Setting up a CA server on Linux and certifying a service

1. Install openssl

    [root@vipuser200 ~]# yum -y install openssl
    [root@vipuser200 ~]# vim /etc/pki/tls/f

Edit the OpenSSL configuration file under /etc/pki/tls (its file name is truncated to "f" in the source): on line 172 change basicConstraints=CA:FALSE to basicConstraints=CA:TRUE. This marks the server as a root-level CA that does not need to request certification from a superior CA.

2. Generate the CA's public-key certificate and private key

    [root@vipuser200 ~]# /etc/pki/tls/misc/CA -help
    Unknown arg
    usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
    [root@vipuser200 ~]# /etc/pki/tls/misc/CA -newca
    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 2048 bit RSA private key
    .+.+
    writing new private key to '/etc/pki/CA/private/./cakey.pem'
    Enter PEM pass phrase:                                   # choose a pass phrase
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN                              # country
    State or Province Name (full name) []:HENAN                       # province
    Locality Name (eg, city) [Default City]:LUOYANG                   # city
    Organization Name (eg, company) [Default Company Ltd]:ZLF-COM     # company name
    Organizational Unit Name (eg, section) []:IT                      # department
    Common Name (eg, your name or your server's hostname) []:vipuser200.club   # server name
    Email Address []:                                                 # e-mail address

    Please enter the following 'extra' attributes       # extra attributes; the next three lines can be left empty
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/pki/tls/f
    Enter pass phrase for /etc/pki/CA/private/./cakey.pem:   # the pass phrase entered above
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 13248658701588095830 (0xb7dcb0e50a8be356)
            Validity
                Not Before: Jul  4 22:19:22 2016 GMT
                Not After : Jul  4 22:19:22 2019 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = HENAN
                organizationName          = ZLF-COM
                organizationalUnitName    = IT
                commonName                = vipuser200.club
                emailAddress              =
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36
                X509v3 Authority Key Identifier:
                    keyid:62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36
                X509v3 Basic Constraints:
                    CA:TRUE
    Certificate is to be certified until Jul  4 22:19:22 2019 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated

View the CA's private key:

    [root@vipuser200 ~]# vim /etc/pki/CA/private/cakey.pem
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    (base64 key body not reproduced)

View the CA's public-key certificate:

    [root@vipuser200 ~]# vim /etc/pki/CA/cacert.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 13248658701588095830 (0xb7dcb0e50a8be356)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=CN, ST=HENAN, O=ZLF-COM, OU=IT, CN=vipuser200.club/emailAddress=
            Validity
                Not Before: Jul  4 22:19:22 2016 GMT
                Not After : Jul  4 22:19:22 2019 GMT
            Subject: C=CN, ST=HENAN, O=ZLF-COM, OU=IT, CN=vipuser200.club/emailAddress=
            Subject Public Key Info:

The CA is now set up.

3. Set up HTTPS certification

Bring up a second machine as the web server and start httpd:

    [root@vipuser201 ~]# yum -y install httpd
    [root@vipuser201 ~]# service httpd restart
    Stopping httpd:                                            [  OK  ]
    Starting httpd: httpd: apr_sockaddr_info_get() failed for vipuser201.club
    httpd: Could not reliably determine the server's fully qualified domain name, using for ServerName
                                                               [  OK  ]

The warning means the hostname has no matching name entry; add one to /etc/hosts.

Generate the certificate request for vipuser201 and obtain a certificate: first generate a private key, then use that key to create the certificate signing request (CSR).

Generate the RSA private key, protected by a pass phrase, and write it to /etc/httpd/conf.d/server.key:

    [root@vipuser201 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
    Generating RSA private key, 1024 bit long modulus
    .+.+
    e is 65537 (0x10001)
    Enter pass phrase for /etc/httpd/conf.d/server.key:        # set a pass phrase to protect the key
    Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:

Use the private key to generate the certificate request:

    [root@vipuser201 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
    Enter pass phrase for /etc/httpd/conf.d/server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HENAN
    Locality Name (eg, city) [Default City]:LUOYANG
    Organization Name (eg, company) [Default Company Ltd]:ZLF-COM
    Organizational Unit Name (eg, section) []:IT
    Common Name (eg, your name or your server's hostname) []:vipuser201.club
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

The CSR contains vipuser201's public key, which was derived from the specified private key /etc/httpd/conf.d/server.key when the request was generated: the public key can be computed from the private key, but the private key cannot be recovered from the public key.

Send the CSR to the vipuser200 CA and sign it there (the destination host's address is truncated in the source):

    [root@vipuser201 ~]# scp /server.csr 00:/root
    [root@vipuser200 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /root/server.csr -out /root/server.crt
    Using configuration from /etc/pki/tls/f
    Enter pass phrase for /etc/pki/CA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 13248658701588095831 (0xb7dcb0e50a8be357)
            Validity
                Not Before: Jul  4 23:12:56 2016 GMT
                Not After : Jul  4 23:12:56 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = HENAN
                organizationName          = ZLF-COM
                organizationalUnitName    = IT
                commonName                = vipuser201.club
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:TRUE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    05:05:CA:78:12:8D:C9:53:69:92:EE:CA:49:C7:3F:01:DD:FC:64:23
                X509v3 Authority Key Identifier:
                    keyid:62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36

    Certificate is to be certified until Jul  4 23:12:56 2017 GMT (365 days)
    Sign the certificate? [y/n]:y                              # sign the certificate
    1 out of 1 certificate requests certified, commit? [y/n]y  # confirm again
    Write out database with 1 new entries
    Data Base Updated

Deliver the certificate to vipuser201 (the destination host's address is truncated in the source):

    [root@vipuser200 ~]# scp /root/server.crt 01:/root/

Check on vipuser201:

    [root@vipuser201 ~]# ls
    anaconda-ks.cfg  install.log  install.log.syslog  server.crt

4. Use the certificate to provide HTTPS

Configure the HTTPS web server vipuser201:

    [root@vipuser201 ~]# yum -y install mod_ssl                # install the mod_ssl module
    [root@vipuser201 ~]# scp /root/server.crt /etc/httpd/conf.d/
    [root@vipuser201 ~]# ls /etc/httpd/conf.d/server.*
    server.crt  server.key
    [root@vipuser201 ~]# vim /etc/httpd/conf.d/ssl.conf        # change the following two settings
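The basicConstraints line edited in step 1 applies to the certificates this CA issues, so the server certificate signed above also carries "X509v3 Basic Constraints: CA:TRUE", which would let the web server's key sign further certificates that chain to this CA. The following audit script is an added example, not part of the original article: it parses `openssl x509 -noout -text` output and flags that, together with the SHA-1 signature and 1024-bit key shown on this page; the sample certificate text is constructed from the page's values, and the `openssl` CLI is needed only by `audit_cert_file`.

```python
import re
import subprocess

# Constructed sample: the issued server certificate as `openssl x509 -noout -text`
# would print it, using the values shown on this page (CA:TRUE, SHA-1, 1024-bit key).
SAMPLE_SERVER_CERT_TEXT = """\
Certificate:
    Data:
        Serial Number: 13248658701588095831 (0xb7dcb0e50a8be357)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=HENAN, O=ZLF-COM, OU=IT, CN=vipuser200.club
        Validity
            Not After : Jul  4 23:12:56 2017 GMT
        Subject: C=CN, ST=HENAN, O=ZLF-COM, OU=IT, CN=vipuser201.club
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
"""

def audit_cert_text(text, expected_cn):
    """Audit an end-entity certificate dump; returns a list of findings (empty = clean)."""
    findings = []
    cn = re.search(r"Subject:.*?CN=([^,/\n]+)", text)
    if not cn or cn.group(1).strip() != expected_cn:
        findings.append("subject CN does not match the expected hostname")
    # A leaf certificate must not be a CA, or its key can sign further certificates
    bc = re.search(r"Basic Constraints:.*?\n\s*(CA:(?:TRUE|FALSE))", text)
    if bc and bc.group(1) == "CA:TRUE":
        findings.append("end-entity certificate carries CA:TRUE")
    if "sha1WithRSAEncryption" in text:
        findings.append("signed with SHA-1, which browsers no longer accept")
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if bits and int(bits.group(1)) < 2048:
        findings.append(f"RSA key is only {bits.group(1)} bits")
    return findings

def audit_cert_file(path, expected_cn):
    """Dump a PEM certificate with the openssl CLI (must be installed) and audit it."""
    proc = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-text"],
                          capture_output=True, text=True, check=True)
    return audit_cert_text(proc.stdout, expected_cn)

if __name__ == "__main__":
    for finding in audit_cert_text(SAMPLE_SERVER_CERT_TEXT, "vipuser201.club"):
        print("FINDING:", finding)
```

Run it as `audit_cert_file("/etc/httpd/conf.d/server.crt", "vipuser201.club")` on the web server before enabling mod_ssl; a clean certificate returns an empty list.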
