构建私有CA和证书

一、准备

两台虚拟机

192.168.252.148 CA

192.168.252.149 客户端

二、构建私有CA

192.168.252.148 CA

安装openssl

复制代码
1.检查是否存在
rpm -qa openssl
2.安装或者更新openssl
yum install openssl openssl-devel -y

查看CA相关配置

/etc/pki/tls/openssl.cnf这个文件是CA的配置文件。

此文件对于是证书签署者的身份会使用到此文件

此文件对于证书的申请者的身份是无用的。

根证书服务器目录:

根CA服务器:/etc/pki/CA 192.168.252.148

网站服务器:/etc/pki/tls 192.168.252.149

复制代码
查看文件
cat  /etc/pki/tls/openssl.cnf

创建所需文件

复制代码
cd /etc/pki/CA/
ls
certs  crl  newcerts  private

1.创建生成证书索引数据库文件
touch index.txt
2.指定第一个颁发证书的序列号
echo 01 > serial

ls
certs  crl  index.txt  newcerts  private  serial

创建秘钥

复制代码
1.使用openssl创建秘钥
cd /etc/pki/CA/
(umask 066; openssl genrsa -out private/cakey.pem 2048)

Generating RSA private key, 2048 bit long modulus
.....................+++
...............................+++
e is 65537 (0x10001)

2.在private中查看
ls private/
cakey.pem

生成自签名的证书

根CA自签名证书,根CA是最顶级的认证机构,没有人能够认证他,所以只能自己认证自己生成自签名证书。

复制代码
1.生成自签名证书通过秘钥
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem -days 7300

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                         //签发国家  
State or Province Name (full name) []:BEIJING                //签发省份
Locality Name (eg, city) [Default City]:BEIJING              //签发城市
Organization Name (eg, company) [Default Company Ltd]:CA     //签发公司
Organizational Unit Name (eg, section) []:OPT                //签发部门
Common Name (eg, your name or your server's hostname) []:www.syh.com   //签发域名
Email Address []:3146359748@qq.com                           //签发邮件                         

2.查看文件
ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

参数解释:

复制代码
-new 			生成新证书签署请求
-x509 		专用于CA生成自签证书
-key 			生成请求时用到的私钥文件
-days 		证书的有效期限
-out 		 	证书的保存路径

下载安装证书

复制代码
yum install -y lrzsz
sz /etc/pki/CA/cacert.pem

以谷歌浏览器为例:

点击设置

点击安全和隐私

向下滑

找到证书管理会出现一个弹窗

导入刚才上传电脑的证书

根据向导导入证书

导入刚才上传的证书

完成

三、服务器端进行CA证书申请和签名

192.168.252.149 客户端

安装openssl

复制代码
1.检查是否存在
rpm -qa openssl
2.安装或者更新openssl
yum install openssl openssl-devel -y

生成私钥文件

复制代码
1.生成私钥
(umask 066; openssl genrsa -out /etc/pki/tls/private/www.syh.com.key 2048)

Generating RSA private key, 2048 bit long modulus
...........................................................................................+++
.....+++
e is 65537 (0x10001)

2.查看私钥
ls /etc/pki/tls/private/
localhost.key  www.syh.com.key

私钥加密生成证书

复制代码
1.私钥加密生成证书
openssl req -new -key /etc/pki/tls/private/www.syh.com.key -days 365 -out /etc/pki/tls/www.syh.com.csr

ww.syh.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:OPT
Common Name (eg, your name or your server's hostname) []:www.syh.com
Email Address []:3146359748@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//此处的信息要一定与在生成自签名的证书的信息一致

2.查看证书的生成
ls  /etc/pki/tls/
cert.pem  certs  misc  openssl.cnf  private  www.syh.com.csr

四、证书签署

客户端的证书传输到CA端上

传输这个证书/etc/pki/tls/www.qf.com.csr到CA端

复制代码
192.168.252.149:
cd  /etc/pki/tls/
scp  www.syh.com.csr  192.168.252.148:/etc/pki/CA/private

192.168.252.148:
cd /etc/pki/CA/private
ls
cakey.pem  www.syh.com.csr

证书签署

1.修改配置文件/etc/pki/tls/openssl.cnf,修改organizationName=supplied

复制代码
192.168.252.148:
1.编辑配置文件
vim /etc/pki/tls/openssl.cnf
/organizationName搜索这个
找到这个模块修改:
# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = supplied
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

