Setting up a CA server on Linux and certifying a service

Uploaded by: xmg****18  Document ID: 121222716  Upload date: 2020-02-19  Format: DOC  Pages: 11  Size: 109.46KB

Setting up a CA server and certifying a service

1. Install openssl

    [root@vipuser200 ~]# yum -y install openssl
    [root@vipuser200 ~]# vim /etc/pki/tls/

Change line 172 from

    basicConstraints=CA:FALSE

to

    basicConstraints=CA:TRUE

# Indicates that a root-level CA server does not need to request certification from a higher-level authority

2. Generate the public-key certificate and private key

    [root@vipuser200 ~]# /etc/pki/tls/misc/CA -help
    Unknown arg
    usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
    [root@vipuser200 ~]# /etc/pki/tls/misc/CA -newca
    CA certificate filename (or enter to create)
    Making CA certificate ...
    Generating a 2048 bit RSA private key
    .+.+
    writing new private key to /etc/pki/CA/private/./cakey.pem
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:        # enter a password
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN        # country
    State or Province Name (full name) []:HENAN        # province
    Locality Name (eg, city) [Default City]:LUOYANG        # city
    Organization Name (eg, company) [Default Company Ltd]:ZLF-COM        # company name
    Organizational Unit Name (eg, section) []:IT        # company department
    Common Name (eg, your name or your server's hostname) []:vipuser200.club        # server name
    Email Address []:        # e-mail address
    Please enter the following extra attributes        # extra attributes; the following 3 lines can be left blank
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/pki/tls/f
    Enter pass phrase for /etc/pki/CA/private/./cakey.pem:        # enter the password you set above
    Check that the request matches the signature
    Signature ok
    Certificate Details:
        Serial Number: 13248658701588095830 (0xb7dcb0e50a8be356)
        Validity
            Not Before: Jul 4 22:19:22 2016 GMT
            Not After : Jul 4 22:19:22 2019 GMT
        Subject:
            countryName = CN
            stateOrProvinceName = HENAN
            organizationName = ZLF-COM
            organizationalUnitName = IT
            commonName = vipuser200.club
            emailAddress =
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36
            X509v3 Authority Key Identifier:
                keyid:62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36
            X509v3 Basic Constraints:
                CA:TRUE
    Certificate is to be certified until Jul 4 22:19:22 2019 GMT (1095 days)
    Write out database with 1 new entries
    Data Base Updated

View the CA's private key

    [root@vipuser200 ~]# vim /etc/pki/CA/private/cakey.pem
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYBaODVh/svsCAggAMBQGCCqGSIb3DQMHBAhYEcNnBucpgwSCBMiEIKp4Qd851+hYOCUggAmWd4pgk8SdNVkLFBTFinghYfQVoEXRFRScPI/BasNdCGHIVzGn+ZlIBWucg99j82FQhRA7kFlh

View the CA's public key

    [root@vipuser200 ~]# vim /etc/pki/CA/cacert.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 13248658701588095830 (0xb7dcb0e50a8be356)
        Signature Algorithm: sha1WithRSAEncryption
            Issuer: C=CN, ST=HENAN, O=ZLF-COM, OU=IT, CN=vipuser200.club/emailAddress=
            Validity
                Not Before: Jul 4 22:19:22 2016 GMT
                Not After : Jul 4 22:19:22 2019 GMT
            Subject: C=CN, ST=HENAN, O=ZLF-COM, OU=IT, CN=vipuser200.club/emailAddress=
            Subject Public Key Info:

At this point the CA is set up.

3. Set up certified HTTPS

Bring up a second machine as the web server and start httpd.

    [root@vipuser201 ~]# yum -y install httpd
    [root@vipuser201 ~]# service httpd restart
    Stopping httpd: [  OK  ]
    Starting httpd: httpd: apr_sockaddr_info_get() failed for vipuser201.club
    httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
    [  OK  ]

# This means the hostname has no matching domain name entry; editing the /etc/hosts file fixes it

Generate the certificate request file for vipuser201 and obtain the certificate. First generate a private key, then use the private key to generate the certificate request file.

Generate the private key with an asymmetric encryption algorithm and write it to /etc/httpd/conf.d/server.key

    [root@vipuser201 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
    Generating RSA private key, 1024 bit long modulus
    .+.+
    e is 65537 (0x10001)
    Enter pass phrase for /etc/httpd/conf.d/server.key:        # set a password to protect the key
    Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:

Use the private key to generate the certificate request file

    [root@vipuser201 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
    Enter pass phrase for /etc/httpd/conf.d/server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is
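An added example, not part of the original document: a POSIX shell function that reads the output of `openssl x509 -noout -text` and reports three settings visible in this walkthrough, namely a SHA-1 signature, an RSA key under 2048 bits, and CA:TRUE on a certificate meant for a server. The function name, the finding labels, the 2048-bit floor and both sample dumps are assumptions constructed for illustration; whether the basicConstraints edit in step 1 reaches issued server certificates depends on which configuration section that line belongs to, which the page does not show.

```shell
# Added example: audit a certificate text dump for weak settings.
# audit_cert_text ROLE  (ROLE is "ca" or "leaf"): reads the text dump printed by
#   openssl x509 -in cert.pem -noout -text
# on stdin and prints one finding per line; no output means every check passed.
audit_cert_text() {
    role=$1
    dump=$(cat)
    # The signature hash is named on the first "Signature Algorithm:" line.
    sig=$(printf '%s\n' "$dump" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sig in
        md5*|sha1*|*-with-SHA1) echo "weak-signature:$sig" ;;
    esac
    # The modulus check applies to RSA keys only; EC keys are legitimately short.
    # 2048 bits is the assumed policy floor.
    if printf '%s\n' "$dump" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$dump" |
            sed -n 's/.*Public[- ]Key: *(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
        if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            echo "short-rsa-key:$bits"
        fi
    fi
    # CA:TRUE belongs on the CA certificate only; on a server certificate it
    # marks that certificate as an issuing one.
    if printf '%s\n' "$dump" | grep -q 'CA:TRUE'; then is_ca=yes; else is_ca=no; fi
    if [ "$role" = leaf ] && [ "$is_ca" = yes ]; then echo "leaf-is-ca"; fi
    if [ "$role" = ca ] && [ "$is_ca" = no ]; then echo "ca-not-marked-ca"; fi
    return 0
}

# Constructed sample dumps, abbreviated to the lines the checks read.
sample_weak_leaf() {
    cat <<'EOF'
        Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
            X509v3 Basic Constraints:
                CA:TRUE
EOF
}
sample_good_leaf() {
    cat <<'EOF'
        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
            X509v3 Basic Constraints:
                CA:FALSE
EOF
}
```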
