ca认证(https)
证书签名过程:
1、网页服务器生成证书请求文件;
2、认证中心确认申请者的身份真实性;
3、认证中心使用根证书的私钥加密证书请求文件,生成证书;
4、把证书传给申请者。
一、实验环境
node1 192.168.40.132 CA认证中心(也要给自己颁发根证书)
node2 192.168.40.211 网页服务器
由于没有真实域名,所以自己搭建一个CA认证中心,实际只要去申请一个就好了。
[root@node1 ~]# rpm -qf `which openssl`
openssl-1.0.2k-.el7.x86_64 //openssl一般默认安装的
[root@node1 ~]# vim /etc/pki/tls/openssl.cnf
basicConstraints=CA:TRUE //第172行,让当前服务器成为CA认证中心
[root@node1 ~]# /etc/pki/tls/misc/CA -newca //新的CAche证书
CA certificate filename (or enter to create) //证书文件名,可以直接回车
Making CA certificate ...
Generating a bit RSA private key
...................+++
.+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase: //保护私钥的密码,123456
Verifying - Enter PEM pass phrase: //重复密码,123456
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:beijing //地区
Locality Name (eg, city) [Default City]:haidian //城市
Organization Name (eg, company) [Default Company Ltd]:test //组织名称,公司
Organizational Unit Name (eg, section) []:IT //部门
Common Name (eg, your name or your server's hostname) []:test.cn //通用名,名字或服务器主机名等
Email Address []: //邮箱 Please enter the following 'extra' attributes
to be sent with your certificate request //添加一个额外属性,让客户端发送CA证书请求文件时,要输入的密码
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
fe:b3::2e:3c:0e:ce:d2
Validity
Not Before: Oct :: GMT
Not After : Oct :: GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = test
organizationalUnitName = IT
commonName = test.cn
X509v3 extensions:
X509v3 Subject Key Identifier:
:E7:F4:D2:AD:::E0::FB::8E:3F:8B:::3B:FE:CB:
X509v3 Authority Key Identifier:
keyid::E7:F4:D2:AD:::E0::FB::8E:3F:8B:::3B:FE:CB:
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Oct :: GMT ( days)
Write out database with new entries
Data Base Updated //搭建完成
[root@node1 ~]# cat /etc/pki/CA/cacert.pem
。。。。。省略
说明:/etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify -newcert 新证书
-newreq 新请求
-newreq-nodes 新请求节点
-newca 新的CA证书
-sign 签证
-verify 验证
二.Apache实现https
备一个httpd,需要包含ssl模块
[root@node2 ~]# yum -y install httpd mod_ssl [root@node2 ~]# vim /etc/httpd/conf/httpd.conf
ServerName 192.168.5.102: //第95行
[root@node2 ~]# systemctl start httpd.service
[root@node2 ~]firewall-cmd --permanent --zone=public --add-port=/tcp [root@node2 ~]firewall-cmd --reload
生成证书请求文件,并发给CA认证中心node1
//-des3使用des3加密算法;-out输出到指定地址
[root@node2 ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key
Generating RSA private key, bit long modulus
Enter pass phrase for /etc/httpd/conf.d/server.key: //输入保护私钥的密码,123456
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key: //重复密码
[root@node2 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr // CSR 证书请求文件
Generating RSA private key, bit long modulus
...........................................................................................................................................................+++
....................................................................................................................+++
e is (0x10001)
Enter pass phrase for /etc/httpd/conf.d/server.key:
Verifying - Enter pass phrase for /etc/httpd/conf.d/server.key:
[root@node2 ~]# openssl req -new -key /etc/httpd/conf.d/server.key -out /server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key: //输入保护私钥的密码(/etc/httpd/conf.d/server.key的),123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
//通用名不能和CA一样,一般写域
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:haidian
Organization Name (eg, company) [Default Company Ltd]:test
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:test.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node2 ~]# scp /server.csr 192.168.40.132:/
root@192.168.40.132's password:
server.csr
CAche认证中心进行签名,再回传
[root@node1 ~]# openssl ca -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /server.csr -out /server.crt //CRT 证书文件,可以是PEM格式
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
fe:b3:47:2e:3c:0e:ce:d3
Validity
Not Before: Oct 14 12:52:55 2019 GMT
Not After : Oct 13 12:52:55 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = test
organizationalUnitName = IT
commonName = test.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
2E:AA:92:E4:F1:05:74:55:E6:3A:B9:83:FC:4B:64:05:D4:A8:24:DC
X509v3 Authority Key Identifier:
keyid:69:E7:F4:D2:AD:56:53:E0:37:FB:37:8E:3F:8B:23:23:3B:FE:CB:45
Certificate is to be certified until Oct 13 12:52:55 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node1 ~]# scp /server.crt 192.168.40.211:/ //回传给服务器
The authenticity of host '192.168.40.211 (192.168.40.211)' can't be established.
