CA認(rèn)證中心服務(wù)端：xuegod63.cn ??????????????????????? IP：192.168.0.61
客戶端????????????????? ：xuegod64.cn ????????????????????????IP：192.168.0.62
CA：Certificate Authority的縮寫(xiě)，通常翻譯成認(rèn)證權(quán)威或者認(rèn)證中心，主要用途是為用戶發(fā)放數(shù)字證書(shū)。
認(rèn)證中心（CA）的功能有：證書(shū)發(fā)放、證書(shū)更新、證書(shū)撤銷(xiāo)和證書(shū)驗(yàn)證。
CA證書(shū)作用：身份認(rèn)證--->數(shù)據(jù)的不可否認(rèn)性

https 監(jiān)聽(tīng)端口： 443

證書(shū)請(qǐng)求文件:CSR是Cerificate Signing Request的英文縮寫(xiě)，即證書(shū)請(qǐng)求文件，也就是證書(shū)申請(qǐng)者在申請(qǐng)數(shù)字證書(shū)時(shí)由CSP(加密服務(wù)提供者)在生成私鑰的同時(shí)也生成證書(shū)請(qǐng)求文件，證書(shū)申請(qǐng)者只要把CSR文件提交給證書(shū)頒發(fā)機(jī)構(gòu)后，證書(shū)頒發(fā)機(jī)構(gòu)使用其根證書(shū)的私鑰簽名就生成了證書(shū)文件，也就是頒發(fā)給用戶的證書(shū)。

總結(jié)：證書(shū)簽名過(guò)程
1、 生成請(qǐng)求文件
2、 CA使用根證書(shū)的私鑰加密請(qǐng)求文件,生成證書(shū)
3、 把證書(shū)傳給申請(qǐng)者

申請(qǐng)免費(fèi)證書(shū)：
https://buy.wosign.com/free/

實(shí)戰(zhàn)：搭建CA認(rèn)證中心

安裝CA認(rèn)證軟件包中心：

[root@xuegod61 ~]# rpm -qf `which openssl`
openssl-1.0.1e-15.el6.x86_64

配置一個(gè)自己的CA認(rèn)證中心。生成CA的根證書(shū)和私鑰。 根證書(shū)中包括：CA的公鑰

[root@xuegod61 ~]# vim /etc/pki/tls/openssl.cnf

改： 172 #basicConstraints=CA:FALSE
為：172 basicConstraints=CA:TRUE #讓自己成為CA認(rèn)證中心

生成CA的公鑰證書(shū)和私鑰

[root@xuegod61 ~]# /etc/pki/tls/misc/CA -h???? ##查看幫助

usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify??

[root@xuegod61 ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) ????#直接回車(chē)
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:123456 ????????# 輸入密碼，保護(hù)私鑰
Verifying - Enter PEM pass phrase:123456 ????#再次輸入密碼
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]: xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod61.cn #通用名稱（例如，您的姓名或您的服務(wù)器的主機(jī)名）,隨便寫(xiě)
Email Address []:1@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request #添加一個(gè)“額外”的屬性，讓客戶端發(fā)送CA證書(shū),請(qǐng)求文件時(shí)，要輸入的密
A challenge password []: ????#直接加車(chē)
An optional company name []:????#直接加車(chē)
Using configuration from /etc/pki/tls/openssl.cnf ????# CA服務(wù)器的配置文件。上面修改的內(nèi)容會(huì)添加到這個(gè)配置文件中
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456 ????#輸入剛才保護(hù)CA密鑰的密碼

Check that the request matches the signature
Signature ok
Certificate Details:
??????? Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
??????? Validity
??????????? Not Before: Nov? 5 22:55:32 2015 GMT
??????????? Not After : Nov? 4 22:55:32 2018 GMT
??????? Subject:
??????????? countryName?????????????? = CN
??????????? stateOrProvinceName?????? = beijing
??????????? organizationName????????? = xuegod
??????????? organizationalUnitName??? = IT
??????????? commonName??????????????? = xuegod61.cn
??????????? emailAddress????????????? = 1@163.com
??????? X509v3 extensions:
??????????? X509v3 Subject Key Identifier:
??????????????? 33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
??????????? X509v3 Authority Key Identifier:
??????????????? keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

