Steps for generating the key pair and certificates
Hostname | IP address | OS
---|---|---
DR | 192.168.10.130 | CentOS-8
RS1 | 192.168.10.131 | CentOS-8
RS2 | 192.168.10.133 | CentOS-8
Create the CA directories and files (the stock /etc/pki/tls/openssl.cnf on CentOS 8 has `dir = /etc/pki/CA` in its `[ CA_default ]` section, so `openssl ca` expects exactly this layout)
[root@DR ~]# for dir in certs crl newcerts private ; do mkdir -pv /etc/pki/CA/$dir;done
mkdir: created directory '/etc/pki/CA'
mkdir: created directory '/etc/pki/CA/certs'
mkdir: created directory '/etc/pki/CA/crl'
mkdir: created directory '/etc/pki/CA/newcerts'
mkdir: created directory '/etc/pki/CA/private'
[root@DR ~]#
[root@DR ~]# cd /etc/pki/CA/
[root@DR CA]# ls
certs crl newcerts private
[root@DR CA]#
Generate the CA key pair (the `umask 077` in the subshell makes cakey.pem mode 0600 without changing the shell's umask)
[root@DR CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
......+++++
.............................................................................+++++
e is 65537 (0x010001)
[root@DR CA]#
Generate the self-signed CA certificate and the certificate index database, and set the serial number of the first certificate to be issued. The CA certificate is given a 365-day lifetime here, which is fine for a lab; a real CA certificate normally outlives the server certificates it signs.
[root@DR CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
...
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime
Common Name (eg, your name or your server's hostname) []:runtime
Email Address []:   # just press Enter here
[root@DR CA]#
[root@DR CA]# touch index.txt
[root@DR CA]# echo 01 > serial
[root@DR CA]#
Generate the server key pair on RS1
[root@RS1 ~]# mkdir /etc/httpd/ssl
[root@RS1 ~]#
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]#
[root@RS1 ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................+++++
............................................................+++++
e is 65537 (0x010001)
[root@RS1 ssl]#
Generate the certificate signing request. The `-days 365` below has no effect on a CSR: validity is set by the CA when it signs (OpenSSL 3 prints a warning and ignores the option). Note also that the CN `runtime` is neither the hostname nor the IP clients will connect to, and the request carries no subjectAltName, so even after importing cacert.pem a browser will refuse this certificate for 192.168.10.131; outside a lab, request a subjectAltName that matches the service address.
[root@RS1 ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
...
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:runtime
Organizational Unit Name (eg, section) []:runtime
Common Name (eg, your name or your server's hostname) []:runtime
Email Address []:   # just press Enter here
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # just press Enter here
An optional company name []:   # just press Enter here
[root@RS1 ssl]#
[root@RS1 ssl]# ls
httpd.csr httpd.key
[root@RS1 ssl]#
Send the CSR file to the CA (the CSR contains only the public key, so it can travel over any channel; the private key stays on RS1)
[root@RS1 ssl]# scp httpd.csr root@192.168.10.130:/root
root@192.168.10.130's password:
Permission denied, please try again.
root@192.168.10.130's password:
httpd.csr 100% 989 1.8MB/s 00:00
[root@RS1 ssl]#
The CA signs the certificate and sends it to RS1 and RS2. `openssl ca` reads /etc/pki/tls/openssl.cnf and therefore uses /etc/pki/CA/{index.txt,serial,newcerts} created above. The locality (L=WH) typed into the CSR is missing from the issued subject because the stock `policy_match` section lists no localityName; the `match` fields (C, ST, O) must equal the CA certificate's or signing is refused. The text dump `openssl ca` writes in front of the PEM block (which is why httpd.crt is 4424 bytes below) is harmless to httpd; add `-notext` to omit it.
[root@DR ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 8 12:25:28 2023 GMT
Not After : Oct 7 12:25:28 2024 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = runtime
organizationalUnitName = runtime
commonName = runtime
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
67:EC:F0:4B:68:1A:75:5D:08:FD:A1:6F:A8:90:ED:5D:2D:96:58:46
X509v3 Authority Key Identifier:
keyid:F9:CC:AF:25:3C:75:48:6C:C9:AE:61:34:EE:03:9E:F8:43:F2:B9:F1
Certificate is to be certified until Oct 7 12:25:28 2024 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@DR ~]#
[root@DR ~]# ls
anaconda-ks.cfg httpd.crt httpd.csr
[root@DR ~]#
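The CA setup, CSR and signing steps above, as an added example that is not part of the original tutorial: the same `openssl genrsa` / `req` / `ca` flow run non-interactively (`-subj` and `-addext` in place of the prompts) in a throwaway directory, with a minimal openssl.cnf standing in for /etc/pki/tls/openssl.cnf, and the checks worth running before any file is copied to RS1 or RS2. It goes one step beyond the page by requesting a subjectAltName, which current browsers require. It assumes OpenSSL 1.1.1 or later (for `-addext`); the SAN names and the lab directory are made up for the example and nothing touches /etc/pki/CA.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): CA -> CSR -> signed cert, non-interactive.
# Assumes OpenSSL >= 1.1.1; SAN names are made up; runs in a throwaway directory.
set -eu

# Same layout the tutorial builds under /etc/pki/CA, plus a minimal openssl.cnf
# that points `openssl ca` at it instead of the stock /etc/pki/tls/openssl.cnf.
build_ca() {                          # build_ca <labdir>
    local d="$1" sub
    for sub in certs crl newcerts private; do mkdir -p "$d/CA/$sub"; done
    touch "$d/CA/index.txt"           # certificate database, empty to start
    echo 01 > "$d/CA/serial"          # serial of the first certificate issued
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca      = lab_ca
[ lab_ca ]
dir             = $d/CA
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = lab_policy
# copy SAN etc. from the CSR; entries in server_ext still win over a CSR
copy_extensions = copy
x509_extensions = server_ext
[ lab_policy ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ server_ext ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer
extendedKeyUsage        = serverAuth
[ req ]
distinguished_name      = req_dn
x509_extensions         = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints        = critical, CA:TRUE
keyUsage                = critical, keyCertSign, cRLSign
subjectKeyIdentifier    = hash
EOF
    # umask 077 in a subshell: key file is created 0600, caller's umask untouched
    (umask 077; openssl genrsa -out "$d/CA/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$d/openssl.cnf" -key "$d/CA/private/cakey.pem" \
        -days 3650 -subj "/C=CN/ST=HB/L=WH/O=runtime/OU=runtime/CN=runtime CA" \
        -out "$d/CA/cacert.pem"
}

# Server key and CSR. The tutorial's CSR has CN=runtime only; clients match the
# hostname against subjectAltName, so a SAN is requested and copied by `openssl ca`.
issue_server_cert() {                 # issue_server_cert <labdir> <SAN list>
    local d="$1" san="$2"
    mkdir -p "$d/ssl"
    (umask 077; openssl genrsa -out "$d/ssl/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$d/openssl.cnf" -key "$d/ssl/httpd.key" \
        -subj "/C=CN/ST=HB/L=WH/O=runtime/OU=runtime/CN=runtime" \
        -addext "subjectAltName=$san" -out "$d/ssl/httpd.csr"
    # -batch answers the two y/n prompts; -notext omits the text dump before the PEM
    openssl ca -batch -config "$d/openssl.cnf" -in "$d/ssl/httpd.csr" \
        -out "$d/ssl/httpd.crt" -days 365 -notext 2>/dev/null
}

# Checks before scp'ing anything to RS1/RS2: leaf chains to cacert.pem, SAN is
# present, key matches the cert, key still 0600 (repeat the last two on RS2).
verify_issued() {                     # verify_issued <labdir>; non-zero on failure
    local d="$1"
    openssl verify -CAfile "$d/CA/cacert.pem" "$d/ssl/httpd.crt" >/dev/null || return 1
    openssl x509 -in "$d/ssl/httpd.crt" -noout -text | grep -q 'DNS:' || return 2
    [ "$(openssl pkey -in "$d/ssl/httpd.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$d/ssl/httpd.crt" -pubkey -noout)" ] || return 3
    [ "$(ls -l "$d/ssl/httpd.key" | cut -c1-10)" = "-rw-------" ] || return 4
}

# What `openssl ca` recorded: next serial, and one "V" (valid) line per cert.
next_serial()  { cat "$1/CA/serial"; }
issued_count() { grep -c '^V' "$1/CA/index.txt"; }

if [ "${1:-}" = "run" ]; then
    lab=$(mktemp -d)
    build_ca "$lab"
    issue_server_cert "$lab" "DNS:www.runtime.test,IP:192.168.10.130"
    verify_issued "$lab"
    echo "issued $(issued_count "$lab") cert(s); next serial $(next_serial "$lab"); files in $lab"
fi
```

Run it as `bash ca_lab.sh run` (any file name). `copy_extensions = copy` is what carries the SAN from the CSR into the certificate, but because `openssl ca` adds the `server_ext` entries first, a CSR cannot smuggle in `CA:TRUE` or other extensions the config already sets.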
On DR, send the signed certificate httpd.crt and the self-signed CA certificate cacert.pem to RS1 and RS2
DR
[root@DR ~]# scp httpd.crt root@192.168.10.131:/etc/httpd/ssl
The authenticity of host '192.168.10.131 (192.168.10.131)' can't be established.
ECDSA key fingerprint is SHA256:z2F8hfFO4+Z6J0ZDbXo2fsytcMRBVqsUnM2LdvOjWCs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.131' (ECDSA) to the list of known hosts.
root@192.168.10.131's password:
httpd.crt 100% 4424 4.0MB/s 00:00
[root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.10.131:/etc/httpd/ssl
root@192.168.10.131's password:
cacert.pem 100% 1310 1.9MB/s 00:00
[root@DR ~]#
RS1
[root@RS1 ~]# cd /etc/httpd/ssl/
[root@RS1 ssl]# ls
cacert.pem httpd.crt httpd.csr httpd.key
[root@RS1 ssl]#
RS2
[root@RS2 ~]# mkdir /etc/httpd/ssl
DR
[root@DR ~]# scp httpd.crt root@192.168.10.133:/etc/httpd/ssl
root@192.168.10.133's password:
httpd.crt 100% 4424 3.4MB/s 00:00
[root@DR ~]# scp /etc/pki/CA/cacert.pem root@192.168.10.133:/etc/httpd/ssl
root@192.168.10.133's password:
cacert.pem 100% 1310 1.5MB/s 00:00
[root@DR ~]#
RS2
[root@RS2 ssl]# ls
cacert.pem httpd.crt
Copy the private key from RS1 to RS2. Both real servers terminate TLS for the same service address, so they must present the same certificate and key. Moving the key over scp (SSH) is acceptable in a lab; afterwards confirm on RS2 that httpd.key is still owned by root with mode 0600 (`ls -l /etc/httpd/ssl/httpd.key`).
RS1
[root@RS1 ssl]# scp httpd.key root@192.168.10.133:/etc/httpd/ssl
The authenticity of host '192.168.10.133 (192.168.10.133)' can't be established.
ECDSA key fingerprint is SHA256:AOQsguPRyPBU/A2KBE9FlV6d+Q0A9b+Z9CK3gHvDg3k.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.133' (ECDSA) to the list of known hosts.
root@192.168.10.133's password:
httpd.key 100% 1679 1.6MB/s 00:00
RS2
[root@RS2 ssl]# ls
cacert.pem httpd.crt httpd.key
[root@RS2 ssl]#
Install the mod_ssl module on RS1 and RS2
[root@RS1 ~]# yum -y install mod_ssl
[root@RS2 ~]# yum -y install mod_ssl
Configure SSL on RS1 and RS2. SSLCertificateFile and SSLCertificateKeyFile are what httpd presents to clients. SSLCACertificateFile is the CA list mod_ssl uses to verify client certificates (SSLVerifyClient); enabling it does no harm here, but it does not make clients trust httpd.crt. Clients must import cacert.pem into their own trust store. Run `httpd -t` after editing and before restarting httpd.
RS1
[root@RS1 ~]# vim /etc/httpd/conf.d/ssl.conf
......
/SSLCertificateFile        # type this in vim to jump to the line, then point it at the copied certificate
SSLCertificateFile /etc/httpd/ssl/httpd.crt
......
/SSLCertificateKeyFile     # same: find the line, point it at the key
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
......
/SSLCACertificateFile      # same: find the line, remove the leading '#' and set the path (the line itself must not start with '/')
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
......
RS2
[root@RS2 ~]# vim /etc/httpd/conf.d/ssl.conf
......
/SSLCertificateFile        # type this in vim to jump to the line, then point it at the copied certificate
SSLCertificateFile /etc/httpd/ssl/httpd.crt
......
/SSLCertificateKeyFile     # same: find the line, point it at the key
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key
......
/SSLCACertificateFile      # same: find the line, remove the leading '#' and set the path
SSLCACertificateFile /etc/httpd/ssl/cacert.pem
......
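An offline sanity check for the three ssl.conf directives edited above, added here as an example and not part of the original tutorial. It catches the slip visible in the RS1 listing (a line beginning `/SSLCACertificateFile`, which httpd rejects as an invalid command), a directive pointing at a file that is not there, and a private key readable by other users. The sample configs and the empty placeholder files it creates are constructed for the example and contain no real certificate material; on the real hosts the checks that matter are `httpd -t` and `openssl s_client -connect 192.168.10.131:443 -CAfile cacert.pem`.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): lint the TLS directives in an ssl.conf.
# Sample configs and placeholder files below are constructed for the example.
set -eu

# Value of the last active (uncommented) occurrence of a directive, or empty.
# Values are assumed unquoted, as in the stock ssl.conf.
directive_value() {                   # directive_value <ssl.conf> <Directive>
    awk -v d="$2" '$1 == d { v = $2 } END { print v }' "$1"
}

# check_ssl_conf <ssl.conf>: findings on stderr, number of problems on stdout.
check_ssl_conf() {
    local conf="$1" problems=0 n crt key ca
    # a vim search string pasted into the file is neither a comment nor a directive
    n=$(grep -cE '^[[:space:]]*/SSL' "$conf" || true)
    if [ "$n" -gt 0 ]; then
        grep -E '^[[:space:]]*/SSL' "$conf" | sed 's/^/invalid directive (leading \/): /' >&2
        problems=$((problems + n))
    fi
    crt=$(directive_value "$conf" SSLCertificateFile)
    key=$(directive_value "$conf" SSLCertificateKeyFile)
    ca=$(directive_value "$conf" SSLCACertificateFile)
    [ -n "$crt" ] && [ -r "$crt" ] || {
        echo "SSLCertificateFile missing or unreadable: '$crt'" >&2; problems=$((problems + 1)); }
    [ -n "$key" ] && [ -r "$key" ] || {
        echo "SSLCertificateKeyFile missing or unreadable: '$key'" >&2; problems=$((problems + 1)); }
    # httpd reads the key as root before dropping privileges; nobody else needs it
    if [ -n "$key" ] && [ -r "$key" ] && [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "SSLCertificateKeyFile is group/world readable: $(ls -l "$key" | cut -c1-10) $key" >&2
        problems=$((problems + 1))
    fi
    # SSLCACertificateFile only serves client-certificate auth (SSLVerifyClient), so it
    # is optional here; flag it only when it is set and points nowhere.
    if [ -n "$ca" ] && [ ! -r "$ca" ]; then
        echo "SSLCACertificateFile set but unreadable: $ca" >&2; problems=$((problems + 1))
    fi
    echo "$problems"
}

# Constructed samples: a correct conf, and one with the RS1 slip plus a 0644 key.
write_samples() {                     # write_samples <dir>
    local t="$1"
    : > "$t/httpd.crt"; : > "$t/cacert.pem"
    : > "$t/httpd.key"; chmod 600 "$t/httpd.key"
    : > "$t/world.key"; chmod 644 "$t/world.key"
    cat > "$t/good.conf" <<EOF
SSLCertificateFile $t/httpd.crt
SSLCertificateKeyFile $t/httpd.key
SSLCACertificateFile $t/cacert.pem
EOF
    cat > "$t/bad.conf" <<EOF
SSLCertificateFile $t/httpd.crt
SSLCertificateKeyFile $t/world.key
/SSLCACertificateFile /etc/httpd/ssl/cacert.pem
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
EOF
}

if [ "${1:-}" = "run" ]; then
    t=$(mktemp -d); write_samples "$t"
    echo "good.conf problems: $(check_ssl_conf "$t/good.conf")"
    echo "bad.conf problems:  $(check_ssl_conf "$t/bad.conf")"
fi
```

Point it at the real file with `check_ssl_conf /etc/httpd/conf.d/ssl.conf` from a shell that has sourced the script; a non-zero count means `httpd -t` will fail or the key is exposed, so fix those before restarting.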