ECDSA key fingerprint is SHA256:pNJw/K2ipf4PO9OZtkTmisNZ+ctpN02yRIMxTvNGlrA.
ECDSA key fingerprint is MD5:42:0a:fb:3f:74:1f:12:fc:f1:6a:20:00:43:0a:0f:c3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.40.211' (ECDSA) to the list of known hosts.
root@192.168.40.211's password:
server.crt 100% 4424 3.4MB/s 00:00
配置Apache加载证书文件
[root@node2 ~]# cp /server.crt /etc/httpd/conf.d/
[root@node2 ~]# vim /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf.d/server.crt //第100行,签名证书
SSLCertificateKeyFile /etc/httpd/conf.d/server.key /第107行,私钥 [root@node2 ~]#systemctl restart httpd
Enter SSL pass phrase for 192.168.40.211:443 (RSA) : ****** //123456
[root@node2 ~]# yum -y install net-tools.x86_64
[root@node2 ~]# netstat -antup | grep 443
tcp6 0 0 :::443 :::* LISTEN 1279/httpd
[root@node2 ~]firewall-cmd --permanent --zone=public --add-port=443/tcp
[root@node2 ~]firewall-cmd --reload
三.nginx实现https
[root@node2 ~]# yum -y install nginx
[root@node2 ~]# vim /etc/nginx/conf.d/default.conf
server {
listen ssl;
keepalive_timeout ;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
ssl_protocols TLSv1 TLSv1. TLSv1.; #SSL支持的版本
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /etc/httpd/conf.d/server.crt;
ssl_certificate_key /etc/httpd/conf.d/server.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
}
注意:粘贴会有空格。
[root@node2 ~]# nginx -t Enter PEM pass phrase:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@node2 ~]# nginx
Enter PEM pass phrase:
[root@node2 ~]# netstat -antup | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1461/nginx: master
推荐链接:https://blog.csdn.net/wangquannetwork/article/details/46147319
ca认证(https)的更多相关文章
- CA认证以及https的实现
(1).CA认证 CA全称Certificate Authority,通常翻译成认证权威或者认证中心,主要用途是为用户发放数字证书.认证中心(CA)的功能:证书发放.证书更新.证书撤销和证书验证.CA ...
- 探究公钥、私钥、对称加密、非对称加密、hash加密、数字签名、数字证书、CA认证、https它们究竟是什么,它们分别解决了通信过程的哪些问题。
一.准备 1. 角色:小白.美美.小黑. 2. 剧情:小白和美美在谈恋爱:小黑对美美求而不得.心生怨念,所以从中作梗. 3. 需求:小白要与美美需通过网络进行通信,联络感情,所以必须保证通信的安全性. ...
- docker开启2376端口CA认证及IDEA中一键部署docker项目
嘿,大家好,今天更新的内容是docker开启2376端口CA认证及IDEA中一键部署docker项目... 先看效果 我们可以通过idea一键部署docker项目,还以通过idea的控制台实时查看容器 ...
- 浏览器CA认证流程
转载:https://blog.csdn.net/qq_22771739/article/details/86479411 首先说说证书的签发过程: 服务方 S 向第三方机构CA提交公钥.组织信息.个 ...
- Docker开启TLS和CA认证
前言:Docker直接开启2375端口是不安全的,别人只要连上之后就可以任意操作,下面是开启Docker的TLS和CA认证方法,并使用Jenkins和Portainer连接. 一.生成证书 查看服务器 ...
