生成密钥对和证书的步骤

生成密钥对和证书的步骤

主机名 | IP地址 | 系统
DR | 192.168.10.130 | CentOS-8
RS1 | 192.168.10.131 | CentOS-8
RS2 | 192.168.10.133 | CentOS-8

创建所需的CA目录以及文件

[root@DR ~]# for dir in certs crl newcerts private ; do mkdir -pv /etc/pki/CA/$dir;done
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@DR ~]# 
[root@DR ~]# cd /etc/pki/CA/
[root@DR CA]# ls
certs  crl  newcerts  private
[root@DR CA]# 

生成密钥对

[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
......+++++
.............................................................................+++++
e is 65537 (0x010001)
[root@DR CA]# 

生成自签署证书和证书索引数据库文件,并指定第一个颁发证书的序列号

[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
...
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime
Common Name (eg, your name or your server's hostname) []:runtime
Email Address []:      #这里直接回车
[root@DR CA]# 
[root@DR CA]# touch index.txt
[root@DR CA]# echo 01 > serial
[root@DR CA]# 

在RS1主机上生成密钥对

[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]# 
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# 
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................+++++
............................................................+++++
e is 65537 (0x010001)
[root@RS1 ssl]# 

生成证书签署请求

[root@RS1 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
...
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime
Common Name (eg, your name or your server's hostname) []:runtime
Email Address []:     #这里直接回车

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:      #这里直接回车     
An optional company name []:      #这里直接回车
[root@RS1 ssl]# 
[root@RS1 ssl]# ls
httpd.csr  httpd.key
[root@RS1 ssl]# 

把证书签署请求文件发送给CA

[root@RS1 ssl]# scp httpd.csr root@192.168.10.130:/root
root@192.168.10.130's password: 
Permission denied, please try again.
root@192.168.10.130's password: 
httpd.csr                                                                     100%  989     1.8MB/s   00:00    
[root@RS1 ssl]# 

CA签署证书并发给RS1和RS2主机

[root@DR ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct  8 12:25:28 2023 GMT
            Not After : Oct  7 12:25:28 2024 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = runtime
            organizationalUnitName    = runtime
            commonName                = runtime
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                67:EC:F0:4B:68:1A:75:5D:08:FD:A1:6F:A8:90:ED:5D:2D:96:58:46
            X509v3 Authority Key Identifier: 
                keyid:F9:CC:AF:25:3C:75:48:6C:C9:AE:61:34:EE:03:9E:F8:43:F2:B9:F1
Certificate is to be certified until Oct  7 12:25:28 2024 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@DR ~]# 
[root@DR ~]# ls
anaconda-ks.cfg  httpd.crt  httpd.csr
[root@DR ~]# 

在DR主机上将签署好的证书httpd.crt和生成的自签署证书cacert.pem发送给RS1和RS2主机

DR

[root@DR ~]# scp httpd.crt root@192.168.10.131:/etc/httpd/ssl
The authenticity of host '192.168.10.131 (192.168.10.131)' can't be established.
ECDSA key fingerprint is SHA256:z2F8hfFO4+Z6J0ZDbXo2fsytcMRBVqsUnM2LdvOjWCs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.131' (ECDSA) to the list of known hosts.
root@192.168.10.131's password: 
httpd.crt                                                                             100% 4424     4.0MB/s   00:00    
[root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.10.131:/etc/httpd/ssl
root@192.168.10.131's password: 
cacert.pem                                                                            100% 1310     1.9MB/s   00:00    
[root@DR ~]# 

RS1

[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# ls
cacert.pem  httpd.crt  httpd.csr  httpd.key
[root@RS1 ssl]# 

RS2

[root@RS2 ~]# mkdir /etc/httpd/ssl

DR

[root@DR ~]# scp httpd.crt root@192.168.10.133:/etc/httpd/ssl
root@192.168.10.133's password: 
httpd.crt                                                                             100% 4424     3.4MB/s   00:00    
[root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.10.133:/etc/httpd/ssl
root@192.168.10.133's password: 
cacert.pem                                                                            100% 1310     1.5MB/s   00:00    
[root@DR ~]# 

RS2

[root@RS2 ssl]# ls
cacert.pem  httpd.crt

将RS1主机上的私钥(httpd.key)拷贝至RS2主机(两台RS使用同一张证书httpd.crt,因此需共用同一私钥;拷贝后确认该文件在RS2上仍仅root可读),然后安装模块

RS1

[root@RS1 ssl]# scp httpd.key root@192.168.10.133:/etc/httpd/ssl
The authenticity of host '192.168.10.133 (192.168.10.133)' can't be established.
ECDSA key fingerprint is SHA256:AOQsguPRyPBU/A2KBE9FlV6d+Q0A9b+Z9CK3gHvDg3k.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.133' (ECDSA) to the list of known hosts.
root@192.168.10.133's password: 
httpd.key                                                                     100% 1679     1.6MB/s   00:00 

RS2

[root@RS2 ssl]# ls
cacert.pem  httpd.crt  httpd.key
[root@RS2 ssl]# 

在RS1和RS2主机上安装mod_ssl模块

[root@RS1 ~]# yum -y install mod_ssl

[root@RS2 ~]# yum -y install mod_ssl

在 RS1 和 RS2 主机上配置ssl

RS1

[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
......
/SSLCertificateFile    #在vim命令模式下输入这个进行搜索,找到下面这一行后,将其路径改为证书文件所在的位置
SSLCertificateFile /etc/httpd/ssl/httpd.crt
......
/SSLCertificateKeyFile   #在vim命令模式下输入这个进行搜索,找到下面这一行后,将其路径改为私钥文件所在的位置
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
......
/SSLCACertificateFile     #在vim命令模式下输入这个进行搜索,找到下面这一行后,将其路径改为CA证书所在的位置
SSLCACertificateFile /etc/httpd/ssl/cacert.pem  #这一行要去掉注释
......


RS2

[root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
......
/SSLCertificateFile    #在vim命令模式下输入这个进行搜索,找到下面这一行后,将其路径改为证书文件所在的位置
SSLCertificateFile /etc/httpd/ssl/httpd.crt
......
/SSLCertificateKeyFile   #在vim命令模式下输入这个进行搜索,找到下面这一行后,将其路径改为私钥文件所在的位置
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
......
/SSLCACertificateFile     #在vim命令模式下输入这个进行搜索,找到下面这一行后,将其路径改为CA证书所在的位置
SSLCACertificateFile /etc/httpd/ssl/cacert.pem    #这一行要去掉注释
......
