搭建CA认证中心,使用CA证书搭建HTTPS
CA认证中心服务端:xuegod63.cn IP:192.168.0.61客户端 :xuegod64.cn IP:192.168.0.62
CA:Certificate Authority的缩写,通常翻译成认证权威或者认证中心,主要用途是为用户发放数字证书。
认证中心(CA)的功能有:证书发放、证书更新、证书撤销和证书验证。
CA证书作用:身份认证--->数据的不可否认性
https 监听端口: 443
证书请求文件:CSR是Cerificate Signing Request的英文缩写,即证书请求文件,也就是证书申请者在申请数字证书时由CSP(加密服务提供者)在生成私钥的同时也生成证书请求文件,证书申请者只要把CSR文件提交给证书颁发机构后,证书颁发机构使用其根证书的私钥签名就生成了证书文件,也就是颁发给用户的证书。
总结:证书签名过程
1、 生成请求文件
2、 CA使用根证书的私钥加密请求文件,生成证书
3、 把证书传给申请者
申请免费证书:
https://buy.wosign.com/free/
实战:搭建CA认证中心
安装CA认证软件包中心:
# rpm -qf `which openssl`
openssl-1.0.1e-15.el6.x86_64
配置一个自己的CA认证中心。生成CA的根证书和私钥。 根证书中包括:CA的公钥
# vim /etc/pki/tls/openssl.cnf
改: 172 #basicConstraints=CA:FALSE
为:172 basicConstraints=CA:TRUE #让自己成为CA认证中心
生成CA的公钥证书和私钥
# /etc/pki/tls/misc/CA -h ##查看帮助
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create) #直接回车
Making CA certificate ...
Generating a 2048 bit RSA private key
....................+++
..........................................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:123456 # 输入密码,保护私钥
Verifying - Enter PEM pass phrase:123456 #再次输入密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----
Country Name (2 letter code) :CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) :haidian
Organization Name (eg, company) : xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod61.cn #通用名称(例如,您的姓名或您的服务器的主机名),随便写
Email Address []:1@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request #添加一个“额外”的属性,让客户端发送CA证书,请求文件时,要输入的密
A challenge password []: #直接加车
An optional company name []: #直接加车
Using configuration from /etc/pki/tls/openssl.cnf # CA服务器的配置文件。上面修改的内容会添加到这个配置文件中
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456 #输入刚才保护CA密钥的密码
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
Validity
Not Before: Nov5 22:55:32 2015 GMT
Not After : Nov4 22:55:32 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = xuegod
organizationalUnitName = IT
commonName = xuegod61.cn
emailAddress = 1@163.com
X509v3 extensions:
X509v3 Subject Key Identifier:
33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
X509v3 Authority Key Identifier:
keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Nov4 22:55:32 2018 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
到此CA认证中心就搭建好了。
查看生成的CA根证书:
# vim/etc/pki/CA/cacert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10592025808180940008 (0x92fe6f5a84650ce8)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CN, ST=beijing, O=xuegod, OU=IT,CN=xuegod61.cn/emailAddress=1@163.com
Validity #CA认证机构信息
Not Before: Nov5 22:55:32 2015 GMT
Not After : Nov4 22:55:32 2018 GMT
Subject: C=CN, ST=beijing, O=xuegod, OU=IT, CN=xuegod61.cn/emailAddress=1.163.com
Subject Public Key Info: #CA认证中心公钥信息
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
查看根证书的私钥
# vim /etc/pki/CA/private/cakey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIAVthQXWJA3cCAggA
MBQGCCqGSIb3DQMHBAjtrTJksBjvtASCBMgaX0dxU1Cnhx8iXyMFLVpeWm35L2Wf
实战:使用证书搭建https
在xuegod64上配置https
1、安装:httpd
2、xuegod62生成证书请求文件,获得证书
3、把证书和httpd相结合。
1、安装HTTPD
# yum install -y httpd
2、xuegod62生成证书请求文件,获得证书
# openssl genrsa -h ##查看帮助
生一个私钥密钥:
# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 512 bit long modulus
.....++++++++++++
..............................++++++++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:123456 #输入保护私钥的密码
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: 123456
使用私钥生成证书请求文件
# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr #注意后期添加的国家,省,组织等信息要和CA保持一致
