实战：搭建CA认证中心，使用CA证书搭建HTTPS / 憋错料

CA认证中心服务端：xuegod63.cn IP：192.168.0.61
客户端：xuegod64.cn IP：192.168.0.62
CA：Certificate Authority的缩写，通常翻译成认证权威或者认证中心，主要用途是为用户发放数字证书。
认证中心（CA）的功能有：证书发放、证书更新、证书撤销和证书验证。
CA证书作用：身份认证--->数据的不可否认性

https 监听端口： 443

证书请求文件:CSR是Cerificate Signing Request的英文缩写，即证书请求文件，也就是证书申请者在申请数字证书时由CSP(加密服务提供者)在生成私钥的同时也生成证书请求文件，证书申请者只要把CSR文件提交给证书颁发机构后，证书颁发机构使用其根证书的私钥签名就生成了证书文件，也就是颁发给用户的证书。

总结：证书签名过程
1、生成请求文件
2、 CA使用根证书的私钥加密请求文件,生成证书
3、把证书传给申请者

申请免费证书：
https://buy.wosign.com/free/

实战：搭建CA认证中心

安装CA认证软件包中心：

[[email protected] ~]# rpm -qf `which openssl`
openssl-1.0.1e-15.el6.x86_64

配置一个自己的CA认证中心。生成CA的根证书和私钥。根证书中包括：CA的公钥

[[email protected] ~]# vim /etc/pki/tls/openssl.cnf

改： 172 #basicConstraints=CA:FALSE
为：172 basicConstraints=CA:TRUE #让自己成为CA认证中心

生成CA的公钥证书和私钥

[[email protected] ~]# /etc/pki/tls/misc/CA -h ##查看帮助

[[email protected] ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)     #直接回车
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to ‘/etc/pki/CA/private/./cakey.pem‘
Enter PEM pass phrase:123456         # 输入密码，保护私钥
Verifying - Enter PEM pass phrase:123456     #再次输入密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]: xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server‘s hostname) []:xuegod61.cn #通用名称（例如，您的姓名或您的服务器的主机名）,随便写
Email Address []:[email protected]
Please enter the following ‘extra‘ attributes
to be sent with your certificate request #添加一个“额外”的属性，让客户端发送CA证书,请求文件时，要输入的密
A challenge password []:     #直接加车
An optional company name []:    #直接加车
Using configuration from /etc/pki/tls/openssl.cnf     # CA服务器的配置文件。上面修改的内容会添加到这个配置文件中
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456     #输入刚才保护CA密钥的密码

Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
        Validity
            Not Before: Nov 5 22:55:32 2015 GMT
            Not After : Nov 4 22:55:32 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod61.cn
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov 4 22:55:32 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

到此CA认证中心就搭建好了。

查看生成的CA根证书：

[[email protected] ~]# vim /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=xuegod, OU=IT,CN=xuegod61.cn/[email protected]
        Validity           #CA认证机构信息
            Not Before: Nov 5 22:55:32 2015 GMT
            Not After : Nov 4 22:55:32 2018 GMT
        Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1.163.com
        Subject Public Key Info:      #CA认证中心公钥信息
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

查看根证书的私钥

[[email protected] ~]# vim /etc/pki/CA/private/cakey.pem

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAVthQXWJA3cCAggA
MBQGCCqGSIb3DQMHBAjtrTJksBjvtASCBMgaX0dxU1Cnhx8iXyMFLVpeWm35L2Wf

实战：使用证书搭建https

在xuegod64上配置https
1、安装：httpd
2、xuegod62生成证书请求文件，获得证书
3、把证书和httpd相结合。

1、安装HTTPD

[[email protected] ~]# yum install -y httpd

2、xuegod62生成证书请求文件，获得证书

[[email protected] ~]# openssl genrsa -h ##查看帮助

生一个私钥密钥：

[[email protected] ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456 #输入保护私钥的密码
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456

使用私钥生成证书请求文件

[[email protected] ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr #注意后期添加的国家，省，组织等信息要和CA保持一致

