码迷,mamicode.com
首页 > Web开发 > 详细

实战:搭建CA认证中心,使用CA证书搭建HTTPS

时间:2015-11-06 07:13:41      阅读:341      评论:0      收藏:0      [点我收藏+]

标签:request   认证中心   英文缩写   服务端   申请者   

CA认证中心服务端:xuegod63.cn                         IP:192.168.0.61
客户端                  :xuegod64.cn                         IP:192.168.0.62
CA:Certificate Authority的缩写,通常翻译成认证权威或者认证中心,主要用途是为用户发放数字证书。
认证中心(CA)的功能有:证书发放、证书更新、证书撤销和证书验证。
CA证书作用:身份认证--->数据的不可否认性


https 监听端口: 443



证书请求文件:CSR是Cerificate Signing Request的英文缩写,即证书请求文件,也就是证书申请者在申请数字证书时由CSP(加密服务提供者)在生成私钥的同时也生成证书请求文件,证书申请者只要把CSR文件提交给证书颁发机构后,证书颁发机构使用其根证书的私钥签名就生成了证书文件,也就是颁发给用户的证书。


总结:证书签名过程
1、 生成请求文件
2、 CA使用根证书的私钥加密请求文件,生成证书
3、 把证书传给申请者


申请免费证书:
https://buy.wosign.com/free/


实战:搭建CA认证中心



安装CA认证软件包中心:

[root@xuegod61 ~]# rpm -qf `which openssl`
openssl-1.0.1e-15.el6.x86_64

配置一个自己的CA认证中心。生成CA的根证书和私钥。 根证书中包括:CA的公钥

[root@xuegod61 ~]# vim /etc/pki/tls/openssl.cnf

改: 172 #basicConstraints=CA:FALSE
为:172 basicConstraints=CA:TRUE #让自己成为CA认证中心


生成CA的公钥证书和私钥

[root@xuegod61 ~]# /etc/pki/tls/misc/CA -h     ##查看帮助

usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify  


[root@xuegod61 ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)     #直接回车
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to ‘/etc/pki/CA/private/./cakey.pem‘
Enter PEM pass phrase:123456         # 输入密码,保护私钥
Verifying - Enter PEM pass phrase:123456     #再次输入密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]: xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server‘s hostname) []:xuegod61.cn #通用名称(例如,您的姓名或您的服务器的主机名),随便写
Email Address []:1@163.com
Please enter the following ‘extra‘ attributes
to be sent with your certificate request #添加一个“额外”的属性,让客户端发送CA证书,请求文件时,要输入的密
A challenge password []:     #直接加车
An optional company name []:    #直接加车
Using configuration from /etc/pki/tls/openssl.cnf     # CA服务器的配置文件。上面修改的内容会添加到这个配置文件中
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456     #输入刚才保护CA密钥的密码

Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
        Validity
            Not Before: Nov  5 22:55:32 2015 GMT
            Not After : Nov  4 22:55:32 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod61.cn
            emailAddress              = 1@163.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov  4 22:55:32 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

到此CA认证中心就搭建好了。


查看生成的CA根证书:

[root@xuegod61 ~]# vim  /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=xuegod, OU=IT,CN=xuegod61.cn/emailAddress=1@163.com
        Validity           #CA认证机构信息

            Not Before: Nov  5 22:55:32 2015 GMT
            Not After : Nov  4 22:55:32 2018 GMT
        Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1.163.com
        Subject Public Key Info:      #CA认证中心公钥信息
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

查看根证书的私钥

[root@xuegod61 ~]# vim /etc/pki/CA/private/cakey.pem

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAVthQXWJA3cCAggA
MBQGCCqGSIb3DQMHBAjtrTJksBjvtASCBMgaX0dxU1Cnhx8iXyMFLVpeWm35L2Wf


实战:使用证书搭建https


在xuegod64上配置https
1、安装:httpd
2、xuegod62生成证书请求文件,获得证书
3、把证书和httpd相结合。


1、安装HTTPD

[root@xuegod62 ~]# yum install -y httpd

2、xuegod62生成证书请求文件,获得证书

[root@xuegod62 ~]# openssl genrsa -h   ##查看帮助


生一个私钥密钥:

[root@xuegod62 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456     #输入保护私钥的密码
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456


使用私钥生成证书请求文件

[root@xuegod62 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr             #注意后期添加的国家,省,组织等信息要和CA保持一致

Enter pass phrase for /etc/httpd/conf.d/server.key:     123456      #输入私钥的密码

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server‘s hostname) []:xuegod62.cn