Enter pass phrase for /etc/httpd/conf.d/server.key: 123456 #输入私钥的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) :haidian
Organization Name (eg, company) :xuegod
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xuegod62.cn
#这里要求输入的CommonName必须不通过浏览器访问您网站的 URL 完全相同,否则用户会发现您服务器证书的通用名不站点的名字丌匹配,用户就会怀疑您的证书的真实性。可以使域名也可以使IP址。
Email Address []:1@162.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #不输密码直接回车
An optional company name []:
将证书请求文件发给CA服务器:
# scp /server.csr 192.168.0.61:/tmp/
root@192.168.0.61's password:
server.csr 100%684 0.7KB/s 00:00
CA签名:
# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem: 123456
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 10592025808180940009 (0x92fe6f5a84650ce9)
Validity
Not Before: Nov5 23:43:21 2015 GMT
Not After : Nov4 23:43:21 2016 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = xuegod
organizationalUnitName = IT
commonName = xuegod62.cn
emailAddress = 1@162.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
80:FB:DE:AB:6D:CC:20:E2:F9:AE:73:09:8A:1B:50:F2:9B:84:BC:C5
X509v3 Authority Key Identifier:
keyid:33:DB:C9:59:D1:A5:C4:63:64:A2:5E:87:5F:10:21:CF:BB:D6:FC:FA
Certificate is to be certified until Nov4 23:43:21 2016 GMT (365 days)
Sign the certificate? :y
1 out of 1 certificate requests certified, commit? y
Write out database with 1 new entries
Data Base Updated
Certificate is to be certified until Dec 21 14:25:53 2015 GMT (365 days) #证书有效期是365天。证书进行认证,直到12月21日十四时25分53秒格林尼治标准时间2015年(365天)
Sign the certificate? :y #注册证书
1 out of 1 certificate requests certified, commit? y #确认
Write out database with 1 new entries
Data Base Updated
将证书复制到xuegod64
# scp /server.crt 192.168.0.62:/
到此证书签名完毕。
实战:使用证书实现https
SSL:(Secure Socket Layer)安全套接字层,通过一种机制在互联网上提供密钥传输。其主要目标是保证两个应用间通信数据的保密性和可靠性,可在服务器端和用户端同时支持的一种加密算法。目前主流版本SSLV2、SSLV3(常用)。
SSL四次握手安全传输:
加密协议: SSL 3.0 或 TLS 1.0
C -------------------------------------------------> S
[*]请求一个安全的会话,协商算法
C <------------------------------------------------- S
2. 将自己Server端的证书给客户端
C -------------------------------------------------> S
3. 客户端用浏览中存放CA的根证书检测xuegod64证书,如果对,使用CA根证书中的公钥解密。得到xuegod64的公钥;
然后生成一把对称的加密密钥,用xuegod64的公钥加密这个密钥发给xuegod64。 后期使用对称密钥加密数据
C <------------------------------------------------> S
4. xuegod62使用私钥解密,得到对称的加密密钥
然后,使用对称加密密钥来进行安全快速传输数据
配置HTTPS web服务器: xuegod62
# yum install mod_ssl -y 安装:SSL模块
配置:
# cp /server.crt /etc/httpd/conf.d/ #复制证书
# ll /etc/httpd/conf.d/server.key # 查看私钥
-rw-r--r--. 1 root root 963 11月6 07:24 /etc/httpd/conf.d/server.key
# vim /etc/httpd/conf.d/ssl.conf
104 # certificate can be generated using the genkey(1) command.
改:105 SSLCertificateFile /etc/pki/tls/certs/localhost.crt
为:
SSLCertificateFile /etc/httpd/conf.d/server.crt
106 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
107
108 # Server Private Key:
109 # If the key is not combined with the certificate, use this
110 # directive to point at the key file. Keep in mind that if
111 # you've both a RSA and a DSA private key you can configure
112 # both in parallel (to also allow the use of DSA ciphers, etc.)
改:113 SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
为:
SSLCertificateKeyFile /etc/httpd/conf.d/server.key
114 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
启动服务:
# /etc/init.d/httpd start
正在启动 httpd:Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server xuegod62.cn:443 (RSA)
Enter pass phrase:123456
OK: Pass Phrase Dialog successful.
[确定]
测试
查看端口号:
# netstat -anupt |grep 443
tcp 0 0 :::443 :::* LISTEN 49865/httpd
页:
[1]