Enter pass phrase for /etc/httpd/conf.d/server.key: 123456 #输入私钥的密码

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server‘s hostname) []:xuegod62.cn

#这里要求输入的CommonName必须不通过浏览器访问您网站的 URL 完全相同，否则用户会发现您服务器证书的通用名不站点的名字丌匹配，用户就会怀疑您的证书的真实性。可以使域名也可以使IP址。
Email Address []:[email protected]

Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []: #不输密码直接回车

An optional company name []:

将证书请求文件发给CA服务器：

[[email protected] ~]# scp /server.csr 192.168.0.61:/tmp/
[email protected]‘s password:
server.csr 100% 684 0.7KB/s 00:00

CA签名：

[[email protected] ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:    123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940009 (0x92fe6f5a84650ce9)
        Validity
            Not Before: Nov 5 23:43:21 2015 GMT
            Not After : Nov 4 23:43:21 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod62.cn
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                80:FB:DE:AB:6D:CC:20:E2:F9:AE:73:09:8A:1B:50:F2:9B:84:BC:C5
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

Certificate is to be certified until Nov 4 23:43:21 2016 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Certificate is to be certified until Dec 21 14:25:53 2015 GMT (365 days) #证书有效期是365天。证书进行认证，直到12月21日十四时25分53秒格林尼治标准时间2015年（365天）
Sign the certificate? [y/n]:y #注册证书
1 out of 1 certificate requests certified, commit? [y/n]y #确认
Write out database with 1 new entries
Data Base Updated

将证书复制到xuegod64

[[email protected] ~]# scp /server.crt 192.168.0.62:/

到此证书签名完毕。
实战：使用证书实现https
SSL：(Secure Socket Layer)安全套接字层，通过一种机制在互联网上提供密钥传输。其主要目标是保证两个应用间通信数据的保密性和可靠性,可在服务器端和用户端同时支持的一种加密算法。目前主流版本SSLV2、SSLV3(常用）。
SSL四次握手安全传输：
加密协议： SSL 3.0 或 TLS 1.0
C -------------------------------------------------> S

请求一个安全的会话，协商算法
C <------------------------------------------------- S
2. 将自己Server端的证书给客户端
C -------------------------------------------------> S
3. 客户端用浏览中存放CA的根证书检测xuegod64证书，如果对，使用CA根证书中的公钥解密。得到xuegod64的公钥；
然后生成一把对称的加密密钥,用xuegod64的公钥加密这个密钥发给xuegod64。后期使用对称密钥加密数据
C <------------------------------------------------> S

4. xuegod62使用私钥解密，得到对称的加密密钥
然后，使用对称加密密钥来进行安全快速传输数据

配置HTTPS web服务器： xuegod62

[[email protected] ~]# yum install mod_ssl -y 安装：SSL模块

配置：

[[email protected] ~]# cp /server.crt /etc/httpd/conf.d/ #复制证书
[[email protected] ~]# ll /etc/httpd/conf.d/server.key # 查看私钥
-rw-r--r--. 1 root root 963 11月 6 07:24 /etc/httpd/conf.d/server.key

[[email protected] ~]# vim /etc/httpd/conf.d/ssl.conf

104 # certificate can be generated using the genkey(1) command.
改：105 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
为：
SSLCertificateFile /etc/httpd/conf.d/server.crt

106 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
107
108 # Server Private Key:
109 # If the key is not combined with the certificate, use this
110 # directive to point at the key file. Keep in mind that if
111 # you‘ve both a RSA and a DSA private key you can configure
112 # both in parallel (to also allow the use of DSA ciphers, etc.)
改：113 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
为：
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
114 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

启动服务：
[[email protected] ~]# /etc/init.d/httpd start
正在启动 httpd：Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server xuegod62.cn:443 (RSA)
Enter pass phrase: 123456

OK: Pass Phrase Dialog successful.
[确定]

测试

查看端口号：

[[email protected] ~]# netstat -anupt |grep 443
tcp 0 0 :::443 :::* LISTEN 49865/httpd