I. Background

1. What is a CA
A Certificate Authority (CA) is an authoritative, trusted and impartial third party responsible for issuing and managing the digital certificates needed by every entity that takes part in online transactions. As that authority it manages keys, issues certificates that attest to a key's validity, and binds a public key to a specific entity (a consumer, a merchant, a bank). On this basis a highly secure encryption and authentication system can be built: information is known to no one but the sender and the receiver; it cannot be tampered with in transit; the sender can be sure the receiver is not an impostor (authenticity of identity, resistance to impersonation); and the sender cannot deny having sent it (non-repudiation).

2. Basic use of openssl

OpenSSL: open-source implementation of SSL
    libcrypto: general-purpose cryptographic library providing the various encryption functions
    libssl: implementation of the TLS/SSL protocols; a session-based TLS/SSL library that provides authentication, data confidentiality and session integrity
    openssl: multi-purpose command-line tool; can implement a private certificate authority, i.e. identity verification inside an organization

openssl subcommands and options used below:
    genrsa: generate a key (private key and public key) with the RSA algorithm
    req: request and generate certificates
    -new: generate a new certificate (request)
    -x509: X.509, the certificate standard commonly used on the Internet (output a self-signed certificate)
    -in: location of the input certificate or request (used when signing certificates and certificate requests)
    -out: where to write the resulting certificate
    -days: validity period of the certificate

II. Configuration

(1) Web server

[root@tx1 ~]# cd /var/www/html/
[root@tx1 html]# echo "hello client" > index.html
[root@tx1 html]# service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]

[root@tx1 ~]# openssl genrsa 1024 > newhttps.key  // the web site generates its own private key
Generating RSA private key, 1024 bit long modulus
.++++++
............++++++
e is 65537 (0x10001)

[root@tx1 ~]# openssl req -new -key newhttps.key -days 365 -out newhttps.csr
// generate a certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:jilin
Locality Name (eg, city) [Newbury]:tonghua
Organization Name (eg, company) [My Company Ltd]:tongshi
Organizational Unit Name (eg, section) []:student
Common Name (eg, your name or your server's hostname) []:tx1.test.com
Email Address []:tx1@.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

(2) CA configuration (done here by troubleshooting: run the signing command, fix whatever it complains about, and run it again)

@1.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt  // sign the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/cakey.pem
4048:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/cakey.pem','r')
4048:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
// The error says the CA private key cannot be found, and it is being looked up through a relative path
// First change the CA directory to an absolute path
[root@tx1 ~]# vim /etc/pki/tls/openssl.cnf
45 dir = /etc/pki/CA        // line 45 of openssl.cnf


@2.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key /etc/pki/CA/private/cakey.pem
4061:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/private/cakey.pem','r')
4061:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
// The error says the CA private key file /etc/pki/CA/private/cakey.pem does not exist
// Solution: generate that private key
[root@tx1 ~]# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem  // generate the CA's private key
Generating RSA private key, 1024 bit long modulus
......................................++++++
......++++++
e is 65537 (0x10001)


@3.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA certificate /etc/pki/CA/cacert.pem
4069:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/cacert.pem','r')
4069:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load certificate
// The error says the CA certificate /etc/pki/CA/cacert.pem cannot be found
// Solution: generate a self-signed certificate
[root@tx1 ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -x509 -days 365 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:jilin
Locality Name (eg, city) [Newbury]:tonghua
Organization Name (eg, company) [My Company Ltd]:tongshi
Organizational Unit Name (eg, section) []:student
Common Name (eg, your name or your server's hostname) []:tx1.test.com
Email Address []:tx1@.com


@4.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
I am unable to access the /etc/pki/CA/newcerts directory
/etc/pki/CA/newcerts: No such file or directory
// The error says the directory /etc/pki/CA/newcerts does not exist
// Solution: create the directory
[root@tx1 ~]# mkdir /etc/pki/CA/newcerts


@5.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
4097:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/index.txt','r')
4097:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
// The error says /etc/pki/CA/index.txt does not exist
// Solution: create the file
[root@tx1 ~]# touch /etc/pki/CA/index.txt


@6.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
4103:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/serial','r')
4103:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
// The serial number file cannot be found
// Solution: write an initial serial number into /etc/pki/CA/serial
[root@tx1 ~]# echo 00 > /etc/pki/CA/serial


@7.[root@tx1 ~]# openssl ca -in newhttps.csr -out newhttps.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
       Serial Number: 0 (0x0)
       Validity
           Not Before: Jul 27 02:38:37 2013 GMT
           Not After : Jul 27 02:38:37 2014 GMT
       Subject:
           countryName               = CN
           stateOrProvinceName       = jilin
           organizationName          = tongshi
           organizationalUnitName    = student
           commonName                = tx1.test.com
           emailAddress              = tx1@.com
       X509v3 extensions:
           X509v3 Basic Constraints:
               CA:FALSE
           Netscape Comment:
               OpenSSL Generated Certificate
           X509v3 Subject Key Identifier:
               63:CF:FA:50:A6:69:F9:3E:84:A5:7F:B8:D5:1E:C2:60:F2:B9:06:F9
           X509v3 Authority Key Identifier:
               keyid:DB:FE:54:C0:B5:FE:F8:08:7A:00:48:E5:DE:22:29:6E:AD:24:47:43

Certificate is to be certified until Jul 27 02:38:37 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

[root@tx1 ~]# scp newhttps.crt 192.168.8.71:/root
root@192.168.8.71's password:
newhttps.crt                                  100% 3201     3.1KB/s   00:00  
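The layout that the troubleshooting run above discovers one error at a time (the "dir" setting, private/cakey.pem, cacert.pem, newcerts/, index.txt, serial) can be prepared and checked in one pass before "openssl ca" is run. This is an added example, not a script from the original post; the CA directory is passed as an argument and the post's value /etc/pki/CA is only an assumption here. The check also reports a CA key readable by other users: the post writes the key through a shell redirect ("genrsa 1024 > cakey.pem"), which gives the file the umask default mode, usually 0644.

```shell
#!/bin/sh
# Added example (not from the original post). Prepares and checks the layout
# that "openssl ca" needs under "dir" in openssl.cnf, which the post's
# troubleshooting run discovers one error at a time. The directory is passed
# as an argument; the post's value is /etc/pki/CA (an assumption here).
set -eu

# Create newcerts/, private/, index.txt and serial exactly as the post does
# (empty index, serial starting at 00), with private/ closed to other users.
prepare_ca_dir() {
    ca_dir=$1
    mkdir -p "$ca_dir/newcerts" "$ca_dir/private"
    chmod 700 "$ca_dir/private"
    [ -f "$ca_dir/index.txt" ] || : > "$ca_dir/index.txt"
    [ -f "$ca_dir/serial" ]    || echo 00 > "$ca_dir/serial"
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Report everything "openssl ca" would refuse to start without, plus a CA
# key readable by other users (a "genrsa > cakey.pem" redirect gives the
# file the umask default, usually 0644). Returns 0 only if nothing is reported.
check_ca_dir() {
    ca_dir=$1
    status=0
    for f in private/cakey.pem cacert.pem index.txt serial; do
        [ -f "$ca_dir/$f" ] || { echo "missing file: $ca_dir/$f"; status=1; }
    done
    [ -d "$ca_dir/newcerts" ] || { echo "missing directory: $ca_dir/newcerts"; status=1; }
    if [ -f "$ca_dir/private/cakey.pem" ]; then
        case $(file_mode "$ca_dir/private/cakey.pem") in
            600|400) ;;
            *) echo "CA key $ca_dir/private/cakey.pem is not mode 0600"; status=1 ;;
        esac
    fi
    return $status
}

# After signing, confirm the issued certificate chains to the CA certificate;
# this is the command-line counterpart of the browser import in section III.
verify_issued() {
    openssl verify -CAfile "$1/cacert.pem" "$2"
}

# Usage: prepare, then list what is still missing before running "openssl ca".
# prepare_ca_dir /etc/pki/CA && check_ca_dir /etc/pki/CA
```

Once cakey.pem and cacert.pem have been generated as in steps @2 and @3, check_ca_dir returns 0 and "openssl ca" reaches the signing prompt directly.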

(3) Web server: enable HTTPS

[root@tx1 ~]# yum install mod_ssl -y
[root@tx1 ~]# vim /etc/httpd/conf.d/ssl.conf
112 SSLCertificateFile /etc/pki/tls/certs/newhttps.crt        // line 112 of ssl.conf
119 SSLCertificateKeyFile /etc/pki/tls/private/newhttps.key   // line 119 of ssl.conf
[root@tx1 ~]# cp newhttps.key /etc/pki/tls/private/newhttps.key
[root@tx1 ~]# cp newhttps.crt /etc/pki/tls/certs/newhttps.crt
[root@tx1 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

III. Client verification

1. Access the site
[screenshot]

2. Import the CA certificate
[screenshots of the browser's certificate-import steps]

3. Access the site again
[screenshot]