??????????? organizationName????????? = xuegod
??????????? organizationalUnitName??? = IT
??????????? commonName??????????????? = xuegod61.cn
??????????? emailAddress????????????? = 1@163.com
??????? X509v3 extensions:
??????????? X509v3 Subject Key Identifier:
??????????????? 33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
??????????? X509v3 Authority Key Identifier:
??????????????? keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
??????????? X509v3 Basic Constraints:
??????????????? CA:TRUE
Certificate is to be certified until Nov? 4 22:55:32 2018 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
到此CA認(rèn)證中心就搭建好了。
查看生成的CA根證書(shū):
[root@xuegod61 ~]# vim? /etc/pki/CA/cacert.pem
Certificate:
??? Data:
??????? Version: 3 (0x2)
??????? Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
??? Signature Algorithm: sha1WithRSAEncryption
??????? Issuer: C=CN, ST=beijing, O=xuegod, OU=IT,CN=xuegod61.cn/emailAddress=1@163.com
??????? Validity?????????? #CA認(rèn)證機(jī)構(gòu)信息
??????????? Not Before: Nov? 5 22:55:32 2015 GMT
??????????? Not After : Nov? 4 22:55:32 2018 GMT
??????? Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1.163.com
??????? Subject Public Key Info:????? #CA認(rèn)證中心公鑰信息
??????????? Public Key Algorithm: rsaEncryption
??????????????? Public-Key: (2048 bit)
??????????????? Modulus:
查看根證書(shū)的私鑰
[root@xuegod61 ~]# vim /etc/pki/CA/private/cakey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAVthQXWJA3cCAggA
MBQGCCqGSIb3DQMHBAjtrTJksBjvtASCBMgaX0dxU1Cnhx8iXyMFLVpeWm35L2Wf
實(shí)戰(zhàn):使用證書(shū)搭建https
在xuegod64上配置https
1、安裝:httpd
2、xuegod62生成證書(shū)請(qǐng)求文件,獲得證書(shū)
3、把證書(shū)和httpd相結(jié)合。
1、安裝HTTPD
[root@xuegod62 ~]# yum install -y httpd
2、xuegod62生成證書(shū)請(qǐng)求文件,獲得證書(shū)
[root@xuegod62 ~]# openssl genrsa -h?? ##查看幫助
生一個(gè)私鑰密鑰:
[root@xuegod62 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456 ????#輸入保護(hù)私鑰的密碼
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
使用私鑰生成證書(shū)請(qǐng)求文件
[root@xuegod62 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr???????????? #注意后期添加的國(guó)家,省,組織等信息要和CA保持一致
Enter pass phrase for /etc/httpd/conf.d/server.key:???? 123456????? #輸入私鑰的密碼
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod62.cn
#這里要求輸入的CommonName必須不通過(guò)瀏覽器訪問(wèn)您網(wǎng)站的 URL 完全相同,否則用戶會(huì)發(fā)現(xiàn)您服務(wù)器證書(shū)的通用名不站點(diǎn)的名字丌匹配,用戶就會(huì)懷疑您的證書(shū)的真實(shí)性。可以使域名也可以使IP址。
Email Address []:1@162.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:????????#不輸密碼直接回車(chē)
An optional company name []:
將證書(shū)請(qǐng)求文件發(fā)給CA服務(wù)器:
[root@xuegod62 ~]# scp /server.csr 192.168.0.61:/tmp/
root@192.168.0.61's password:
server.csr????????????????? 100%? 684???? 0.7KB/s?? 00:00
CA簽名:
[root@xuegod61 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:????123456
Check that the request matches the signature
Signature ok
Certificate Details:
??????? Serial Number: 10592025808180940009 (0x92fe6f5a84650ce9)
??????? Validity
??????????? Not Before: Nov? 5 23:43:21 2015 GMT
??????????? Not After : Nov? 4 23:43:21 2016 GMT
??????? Subject:
??????????? countryName?????????????? = CN
??????????? stateOrProvinceName?????? = beijing
??????????? organizationName????????? = xuegod
??????????? organizationalUnitName??? = IT
??????????? commonName??????????????? = xuegod62.cn
??????????? emailAddress????????????? = 1@162.com
??????? X509v3 extensions:
