Linux从青铜到王者-基于http的CA认证实战

互联网老辛
739 阅读6分钟

大家好,我是互联网老辛,这是我参与更文挑战的第24天, 活动详情查看:更文挑战

CA认证的介绍

CA翻译成: 认证中心,主要用途:实现为用户发放数字证书。 认证中心(CA)功能: 证书发放,证书更新,证书撤销和证书验证

总结签证过程:

  1. 生成请求文件
  2. CA确认申请者的身份的真实性
  3. CA使用根证书私钥加密请求文件-生成证书
  4. 把证书发给申请者

搭建CA认证

1. 安装ca认证软件包中心

直接安装openssl即可,但一般系统都已经安装好了,我们用下面的命令查看

[root@xinsz08-64 桌面]# rpm -qf `which openssl`
openssl-1.0.1e-57.el6.x86_64

2. 配置一个自己的CA认证中心,生成CA的根证书和私钥。根证书包括 : CA公钥

[root@xinsz08-64 桌面]# vim /etc/pki/tls/openssl.cnf 
basicConstraints=CA:TRUE

3. 生成CA的公钥和私钥

[root@xinsz08-64 桌面]# /etc/pki/tls/misc/CA -h -newcert 新证书 -newreq 新请求 -newreq-nodes 新请求节点 -newca 新的CA证书 -sign 签证 -verify 验证

[root@xinsz08-64 桌面]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
.............+++
............................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:123456
Verifying - Enter PEM pass phrase:  123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:zmedu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:zmedu.cn 
Email Address []:xinsz08@yeah.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 11528897308301078024 (0x9ffedf04e93e2e08)
        Validity
            Not Before: Mar  5 06:01:52 2020 GMT
            Not After : Mar  5 06:01:52 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = zmedu
            organizationalUnitName    = IT
            commonName                = zmedu.cn
            emailAddress              = xinsz08@yeah.net
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E5:76:DA:19:34:76:F6:1D:26:66:57:97:C1:93:F5:BA:4E:B1:50:1A
            X509v3 Authority Key Identifier: 
                keyid:E5:76:DA:19:34:76:F6:1D:26:66:57:97:C1:93:F5:BA:4E:B1:50:1A

            X509v3 Basic Constraints: 
                CA:TRUE
Certificate is to be certified until Mar  5 06:01:52 2023 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

4. 查看生成的CA根证书

[root@xinsz08-64 桌面]# vim /etc/pki/CA/cacert.pem 查看公钥 [root@xinsz08-64 桌面]# vim /etc/pki/CA/private/cakey.pem 查看私钥

设置好了本地的CA认证服务器之后,我们来看看CA的认证过程

  1. 安装httpd
[root@xinsz08-1 ~]# yum install httpd -y
  1. 修改http web服务器
[root@xinsz08-1 ~]# vim /etc/httpd/conf/httpd.conf 
[root@xinsz08-1 ~]# service httpd restart
停止 httpd:                                               [失败]
正在启动 httpd:                                           [确定]
  1. 客户端服务器生成证书请求文件,获得证书
[root@xinsz08-1 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/sever.key
Generating RSA private key, 1024 bit long modulus
................++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/sever.key:
Verifying - Enter pass phrase for /etc/httpd/conf.d/sever.key:
  1. 使用私钥生成请求文件
[root@xinsz08-64 ~]# openssl req -new -key /etc/httpd/conf.d/server.key 	-out 	/server.csr    #注意后期添加的国家,省,组织等信息要和CA保持一致
Enter pass phrase for /etc/httpd/conf.d/server.key:123456  #输入私钥的密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:zmedu
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:xinsz08-64.cn 
#这里要求输入的CommonName必须与通过浏览器访问您网站的 URL 完全相同,否则用户会发	现您服务器证书的通用名与站点的名字不匹配,用户就会怀疑您的证书的真实性。可以使域名也可以	使IP地址。
Email Address []:1@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    #不输密码直接回车
An optional company name []:
注:证书请求文件中有xinsz08-64的公钥。  这个公钥是在生成证书请求文件时,通过指定的私钥 	/etc/httpd/conf.d/server.key生成的。 
常识: 通过私钥可以生成公钥的,通过公钥不可以推出来私钥。

5、将证书请求文件发给CA服务器:

[root@xinsz08-64 ~]# scp /server.csr 192.168.1.63:/tmp/
  1. 签名
[root@xinsz08-62 ~]# openssl ca -h
[root@xinsz08-62 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert  /etc/pki/CA/cacert.pem -in /tmp/server.csr -out /server.crt 
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:123456
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            ce:60:e0:a3:fe:ee:88:09
        Validity
            Not Before: Dec 21 14:25:53 2014 GMT
            Not After : Dec 21 14:25:53 2015 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = xzmedu
            organizationalUnitName    = IT
            commonName                = xinsz08-64.cn
            emailAddress              = 1@163.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:TRUE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                1B:30:0B:28:4A:31:EA:FC:05:7D:54:A3:87:A0:6E:BE:F8:D6:3C:F8
            X509v3 Authority Key Identifier: 
                keyid:6D:0F:0C:C5:96:32:A8:8B:D3:FF:36:39:5B:14:5B:9B:31:12:4A:C3

Certificate is to be certified until Dec 21 14:25:53 2015 GMT (365 days)   #证书有效期是365天。证书进行认证,直到12月21日十四时25分53秒格林尼治标准时间2015年(365天)
Sign the certificate? [y/n]:y    #注册证书
1 out of 1 certificate requests certified, commit? [y/n]y  #确认
Write out database with 1 new entries
Data Base Updated

7、将证书复制到xinsz08-64

[root@xinsz08-62 ~]# scp /server.crt 192.168.1.64:/

到此证书签名完毕。

使用证书实现https 18.4.2 在xinsz08-64上配置HTTPS web服务器 1、安装SSL模块

[root@xinsz08-64 ~]# yum install mod_ssl -y

2、配置apache加载证书文件 [root@xinsz08-64 ~]# cp /server.crt /etc/httpd/conf.d/ #复制证书

[root@xinsz08-64 ~]# ls /etc/httpd/conf.d/server.key  #查看私钥
/etc/httpd/conf.d/server.key

[root@xinsz08-64 ~]# vim /etc/httpd/conf.d/ssl.conf
改:100  SSLCertificateFile /etc/pki/tls/certs/localhost.crt 
为:100  SSLCertificateFile  /etc/httpd/conf.d/server.crt

改:107  SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
为:107  SSLCertificateKeyFile /etc/httpd/conf.d/server.key

3、启动服务: [

root@xinsz08-64 ~]# systemctl restart httpd
Enter SSL pass phrase for xinsz08-64.cn:443 (RSA) : 123456    #httpd私钥密码

4、测试https,查看端口

 [root@xinsz08-64 ~]# netstat -antup | grep 443
tcp        0      0 :::443          :::*                        LISTEN      5138/httpd

5、通过浏览器测试https效果 访问IP

在这里插入图片描述 在这里插入图片描述 在这里插入图片描述 在这里插入图片描述 在这里插入图片描述

在这里插入图片描述 在这里插入图片描述 在这里插入图片描述

在这里插入图片描述

查看浏览器上的证书

在这里插入图片描述 在这里插入图片描述

在这里插入图片描述

在这里插入图片描述

在这里插入图片描述

总结

我们自己搭建CA认证是为了理清CA认证的过程,弄懂它的原理。 事实上我们在公司都是直接买现成的。这就像我们可以使用shell写一个监控脚本, 但 更多时候我们会用开源的工具,比如zabbix

avatar
文章
阅读
粉丝