标签:
---web服务器---
#yum install httpd -y
#service httpd start
#chkconfig httpd on
#vi /var/www/html/index.html
---------------
<h1>http://www.baidu.com
<br>172.16.254.101
---------------
# openssl genrsa 1024 > web.key
//制作一个1024长度的私钥
# openssl req -new -key web.key -days 365 -out web.csr
//生成一个签名请求
//req --- openssl中的子命令用来做证书及签名请求
//-new --- 创建一个
//-key --- 指定私钥
//-days --- 有效期
//-out --- 输出
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:instructor
Common Name (eg, your name or your server‘s hostname) []:s1.uplooking.com
Email Address []:root@s1.uplooking.com
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []: <按回车>
An optional company name []: <按回车>
#scp /root/web.csr s2:/root
---CA认证机构---
--->将s1的签名请求web.csr签发生成web.crt
s2现在并不是一个CA认证机构
需要先将s2部署成为CA认证机构
部署CA认证机构比较繁琐,
我们使用错误提示的方式构建CA认证机构,
并签发签名请求
# openssl ca -in web.csr -out web.crt //直接签发看错误提示
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem
//生成CA认证机构所需的私钥
# openssl ca -in web.csr -out web.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA certificate /etc/pki/CA/cacert.pem
# openssl req -new -key /etc/pki/CA/private/cakey.pem -days 365 -x509 -out /etc/pki/CA/cacert.pem
//生成CA认证机构的自签名证书
//-x509 数字证书协议
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:liaoning
Locality Name (eg, city) [Default City]:shenyang
Organization Name (eg, company) [Default Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:uplooking
Common Name (eg, your name or your server‘s hostname) []:s2.uplooking.com
Email Address []:root@s2.uplooking.com
# openssl ca -in web.csr -out web.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open ‘/etc/pki/CA/index.txt‘
# touch /etc/pki/CA/index.txt //生成CA的索引文件
# openssl ca -in web.csr -out web.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
# echo 01 > /etc/pki/CA/serial //生成CA的序列号文件
----------------------------
生成一个最基本的用来签发的CA认证机构的步骤
# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem
//生成CA认证机构所需的私钥
# openssl req -new -key /etc/pki/CA/private/cakey.pem -days 365 -x509 -out /etc/pki/CA/cacert.pem
//生成CA认证机构的自签名证书
# touch /etc/pki/CA/index.txt //生成CA的索引文件
# echo 01 > /etc/pki/CA/serial //生成CA的序列号文件
-----------------------------
# openssl ca -in web.csr -out web.crt //签发证书
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 19 01:51:32 2014 GMT
Not After : Aug 19 01:51:32 2015 GMT
Subject:
countryName = CN
stateOrProvinceName = liaoning
organizationName = uplooking
organizationalUnitName = instructor
commonName = s1.uplooking.com
emailAddress = root@s1.uplooking.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7B:E3:E3:19:AF:BD:08:74:A3:49:58:96:4F:BC:82:DF:2B:1A:9 6:06
X509v3 Authority Key Identifier:
keyid:65:48:30:AF:9E:A4:45:33:ED:E6:7C:9F:CD:C7:82:C8:B 1:7D:7E:C4
Certificate is to be certified until Aug 19 01:51:32 2015 GMT (365 days )
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
#scp /root/web.crt s1:/root
---web服务器---
#yum install mod_ssl -y
# ls web.*
web.crt web.csr web.key
证书 签名请求 私钥
# vi /etc/httpd/conf.d/ssl.conf
-------------------------
105 SSLCertificateFile /etc/pki/tls/certs/web.crt
112 SSLCertificateKeyFile /etc/pki/tls/private/web.key
-------------------------
#
# cp web.crt /etc/pki/tls/certs/
# cp web.key /etc/pki/tls/private/
# service httpd restart
# netstat -antulp | grep :443
使用浏览器访问你的https的网站
将CA的证书导入到IE浏览器中,然后查看网页
---CA服务器---
# yum install vsftpd -y
# service vsftpd start
# cp /etc/pki/CA/cacert.pem /var/ftp/pub/s2CA.crt
客户端下载s2CA.crt证书
下载完成以后,导入证书
标签:
原文地址:http://www.cnblogs.com/mayuansheng/p/5802673.html