一、准备

两台虚拟机

192.168.252.148 CA

192.168.252.149 客户端

二、构建私有CA

192.168.252.148 CA

安装openssl

1.检查是否存在
rpm -qa openssl
2.安装或者更新openssl
yum install openssl openssl-devel -y

查看CA相关配置

/etc/pki/tls/openssl.cnf这个文件是CA的配置文件。

此文件对于是证书签署者的身份会使用到此文件

此文件对于证书的申请者的身份是无用的。

根证书服务器目录：

根CA服务器：/etc/pki/CA 192.168.252.148

网站服务器：/etc/pki/tls 192.168.252.149

查看文件
cat  /etc/pki/tls/openssl.cnf

创建所需文件

cd /etc/pki/CA/
ls
certs  crl  newcerts  private1.创建生成证书索引数据库文件
touch index.txt
2.指定第一个颁发证书的序列号
echo 01 > serialls
certs  crl  index.txt  newcerts  private  serial

创建秘钥

1.使用openssl创建秘钥
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)Generating RSA private key, 2048 bit long modulus
.....................+++
...............................+++
e is 65537 (0x10001)2.在private中查看
ls private/
cakey.pem

https://img-blog.csdnimg.cn/img_convert/0de211d21605e254111ab1d555384658.png" width="1016" />

生成自签名的证书

根CA自签名证书，根CA是最顶级的认证机构，没有人能够认证他，所以只能自己认证自己生成自签名证书。

1.生成自签名证书通过秘钥
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem -days 7300You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                         //签发国家  
State or Province Name (full name) []:BEIJING                //签发省份
Locality Name (eg, city) [Default City]:BEIJING              //签发城市
Organization Name (eg, company) [Default Company Ltd]:CA     //签发公司
Organizational Unit Name (eg, section) []:OPT                //签发部门
Common Name (eg, your name or your server's hostname) []:www.syh.com   //签发域名
Email Address []:3146359748@qq.com                           //签发邮件                         2.查看文件
ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

https://img-blog.csdnimg.cn/img_convert/a1a6c616ef33f82137d3ed4563b764be.png" width="1200" />

https://img-blog.csdnimg.cn/img_convert/3953220f63cda6c905437a04fa12da84.png" width="736" />

参数解释：

-new 			生成新证书签署请求
-x509 		专用于CA生成自签证书
-key 			生成请求时用到的私钥文件
-days 		证书的有效期限
-out 		 	证书的保存路径

下载安装证书

yum install -y lrzsz
sz /etc/pki/CA/cacert.pem

https://img-blog.csdnimg.cn/img_convert/622762f9826a255e84b9e180b24cd1c7.png" width="182" />

以谷歌浏览器为例：

点击设置

https://img-blog.csdnimg.cn/img_convert/c561a5a8c6adb9b5e15862e71f25e01a.png" width="1200" />

点击安全和隐私

https://img-blog.csdnimg.cn/img_convert/a763b124a6e81b975ef11ecdc298c274.png" width="1200" />

向下滑

https://img-blog.csdnimg.cn/img_convert/2d44c21becdef3fab99221fd46065751.png" width="1200" />

找到证书管理会出现一个弹窗

https://img-blog.csdnimg.cn/img_convert/7a668c84f7356efcba0c847dabd87471.png" width="1200" />

导入刚才上传电脑的证书

https://img-blog.csdnimg.cn/img_convert/18f84c4938be74dd5cf9ae92bb721902.png" width="754" />

根据向导导入证书

https://img-blog.csdnimg.cn/img_convert/f043c3ae0f8194dddf28cbf1825c85be.png" width="785" />

导入刚才上传的证书

https://img-blog.csdnimg.cn/img_convert/76450bf3a9139a98a1ca87fb59cfa838.png" width="785" />

完成

三、服务器端进行CA证书申请和签名

192.168.252.149 客户端

安装openssl

1.检查是否存在
rpm -qa openssl
2.安装或者更新openssl
yum install openssl openssl-devel -y

生成私钥文件

1.生成私钥
(umask 066; openssl genrsa -out /etc/pki/tls/private/www.syh.com.key 2048)Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
.....+++
e is 65537 (0x10001)2.查看私钥
ls /etc/pki/tls/private/
localhost.key  www.syh.com.key

https://img-blog.csdnimg.cn/img_convert/a984d3f5fa1603487397ca52b1c30f84.png" width="1200" />

私钥加密生成证书

1.私钥加密生成证书
openssl req -new -key /etc/pki/tls/private/www.syh.com.key -days 365 -out /etc/pki/tls/www.syh.com.csrww.syh.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:www.syh.com
Email Address []:3146359748@qq.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []://此处的信息要一定与在生成自签名的证书的信息一致2.查看证书的生成
ls  /etc/pki/tls/
cert.pem  certs  misc  openssl.cnf  private  www.syh.com.csr