??????????? X509v3 Basic Constraints:
??????????????? CA:TRUE
Certificate is to be certified until Nov? 4 22:55:32 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

到此CA認(rèn)證中心就搭建好了。

查看生成的CA根證書(shū)：

[root@xuegod61 ~]# vim? /etc/pki/CA/cacert.pem
Certificate:
??? Data:
??????? Version: 3 (0x2)
??????? Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
??? Signature Algorithm: sha1WithRSAEncryption
??????? Issuer: C=CN, ST=beijing, O=xuegod, OU=IT,CN=xuegod61.cn/emailAddress=1@163.com
??????? Validity?????????? #CA認(rèn)證機(jī)構(gòu)信息
??????????? Not Before: Nov? 5 22:55:32 2015 GMT
??????????? Not After : Nov? 4 22:55:32 2018 GMT
??????? Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1.163.com
??????? Subject Public Key Info:????? #CA認(rèn)證中心公鑰信息
??????????? Public Key Algorithm: rsaEncryption
??????????????? Public-Key: (2048 bit)
??????????????? Modulus:

查看根證書(shū)的私鑰

[root@xuegod61 ~]# vim /etc/pki/CA/private/cakey.pem

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAVthQXWJA3cCAggA
MBQGCCqGSIb3DQMHBAjtrTJksBjvtASCBMgaX0dxU1Cnhx8iXyMFLVpeWm35L2Wf

實(shí)戰(zhàn)：使用證書(shū)搭建https

在xuegod64上配置https
1、安裝：httpd
2、xuegod62生成證書(shū)請(qǐng)求文件，獲得證書(shū)
3、把證書(shū)和httpd相結(jié)合。

1、安裝HTTPD

[root@xuegod62 ~]# yum install -y httpd

2、xuegod62生成證書(shū)請(qǐng)求文件，獲得證書(shū)

[root@xuegod62 ~]# openssl genrsa -h?? ##查看幫助

生一個(gè)私鑰密鑰：

[root@xuegod62 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456 ????#輸入保護(hù)私鑰的密碼
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456

使用私鑰生成證書(shū)請(qǐng)求文件

[root@xuegod62 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr???????????? #注意后期添加的國(guó)家，省，組織等信息要和CA保持一致

Enter pass phrase for /etc/httpd/conf.d/server.key:???? 123456????? #輸入私鑰的密碼

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod62.cn

#這里要求輸入的CommonName必須不通過(guò)瀏覽器訪問(wèn)您網(wǎng)站的 URL 完全相同，否則用戶會(huì)發(fā)現(xiàn)您服務(wù)器證書(shū)的通用名不站點(diǎn)的名字丌匹配，用戶就會(huì)懷疑您的證書(shū)的真實(shí)性。可以使域名也可以使IP址。
Email Address []:1@162.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:????????#不輸密碼直接回車(chē)

An optional company name []:

將證書(shū)請(qǐng)求文件發(fā)給CA服務(wù)器：

[root@xuegod62 ~]# scp /server.csr 192.168.0.61:/tmp/
root@192.168.0.61's password:
server.csr????????????????? 100%? 684???? 0.7KB/s?? 00:00

CA簽名：

[root@xuegod61 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:????123456
Check that the request matches the signature
Signature ok
Certificate Details:
??????? Serial Number: 10592025808180940009 (0x92fe6f5a84650ce9)
??????? Validity
??????????? Not Before: Nov? 5 23:43:21 2015 GMT
??????????? Not After : Nov? 4 23:43:21 2016 GMT
??????? Subject:
??????????? countryName?????????????? = CN
??????????? stateOrProvinceName?????? = beijing
??????????? organizationName????????? = xuegod
??????????? organizationalUnitName??? = IT
??????????? commonName??????????????? = xuegod62.cn
??????????? emailAddress????????????? = 1@162.com
??????? X509v3 extensions:
??????????? X509v3 Basic Constraints:
??????????????? CA:TRUE
??????????? Netscape Comment:
??????????????? OpenSSL Generated Certificate
??????????? X509v3 Subject Key Identifier:
??????????????? 80:FB:DE:AB:6D:CC:20:E2:F9:AE:73:09:8A:1B:50:F2:9B:84:BC:C5
??????????? X509v3 Authority Key Identifier:
??????????????? keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

