

Hands-on: building a CA and setting up HTTPS with a CA-issued certificate

Published: 2025/3/17 | Programming Q&A | 38 | 豆豆

CA server: xuegod63.cn, IP: 192.168.0.61
Client: xuegod64.cn, IP: 192.168.0.62
CA: short for Certificate Authority, usually translated as certification authority or certification center; its main purpose is to issue digital certificates to users.
A CA's functions are: certificate issuance, certificate renewal, certificate revocation and certificate verification.
Role of a CA certificate: identity authentication ---> non-repudiation of data


HTTPS listening port: 443



Certificate request file: CSR is short for Certificate Signing Request. When an applicant requests a digital certificate, the CSP (cryptographic service provider) generates the certificate request file at the same time as the private key. The applicant submits the CSR to the certificate authority, which signs it with the private key of its root certificate; the result is the certificate file that is issued to the user.


Summary: the certificate signing process
1. Generate the request file
2. The CA signs the request file with the private key of its root certificate, producing the certificate
3. Deliver the certificate to the applicant


Apply for a free certificate:
https://buy.wosign.com/free/


Hands-on: building the CA



Install the CA software package:

[root@xuegod61 ~]# rpm -qf `which openssl`
openssl-1.0.1e-15.el6.x86_64

Set up your own CA: generate the CA's root certificate and private key. The root certificate contains the CA's public key.

[root@xuegod61 ~]# vim /etc/pki/tls/openssl.cnf

Change line 172: #basicConstraints=CA:FALSE
to line 172:     basicConstraints=CA:TRUE    # make this host a CA


Generate the CA's public-key certificate and private key

[root@xuegod61 ~]# /etc/pki/tls/misc/CA -h    ## show help

usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify


[root@xuegod61 ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)    # just press Enter
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:123456    # enter a pass phrase to protect the private key
Verifying - Enter PEM pass phrase:123456    # enter it again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]: xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod61.cn    # common name (e.g. your name or the server's hostname); anything will do here
Email Address []:1@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request    # an "extra" attribute: a password the client would have to enter when sending a certificate request to the CA
A challenge password []:    # just press Enter
An optional company name []:    # just press Enter
Using configuration from /etc/pki/tls/openssl.cnf    # the CA server's configuration file; the change made above is read from this file
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456    # enter the pass phrase that protects the CA key

Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
        Validity
            Not Before: Nov  5 22:55:32 2015 GMT
            Not After : Nov  4 22:55:32 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod61.cn
            emailAddress              = 1@163.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov  4 22:55:32 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

At this point the CA is set up.


View the generated CA root certificate:

[root@xuegod61 ~]# vim /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1@163.com    # information about the issuing CA
        Validity
            Not Before: Nov  5 22:55:32 2015 GMT
            Not After : Nov  4 22:55:32 2018 GMT
        Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1.163.com
        Subject Public Key Info:      # the CA's public key information
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

View the root certificate's private key

[root@xuegod61 ~]# vim /etc/pki/CA/private/cakey.pem

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAVthQXWJA3cCAggA
MBQGCCqGSIb3DQMHBAjtrTJksBjvtASCBMgaX0dxU1Cnhx8iXyMFLVpeWm35L2Wf


Hands-on: setting up HTTPS with the certificate


Configure HTTPS on xuegod64
1. Install httpd
2. Generate a certificate request on xuegod62 and obtain a certificate
3. Combine the certificate with httpd


1. Install httpd

[root@xuegod62 ~]# yum install -y httpd

2. Generate the certificate request on xuegod62 and obtain the certificate

[root@xuegod62 ~]# openssl genrsa -h    ## show help


Generate a private key:

[root@xuegod62 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456    # enter a pass phrase to protect the private key
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456


Generate the certificate request file with the private key

[root@xuegod62 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr    # note: the country, province, organization etc. entered below must match the CA's

Enter pass phrase for /etc/httpd/conf.d/server.key: 123456    # enter the private key's pass phrase

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod62.cn

# The Common Name entered here must be exactly the same as the URL users type into the browser to reach your site; otherwise users will see that the certificate's common name does not match the site name and will doubt the certificate's authenticity. It can be a domain name or an IP address.
Email Address []:1@162.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    # press Enter without entering a password

An optional company name []:


Send the certificate request file to the CA server:

[root@xuegod62 ~]# scp /server.csr 192.168.0.61:/tmp/
root@192.168.0.61's password:
server.csr                  100%  684     0.7KB/s   00:00



The CA signs the request:

[root@xuegod61 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:    123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940009 (0x92fe6f5a84650ce9)
        Validity
            Not Before: Nov  5 23:43:21 2015 GMT
            Not After : Nov  4 23:43:21 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod62.cn
            emailAddress              = 1@162.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                80:FB:DE:AB:6D:CC:20:E2:F9:AE:73:09:8A:1B:50:F2:9B:84:BC:C5
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

Certificate is to be certified until Nov  4 23:43:21 2016 GMT (365 days)    # the certificate is valid for 365 days
Sign the certificate? [y/n]:y    # sign the certificate


1 out of 1 certificate requests certified, commit? [y/n]y    # confirm
Write out database with 1 new entries
Data Base Updated





Copy the certificate to xuegod64

[root@xuegod61 ~]# scp /server.crt 192.168.0.62:/

The certificate signing is now complete.
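The same CA, CSR and signing steps as an added example (not code from the original post), written against a private config file instead of the edited system openssl.cnf: the post's change at line 172 alters the extensions that `openssl ca` stamps on every certificate it signs, which is why the server certificate above came out CA:TRUE, i.e. able to sign further certificates that anyone trusting this root would accept. It assumes OpenSSL 1.1.1 or later on the PATH; the $WORK directory, the config section names and the function names are mine, and the keys are 2048-bit rather than the 512-bit genrsa default seen above.

```shell
# Added example, not from the original post: the same CA -> CSR -> signed cert
# flow with a private config instead of editing the system openssl.cnf, so the
# server certificate is issued CA:FALSE (the post's signed cert shows CA:TRUE).
set -e
WORK="${WORK:-$(mktemp -d)}"; CFG="$WORK/ca.cnf"
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = CN
ST = beijing
O = xuegod
OU = IT
CN = xuegod61.cn
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:xuegod62.cn
EOF
# Step 1, CA side (the post's "CA -newca"): root key and self-signed root cert.
make_ca() {
  openssl req -x509 -config "$CFG" -extensions v3_ca -newkey rsa:2048 -nodes \
    -sha256 -days 1095 -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
}
# Step 2, web server side (the post's genrsa + req -new): server key and CSR.
make_csr() {
  openssl req -new -config "$CFG" -subj "/C=CN/ST=beijing/O=xuegod/OU=IT/CN=xuegod62.cn" \
    -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}
# Step 3, CA side (the post's "openssl ca"): sign with the root key, applying v3_leaf.
sign_csr() {
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$CFG" -extensions v3_leaf \
    -out "$WORK/server.crt" 2>/dev/null
}
# True if the certificate asserts CA:TRUE; only the root should.
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
# True if server.crt chains to cacert.pem and is an end-entity certificate.
check_chain() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null &&
    ! is_ca_cert "$WORK/server.crt"
}
make_ca; make_csr; sign_csr
check_chain && echo "OK: $WORK/server.crt is signed by the root and is CA:FALSE"
```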
Hands-on: implementing HTTPS with the certificate
SSL (Secure Socket Layer): a security layer that provides a mechanism for transporting keys over the Internet. Its main goal is to guarantee the confidentiality and reliability of the data exchanged between two applications; it is an encryption scheme that the server side and the client side can support at the same time. The current mainstream versions are SSLv2 and SSLv3 (commonly used).
The SSL four-step handshake for secure transport:
Encryption protocol: SSL 3.0 or TLS 1.0
C -------------------------------------------------> S
1. Request a secure session and negotiate the algorithms
C <------------------------------------------------- S
2. The server sends its own certificate to the client
C -------------------------------------------------> S
3. The client checks the xuegod64 certificate against the CA root certificate stored in the browser; if it checks out, it decrypts it with the public key in the CA root certificate and obtains xuegod64's public key.
It then generates a symmetric encryption key, encrypts that key with xuegod64's public key and sends it to xuegod64. From then on the symmetric key is used to encrypt the data
C <------------------------------------------------> S
4. xuegod62 decrypts with its private key and obtains the symmetric encryption key;
the symmetric key is then used for secure, fast data transfer


Configure the HTTPS web server: xuegod62

[root@xuegod62 ~]# yum install mod_ssl -y        # install the SSL module

Configuration:

[root@xuegod62 ~]# cp /server.crt /etc/httpd/conf.d/      # copy the certificate
[root@xuegod62 ~]# ll /etc/httpd/conf.d/server.key        # check the private key
-rw-r--r--. 1 root root 963 11月  6 07:24 /etc/httpd/conf.d/server.key


[root@xuegod62 ~]# vim /etc/httpd/conf.d/ssl.conf

104 # certificate can be generated using the genkey(1) command.
Change line 105: SSLCertificateFile /etc/pki/tls/certs/localhost.crt
to:
SSLCertificateFile /etc/httpd/conf.d/server.crt

106 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
107
108 # Server Private Key:
109 # If the key is not combined with the certificate, use this
110 # directive to point at the key file. Keep in mind that if
111 # you've both a RSA and a DSA private key you can configure
112 # both in parallel (to also allow the use of DSA ciphers, etc.)
Change line 113: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
to:
SSLCertificateKeyFile /etc/httpd/conf.d/server.key

114 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
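Before httpd is started, these checks catch the three things that most often go wrong with the two files ssl.conf now points at: a key that does not belong to the certificate, a key file that every local user can read (the ll output above shows -rw-r--r--), and a certificate whose name or validity period does not match what clients will see. This is an added example, not part of the original post; it builds a constructed self-signed xuegod62.cn pair in a temp directory so it runs stand-alone (with an unencrypted key, so no pass phrase prompt), and the function names are mine.

```shell
# Added example, not from the original post: pre-flight checks to run on the
# web server before ssl.conf is pointed at server.crt / server.key.
set -e
WORK="${WORK:-$(mktemp -d)}"
CRT="$WORK/server.crt"; KEY="$WORK/server.key"

# Constructed stand-in for the CA-issued pair: a self-signed cert for xuegod62.cn
# with an unencrypted key (-nodes), so no pass phrase prompt is needed here.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/C=CN/ST=beijing/O=xuegod/OU=IT/CN=xuegod62.cn" \
  -keyout "$KEY" -out "$CRT" 2>/dev/null
chmod 600 "$KEY"   # the post's ll shows -rw-r--r--; only root should read this

# Check 1: the key is the one the certificate was issued for. Comparing the
# public halves works for RSA and EC keys alike (no -modulus needed).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Check 2: the key file is not group- or world-readable.
key_perms_ok() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Check 3: the certificate is still valid now and matches the hostname clients
# will type (SAN first, falling back to the CN as in this post's certificate).
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null &&
    openssl x509 -in "$1" -checkhost "$2" | grep -q 'does match'
}

# Run everything; exit status 0 means httpd can be pointed at these files.
preflight() {
  key_matches_cert "$1" "$2" && key_perms_ok "$2" && cert_covers_host "$1" "$3"
}

preflight "$CRT" "$KEY" xuegod62.cn && echo "preflight OK: $CRT / $KEY"
```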


Start the service:
[root@xuegod62 ~]# /etc/init.d/httpd start
正在啟動 httpd:Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server xuegod62.cn:443 (RSA)
Enter pass phrase: 123456

OK: Pass Phrase Dialog successful.
                                                           [確定]


Test

Check the listening port:

[root@xuegod62 ~]# netstat -anupt |grep 443
tcp        0      0 :::443                      :::*                        LISTEN      49865/httpd


Reposted from: https://blog.51cto.com/1359775010/1710218