四、证书签署

客户端的证书传输到CA端上

传输这个证书/etc/pki/tls/www.qf.com.csr到CA端

192.168.252.149:
cd  /etc/pki/tls/
scp  www.syh.com.csr  192.168.252.148:/etc/pki/CA/private192.168.252.148:
cd /etc/pki/CA/private
ls
cakey.pem  www.syh.com.csr

https://img-blog.csdnimg.cn/img_convert/c82ed84e44a7abd6098a982eca5a9f47.png" width="1200" />

https://img-blog.csdnimg.cn/img_convert/0a59cb0f04b606972f0d0074e703d1a7.png" width="411" />

证书签署

1.修改配置文件/etc/pki/tls/openssl.cnf，修改organizationName=supplied

192.168.252.148：
1.编辑配置文件
vim /etc/pki/tls/openssl.cnf
/organizationName搜索这个
找到这个模块修改：
# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

https://img-blog.csdnimg.cn/img_convert/24d85467a113949d00d0b51595257012.png" width="1105" />

2.CA签署

192.168.252.148：
1.签署证书
openssl ca -in /etc/pki/CA/private/www.syh.com.csr -out /etc/pki/CA/certs/www.syh.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnfUsing configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:Serial Number: 1 (0x1)ValidityNot Before: Sep  3 12:09:17 2024 GMTNot After : Sep  3 12:09:17 2025 GMTSubject:countryName               = CNstateOrProvinceName       = BEIJINGorganizationName          = CAorganizationalUnitName    = OPTcommonName                = www.syh.comemailAddress              = 3146359748@qq.comX509v3 extensions:X509v3 Basic Constraints: CA:FALSENetscape Comment: OpenSSL Generated CertificateX509v3 Subject Key Identifier: FA:A5:D7:6B:7D:8A:C2:BA:06:BA:7B:DF:71:35:40:5E:A1:AF:3A:F1X509v3 Authority Key Identifier: keyid:AF:0C:F8:02:B7:C0:51:E3:B7:AB:3A:A0:15:EE:0A:39:8A:03:AB:6ACertificate is to be certified until Sep  3 12:09:17 2025 GMT (365 days)
Sign the certificate? [y/n]:y1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated2.查看证书
ls /etc/pki/CA/certs/
www.syh.com.crt

https://img-blog.csdnimg.cn/img_convert/a7025214d0d483bea54afaa0c10cd206.png" width="1200" />

https://img-blog.csdnimg.cn/img_convert/e365ce0072d1a37f96774a0067a4fe4b.png" width="362" />

发送签署后的证书

192.168.252.148：
1.发送证书
cd /etc/pki/CA/certs/
scp www.syh.com.crt 192.168.252.149:/etc/pki/CA/certs/192.168.252.149：
1.查看证书
ls /etc/pki/CA/certs/
www.syh.com.crt

https://img-blog.csdnimg.cn/img_convert/41e3f782457c4199e539745fc89f9afd.png" width="1200" />

https://img-blog.csdnimg.cn/img_convert/4a70c9c3d755938e87b71a8f7e93ce9c.png" width="555" />

五、测试

证书文件和密钥文件

证书文件路径：
/etc/pki/CA/certs/www.syh.com.crt
密钥文件路径：
/etc/pki/tls/private/www.syh.com.key

https://img-blog.csdnimg.cn/img_convert/20b49db86a1fe51c90c7afacb0790605.png" width="780" />

配置Nginx配置文件

1.编辑配置文件：
vim /etc/nginx/conf.d/nginx_ca.confserver {listen       443 ssl;server_name  www.syh.com;ssl_certificate      /etc/pki/CA/certs/www.syh.com.crt;                 #指定证书路径ssl_certificate_key  /etc/pki/tls/private/www.syh.com.key;              #指定私钥路径ssl_session_timeout  5m;                                                #配置用于SSL会话的缓存ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;  							#如果出现无法访问的连接就将此注释注释掉ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; #密码指定为OpenSSL支持的格式ssl_prefer_server_ciphers   on;                                         #设置协商加密算法时，优先使用服务端的
加密，而不是客户端浏览器的。location / {root /jump/html;index index.html index.htm;}
}2.创建发布目录
mkdir -p  /jump/html
发布一个跳一跳3.重启
nginx -t
systemctl restart nginx

配置windows解析

https://img-blog.csdnimg.cn/img_convert/c8d06a2805cd98cf79b6e415faf5eb03.png" width="511" />

https://img-blog.csdnimg.cn/img_convert/f9975ed512224b7762a200477548dca8.png" width="1200" />

https://img-blog.csdnimg.cn/img_convert/56f5d76f08db1921323ea4b5cff9ac8a.png" width="1200" />

https://img-blog.csdnimg.cn/img_convert/2e51d04b72c1975e2dc7b2c2f333ab9a.png" width="1200" />

https://img-blog.csdnimg.cn/img_convert/8fda41c03dd9171a68d18aef2111a9d1.png" width="1200" />

访问

https://www.syh.com

https://img-blog.csdnimg.cn/img_convert/f42930de21183dc85b92478e512cc0b8.png" width="1200" />

因为私有证书不受此浏览器信任所以会出现不安全的https连接