Notes:
CA host: 172.16.0.133
Client host: 172.16.0.132
Meaning of the files under /etc/pki/tls:
cert.pem       symlink to certs/ca-bundle.crt
certs          directory holding this server's certificates
ca-bundle.crt  the built-in (system) bundle of trusted CA certificates
private        directory holding certificate private keys
openssl.cnf    the main OpenSSL configuration file, including the CA section used by openssl ca
Quick path: instead of building your own CA and then issuing certificates, generate a self-signed certificate directly. This is enough to get HTTPS access working (browsers will warn, since nobody trusts the certificate):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/httpd/ssl.key -out /etc/httpd/ssl.crt
cat /etc/httpd/ssl.crt >> /etc/pki/tls/certs/ca-bundle.crt
-nodes writes the private key unencrypted, so keep /etc/httpd/ssl.key at mode 0600 and owned by root. Appending the certificate to ca-bundle.crt only affects clients running on this same host, and on CentOS 7 that file is regenerated by update-ca-trust, so the durable way to trust it locally is to copy the certificate into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust extract.
1. Provide the directories and files the CA needs
(1) Directories; create any that are missing
/etc/pki/CA/certs/     certificates the CA has signed (issued)
/etc/pki/CA/crl/       revoked certificates (CRLs)
/etc/pki/CA/newcerts/  a copy of every issued certificate, named by serial number
/etc/pki/CA/private/   the CA private key (keep the directory at mode 0700)
(2) Files
[root@centos7 ~]# touch /etc/pki/CA/serial      # serial number file
[root@centos7 ~]# touch /etc/pki/CA/index.txt   # the CA database
(3) Initialize the serial number
[root@centos7 ~]# echo 01 > /etc/pki/CA/serial   # the next serial the CA will use (hex, an even number of digits)
2. Generate the CA private key
[root@centos7 ~]# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
3. Generate the self-signed CA certificate
[root@centos7 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
Remember the countryName, stateOrProvinceName and organizationName you enter here: the default policy_match section in /etc/pki/tls/openssl.cnf makes openssl ca reject any request whose values for those three fields differ from the CA certificate.
4. On the client
(1) Create a directory for the private key and certificate
[root@CentOS7 ~]# mkdir /etc/httpd/ssl
(2) Generate the server's own private key
[root@CentOS7 ~]# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
(3) Create a certificate signing request (CSR) for the CA. The CSR carries the public key and the requested subject; the private key never leaves this host. -days is not needed here (it only applies with -x509); the validity period is set by the CA when it signs.
[root@CentOS7 ~]# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr
Enter C, ST and O exactly as on the CA certificate; commonName is the site name, www.test.com.
(4) Send the CSR to the CA
[root@CentOS7 ~]# scp /etc/httpd/ssl/httpd.csr root@172.16.0.133:/tmp/
5. On the CA host, sign the client's request
[root@centos7 ~]# openssl ca -in /tmp/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun  3 02:54:23 2017 GMT
            Not After : Jun  3 02:54:23 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            organizationName          = Company
            organizationalUnitName    = OPS
            commonName                = www.test.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                5D:A9:5A:90:29:F3:3A:7F:76:BE:21:78:14:80:E5:FB:5E:03:D8:D9
            X509v3 Authority Key Identifier:
                keyid:9E:1E:F3:84:4D:D0:79:E2:BD:DD:A8:50:29:6C:BA:0C:21:60:CA:96
Certificate is to be certified until Jun  3 02:54:23 2018 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries   (only when this line appears has the certificate actually been issued)
Data Base Updated
Check the details before answering y: CA:FALSE must be present, and the Subject must be the host you expect. The certificate carries only a commonName and no subjectAltName, which is what this CA's default config produces; modern browsers ignore the CN and require a subjectAltName, so for browser use add one via an extension section passed to openssl ca -extensions.
6. Send the signed certificate to the client
[root@centos7 ~]# scp /etc/pki/CA/certs/httpd.crt root@172.16.0.132:/etc/httpd/ssl/
7. Send the CA certificate to the client
[root@centos7 ~]# scp /etc/pki/CA/cacert.pem root@172.16.0.132:/etc/httpd/ssl/
8. Import the CA certificate (cacert.pem) into the client's trust store
cat /etc/httpd/ssl/cacert.pem >> /etc/pki/tls/certs/ca-bundle.crt
On CentOS 7 ca-bundle.crt is regenerated by update-ca-trust, so the change above does not survive; prefer cp /etc/httpd/ssl/cacert.pem /etc/pki/ca-trust/source/anchors/ followed by update-ca-trust extract. Only the CA certificate needs to be a trust anchor: also importing the issued httpd.crt adds nothing, because trust in it follows from the CA, and only cacert.pem (never cakey.pem) should ever be copied off the CA host. This step only makes this host trust the CA; every browser or other client that connects must import cacert.pem itself.
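The CA steps (1 to 3, 5) and client steps (4, 6 to 8) above, run end-to-end as one script. This is an added example, not a script from the original post: it runs in a scratch directory instead of /etc/pki/CA and /etc/httpd/ssl so it works on any host with openssl and no root access, it supplies a minimal config in place of /etc/pki/tls/openssl.cnf, uses -batch in place of the two y/n prompts, and adds a subjectAltName for www.test.com because browsers require one. The subject fields and host name come from the post; the scratch paths, the config file and the "Test CA" name are assumptions. openssl verify -CAfile stands in for step 8: it checks exactly what a client that has imported cacert.pem would check.

```shell
#!/bin/sh
# Added example (not from the original post): private CA plus server
# certificate, end to end, in a scratch directory. Paths below are
# assumptions standing in for /etc/pki/CA and /etc/httpd/ssl.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/CA"          # role of /etc/pki/CA on the CA host 172.16.0.133
CLIENT="$WORK/ssl"     # role of /etc/httpd/ssl on the client 172.16.0.132
HOST=www.test.com

# Step 1: directories and bookkeeping files that openssl ca requires.
prepare_ca_dirs() {
    mkdir -p "$CA/certs" "$CA/crl" "$CA/newcerts" "$CA/private" "$CLIENT"
    chmod 700 "$CA/private"
    touch "$CA/index.txt"          # CA database
    echo 01 > "$CA/serial"         # next serial: hex, even number of digits
}

# Minimal config for req and ca (assumed; stands in for openssl.cnf).
# Extensions are fixed by the CA, not copied from the CSR, so a requester
# cannot ask for CA:TRUE or an arbitrary subjectAltName.
write_ca_config() {
    cat > "$CA/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $CA
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_match
unique_subject = no
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$HOST
EOF
}

# Steps 2 and 3: CA private key (mode 0600 via umask) and self-signed CA cert.
create_ca() {
    (umask 077; openssl genrsa -out "$CA/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA/ca.cnf" -extensions v3_ca -days 365 \
        -key "$CA/private/cakey.pem" -out "$CA/cacert.pem" \
        -subj "/C=CN/ST=BeiJing/O=Company/OU=OPS/CN=Test CA"
}

# Step 4 (client): server key and CSR. C, ST and O match the CA so that
# policy_match accepts the request; the key never leaves $CLIENT.
create_csr() {
    (umask 077; openssl genrsa -out "$CLIENT/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$CA/ca.cnf" -key "$CLIENT/httpd.key" \
        -out "$CLIENT/httpd.csr" -subj "/C=CN/ST=BeiJing/O=Company/OU=OPS/CN=$HOST"
}

# Step 5 (CA): sign. -batch answers the y/n prompts; -notext keeps only PEM.
sign_csr() {
    openssl ca -batch -notext -config "$CA/ca.cnf" -extensions server_cert \
        -days 365 -in "$CLIENT/httpd.csr" -out "$CA/certs/httpd.crt" >/dev/null
}

# Steps 6 to 8 (client): with cacert.pem as the only trust anchor, the issued
# certificate must chain to it and be valid for the host name.
verify_server_cert() {
    if openssl verify -CAfile "$CA/cacert.pem" -verify_hostname "$HOST" \
            "$CA/certs/httpd.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# The certificate installed in httpd must belong to the key httpd loads.
key_matches_cert() {
    cert_mod=$(openssl x509 -noout -modulus -in "$CA/certs/httpd.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$CLIENT/httpd.key")
    if [ "$cert_mod" = "$key_mod" ]; then echo yes; else echo no; fi
}

# yes if the issued certificate's text dump contains $1 (e.g. "CA:FALSE").
cert_has() {
    openssl x509 -noout -text -in "$CA/certs/httpd.crt" | grep -q -- "$1" && echo yes || echo no
}

prepare_ca_dirs
write_ca_config
create_ca
create_csr
sign_csr
echo "issued $CA/certs/httpd.crt (serial now $(cat "$CA/serial")), chain check: $(verify_server_cert)"
```

Run it as an ordinary user; everything lands under the mktemp directory. On the real hosts the same commands apply with the paths from the post, and step 8 becomes installing cacert.pem as a trust anchor rather than the -CAfile check.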
HTTPS configuration
9. Edit the configuration file /etc/httpd/conf.d/virthost.conf

A template is in /etc/httpd/conf.d/ssl.conf (installed by mod_ssl): copy the SSL directives from it and change the paths to the files placed in /etc/httpd/ssl in steps 6 and 7, then run httpd -t before restarting httpd.
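A virtual host written that way, as an added example (not the post's own virthost.conf): the certificate, key and CA paths are the ones from steps 6 to 8, ServerName is the CSR's commonName, and DocumentRoot is an assumption.

```apache
# Added example, not from the original post. ssl.conf already contains
# "Listen 443 https"; do not repeat it here or httpd fails to start.
<VirtualHost *:443>
    ServerName   www.test.com
    DocumentRoot /var/www/html      # assumed

    SSLEngine on
    # Certificate issued by the private CA (step 6) and the server's key (step 4)
    SSLCertificateFile      /etc/httpd/ssl/httpd.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/httpd.key
    # Optional: send the CA certificate (step 7) along with the chain.
    # Valid on the httpd 2.4.6 shipped with CentOS 7; on 2.4.8+ the CA
    # certificate can instead be appended to the SSLCertificateFile.
    SSLCertificateChainFile /etc/httpd/ssl/cacert.pem

    # Tighter than the ssl.conf defaults: no SSLv2/SSLv3, server picks the cipher
    SSLProtocol         all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite      HIGH:!aNULL:!MD5
</VirtualHost>
```

After httpd -t and systemctl restart httpd, check from a host that has cacert.pem with openssl s_client -connect 172.16.0.132:443 -servername www.test.com -CAfile /etc/httpd/ssl/cacert.pem and look for "Verify return code: 0 (ok)"; anything else means the chain or the host name does not match. The key file must stay mode 0600 owned by root, which is why step 4 generated it under umask 077.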
