Building a CA server on Linux and certifying a service

1. Install openssl

[root@vipuser200 ~]# yum -y install openssl
[root@vipuser200 ~]# vim /etc/pki/tls/
Change line 172 from
    basicConstraints=CA:FALSE
to
    basicConstraints=CA:TRUE
# A root-level CA server does not need to request certification from a superior CA.

2. Generate the public-key certificate and the private key

[root@vipuser200 ~]# /etc/pki/tls/misc/CA -help
Unknown arg
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
[root@vipuser200 ~]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...+++
...+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:                 # enter a passphrase
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                              # country
State or Province Name (full name) []:HENAN                       # province
Locality Name (eg, city) [Default City]:LUOYANG                   # city
Organization Name (eg, company) [Default Company Ltd]:ZLF-COM     # company name
Organizational Unit Name (eg, section) []:IT                      # department
Common Name (eg, your name or your server's hostname) []:vipuser200.club   # server name
Email Address []:                                                 # e-mail address

Please enter the following 'extra' attributes      # extra attributes: leave these three lines blank
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/f
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:    # enter the passphrase you set above
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 13248658701588095830 (0xb7dcb0e50a8be356)
        Validity
            Not Before: Jul  4 22:19:22 2016 GMT
            Not After : Jul  4 22:19:22 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HENAN
            organizationName          = ZLF-COM
            organizationalUnitName    = IT
            commonName                = vipuser200.club
            emailAddress              =
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36
            X509v3 Authority Key Identifier:
                keyid:62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Jul  4 22:19:22 2019 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

View the CA's private key:

[root@vipuser200 ~]# vim /etc/pki/CA/private/cakey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIYBaODVh/svsCAggA
MBQGCCqGSIb3DQMHBAhYEcNnBucpgwSCBMiEIKp4Qd851+hYOCUggAmWd4pgk8Sd
NVkLFBTFinghYfQVoEXRFRScPI/BasNdCGHIVzGn+ZlIBWucg99j82FQhRA7kFlh

View the CA's public certificate:

[root@vipuser200 ~]# vim /etc/pki/CA/cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13248658701588095830 (0xb7dcb0e50a8be356)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CN, ST=HENAN, O=ZLF-COM, OU=IT, CN=vipuser200.club/emailAddress=
        Validity
            Not Before: Jul  4 22:19:22 2016 GMT
            Not After : Jul  4 22:19:22 2019 GMT
        Subject: C=CN, ST=HENAN, O=ZLF-COM, OU=IT, CN=vipuser200.club/emailAddress=
        Subject Public Key Info:

At this point the CA is set up.

3. Set up HTTPS certification

Bring up a second web server and start it:

[root@vipuser201 ~]# yum -y install httpd
[root@vipuser201 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for vipuser201.club
httpd: Could not reliably determine the server's fully qualified domain name, using for ServerName
                                                           [  OK  ]
# This means the hostname has no matching domain name; edit /etc/hosts to fix it.

Generate the vipuser201 certificate request file and obtain a certificate. First generate a private key, then use that private key to generate the certificate request file.

Generate an RSA (asymmetric) private key, protected by a passphrase, and write it to /etc/httpd/conf.d/server.key:

[root@vipuser201 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, 1024 bit long modulus
...+++
...+++
e is 65537 (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:        # set a passphrase to protect the key
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:

Use the private key to generate the certificate request file:

[root@vipuser201 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HENAN
Locality Name (eg, city) [Default City]:LUOYANG
Organization Name (eg, company) [Default Company Ltd]:ZLF-COM
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:vipuser201.club
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# The certificate request contains vipuser201's public key. That public key was derived from the
# private key given on the command line (/etc/httpd/conf.d/server.key) when the request was
# generated: the public key can be computed from the private key, but the private key cannot be
# recovered from the public key.

Send the certificate request to the vipuser200 CA and sign the certificate:

[root@vipuser201 ~]# scp /server.csr 00:/root
[root@vipuser200 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /root/server.csr -out /root/server.crt
Using configuration from /etc/pki/tls/f
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 13248658701588095831 (0xb7dcb0e50a8be357)
        Validity
            Not Before: Jul  4 23:12:56 2016 GMT
            Not After : Jul  4 23:12:56 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HENAN
            organizationName          = ZLF-COM
            organizationalUnitName    = IT
            commonName                = vipuser201.club
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                05:05:CA:78:12:8D:C9:53:69:92:EE:CA:49:C7:3F:01:DD:FC:64:23
            X509v3 Authority Key Identifier:
                keyid:62:A8:4A:02:91:AA:56:FF:BD:91:26:49:6F:02:D0:5D:70:8A:41:36
Certificate is to be certified until Jul  4 23:12:56 2017 GMT (365 days)
Sign the certificate? [y/n]:y                                  # sign the certificate: y
1 out of 1 certificate requests certified, commit? [y/n]y      # confirm again
Write out database with 1 new entries
Data Base Updated

Push the certificate down to vipuser201:

[root@vipuser200 ~]# scp /root/server.crt 01:/root/

Check on vipuser201:

[root@vipuser201 ~]# ls
anaconda-ks.cfg  install.log  install.log.syslog  server.crt

4. Use the certificate to implement HTTPS

Configure the HTTPS web server vipuser201:

[root@vipuser201 ~]# yum -y install mod_ssl                 # install the mod_ssl module
[root@vipuser201 ~]# scp /root/server.crt /etc/httpd/conf.d/
[root@vipuser201 ~]# ls /etc/httpd/conf.d/server.*
server.crt  server.key
[root@vipuser201 ~]# vim /etc/httpd/conf.d/ssl.conf         # change the following two items
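The whole procedure above (CA key and self-signed CA certificate on vipuser200, server key and request on vipuser201, signing by the CA, verification) as one non-interactive script. This is an added example, not code from the original tutorial: it uses the page's host names and DN values but works in a scratch directory instead of /etc/pki/CA and /etc/httpd/conf.d, writes the keys without a passphrase so it can run unattended, and uses 2048-bit keys and sha256 rather than the page's 1024-bit server key and sha1 signatures. It also does what the page's transcript does not: it keeps CA:TRUE on the CA certificate only (the signing output above shows the server certificate issued with `X509v3 Basic Constraints: CA:TRUE`, a side effect of flipping basicConstraints at line 172 of the config, which makes the web server's certificate able to sign further certificates), adds a subjectAltName, and runs `openssl verify` with a host-name check, which is what a browser will do when it connects.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the CA + server-certificate
# flow from the page, scripted non-interactively with the openssl CLI in a
# scratch directory. Host names and DN values are the page's; 2048-bit keys,
# sha256 and unencrypted key files are this example's choices.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
WORK="${WORK:-$(mktemp -d)}"   # stands in for /etc/pki/CA and /etc/httpd/conf.d
CA_DAYS=1095                   # same CA lifetime as on the page
SERVER_DAYS=365                # same server-certificate lifetime as on the page

# write_req_cnf FILE CN: minimal openssl config for a non-interactive request
# carrying the page's DN. The ca_ext section is only consulted when a
# self-signed certificate is produced with "req -x509".
write_req_cnf() {
  cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
C = CN
ST = HENAN
L = LUOYANG
O = ZLF-COM
OU = IT
CN = $2
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR CN: what "CA -newca" did on vipuser200: a CA key and a
# self-signed certificate, the only one that is allowed to carry CA:TRUE.
make_ca() {
  write_req_cnf "$1/ca.cnf" "$2"
  openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -key "$1/cakey.pem" -config "$1/ca.cnf" \
    -days "$CA_DAYS" -out "$1/cacert.pem"
}

# issue_server_cert DIR CN: the vipuser201 side (key + CSR) followed by the
# CA side (signing). The extension file pins basicConstraints to CA:FALSE
# and adds a subjectAltName, so the result is an end-entity cert for one host.
issue_server_cert() {
  write_req_cnf "$1/server.cnf" "$2"
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$1/server.key" -config "$1/server.cnf" \
    -out "$1/server.csr"
  cat > "$1/server_ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  openssl x509 -req -sha256 -in "$1/server.csr" -CA "$1/cacert.pem" \
    -CAkey "$1/cakey.pem" -CAcreateserial -days "$SERVER_DAYS" \
    -extfile "$1/server_ext.cnf" -out "$1/server.crt" 2>/dev/null
}

# cert_is_ca FILE: prints yes/no from the Basic Constraints extension; this is
# the check the page's own signing output fails for the server certificate.
cert_is_ca() {
  if openssl x509 -in "$1" -noout -text \
       | sed -n '/Basic Constraints/{n;p;}' | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# cert_cn FILE: the subject CN, which must be the name the server is reached by.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/.*CN=\([^,]*\).*/\1/'
}

# verify_chain DIR HOST: chain building against the CA plus host-name check,
# i.e. what a browser does when it opens https://HOST/.
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" \
    "$1/server.crt" >/dev/null 2>&1
}

make_ca "$WORK" vipuser200.club
issue_server_cert "$WORK" vipuser201.club
echo "CA certificate is a CA:     $(cert_is_ca "$WORK/cacert.pem")"
echo "server certificate is a CA: $(cert_is_ca "$WORK/server.crt")"
echo "server certificate CN:      $(cert_cn "$WORK/server.crt")"
verify_chain "$WORK" vipuser201.club && echo "chain and host name verify: OK"
```

Run it as root or not, it only touches the scratch directory; `WORK=/some/dir sh script.sh` keeps the files for inspection. The page stops before showing the two ssl.conf settings; in mod_ssl the paths of the issued files are given with the SSLCertificateFile and SSLCertificateKeyFile directives, and the CA certificate (cacert.pem) is what clients must trust, never the server key.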
