openssl实现私有CA,并配置基于openssl的https服务的配置,原理如下图
在CA服务器上实现私有CA步骤如下;
1、生成一对密钥
2.生成自签证书
基本的配置如下代码;
[root@CA CA]# pwd /etc/pki/CA [root@CA CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048) [root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [NEIMENGGU]: Locality Name (eg, city) [Huhhot]: Organization Name (eg, company) [EDU]: Organizational Unit Name (eg, section) [Tech]: Common Name (eg, your name or your server‘s hostname) []:ca.edu.cn Email Address []:caadmin@edu.cn [root@CA CA]# touch index.txt [root@CA CA]# touch serial [root@CA CA]# echo 01 > serial [root@CA CA]# ls cacert.pem certs crl index.txt newcerts private serial
webserver服务器上的证书生成步骤;
[root@www ~]# cd /etc/httpd/ [root@www httpd]# mkdir ssl [root@www httpd]# cd ssl/ [root@www ssl]# pwd /etc/httpd/ssl [root@www ssl]# (umask 077; openssl genrsa -out httpd.key 1024) Generating RSA private key, 1024 bit long modulus ..........................++++++ .......++++++ e is 65537 (0x10001) [root@www ssl]# ll total 4 -rw-------. 1 root root 887 Aug 6 23:46 httpd.key
webserver生成证书签署请求;
[root@www ssl]# openssl req -new -key httpd.key -out httpd.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:NEIMENGGU Locality Name (eg, city) [Default City]:Huhhot Organization Name (eg, company) [Default Company Ltd]:EDU Organizational Unit Name (eg, section) []:Tech Common Name (eg, your name or your server‘s hostname) []:www.edu.cn Email Address []: Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
将申请证书发送打CA服务器上,让CA服务器来完成证书的签署
[root@CA CA]# scp root@192.168.0.107:/etc/httpd/ssl/httpd.csr ./certs/ root@192.168.0.107‘s password: httpd.csr 100% 647 0.6KB/s 00:00 [root@CA CA]# ll ./certs/ total 4 -rw-r--r-- 1 root root 647 Aug 5 21:39 httpd.csr
CA服务器来完成证书的签署
[root@CA CA]# openssl ca -in ./certs/httpd.csr -out ./certs/httpd.crt -days 365 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Aug 5 13:45:06 2016 GMT Not After : Aug 5 13:45:06 2017 GMT Subject: countryName = CN stateOrProvinceName = NEIMENGGU organizationName = EDU organizationalUnitName = Tech commonName = www.edu.cn X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 12:2C:ED:3F:F1:FA:54:FB:71:03:79:03:81:77:2D:A6:33:EF:8E:8F X509v3 Authority Key Identifier: keyid:1B:1E:92:D1:DD:79:A6:68:19:91:5F:08:04:FF:7C:25:73:E4:BC:82 Certificate is to be certified until Aug 5 13:45:06 2017 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@CA CA]# ll ./certs/ total 4 -rw-r--r-- 1 root root 0 Aug 5 21:43 httpd.crt -rw-r--r-- 1 root root 647 Aug 5 21:39 httpd.csr
将证书文件发送给请求端;
[root@CA CA]# scp ./certs/httpd.crt root@192.168.0.107:/etc/httpd/ssl/ root@192.168.0.107‘s password: httpd.crt 100% 3754 3.7KB/s 00:00
在webserver服务器上安装支持ssl的模块;
# yum install -y mod_ssl
配置ssl.conf配置文件,修改如下行;
[root@www ssl]# vim /etc/httpd/conf.d/ssl.conf 107 SSLCertificateFile /etc/httpd/ssl/httpd.crt 114 SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
启动apache服务
[root@www ssl]
在windows客户端通过如下方式安装信任CA证书颁发机构;
将CA服务器上的cakey.pem文件下载到windows客户端上,修改文件名后缀为crt(cakey.crt),双击此文件,安装信任该证书颁发机构,具体步骤;
安装证书-->下一步-->选择将证书放入下列存储-->浏览-->选择受信任的根证书颁发机构-->完成;
通过web页面访问,效果如下;
部署完成。
原文地址:http://xiaofeifei.blog.51cto.com/10174812/1835136