#这里要求输入的CommonName必须不通过浏览器访问您网站的 URL 完全相同,否则用户会发现您服务器证书的通用名不站点的名字丌匹配,用户就会怀疑您的证书的真实性。可以使域名也可以使IP址。
Email Address []:1@162.com

Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:        #不输密码直接回车

An optional company name []:


将证书请求文件发给CA服务器:

[root@xuegod62 ~]# scp /server.csr 192.168.0.61:/tmp/
root@192.168.0.61‘s password:
server.csr                  100%  684     0.7KB/s   00:00



CA签名:

[root@xuegod61 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:    123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940009 (0x92fe6f5a84650ce9)
        Validity
            Not Before: Nov  5 23:43:21 2015 GMT
            Not After : Nov  4 23:43:21 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod62.cn
            emailAddress              = 1@162.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                80:FB:DE:AB:6D:CC:20:E2:F9:AE:73:09:8A:1B:50:F2:9B:84:BC:C5
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

Certificate is to be certified until Nov  4 23:43:21 2016 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Certificate is to be certified until Dec 21 14:25:53 2015 GMT (365 days) #证书有效期是365天。证书进行认证,直到12月21日十四时25分53秒格林尼治标准时间2015年(365天)
Sign the certificate? [y/n]:y #注册证书
1 out of 1 certificate requests certified, commit? [y/n]y #确认
Write out database with 1 new entries
Data Base Updated



将证书复制到xuegod64

[root@xuegod61 ~]# scp /server.crt 192.168.0.62:/

到此证书签名完毕。
实战:使用证书实现https
SSL:(Secure Socket Layer)安全套接字层,通过一种机制在互联网上提供密钥传输。其主要目标是保证两个应用间通信数据的保密性和可靠性,可在服务器端和用户端同时支持的一种加密算法。目前主流版本SSLV2、SSLV3(常用)。
SSL四次握手安全传输:
加密协议: SSL 3.0 或 TLS 1.0
C -------------------------------------------------> S

  1. 请求一个安全的会话,协商算法
    C <------------------------------------------------- S
    2. 将自己Server端的证书给客户端
    C -------------------------------------------------> S
    3. 客户端用浏览中存放CA的根证书检测xuegod64证书,如果对,使用CA根证书中的公钥解密。得到xuegod64的公钥;
    然后生成一把对称的加密密钥,用xuegod64的公钥加密这个密钥发给xuegod64。 后期使用对称密钥加密数据
    C <------------------------------------------------> S


4. xuegod62使用私钥解密,得到对称的加密密钥
然后,使用对称加密密钥来进行安全快速传输数据


配置HTTPS web服务器: xuegod62

[root@xuegod62 ~]# yum install mod_ssl -y       安装:SSL模块

配置:

[root@xuegod62 ~]# cp /server.crt /etc/httpd/conf.d/      #复制证书
[root@xuegod62 ~]# ll /etc/httpd/conf.d/server.key     # 查看私钥
-rw-r--r--. 1 root root 963 11月  6 07:24 /etc/httpd/conf.d/server.key


[root@xuegod62 ~]# vim /etc/httpd/conf.d/ssl.conf

104 # certificate can be generated using the genkey(1) command.
改:105 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
为:
SSLCertificateFile /etc/httpd/conf.d/server.crt

106 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
107
108 # Server Private Key:
109 # If the key is not combined with the certificate, use this
110 # directive to point at the key file. Keep in mind that if
111 # you‘ve both a RSA and a DSA private key you can configure
112 # both in parallel (to also allow the use of DSA ciphers, etc.)
改:113 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
为:
SSLCertificateKeyFile /etc/httpd/conf.d/server.key

114 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key


启动服务:
[root@xuegod62 ~]# /etc/init.d/httpd start
正在启动 httpd:Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server xuegod62.cn:443 (RSA)
Enter pass phrase:  123456

OK: Pass Phrase Dialog successful.
                                                           [确定]


测试

查看端口号:

[root@xuegod62 ~]# netstat -anupt |grep 443
tcp        0      0 :::443                      :::*                        LISTEN      49865/httpd

技术分享

技术分享

技术分享


本文出自 “ヤ一个亼橌僤” 博客,请务必保留此出处http://1359775010.blog.51cto.com/10812777/1710218

实战:搭建CA认证中心,使用CA证书搭建HTTPS

标签:request   认证中心   英文缩写   服务端   申请者   

原文地址:http://1359775010.blog.51cto.com/10812777/1710218

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!