2.CA签署

复制代码
192.168.252.148:
1.签署证书
openssl ca -in /etc/pki/CA/private/www.syh.com.csr -out /etc/pki/CA/certs/www.syh.com.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf


Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  3 12:09:17 2024 GMT
            Not After : Sep  3 12:09:17 2025 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BEIJING
            organizationName          = CA
            organizationalUnitName    = OPT
            commonName                = www.syh.com
            emailAddress              = 3146359748@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                FA:A5:D7:6B:7D:8A:C2:BA:06:BA:7B:DF:71:35:40:5E:A1:AF:3A:F1
            X509v3 Authority Key Identifier: 
                keyid:AF:0C:F8:02:B7:C0:51:E3:B7:AB:3A:A0:15:EE:0A:39:8A:03:AB:6A

Certificate is to be certified until Sep  3 12:09:17 2025 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

2.查看证书
ls /etc/pki/CA/certs/
www.syh.com.crt

发送签署后的证书

复制代码
192.168.252.148:
1.发送证书
cd /etc/pki/CA/certs/
scp www.syh.com.crt 192.168.252.149:/etc/pki/CA/certs/

192.168.252.149:
1.查看证书
ls /etc/pki/CA/certs/
www.syh.com.crt

五、测试

证书文件和密钥文件

复制代码
证书文件路径:
/etc/pki/CA/certs/www.syh.com.crt
密钥文件路径:
/etc/pki/tls/private/www.syh.com.key

配置Nginx配置文件

复制代码
1.编辑配置文件:
vim /etc/nginx/conf.d/nginx_ca.conf

server {
        listen       443 ssl;
        server_name  www.syh.com;

        ssl_certificate      /etc/pki/CA/certs/www.syh.com.crt;                 #指定证书路径
        ssl_certificate_key  /etc/pki/tls/private/www.syh.com.key;              #指定私钥路径
        ssl_session_timeout  5m;                                                #配置用于SSL会话的缓存
        ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;  							#如果出现无法访问的连接就将此注释注释掉
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; #密码指定为OpenSSL支持的格式
        ssl_prefer_server_ciphers   on;                                         #设置协商加密算法时,优先使用服务端的
加密,而不是客户端浏览器的。

        location / {
                root /jump/html;
                index index.html index.htm;
        }
}

2.创建发布目录
mkdir -p  /jump/html
发布一个跳一跳

3.重启
nginx -t
systemctl restart nginx

配置windows解析

访问

https://www.syh.com

因为私有证书不受此浏览器信任所以会出现不安全的https连接

相关推荐
乖女子@@@15 小时前
协议_https协议
http·https·iphone
2501_915909061 天前
苹果上架App软件全流程指南:iOS 应用发布步骤、App Store 上架流程、uni-app 打包上传与审核技巧详解
android·ios·小程序·https·uni-app·iphone·webview
2501_915918411 天前
App 苹果 上架全流程解析 iOS 应用发布步骤、App Store 上架流程
android·ios·小程序·https·uni-app·iphone·webview
2501_916007471 天前
苹果上架全流程详解,iOS 应用发布步骤、App Store 上架流程、uni-app 打包上传与审核要点完整指南
android·ios·小程序·https·uni-app·iphone·webview
2501_915918411 天前
HTTPS 端口号详解 443 端口作用、iOS 抓包方法、常见 HTTPS 抓包工具与网络调试实践
android·网络·ios·小程序·https·uni-app·iphone
刘一说2 天前
Elasticsearch HTTPS访问错误解决指南
大数据·elasticsearch·https
2501_915106322 天前
App Store 软件上架全流程详解,iOS 应用发布步骤、uni-app 打包上传与审核要点完整指南
android·ios·小程序·https·uni-app·iphone·webview
三坛海会大神5552 天前
nginx中配置https详解:配置SSL/TLS证书
nginx·https·ssl
2501_916013742 天前
App 上架全流程指南,iOS App 上架步骤、App Store 应用发布流程、uni-app 打包上传与审核要点详解
android·ios·小程序·https·uni-app·iphone·webview
山楂树下懒猴子3 天前
ChatAI项目-ChatGPT-SDK组件工程
人工智能·chatgpt·junit·https·log4j·intellij-idea·mybatis