Certificate is to be certified until Nov? 4 23:43:21 2016 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Certificate is to be certified until Dec 21 14:25:53 2015 GMT (365 days) #證書(shū)有效期是365天。證書(shū)進(jìn)行認(rèn)證，直到12月21日十四時(shí)25分53秒格林尼治標(biāo)準(zhǔn)時(shí)間2015年（365天）
Sign the certificate? [y/n]:y #注冊(cè)證書(shū)
1 out of 1 certificate requests certified, commit? [y/n]y #確認(rèn)
Write out database with 1 new entries
Data Base Updated

將證書(shū)復(fù)制到xuegod64

[root@xuegod61 ~]# scp /server.crt 192.168.0.62:/

到此證書(shū)簽名完畢。
實(shí)戰(zhàn)：使用證書(shū)實(shí)現(xiàn)https
SSL：(Secure Socket Layer)安全套接字層，通過(guò)一種機(jī)制在互聯(lián)網(wǎng)上提供密鑰傳輸。其主要目標(biāo)是保證兩個(gè)應(yīng)用間通信數(shù)據(jù)的保密性和可靠性,可在服務(wù)器端和用戶端同時(shí)支持的一種加密算法。目前主流版本SSLV2、SSLV3(常用）。
SSL四次握手安全傳輸：
加密協(xié)議： SSL 3.0 或 TLS 1.0
C -------------------------------------------------> S

請(qǐng)求一個(gè)安全的會(huì)話，協(xié)商算法
C <------------------------------------------------- S
2. 將自己Server端的證書(shū)給客戶端
C -------------------------------------------------> S
3. 客戶端用瀏覽中存放CA的根證書(shū)檢測(cè)xuegod64證書(shū)，如果對(duì)，使用CA根證書(shū)中的公鑰解密。得到xuegod64的公鑰；
然后生成一把對(duì)稱的加密密鑰,用xuegod64的公鑰加密這個(gè)密鑰發(fā)給xuegod64。 后期使用對(duì)稱密鑰加密數(shù)據(jù)
C <------------------------------------------------> S

4. xuegod62使用私鑰解密，得到對(duì)稱的加密密鑰
然后，使用對(duì)稱加密密鑰來(lái)進(jìn)行安全快速傳輸數(shù)據(jù)

配置HTTPS web服務(wù)器： xuegod62

[root@xuegod62 ~]# yum install mod_ssl -y?????? 安裝：SSL模塊

配置：

[root@xuegod62 ~]# cp /server.crt /etc/httpd/conf.d/????? #復(fù)制證書(shū)
[root@xuegod62 ~]# ll /etc/httpd/conf.d/server.key???? # 查看私鑰
-rw-r--r--. 1 root root 963 11月? 6 07:24 /etc/httpd/conf.d/server.key

[root@xuegod62 ~]# vim /etc/httpd/conf.d/ssl.conf

104 # certificate can be generated using the genkey(1) command.
改：105 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
為：
SSLCertificateFile /etc/httpd/conf.d/server.crt

106 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
107
108 # Server Private Key:
109 # If the key is not combined with the certificate, use this
110 # directive to point at the key file. Keep in mind that if
111 # you've both a RSA and a DSA private key you can configure
112 # both in parallel (to also allow the use of DSA ciphers, etc.)
改：113 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
為：
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
114 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

啟動(dòng)服務(wù)：
[root@xuegod62 ~]# /etc/init.d/httpd start
正在啟動(dòng) httpd：Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server xuegod62.cn:443 (RSA)
Enter pass phrase:? 123456

OK: Pass Phrase Dialog successful.
?????????????????????????????????????????????????????????? [確定]

測(cè)試

查看端口號(hào)：

[root@xuegod62 ~]# netstat -anupt |grep 443
tcp??????? 0????? 0 :::443????????????????????? :::*??????????????????????? LISTEN????? 49865/httpd

轉(zhuǎn)載于:https://blog.51cto.com/1359775010/1710218

總結(jié)

以上是生活随笔為你收集整理的实战：搭建CA认证中心，使用CA证书搭建HTTPS的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。