标签:ca 认证中心
1.安装openssl软件
[root@xuegod61 ~]# yum -y install openssl
2.配置文件
172 basicConstraints=CA:TRUE
3.生成公钥证书和私钥
[root@xuegod61 ~]# /etc/pki/tls/misc/CA -h
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
[root@xuegod61~]# /etc/pki/tls/misc/CA -newca
Usingconfiguration from /etc/pki/tls/openssl.cnf
Enterpass phrase for /etc/pki/CA/private/./cakey.pem:
Checkthat the request matches the signature
Signatureok
CertificateDetails:
Serial Number: 17413805404962385785(0xf1aa43c0e68f6f79)
Validity
Not Before: Jan 24 08:36:04 2016GMT
Not After : Jan 23 08:36:04 2019GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName =xuegod
organizationalUnitName = IT
commonName = xuegod61.cn
emailAddress =1@163.com
X509v3 extensions:
X509v3 Subject Key Identifier:
DA:BD:34:5B:08:8A:90:30:75:7B:59:E3:F6:61:98:94:B6:7C:18:83
X509v3 Authority Key Identifier:
keyid:DA:BD:34:5B:08:8A:90:30:75:7B:59:E3:F6:61:98:94:B6:7C:18:83
X509v3 Basic Constraints:
CA:TRUE
Certificateis to be certified until Jan 23 08:36:04 2019 GMT (1095 days)
Writeout database with 1 new entries
DataBase Updated
4.查看证书和私钥
[root@xuegod61~]# vim /etc/pki/CA/cacert.pem
查看私钥
[root@xuegod61~]# vim /etc/pki/CA/private/cakey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQI7zwuLuC9VTYCAggA
MBQGCCqGSIb3DQMHBAgyhrOhDVaJAwSCBMhPUFUQDD3i/o+Zl+EKtX83Pe2lHHBl
8pQD6fh+DyzMINJ1hMycy/nRzBqt/+1bLnkIsmK2LN5YC4lLJbxzAODUrauOVGPs
/nbAO+70fg5xvosvJ1tfYI2h5inF3SbXvApf7bcazcw3Uf8w0KhWFiOFLyJuhefv
XTYvbdrKyrw3BCHJY9U8caEBkZvhndML7qFjeUary2SUoVNC49ACcfiuybNFGVdf
CoHwP1R7/2ieM3DHAYFdx0h0rsgr60tcko/WOihSrlJiBLlSsChBl6PwVZTZGbpF
wB54rLX3P3ZpRtUMZXEA+1pCxBukznWYziULx31bZpk+u4vUMvdund4+O6nEwKnG
nD2bqGoLltpqvQ/VdzAy94vKXOfYRYvA30ZVXEM+IAuf61taBaeX78pNEL6ylDaZ
nFSRK67pVJTaN414y/sKNwUgxRu9Mb68hjOL1MCdTbKA8/mYGRBRnq69bmVaUmzf
SH4ymXbUOz9AG/7JicRAs01AsM68fcQaNGEKcXA0NBKOQRWPMKJx5fTjgZbLpkhj
rR1U3rr8B9SroZrVt8qj0sjpfbYjd+ElNAZMeInHGFJ0R3cg7tRVviSWIbosAKk+
38zF4e2haKv1NSrh2UHT2sBmwFW74pHJ3EwUYpxS+mHDamCYKn2CTj9pO+lK6HFP
OJ62IApcWZmolR/OtqlniD3cGBY8FRNVL16KMTHdHIDTNYElL3wwDfVsb9B1YV8n
Rlni0v7VYv2ZPMu1La7sBYUEc7fkPOqleeHhUEU232h1UT/BnEUCOYKwr0f+uFur
/B2MspqbagU0fx5TSM2D+BPUf2M88qYmgynQim5hu4zOhHAmxjsdNMFMNTppUyHQ
Xr9Equ/L+3PlW1KhAxvy4npY8swAsDgQVX10GiEV6VAUZDgWg5uAWVk38QspifaG
1hGoRKAuDV/o+dpeMPJbemZ6iPDzpOlqXsjw1kU8BcbGHFY5pxoQ2YrAYsobiPMw
KQQuF0xcFZhjKnPUI2GyG+Am2FnTnwnd0wCKF5NR7qq5tsd9LlHFckX3OIBDWFqb
C12pzgyWa3JymqToeGdP3oVKW1TczrhNOQZEgahXAhEkr2t5qbtuiY9xTNOiSYeL
MfFNF6s6cf3WSFSWwUWidIrF3kBrhV2/2vzapObFxGfBsYhyadFrJjNO2ZYKQRwu
zqM5iuNltCKikMMz9EfScWlaIuZGzzgp/NptsD0dpZV5YWvmfFn+1EHck8JDWmXQ
FWeH3RYgn9mWM8PwjAjKHFHboGMdR3IILQ8u0PpW7SaOcAj29C/JRxwWajr11t6O
umi2cdtMRZDpD9qsrLE5xplMw6yPlbV+WrgM+MOs4DFrPnmjrEjUUD+F4ulsCeey
RE2TXyHwQOczqD8D6masMgw4DL9siLPDTtWjFxJmqJuJmISILF0CkDIIWBi9lRI8
Lu4XE0A6cl3wBVDjFefHUN8as6OzQ4QsFMqFnX4xVv4bSDWO9HEx4Dk8Hof/AOIH
JwYleEBvUjDO8FuGKfULZcwlTZdFfsfkTvZaORnBTh1QFLFg2RhZmhU4BEfuY+v7
oFIwQE55L+9zweERjjMPy1bfm7aC5+9+nGpxDsa8ua43b+eAfCSf/WsXCg4pmlp/
wPw=
-----END ENCRYPTED PRIVATE KEY-----
5.客户端安装httpd
[root@xuegod63 ~]# yum install httpd -y
6.客户端生成证书请求文件,获得证书
[root@xuegod63 ~]# yum install openssl -y
生成私钥
[root@xuegod63 ~]# openssl genrsa -des3-out /etc/httpd/conf.d/server.key
利用私钥生成证书请求文件
[root@xuegod63~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
[root@xuegod63~]# scp /server.csr root@192.168.5.63:/tmp
7.生成证书
[root@xuegod61 ~]# openssl ca -keyfile/etc/pki/CA/private/cakey.pem -cert
/etc/pki/CA/cacert.pem-in /tmp/server.csr -out /server.crt
8.复制证书到客户端
[root@xuegod61CA]# scp /server.crt 192.168.1.64:/
9.客户端安装ssl
[root@xuegod63~]# yum install mod_ssl -y
10.客户端配置ssl
[root@xuegod63~]#vim /etc/httpd/conf.d/ssl.conf
改代码:SSLCertificateFile /etc/httpd/conf.d/server.crt
SSLCertificateKeyFile/etc/httpd/conf.d/server.key
11.重启服务
[root@xuegod63~]#service httpd restart
12.客户端访问
浏览器查看证书
本文出自 “eNet-chen” 博客,谢绝转载!
标签:ca 认证中心
原文地址:http://enet01.blog.51cto.com/7301323/1738077