- 公钥、私钥、CA认证、数字签名、U盾
感谢传智播客的方立勋老师,在一个教学视频上,他巧妙地以蒋介石给宋美龄写密信作为例子,生动地讲述了软件密码学知识. 加密分为对称加密和非对称加密,我们传统理解的,发送数据之前使用一个加密器加密,接到数据 ...
- CA认证和颁发吊销证书
摘要:涉及到网络安全这一块,想必大家都听过CA吧.像百度.淘宝.京东等这些知名网站,每年都要花费一笔money来买CA证书.但其实简单的企业内的CA认证,我们自己就可以实现,今天小编我就讲解一下怎么在 ...
- CA认证_demo
CA认证,即电子认证服务 [1] ,是指为电子签名相关各方提供真实性.可靠性验证的活动. 证书颁发机构(CA, Certificate Authority)即颁发数字证书的机构.是负责发放和管理数字 ...
- CA认证相关
目录 CA认证相关 基本概念 CA认证相关 公钥私钥详解>> 基本概念 密钥对: 在非对称的加密技术中心, 有两种密钥, 分为私钥和公钥,私钥 --RSA算法-->公钥. 公钥: 公 ...
- CA认证机制的简明解释
公钥机制面临的问题: 假冒身份发布公钥! 可以用CA来认证公钥的身份.CA有点像公安局,公钥就像身份证.公安局可以向任何合法用户颁发身份证以证明其合法身份.第三方只要识别身份证的真伪就能判断身份证持有 ...
随机推荐
- python进阶ing——创建第一个Tornado应用
python进阶ing——创建第一个Tornado应用 分类: Python2013-06-02 23:02 1725人阅读 评论(2) 收藏 举报 pythonTornado 每天在群里跟很多群友讨 ...
- django之路由层(反向解析)总结
表关系的建立方式 表与表之间的关系就三种 一对一 OneToOne(to='') # to后面可以跟字符串的表名 也可以直接跟变量名表名(该表名必须在上面提前定义出来) 一对多 ForeignKey( ...
- Python&R&Matlab:批量生成变量
在编写程序时,有时我们需要命名相当多的变量,比如x0.x1.x2.....xn,用手一个个打出来是相当麻烦的.那么这时我们就需要批量生成变量了. 解决这个问题的关键在于,'xn'是自动构造出来的字符串 ...
- 21. ClustrixDB 识别平台限制
本节描述集群性能上潜在的限制平台因素,如何度量集群是否接近或超过这些限制,以及纠正这些条件的可用选项.“平台因素”指的是硬件资源,如CPU.内存.磁盘和网络I/O子系统.有关潜在的软件相关因素,请参见 ...
- python类装饰器即__call__方法
上一篇中我对学习过程中的装饰器进行了总结和整理,这一节简单整理下类装饰器 1.类中的__call__方法: 我们在定义好一个类后,实例化出一个对象,如果对这个对象以直接在后边加括号的方式进行调用,程序 ...
- 深入理解二阶段提交协议(DDB对XA悬挂事务的处理分析)(一)
https://sq.163yun.com/blog/article/165554812476866560
- HAOI2018简要题解
大概之后可能会重写一下,写的详细一些? Day 1 T1 简单的背包:DP 分析 可以发现,如果选出了一些数,令这些数的\(\gcd\)为\(d\),那么这些数能且仅能组合成\(\gcd(d,P)\) ...
- 2002: [Hnoi2010]Bounce 弹飞绵羊(分块)
2002: [Hnoi2010]Bounce 弹飞绵羊 时间限制: 10 Sec 内存限制: 259 MB 题目描述 某天,Lostmonkey发明了一种超级弹力装置,为了在他的绵羊朋友面前显摆,他 ...
- JavaWeb_Servlet生命周期
菜鸟教程 传送门 Servlet生命周期 package com.Gary.servlet; import java.io.IOException; import javax.servlet.Serv ...
- SpringBoot启动时的Banner设置
Spring Boot程序启动的时候输出的由字符组成的Spring符号并不陌生.这个是Spring Boot为自己设计的Banner: 1. 第一种方式:修改的时候,进行设置,在Application ...