CA Introduction
Build the CA server (to provide encrypted transport for web services)
CA Server (172.40.55.10)
Step 1: Configure the CA signing environment
Step 2: Generate the private key for the CA server
Step 3: Create a root certificate for the CA server
Step 4: Publish the root certificate file
Step 1: Configure the CA signing environment
# rpm -qf /etc/pki/tls/openssl.cnf
openssl-1.0.1e-42.el6.x86_64
# vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs
certificate = $dir/my-ca.crt             # file name of the root certificate
private_key = $dir/private/my-ca.key     # file name of the CA private key
[ req_distinguished_name ]
countryName_default = CN                 # country
stateOrProvinceName_default = Beijing    # province
localityName_default = Beijing           # city
0.organizationName_default = Tarena      # organization
:wq
Create the index.txt database and the serial file that openssl ca needs (the serial file holds the next serial number to issue; the first certificate issued below gets serial 1):
# cd /etc/pki/CA
# touch index.txt
# echo 01 > serial
Step 2: Generate the private key for the CA server
# cd /etc/pki/CA/private/
# openssl genrsa -des3 2048 > my-ca.key        (passphrase: 123456)
# chmod 600 my-ca.key
Step 3: Create a root certificate for the CA server
# cd /etc/pki/CA/
# openssl req -new -x509 -key private/my-ca.key -days 365 > my-ca.crt     (enter the passphrase of the private key)
Enter pass phrase for private/my-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [Tarena]:
Organizational Unit Name (eg, section) []:mis
Common Name (eg, your name or your server's hostname) []:ca.tarena.com
Email Address []:[email protected]
Step 4: Publish the root certificate file
# cd /etc/pki/CA/
# cp my-ca.crt /var/www/html/
# service httpd restart
++++++++++++++++++++++++
Web server
1 Generate your own private key
2 Generate a certificate signing request (CSR) file
3 The CA server issues the certificate
4 Download the issued certificate
5 Configure the web service to use the issued certificate
6 Restart the web service
1 Generate your own private key
# cd /etc/pki/tls/private/
# openssl genrsa 2048 > www.key
# chmod 600 www.key
2 Generate a certificate signing request (CSR) file
# cd /etc/pki/tls/private/
# openssl req -new -key www.key > /root/www.csr
# openssl req -new -key www.key > /root/www.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Beijing]:
Locality Name (eg, city) [Beijing]:
Organization Name (eg, company) [Tarena]:
Organizational Unit Name (eg, section) []:mis
Common Name (eg, your name or your server's hostname) []:ca.tedu.cn
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3 The CA server issues the certificate and shares the issued certificate
# cd /etc/pki/CA/certs/
# openssl ca -in /root/www.csr > www.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/my-ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: May  7 09:20:09 GMT
            Not After : May  7 09:20:09 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Beijing
            organizationName          = Tarena
            organizationalUnitName    = mis
            commonName                = ca.tedu.cn
            emailAddress              = [email protected]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                f9:5d:62:df:af:9e:23:29:be:b6:ce:dc:88:4f:e6:c7:b0:36:11:a6
            X509v3 Authority Key Identifier:
                keyid:5b:1d:a7:f7:b6:22:fe:6d:f2:f1:8e:ce:89:eb:ef:58:e4:cf:a0:a5
Certificate is to be certified until May  7 09:20:09 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# cp www.crt /var/www/html/
4 The client downloads the issued certificate
# cd /etc/pki/tls/certs/
# cp /etc/pki/CA/certs/www.crt ./
# ls /etc/pki/tls/private/
www.key
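The following script is an added example, not code from the original tutorial or its author: it replays CA steps 1-3 and web-server steps 1-3 above non-interactively under a scratch directory, then runs the checks worth doing before www.crt is deployed: that it verifies against my-ca.crt, that it matches www.key, and that its CN is the hostname clients will connect to. It assumes an openssl binary on PATH; the function name build_and_verify, the minimal openssl.cnf and the scratch layout are its own.

```shell
# Added example (not from the original tutorial): replays CA steps 1-3 and web-server
# steps 1-3 above without prompts in a scratch dir, then verifies the result. Assumes openssl on PATH.
build_and_verify() {                    # $1 = scratch directory, $2 = server hostname
  ca="$1/CA"; host="$2"
  mkdir -p "$ca/private" "$ca/certs" "$ca/newcerts"
  touch "$ca/index.txt"; echo 01 > "$ca/serial"   # empty database, first serial number
  # Minimal openssl.cnf carrying the [ CA_default ] entries the tutorial edits.
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/my-ca.crt
private_key = \$dir/private/my-ca.key
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
  # CA steps 2-3: private key and self-signed root (no -des3 here so nothing prompts).
  openssl genrsa -out "$ca/private/my-ca.key" 2048 2>/dev/null
  chmod 600 "$ca/private/my-ca.key"
  openssl req -new -x509 -key "$ca/private/my-ca.key" -days 365 -config "$1/openssl.cnf" \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=Tarena/CN=ca.tarena.com" -out "$ca/my-ca.crt"
  # Web-server steps 1-2: key and CSR; the CN is the hostname clients will connect to.
  openssl genrsa -out "$1/www.key" 2048 2>/dev/null
  openssl req -new -key "$1/www.key" -config "$1/openssl.cnf" \
    -subj "/C=CN/ST=Beijing/O=Tarena/OU=mis/CN=$host" -out "$1/www.csr"
  # CA step 3: sign the request; -batch replaces the two interactive "y" answers.
  openssl ca -batch -days 365 -config "$1/openssl.cnf" -in "$1/www.csr" -out "$ca/certs/www.crt" >/dev/null 2>&1
  # Checks worth running before deploying: chains to the root, key matches cert, CN is right.
  openssl verify -CAfile "$ca/my-ca.crt" "$ca/certs/www.crt" | grep -q ': OK$' || return 1
  [ "$(openssl x509 -noout -pubkey -in "$ca/certs/www.crt")" = \
    "$(openssl pkey -in "$1/www.key" -pubout)" ] || return 1
  openssl x509 -noout -subject -in "$ca/certs/www.crt" | grep -q "CN *= *$host" || return 1
  echo ok
}
```

Run it as `build_and_verify "$(mktemp -d)" ca.tedu.cn`; it prints ok only when all three checks pass.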
5 Configure the web service to use the issued certificate
# rpm -q mod_ssl
# yum -y install mod_ssl
# vim /etc/httpd/conf.d/ssl.conf
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/www.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.key
:wq
6 Restart the web service
# service httpd restart
# netstat -utnalp | grep :443
tcp        0      0 :::443                      :::*                        LISTEN      8973/httpd
+++++++++++++++++++++++++++++++++++
Client
http://web-ip
https://web-ip (port 443)
# elinks --dump https://localhost/one.html
ELinks: Connection refused
# elinks --dump http://localhost/one.html
Hello a student
++++++++++++++++++++++++++++++++++++
Site configuration (client HTTP access automatically redirects to HTTPS)
https://172.40.55.10/one.html
# vim httpd.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{SERVER_NAME}/$1 [R]
:wq
# service httpd restart
http://ca.tedu.cn/one.html