Account authentication
On Linux, openssl ca with the default openssl.cnf policy can only issue certificates for the CA's own organization: the C, ST and O fields of a request must match the CA certificate.
Set up a root CA on Linux with a self-signed certificate, so that clients get identity verification of the server when they connect.

[root@localhost ~]# yum list all |grep openssl
This system is not registered with RHN.
RHN support will be disabled.
openssl.i686                           0.9.8e-7.el5          installed         
openssl-devel.i386                     0.9.8e-7.el5          installed         
openssl.i386                           0.9.8e-7.el5          rehl-server       
openssl-perl.i386                      0.9.8e-7.el5          rehl-server       
openssl097a.i386                       0.9.7a-9.el5_2.1      rehl-server       
xmlsec1-openssl.i386                   1.2.9-8.1             rehl-server       
xmlsec1-openssl-devel.i386             1.2.9-8.1             rehl-server       
[root@localhost ~]# yum install openssl*

 

1. Edit openssl.cnf and check the directory where the CA's private key is kept
[root@apache-server pki]# pwd                
/etc/pki
[root@apache-server pki]# vim tls/openssl.cnf
-- the directory holding the CA's own files, including its private key (private/cakey.pem)
dir             = /etc/pki/CA           # Where everything is kept
[root@apache-server pki]# cd /etc/pki/CA     
[root@apache-server CA]# ll
total 8
drwx------ 2 root root 4096 Dec 17  2008 private

2. Generate the CA's private key
[root@apache-server CA]# openssl genrsa 1024 >private/cakey.pem
Generating RSA private key, 1024 bit long modulus
.................++++++
.......++++++
e is 65537 (0x10001)
-- tighten permissions: the CA key must be readable by root only (a 1024-bit, unencrypted CA key is acceptable for this lab only; use at least 2048 bits and encrypt it with genrsa -aes256 for anything real)
[root@apache-server CA]# chmod 600 private/*
[root@apache-server CA]# ll private/
total 4
-rw------- 1 root root 887 Aug 23 23:05 cakey.pem
[root@apache-server CA]#


3. Self-sign the root CA certificate (ROOTCA)
[root@apache-server CA]# openssl req -x509 -new -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:TEC
Common Name (eg, your name or your server's hostname) []:ROOTCA.ZZU.COM
Email Address []:
[root@apache-server CA]#

 
The client (here the httpd server) requests a certificate
1. Generate the private key
[root@apache-server httpd]# mkdir certs
[root@apache-server httpd]# cd certs
[root@apache-server certs]# ll
total 0
[root@apache-server certs]# pwd
/etc/httpd/certs
[root@apache-server certs]# openssl genrsa 1024 >httpd.key
Generating RSA private key, 1024 bit long modulus
...............++++++
.......++++++
e is 65537 (0x10001)
[root@apache-server certs]# chmod 600 httpd.key
[root@apache-server certs]# ll
total 4
-rw------- 1 root root 887 Aug 23 23:20 httpd.key
[root@apache-server certs]#
2. Create the certificate signing request
The C, ST and O fields must be the same as the root CA's (the default policy_match section in openssl.cnf requires them to match); otherwise openssl ca refuses to sign, which is why this CA can only issue for its own organization. L (locality) is not in policy_match at all, so it is dropped from the issued certificate.
[root@apache-server certs]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:HENAN
Locality Name (eg, city) [Newbury]:ZHENGZHOU
Organization Name (eg, company) [My Company Ltd]:ZZU
Organizational Unit Name (eg, section) []:TEC
Common Name (eg, your name or your server's hostname) []:www.zzu.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@apache-server certs]#

3. Submit the request to the CA: input httpd.csr, output httpd.crt
[root@apache-server certs]# openssl ca -in httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
I am unable to access the /etc/pki/CA/newcerts directory
/etc/pki/CA/newcerts: No such file or directory
-- the CA's working directories (newcerts and the others) have not been created yet
[root@apache-server certs]# cd /etc/pki/CA/
[root@apache-server CA]# ll              
total 12
-rw-r--r-- 1 root root 1131 Aug 23 23:11 cacert.pem
drwx------ 2 root root 4096 Aug 23 23:05 private
[root@apache-server CA]# mkdir certs crl newcerts
[root@apache-server CA]# touch index.txt serial
[root@apache-server CA]# echo "01" > serial
-- the serial number the CA will assign to the next certificate (an even number of hex digits, written with plain ASCII quotes)
[root@apache-server CA]# cd /etc/httpd/certs
[root@apache-server certs]# ll
total 8
-rw-r--r-- 1 root root 643 Aug 23 23:25 httpd.csr
-rw------- 1 root root 887 Aug 23 23:20 httpd.key
[root@apache-server certs]# openssl ca -in httpd.csr -out httpd.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Aug 23 15:43:45 2011 GMT
            Not After : Aug 22 15:43:45 2012 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HENAN
            organizationName          = ZZU
            organizationalUnitName    = TEC
            commonName                = www.zzu.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                BC:38:DA:E8:CA:1C:D6:D9:34:80:B7:4B:4A:91:21:19:08:90:49:74
            X509v3 Authority Key Identifier:
                keyid:4D:07:D3:61:34:AA:57:A9:07:9F:62:6A:3C:04:27:52:E6:FE:A8:76

Certificate is to be certified until Aug 22 15:43:45 2012 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@apache-server certs]#
-- certificate issued
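The whole procedure above (CA steps 1-3 and client steps 1-3), as an added shell example that is not part of the original notes. It builds the same directory layout under a temporary directory with its own minimal openssl.cnf, reproduces the stock policy_match section, signs the www.zzu.com request with openssl ca, verifies the result against cacert.pem, and shows that a request for a different organization (O=OTHER, a constructed value) is refused. The DN values are the ones from the notes; the paths, the 2048-bit keys, the subjectAltName, the -batch/-notext flags and the O=OTHER request are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original notes: a throw-away CA with the layout
# of /etc/pki/CA above, under a temporary directory with its own openssl.cnf.
# DN values are those of the notes; the paths, 2048-bit keys, subjectAltName
# and the O=OTHER request are assumptions made for the example.
set -eu
CA=$(mktemp -d)

write_config() {
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir             = $CA
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert

# Same rule as the stock openssl.cnf: C, ST and O must equal the CA cert's,
# OU and email are optional, CN must be present.  L is not listed, so it is
# dropped from the issued certificate, as in the transcript above.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.zzu.com
EOF
}

# CA steps 1-3: directory layout, CA key, self-signed root certificate.
make_ca() {
  mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private"
  chmod 700 "$CA/private"
  : > "$CA/index.txt"
  echo "01" > "$CA/serial"
  write_config
  # 2048 bits, not 1024; add -aes256 to encrypt the CA key when not unattended.
  openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null
  chmod 600 "$CA/private/cakey.pem"
  openssl req -x509 -new -config "$CA/openssl.cnf" -key "$CA/private/cakey.pem" \
    -subj "/C=CN/ST=HENAN/L=ZHENGZHOU/O=ZZU/OU=TEC/CN=ROOTCA.ZZU.COM" \
    -days 365 -out "$CA/cacert.pem"
}

# Client steps 1-2: key and CSR for subject $2, written to $1/httpd.{key,csr}.
make_csr() {
  mkdir -p "$1"
  openssl genrsa -out "$1/httpd.key" 2048 2>/dev/null
  chmod 600 "$1/httpd.key"
  openssl req -new -config "$CA/openssl.cnf" -key "$1/httpd.key" \
    -subj "$2" -out "$1/httpd.csr"
}

# Client step 3: sign $1/httpd.csr into $1/httpd.crt.  Returns 0 only if a
# certificate was really written: on a policy mismatch openssl ca names the
# offending field and issues nothing, so the output does not parse as X.509.
sign_csr() {
  openssl ca -batch -notext -config "$CA/openssl.cnf" \
    -in "$1/httpd.csr" -out "$1/httpd.crt" >/dev/null 2>&1 || true
  openssl x509 -in "$1/httpd.crt" -noout >/dev/null 2>&1
}

# The chain check a client does once it trusts cacert.pem (step 5 of the notes).
verify_chain() { openssl verify -CAfile "$CA/cacert.pem" "$1/httpd.crt" >/dev/null 2>&1; }

make_ca
make_csr "$CA/www"   "/C=CN/ST=HENAN/L=ZHENGZHOU/O=ZZU/OU=TEC/CN=www.zzu.com"
make_csr "$CA/other" "/C=CN/ST=HENAN/L=ZHENGZHOU/O=OTHER/OU=TEC/CN=www.other.com"
sign_csr "$CA/www"   && echo "issued: www.zzu.com (O=ZZU matches the CA)"
sign_csr "$CA/other" || echo "refused: www.other.com (O=OTHER fails policy_match)"
verify_chain "$CA/www" && echo "www/httpd.crt verifies against cacert.pem"
```

The config is the minimum openssl ca needs; the stock /etc/pki/tls/openssl.cnf used in the notes carries the same policy_match block, which is what enforces the "own organization only" rule. Check the issued certificate with openssl x509 -in www/httpd.crt -noout -subject: it contains C, ST, O, OU and CN but no L, exactly like the transcript.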

 

4. Edit ssl.conf
[root@localhost ~]# yum list all |grep mod_ssl
This system is not registered with RHN.
RHN support will be disabled.
mod_ssl.i386                           1:2.2.3-22.el5        rehl-server       
[root@localhost ~]# yum install mod_ssl
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
#SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateFile /etc/httpd/certs/httpd.crt
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

SSLCertificateKeyFile /etc/httpd/certs/httpd.key
[root@localhost ~]#
[root@localhost ~]# httpd -t       
Syntax OK
[root@localhost ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
-- the browser still reports the certificate as untrusted: httpd has to send the chain up to the root, and the client has to have that root certificate installed as trusted (step 5 below)
[root@localhost ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateChainFile /etc/pki/CA/cacert.pem
-- the chain file: point it at the root CA certificate so httpd sends it together with httpd.crt
[root@localhost ~]# httpd -t       
Syntax OK
[root@localhost ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

5. Install the root certificate on the client
(screenshot 21-1)
(screenshot 21-2)
-- when the browser asks whether to trust it, answer Yes


6. After installing the root certificate: "certificate name is invalid"
-- the name in the certificate (CN www.zzu.com) must be the name the client uses to reach the site. Either point the client at a DNS server that resolves it or add an entry to the client's hosts file; once the client opens the site by that name the certificate warning no longer appears.
(screenshot 21-3)


7. Results of visiting the server after the client has installed the certificate
1) Access by IP address (the IP does not match the certificate's Common Name, so the warning remains)
(screenshot 21-4)
2) Access by domain name www.zzu.com (matches the certificate, no warning)
(screenshot 21-5)
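Steps 6 and 7 above (the name mismatch when the site is opened by IP but not by name), as an added shell example that is not from the original notes. It creates two constructed self-signed test certificates for www.zzu.com, one with only a Common Name as in the notes and one that also carries a subjectAltName with the DNS name and an IP address, and runs the hostname and IP checks of openssl verify against each. The subjectAltName goes beyond what the notes configure; the 192.0.2.10 address (a documentation address) and the mail.zzu.com name are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: why the browser warns when the
# site is opened by IP but not by name.  Two constructed self-signed test
# certificates for www.zzu.com are checked with openssl verify's name and IP
# matching.  192.0.2.10 (a documentation address) and mail.zzu.com are made up.
set -eu
WORK=$(mktemp -d)
SUBJ="/C=CN/ST=HENAN/O=ZZU/OU=TEC/CN=www.zzu.com"
# Tiny req config so the example does not depend on the system openssl.cnf.
printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > "$WORK/req.cnf"

# Self-signed certificate for $SUBJ written to $1.  $2, when given, is a
# subjectAltName value such as "DNS:www.zzu.com,IP:192.0.2.10".
make_cert() {
  out=$1
  san=${2:-}
  if [ -n "$san" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/req.cnf" \
      -subj "$SUBJ" -addext "subjectAltName=$san" -keyout "$out.key" -out "$out" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config "$WORK/req.cnf" \
      -subj "$SUBJ" -keyout "$out.key" -out "$out" 2>/dev/null
  fi
}

# What a TLS client checks after it trusts the issuer: does the name (or the
# IP) it connected to match the certificate?  Exit status 0 means it matches.
# The certificate is its own trust anchor here, so only the name check can fail.
check_host() { openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; }
check_ip()   { openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; }

CN_ONLY="$WORK/cn-only.pem";   make_cert "$CN_ONLY"
WITH_SAN="$WORK/with-san.pem"; make_cert "$WITH_SAN" "DNS:www.zzu.com,IP:192.0.2.10"

report() { label=$1; shift; if "$@"; then echo "$label: accepted"; else echo "$label: name mismatch"; fi; }
report "CN-only cert, opened as www.zzu.com" check_host "$CN_ONLY" www.zzu.com
report "CN-only cert, opened as 192.0.2.10"  check_ip   "$CN_ONLY" 192.0.2.10
report "SAN cert, opened as www.zzu.com"     check_host "$WITH_SAN" www.zzu.com
report "SAN cert, opened as 192.0.2.10"      check_ip   "$WITH_SAN" 192.0.2.10
report "SAN cert, opened as mail.zzu.com"    check_host "$WITH_SAN" mail.zzu.com
```

OpenSSL still falls back to the Common Name when a certificate has no subjectAltName, which is why the first check passes, but an IP is never matched against the CN, which is the situation in screenshot 21-4. Current browsers do not use the CN at all, so a certificate meant for them needs the DNS name (and, if the site will be opened by IP, the address) in the subjectAltName.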