??????????? X509v3 Basic Constraints:
??????????????? CA:TRUE
??????????? Netscape Comment:
??????????????? OpenSSL Generated Certificate
??????????? X509v3 Subject Key Identifier:
??????????????? 80:FB:DE:AB:6D:CC:20:E2:F9:AE:73:09:8A:1B:50:F2:9B:84:BC:C5
??????????? X509v3 Authority Key Identifier:
??????????????? keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
Certificate is to be certified until Nov? 4 23:43:21 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate is to be certified until Dec 21 14:25:53 2015 GMT (365 days) #證書(shū)有效期是365天。證書(shū)進(jìn)行認(rèn)證,直到12月21日十四時(shí)25分53秒格林尼治標(biāo)準(zhǔn)時(shí)間2015年(365天)
Sign the certificate? [y/n]:y #注冊(cè)證書(shū)
1 out of 1 certificate requests certified, commit? [y/n]y #確認(rèn)
Write out database with 1 new entries
Data Base Updated
將證書(shū)復(fù)制到xuegod64
[root@xuegod61 ~]# scp /server.crt 192.168.0.62:/
到此證書(shū)簽名完畢。
實(shí)戰(zhàn):使用證書(shū)實(shí)現(xiàn)https
SSL:(Secure Socket Layer)安全套接字層,通過(guò)一種機(jī)制在互聯(lián)網(wǎng)上提供密鑰傳輸。其主要目標(biāo)是保證兩個(gè)應(yīng)用間通信數(shù)據(jù)的保密性和可靠性,可在服務(wù)器端和用戶端同時(shí)支持的一種加密算法。目前主流版本SSLV2、SSLV3(常用)。
SSL四次握手安全傳輸:
加密協(xié)議: SSL 3.0 或 TLS 1.0
C -------------------------------------------------> S
請(qǐng)求一個(gè)安全的會(huì)話,協(xié)商算法
C <------------------------------------------------- S
2. 將自己Server端的證書(shū)給客戶端
C -------------------------------------------------> S
3. 客戶端用瀏覽中存放CA的根證書(shū)檢測(cè)xuegod64證書(shū),如果對(duì),使用CA根證書(shū)中的公鑰解密。得到xuegod64的公鑰;
然后生成一把對(duì)稱的加密密鑰,用xuegod64的公鑰加密這個(gè)密鑰發(fā)給xuegod64。 后期使用對(duì)稱密鑰加密數(shù)據(jù)
C <------------------------------------------------> S
4. xuegod62使用私鑰解密,得到對(duì)稱的加密密鑰
然后,使用對(duì)稱加密密鑰來(lái)進(jìn)行安全快速傳輸數(shù)據(jù)
配置HTTPS web服務(wù)器: xuegod62
[root@xuegod62 ~]# yum install mod_ssl -y?????? 安裝:SSL模塊
配置:
[root@xuegod62 ~]# cp /server.crt /etc/httpd/conf.d/????? #復(fù)制證書(shū)
[root@xuegod62 ~]# ll /etc/httpd/conf.d/server.key???? # 查看私鑰
-rw-r--r--. 1 root root 963 11月? 6 07:24 /etc/httpd/conf.d/server.key
[root@xuegod62 ~]# vim /etc/httpd/conf.d/ssl.conf
104 # certificate can be generated using the genkey(1) command.
改:105 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
為:
SSLCertificateFile /etc/httpd/conf.d/server.crt
106 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
107
108 # Server Private Key:
109 # If the key is not combined with the certificate, use this
110 # directive to point at the key file. Keep in mind that if
111 # you've both a RSA and a DSA private key you can configure
112 # both in parallel (to also allow the use of DSA ciphers, etc.)
改:113 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
為:
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
114 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
啟動(dòng)服務(wù):
[root@xuegod62 ~]# /etc/init.d/httpd start
正在啟動(dòng) httpd:Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server xuegod62.cn:443 (RSA)
Enter pass phrase:? 123456
OK: Pass Phrase Dialog successful.
?????????????????????????????????????????????????????????? [確定]
測(cè)試
查看端口號(hào):
[root@xuegod62 ~]# netstat -anupt |grep 443
tcp??????? 0????? 0 :::443????????????????????? :::*??????????????????????? LISTEN????? 49865/httpd
轉(zhuǎn)載于:https://blog.51cto.com/1359775010/1710218
總結(jié)
以上是生活随笔為你收集整理的实战:搭建CA认证中心,使用CA证书搭建HTTPS的全部?jī)?nèi)容,希望文章能夠幫你解決所遇到的問(wèn)題。
- 上一篇: mysql 日期和时间类型
- 下一篇: JQuery中html、append、a