Hands-on: set up a CA and use a CA-issued certificate to serve HTTPS

CA server:  xuegod63.cn    IP: 192.168.0.61
Client:     xuegod64.cn    IP: 192.168.0.62
CA: short for Certificate Authority, usually translated as "certification authority" or "certificate center"; its main job is to issue digital certificates to users.
A CA's functions are: certificate issuance, renewal, revocation and verification.
What a CA certificate gives you: identity authentication, and from that non-repudiation of data.

HTTPS listening port: 443

Certificate signing request: CSR stands for Certificate Signing Request. When an applicant requests a digital certificate, the CSP (cryptographic service provider) generates the private key and, alongside it, the certificate request file. The applicant submits the CSR to the certificate authority, which signs it with the private key of its root certificate; the result is the certificate file issued to the user.

Summary: the certificate signing process
1. Generate the request file (CSR)
2. The CA signs the request file with the private key of its root certificate, producing the certificate
3. Hand the certificate back to the applicant

Apply for a free certificate:
https://buy.wosign.com/free/

Hands-on: set up the CA

Check that the CA software package (openssl) is installed:

[[email protected] ~]# rpm -qf `which openssl`
openssl-1.0.1e-15.el6.x86_64

Configure your own CA. Generate the CA's root certificate and private key. The root certificate contains the CA's public key.

[[email protected] ~]# vim /etc/pki/tls/openssl.cnf

Change line 172: #basicConstraints=CA:FALSE
to:              basicConstraints=CA:TRUE #make this host a CA

Generate the CA's public-key certificate and private key

[[email protected] ~]# /etc/pki/tls/misc/CA -h     ##view help

usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify

[[email protected] ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)     #just press Enter
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:123456         # enter a password to protect the private key
Verifying - Enter PEM pass phrase:123456     #enter the password again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]: xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod61.cn #common name (e.g. your name or the server's hostname); any value is fine here
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request #"extra" attributes: a challenge password the client would have to supply when sending a certificate request to the CA
A challenge password []:     #just press Enter
An optional company name []:    #just press Enter
Using configuration from /etc/pki/tls/openssl.cnf     # the CA server's config file; the change made above lives in this file
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456     #enter the password that protects the CA key

Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
        Validity
            Not Before: Nov  5 22:55:32 2015 GMT
            Not After : Nov  4 22:55:32 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod61.cn
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov  4 22:55:32 2018 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

The CA is now set up.

View the generated CA root certificate:

[[email protected] ~]# vim  /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=beijing, O=xuegod, OU=IT,CN=xuegod61.cn/[email protected]
        Validity           #CA information
            Not Before: Nov  5 22:55:32 2015 GMT
            Not After : Nov  4 22:55:32 2018 GMT
        Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1.163.com
        Subject Public Key Info:      #the CA's public key
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:

View the root certificate's private key

[[email protected] ~]# vim /etc/pki/CA/private/cakey.pem

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAVthQXWJA3cCAggA
MBQGCCqGSIb3DQMHBAjtrTJksBjvtASCBMgaX0dxU1Cnhx8iXyMFLVpeWm35L2Wf

Hands-on: serve HTTPS with the certificate

Configure HTTPS on xuegod64
1. Install httpd
2. On xuegod62, generate a certificate request and obtain the certificate
3. Wire the certificate into httpd.

1. Install httpd

[[email protected] ~]# yum install -y httpd

2. On xuegod62, generate a certificate request and obtain the certificate

[[email protected] ~]# openssl genrsa -h   ##view help

Generate a private key:

[[email protected] ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456     #enter a password to protect the private key
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456

Generate a certificate request from the private key

[[email protected] ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr             #note: the country, province, organization etc. entered below must match the CA's

Enter pass phrase for /etc/httpd/conf.d/server.key:     123456      #enter the private key's password

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod62.cn

#The Common Name entered here must be exactly the same as the URL users type into the browser to reach your site; otherwise users will see that the server certificate's common name does not match the site's name and will doubt that the certificate is genuine. It can be either a domain name or an IP address.
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        #no password, just press Enter

An optional company name []:

Send the certificate request to the CA server:

[[email protected] ~]# scp /server.csr 192.168.0.61:/tmp/
[email protected]'s password:
server.csr                  100%  684     0.7KB/s   00:00

The CA signs it:

[[email protected] ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:    123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 10592025808180940009 (0x92fe6f5a84650ce9)
        Validity
            Not Before: Nov  5 23:43:21 2015 GMT
            Not After : Nov  4 23:43:21 2016 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xuegod
            organizationalUnitName    = IT
            commonName                = xuegod62.cn
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                80:FB:DE:AB:6D:CC:20:E2:F9:AE:73:09:8A:1B:50:F2:9B:84:BC:C5
            X509v3 Authority Key Identifier:
                keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA

Certificate is to be certified until Nov  4 23:43:21 2016 GMT (365 days)     #the certificate is valid for 365 days
Sign the certificate? [y/n]:y     #sign the certificate

1 out of 1 certificate requests certified, commit? [y/n]y     #confirm
Write out database with 1 new entries
Data Base Updated

Copy the certificate to xuegod64

[[email protected] ~]# scp /server.crt 192.168.0.62:/

Certificate signing is complete.
Hands-on: enable HTTPS with the certificate
SSL (Secure Socket Layer): a security layer that provides a mechanism for transporting keys over the Internet. Its main goal is to guarantee the confidentiality and reliability of the data exchanged between two applications, using encryption supported on both the server and the client side. Current mainstream versions: SSLv2 and SSLv3 (commonly used).
SSL four-step handshake for secure transport:
Protocol: SSL 3.0 or TLS 1.0
C -------------------------------------------------> S
1. The client requests a secure session and the two sides negotiate the algorithms.
C <------------------------------------------------- S
2. The server sends its own server certificate to the client.
C -------------------------------------------------> S
3. The client checks the xuegod64 certificate against the CA root certificate stored in the browser; if it checks out, it uses the public key in the CA root certificate to decrypt (verify) the signature and obtains xuegod64's public key. It then generates a symmetric encryption key, encrypts that key with xuegod64's public key and sends it to xuegod64. From here on, data is encrypted with the symmetric key.
C <------------------------------------------------> S
4. xuegod62 decrypts with its private key and obtains the symmetric key; from then on the symmetric key is used to transfer data securely and fast.

Configure the HTTPS web server: xuegod62

[[email protected] ~]# yum install mod_ssl -y       #install the SSL module

Configure:

[[email protected] ~]# cp /server.crt /etc/httpd/conf.d/      #copy the certificate
[[email protected] ~]# ll /etc/httpd/conf.d/server.key     # check the private key
-rw-r--r--. 1 root root 963 11月  6 07:24 /etc/httpd/conf.d/server.key
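The post's three-step summary and the xuegod62/xuegod63 procedure above, as an added shell example (not the post's own commands): it runs the whole root CA -> server key + CSR -> signed server certificate flow non-interactively and then performs the checks worth running before the `cp` and `ll` step above. It assumes a throwaway working directory instead of /etc/pki/CA, config section names v3_ca/v3_server of its own, and `openssl x509 -req` in place of `openssl ca`, so it keeps no index.txt/serial database; the `-verify_hostname` check needs OpenSSL 1.1.0 or later. Two details in the post's own output motivate the checks at the end: the signed server certificate came out with `CA:TRUE` because basicConstraints was flipped for every certificate in openssl.cnf, and `ll` shows server.key as 0644, readable by every local user.

```shell
#!/bin/sh
# Added example, not code from the original post. Non-interactive version of the
# post's flow: root CA -> server key + CSR -> signed server cert, followed by the
# checks worth running before pointing mod_ssl at the files. Hostnames and DN
# values are the post's own; the config section names (v3_ca, v3_server) and the
# working directory are this script's assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_CN="xuegod63.cn"
SERVER_CN="xuegod62.cn"

# Self-contained OpenSSL config. The root profile carries CA:TRUE, the server
# profile CA:FALSE, so basicConstraints never has to be flipped globally in
# /etc/pki/tls/openssl.cnf (the edit that made the post's server cert "CA:TRUE").
write_config() {
    cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$SERVER_CN
EOF
}

# Step 1 (CA host): root key and self-signed root certificate.
make_root_ca() {
    openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -config "$WORK/ca.cnf" -extensions v3_ca -days 1095 \
        -subj "/C=CN/ST=beijing/O=xuegod/OU=IT/CN=$CA_CN" \
        -key "$WORK/cakey.pem" -out "$WORK/cacert.pem"
}

# Step 2 (web host): server key and CSR. Only the CSR travels to the CA; the key
# stays on the server, readable by root only.
make_csr() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 600 "$WORK/server.key"
    openssl req -new -config "$WORK/ca.cnf" \
        -subj "/C=CN/ST=beijing/O=xuegod/OU=IT/CN=$SERVER_CN" \
        -key "$WORK/server.key" -out "$WORK/server.csr"
}

# Step 3 (CA host): confirm the CSR's own signature ("Check that the request
# matches the signature"), then sign with the server profile. Same result as the
# post's "openssl ca" call, without the index.txt/serial database.
sign_csr() {
    openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
    openssl x509 -req -in "$WORK/server.csr" -days 365 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/ca.cnf" -extensions v3_server \
        -out "$WORK/server.crt" 2>/dev/null
}

# Checks to run before SSLCertificateFile / SSLCertificateKeyFile point at the files.
verify_chain() {      # does the root actually vouch for the server certificate?
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/server.crt" >/dev/null 2>&1
}
name_matches() {      # the post's CommonName rule, checked the way a browser does it (OpenSSL >= 1.1.0)
    openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}
leaf_is_ca() {        # true if the server cert was issued as a CA (it never should be)
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -q 'CA:TRUE'
}
key_matches_cert() {  # identical RSA modulus => this key belongs to this cert
    c=$(openssl x509 -in "$WORK/server.crt" -noout -modulus)
    k=$(openssl rsa -in "$WORK/server.key" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}
key_perms() {         # octal mode of the private key; the post's ll shows 644, i.e. world-readable
    stat -c '%a' "$WORK/server.key" 2>/dev/null || stat -f '%Lp' "$WORK/server.key"
}

main() {
    write_config; make_root_ca; make_csr; sign_csr
    verify_chain              || { echo "FAIL: chain does not verify" >&2; return 1; }
    name_matches "$SERVER_CN" || { echo "FAIL: name mismatch" >&2; return 1; }
    ! leaf_is_ca              || { echo "FAIL: server cert has CA:TRUE" >&2; return 1; }
    key_matches_cert          || { echo "FAIL: key and cert do not match" >&2; return 1; }
    echo "OK: $WORK/server.crt issued by $CA_CN; key mode $(key_perms)"
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh ca_demo.sh run`; the files land in the directory named in the OK line, and `server.crt`/`server.key` can then be dropped into /etc/httpd/conf.d/ exactly as the post does. Signing with a per-profile extension section rather than the global openssl.cnf edit is what keeps `leaf_is_ca` false, and the `chmod 600` is the fix for the 0644 key the post's `ll` output shows.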

[[email protected] ~]# vim /etc/httpd/conf.d/ssl.conf

104 # certificate can be generated using the genkey(1) command.
Change line 105: SSLCertificateFile /etc/pki/tls/certs/localhost.crt
to:
SSLCertificateFile /etc/httpd/conf.d/server.crt

106 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
107
108 # Server Private Key:
109 # If the key is not combined with the certificate, use this
110 # directive to point at the key file. Keep in mind that if
111 # you've both a RSA and a DSA private key you can configure
112 # both in parallel (to also allow the use of DSA ciphers, etc.)
Change line 113: SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
to:
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
114 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Start the service:
[[email protected] ~]# /etc/init.d/httpd start
正在启动 httpd:Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server xuegod62.cn:443 (RSA)
Enter pass phrase:  123456

OK: Pass Phrase Dialog successful.
                                                           [确定]

Test

Check the listening port:

[[email protected] ~]# netstat -anupt |grep 443
tcp        0      0 :::443                      :::*                        LISTEN      49865/httpd

Time: 2024-10-06 05:30:57
