I. Preparation
Two virtual machines:
192.168.252.148  CA
192.168.252.149  client
II. Build the private CA
192.168.252.148  CA
Install openssl
1. Check whether it is already installed
rpm -qa openssl
2. Install or update openssl
yum install openssl openssl-devel -y
Look at the CA configuration
/etc/pki/tls/openssl.cnf is the CA configuration file.
It is used by the party acting as certificate signer (the CA).
It is not needed by the party that only applies for a certificate.
Directories used below:
Root CA server: /etc/pki/CA   192.168.252.148
Web server:     /etc/pki/tls  192.168.252.149
View the file
cat /etc/pki/tls/openssl.cnf
Create the required files
cd /etc/pki/CA/
ls
certs crl newcerts private
1. Create the certificate index database file
touch index.txt
2. Set the serial number of the first certificate to be issued
echo 01 > serial
ls
certs crl index.txt newcerts private serial
Create the CA key
1. Create the key with openssl
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....................+++
...............................+++
e is 65537 (0x10001)
2. Check the private directory
ls private/
cakey.pem
Generate the self-signed certificate
The root CA certificate is self-signed: the root CA is the top-level authority and nobody is above it to certify it, so it can only certify itself, which means issuing a self-signed certificate.
1. Generate the self-signed certificate from the key
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                    // issuing country
State or Province Name (full name) []:BEIJING                           // issuing province
Locality Name (eg, city) [Default City]:BEIJING                         // issuing city
Organization Name (eg, company) [Default Company Ltd]:CA                // issuing company
Organizational Unit Name (eg, section) []:OPT                           // issuing department
Common Name (eg, your name or your server's hostname) []:www.syh.com    // issuing domain name
Email Address []:3146359748@qq.com                                      // issuing e-mail
2. View the files
ls
cacert.pem certs crl index.txt newcerts private serial
Parameter explanation:
-new    generate a new certificate signing request
-x509   used by a CA to generate a self-signed certificate
-key    the private key file used to generate the request
-days   validity period of the certificate
-out    path where the certificate is saved
Download and install the certificate
yum install -y lrzsz
sz /etc/pki/CA/cacert.pem
Taking Google Chrome as an example:
Click Settings
Click Privacy and security
Scroll down
Open Manage certificates; a dialog appears
Import the certificate that was just transferred to the PC
Follow the wizard to import the certificate
Select the certificate just transferred
Done
III. Server side: request a certificate and have the CA sign it
192.168.252.149  client
Install openssl
1. Check whether it is already installed
rpm -qa openssl
2. Install or update openssl
yum install openssl openssl-devel -y
Generate the private key file
1. Generate the private key
(umask 066; openssl genrsa -out /etc/pki/tls/private/www.syh.com.key 2048)
Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
.....+++
e is 65537 (0x10001)
2. View the private key
ls /etc/pki/tls/private/
localhost.key www.syh.com.key
Generate the certificate signing request (CSR) with the private key
1. Generate the CSR with the private key
openssl req -new -key /etc/pki/tls/private/www.syh.com.key -days 365 -out /etc/pki/tls/www.syh.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:www.syh.com
Email Address []:3146359748@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
// The information entered here must match what was given when generating the self-signed certificate.
2. Check that the request was generated
ls /etc/pki/tls/
cert.pem certs misc openssl.cnf private www.syh.com.csr
IV. Certificate signing
Transfer the client's request to the CA
Transfer the request /etc/pki/tls/www.syh.com.csr to the CA
On 192.168.252.149:
cd /etc/pki/tls/
scp www.syh.com.csr 192.168.252.148:/etc/pki/CA/private
On 192.168.252.148:
cd /etc/pki/CA/private
ls
cakey.pem www.syh.com.csr
Sign the certificate
1. Edit the configuration file /etc/pki/tls/openssl.cnf and change organizationName to supplied
On 192.168.252.148:
1. Edit the configuration file
vim /etc/pki/tls/openssl.cnf
Search for organizationName (type /organizationName in vim)
Find this section and modify it:
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
2. The CA signs the request
On 192.168.252.148:
1. Sign the certificate
openssl ca -in /etc/pki/CA/private/www.syh.com.csr -out /etc/pki/CA/certs/www.syh.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 3 12:09:17 2024 GMT
            Not After : Sep 3 12:09:17 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = CA
            organizationalUnitName    = OPT
            commonName                = www.syh.com
            emailAddress              = 3146359748@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                FA:A5:D7:6B:7D:8A:C2:BA:06:BA:7B:DF:71:35:40:5E:A1:AF:3A:F1
            X509v3 Authority Key Identifier:
                keyid:AF:0C:F8:02:B7:C0:51:E3:B7:AB:3A:A0:15:EE:0A:39:8A:03:AB:6A
Certificate is to be certified until Sep 3 12:09:17 2025 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2. View the certificate
ls /etc/pki/CA/certs/
www.syh.com.crt
Send the signed certificate back
On 192.168.252.148:
1. Send the certificate
cd /etc/pki/CA/certs/
scp www.syh.com.crt 192.168.252.149:/etc/pki/CA/certs/
On 192.168.252.149:
1. View the certificate
ls /etc/pki/CA/certs/
www.syh.com.crt
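The CA build-out of sections II to IV as one non-interactive script, added here as an example and not part of the original post. It mirrors the post's policy_match section, puts the hostname in a subjectAltName (Chrome has ignored the CN since version 58, so the post's CN-only certificate is still rejected even once the CA is trusted), forces CA:FALSE on issued certificates so a request cannot obtain CA powers through copy_extensions, and ends with the chain check the post never runs. Assumptions: openssl 1.1.1 or newer (for -addext), a scratch directory in place of /etc/pki, and a root CN of my own choosing.

```shell
# Added example, not the post's commands: CA + server cert in a scratch dir
# (hypothetical; the post uses /etc/pki). Needs openssl >= 1.1.1 for -addext.
build_private_ca() (            # subshell body, so the cd does not leak
  set -e; cd "$1"; mkdir -p certs newcerts private; touch index.txt
  echo 01 > serial              # serial of the first issued cert, as in the post
  cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_match
copy_extensions = copy
x509_extensions = server_ext
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_ext ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ req ]
distinguished_name = dn
[ dn ]
EOF
  (umask 066; openssl genrsa -out private/cakey.pem 2048 2>/dev/null)
  openssl req -new -x509 -key private/cakey.pem -days 7300 -config openssl.cnf \
    -extensions v3_ca -subj "/C=CN/ST=BEIJING/O=CA/OU=OPT/CN=syh root CA" \
    -out cacert.pem
  (umask 066; openssl genrsa -out private/www.syh.com.key 2048 2>/dev/null)
  openssl req -new -key private/www.syh.com.key -config openssl.cnf \
    -subj "/C=CN/ST=BEIJING/O=CA/OU=OPT/CN=www.syh.com" \
    -addext "subjectAltName=DNS:www.syh.com" -out www.syh.com.csr
  openssl ca -batch -config openssl.cnf -days 365 -in www.syh.com.csr -out certs/www.syh.com.crt >/dev/null 2>&1
)
verify_issued_cert() {  # 0 only if the cert chains to cacert.pem, is not a CA, and carries the SAN
  openssl verify -CAfile "$1/cacert.pem" "$1/certs/www.syh.com.crt" >/dev/null &&
  openssl x509 -in "$1/certs/www.syh.com.crt" -noout -text | grep -q 'CA:FALSE' &&
  openssl x509 -in "$1/certs/www.syh.com.crt" -noout -text | grep -q 'DNS:www.syh.com'
}
```

Run it as `W=$(mktemp -d); build_private_ca "$W" && verify_issued_cert "$W" && echo chain OK`; the same verify command against /etc/pki/CA/cacert.pem is the check to run on the post's own files before copying the certificate to the web server.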
V. Test
Certificate and key files
Certificate file path:
/etc/pki/CA/certs/www.syh.com.crt
Key file path:
/etc/pki/tls/private/www.syh.com.key
Configure Nginx
1. Edit the configuration file:
vim /etc/nginx/conf.d/nginx_ca.conf
server {
    listen 443 ssl;
    server_name www.syh.com;
    ssl_certificate /etc/pki/CA/certs/www.syh.com.crt;          # certificate path
    ssl_certificate_key /etc/pki/tls/private/www.syh.com.key;   # private key path
    ssl_session_timeout 5m;                                     # SSL session cache timeout
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;    # if the site cannot be reached, comment this line out
    # note: SSLv2, SSLv3, TLSv1 and TLSv1.1 are obsolete and insecure; TLSv1.2 TLSv1.3 is the safe setting
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;  # cipher list in OpenSSL format
    # note: this list admits RC4, LOW and EXPORT-grade ciphers, all of which are broken
    ssl_prefer_server_ciphers on;   # prefer the server's cipher order over the client browser's during negotiation
    location / {
        root /jump/html;
        index index.html index.htm;
    }
}
2. Create the document root
mkdir -p /jump/html
Publish a "Jump Jump" (跳一跳) page in it
3. Restart
nginx -t
systemctl restart nginx
Configure name resolution on Windows
Visit
https://www.syh.com
Because the private certificate is not trusted by this browser, the HTTPS connection is shown as not secure.